/[RomCheater]/trunk/Win32/Sojaner.MemoryScanner/PEReader.cs
ViewVC logotype

Diff of /trunk/Win32/Sojaner.MemoryScanner/PEReader.cs

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

--- trunk/Win32/Sojaner.MemoryScanner/PEReader.cs	2012/06/09 22:23:15	356
+++ trunk/Win32/Sojaner.MemoryScanner/PEReader.cs	2012/06/10 00:47:58	357
@@ -17,7 +17,7 @@
 {
     public interface IAcceptPEData
     {
-        void SetPEViewerData(PEReader.PEData peData);
+        void SetPEViewerData(IPEDData peData);
     }
     public interface IAcceptsPEData
     {
@@ -25,668 +25,746 @@
     }
     public interface IPEViewerDataUpdatedEvent
     {
-        PEReader.PEData PEData { get; }
+        IPEDData peData { get; }
     }
     public class PEViewerDataUpdatedEvent : BaseEventArgs, IPEViewerDataUpdatedEvent
     {
-        public PEViewerDataUpdatedEvent() : this(new PEReader.PEData()) { }
-        public PEViewerDataUpdatedEvent(object sender) : this(sender, new PEReader.PEData()) { }
-        public PEViewerDataUpdatedEvent(PEReader.PEData peData) : base() { this.PEData = peData; }
-        public PEViewerDataUpdatedEvent(object sender, PEReader.PEData peData) : base(sender) { this.PEData = peData; }
+        public PEViewerDataUpdatedEvent() : this(PEData.Empty) { }
+        public PEViewerDataUpdatedEvent(object sender) : this(sender, PEData.Empty) { }
+        public PEViewerDataUpdatedEvent(IPEDData peData) : base() { this.peData = peData; }
+        public PEViewerDataUpdatedEvent(object sender, IPEDData peData) : base(sender) { this.peData = peData; }
         #region IPEViewerDataUpdatedEvent members
-        public PEReader.PEData PEData { get; private set; }
+        public IPEDData peData { get; private set; }
         #endregion
     }
 }
 namespace Sojaner.MemoryScanner
 {
-    public class PEReader
+
+    #region Structs
+    #region helpers
+    [Flags]
+    public enum MachineTypeFlags
     {
-        // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
-        #region Structs
-        #region helpers
-        [Flags]
-        public enum MachineTypeFlags
-        {
-            x86 = 0x14C,
-            Alpha = 0x184,
-            ARM = 0x1C0,
-            MIPS16R3000 = 0x162,
-            MIPS16R4000 = 0x166,
-            MIPS16R10000 = 0x168,
-            PowerPCLE = 0x1F0,
-            PowerPCBE = 0x1F2,
-            Itanium = 0x200,
-            MIPS16 = 0x266,
-            Alpha64 = 0x284,
-            MIPSFPU = 0x366,
-            MIPSFPU16 = 0x466,
-            x64 = 0x8664,
-        }
-        public enum MagicType : ushort
-        {
-            NT_OPTIONAL_HEADER_NOT_PRESENT, // 0     
-            NT_OPTIONAL_HEADER_32 = 0x10b,
-            NT_OPTIONAL_HEADER_64 = 0x20b
-        }
-        public enum SubSystemType : ushort
-        {
-            IMAGE_SUBSYSTEM_UNKNOWN = 0,
-            IMAGE_SUBSYSTEM_NATIVE = 1,
-            IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
-            IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
-            IMAGE_SUBSYSTEM_POSIX_CUI = 7,
-            IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
-            IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
-            IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
-            IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
-            IMAGE_SUBSYSTEM_EFI_ROM = 13,
-            IMAGE_SUBSYSTEM_XBOX = 14
-
-        }
-        public enum DllCharacteristicsType : ushort
-        {
-            RES_0 = 0x0001,
-            RES_1 = 0x0002,
-            RES_2 = 0x0004,
-            RES_3 = 0x0008,
-            IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
-            IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
-            IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
-            IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
-            IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
-            IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
-            RES_4 = 0x1000,
-            IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
-            IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
-        }
-        [Flags]
-        public enum FileCharacteristicType : ushort
-        {
-            RelocationInformationStrippedFromFile = 0x1,
-            Executable = 0x2,
-            LineNumbersStripped = 0x4,
-            SymbolTableStripped = 0x8,
-            AggresiveTrimWorkingSet = 0x10,
-            LargeAddressAware = 0x20,
-            Supports16Bit = 0x40,
-            ReservedBytesWo = 0x80,
-            Supports32Bit = 0x100,
-            DebugInfoStripped = 0x200,
-            RunFromSwapIfInRemovableMedia = 0x400,
-            RunFromSwapIfInNetworkMedia = 0x800,
-            IsSytemFile = 0x1000,
-            IsDLL = 0x2000,
-            IsOnlyForSingleCoreProcessor = 0x4000,
-            BytesOfWordReserved = 0x8000,
-   }
-        #region DataSectionFlags
-        [Flags]
-        public enum DataSectionFlags : uint
-        {
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeReg = 0x00000000,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeDsect = 0x00000001,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeNoLoad = 0x00000002,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeGroup = 0x00000004,
-            /// <summary>
-            /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
-            /// </summary>
-            TypeNoPadded = 0x00000008,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeCopy = 0x00000010,
-            /// <summary>
-            /// The section contains executable code.
-            /// </summary>
-            ContentCode = 0x00000020,
-            /// <summary>
-            /// The section contains initialized data.
-            /// </summary>
-            ContentInitializedData = 0x00000040,
-            /// <summary>
-            /// The section contains uninitialized data.
-            /// </summary>
-            ContentUninitializedData = 0x00000080,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            LinkOther = 0x00000100,
-            /// <summary>
-            /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
-            /// </summary>
-            LinkInfo = 0x00000200,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            TypeOver = 0x00000400,
-            /// <summary>
-            /// The section will not become part of the image. This is valid only for object files.
-            /// </summary>
-            LinkRemove = 0x00000800,
-            /// <summary>
-            /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
-            /// </summary>
-            LinkComDat = 0x00001000,
-            /// <summary>
-            /// Reset speculative exceptions handling bits in the TLB entries for this section.
-            /// </summary>
-            NoDeferSpecExceptions = 0x00004000,
-            /// <summary>
-            /// The section contains data referenced through the global pointer (GP).
-            /// </summary>
-            RelativeGP = 0x00008000,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            MemPurgeable = 0x00020000,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            Memory16Bit = 0x00020000,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            MemoryLocked = 0x00040000,
-            /// <summary>
-            /// Reserved for future use.
-            /// </summary>
-            MemoryPreload = 0x00080000,
-            /// <summary>
-            /// Align data on a 1-byte boundary. Valid only for object files.
-            /// </summary>
-            Align1Bytes = 0x00100000,
-            /// <summary>
-            /// Align data on a 2-byte boundary. Valid only for object files.
-            /// </summary>
-            Align2Bytes = 0x00200000,
-            /// <summary>
-            /// Align data on a 4-byte boundary. Valid only for object files.
-            /// </summary>
-            Align4Bytes = 0x00300000,
-            /// <summary>
-            /// Align data on an 8-byte boundary. Valid only for object files.
-            /// </summary>
-            Align8Bytes = 0x00400000,
-            /// <summary>
-            /// Align data on a 16-byte boundary. Valid only for object files.
-            /// </summary>
-            Align16Bytes = 0x00500000,
-            /// <summary>
-            /// Align data on a 32-byte boundary. Valid only for object files.
-            /// </summary>
-            Align32Bytes = 0x00600000,
-            /// <summary>
-            /// Align data on a 64-byte boundary. Valid only for object files.
-            /// </summary>
-            Align64Bytes = 0x00700000,
-            /// <summary>
-            /// Align data on a 128-byte boundary. Valid only for object files.
-            /// </summary>
-            Align128Bytes = 0x00800000,
-            /// <summary>
-            /// Align data on a 256-byte boundary. Valid only for object files.
-            /// </summary>
-            Align256Bytes = 0x00900000,
-            /// <summary>
-            /// Align data on a 512-byte boundary. Valid only for object files.
-            /// </summary>
-            Align512Bytes = 0x00A00000,
-            /// <summary>
-            /// Align data on a 1024-byte boundary. Valid only for object files.
-            /// </summary>
-            Align1024Bytes = 0x00B00000,
-            /// <summary>
-            /// Align data on a 2048-byte boundary. Valid only for object files.
-            /// </summary>
-            Align2048Bytes = 0x00C00000,
-            /// <summary>
-            /// Align data on a 4096-byte boundary. Valid only for object files.
-            /// </summary>
-            Align4096Bytes = 0x00D00000,
-            /// <summary>
-            /// Align data on an 8192-byte boundary. Valid only for object files.
-            /// </summary>
-            Align8192Bytes = 0x00E00000,
-            /// <summary>
-            /// The section contains extended relocations.
-            /// </summary>
-            LinkExtendedRelocationOverflow = 0x01000000,
-            /// <summary>
-            /// The section can be discarded as needed.
-            /// </summary>
-            MemoryDiscardable = 0x02000000,
-            /// <summary>
-            /// The section cannot be cached.
-            /// </summary>
-            MemoryNotCached = 0x04000000,
-            /// <summary>
-            /// The section is not pageable.
-            /// </summary>
-            MemoryNotPaged = 0x08000000,
-            /// <summary>
-            /// The section can be shared in memory.
-            /// </summary>
-            MemoryShared = 0x10000000,
-            /// <summary>
-            /// The section can be executed as code.
-            /// </summary>
-            MemoryExecute = 0x20000000,
-            /// <summary>
-            /// The section can be read.
-            /// </summary>
-            MemoryRead = 0x40000000,
-            /// <summary>
-            /// The section can be written to.
-            /// </summary>
-            MemoryWrite = 0x80000000
+        x86 = 0x14C,
+        Alpha = 0x184,
+        ARM = 0x1C0,
+        MIPS16R3000 = 0x162,
+        MIPS16R4000 = 0x166,
+        MIPS16R10000 = 0x168,
+        PowerPCLE = 0x1F0,
+        PowerPCBE = 0x1F2,
+        Itanium = 0x200,
+        MIPS16 = 0x266,
+        Alpha64 = 0x284,
+        MIPSFPU = 0x366,
+        MIPSFPU16 = 0x466,
+        x64 = 0x8664,
+    }
+    public enum MagicType : ushort
+    {
+        NT_OPTIONAL_HEADER_NOT_PRESENT, // 0     
+        NT_OPTIONAL_HEADER_32 = 0x10b,
+        NT_OPTIONAL_HEADER_64 = 0x20b
+    }
+    public enum SubSystemType : ushort
+    {
+        IMAGE_SUBSYSTEM_UNKNOWN = 0,
+        IMAGE_SUBSYSTEM_NATIVE = 1,
+        IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
+        IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
+        IMAGE_SUBSYSTEM_POSIX_CUI = 7,
+        IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
+        IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
+        IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
+        IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
+        IMAGE_SUBSYSTEM_EFI_ROM = 13,
+        IMAGE_SUBSYSTEM_XBOX = 14
+
+    }
+    public enum DllCharacteristicsType : ushort
+    {
+        RES_0 = 0x0001,
+        RES_1 = 0x0002,
+        RES_2 = 0x0004,
+        RES_3 = 0x0008,
+        IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
+        IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
+        IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
+        IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
+        IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
+        IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
+        RES_4 = 0x1000,
+        IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
+        IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
+    }
+    [Flags]
+    public enum FileCharacteristicType : ushort
+    {
+        RelocationInformationStrippedFromFile = 0x1,
+        Executable = 0x2,
+        LineNumbersStripped = 0x4,
+        SymbolTableStripped = 0x8,
+        AggresiveTrimWorkingSet = 0x10,
+        LargeAddressAware = 0x20,
+        Supports16Bit = 0x40,
+        ReservedBytesWo = 0x80,
+        Supports32Bit = 0x100,
+        DebugInfoStripped = 0x200,
+        RunFromSwapIfInRemovableMedia = 0x400,
+        RunFromSwapIfInNetworkMedia = 0x800,
+        IsSytemFile = 0x1000,
+        IsDLL = 0x2000,
+        IsOnlyForSingleCoreProcessor = 0x4000,
+        BytesOfWordReserved = 0x8000,
+    }
+    #region DataSectionFlags
+    [Flags]
+    public enum DataSectionFlags : uint
+    {
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeReg = 0x00000000,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeDsect = 0x00000001,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeNoLoad = 0x00000002,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeGroup = 0x00000004,
+        /// <summary>
+        /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
+        /// </summary>
+        TypeNoPadded = 0x00000008,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeCopy = 0x00000010,
+        /// <summary>
+        /// The section contains executable code.
+        /// </summary>
+        ContentCode = 0x00000020,
+        /// <summary>
+        /// The section contains initialized data.
+        /// </summary>
+        ContentInitializedData = 0x00000040,
+        /// <summary>
+        /// The section contains uninitialized data.
+        /// </summary>
+        ContentUninitializedData = 0x00000080,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        LinkOther = 0x00000100,
+        /// <summary>
+        /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
+        /// </summary>
+        LinkInfo = 0x00000200,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        TypeOver = 0x00000400,
+        /// <summary>
+        /// The section will not become part of the image. This is valid only for object files.
+        /// </summary>
+        LinkRemove = 0x00000800,
+        /// <summary>
+        /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
+        /// </summary>
+        LinkComDat = 0x00001000,
+        /// <summary>
+        /// Reset speculative exceptions handling bits in the TLB entries for this section.
+        /// </summary>
+        NoDeferSpecExceptions = 0x00004000,
+        /// <summary>
+        /// The section contains data referenced through the global pointer (GP).
+        /// </summary>
+        RelativeGP = 0x00008000,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        MemPurgeable = 0x00020000,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        Memory16Bit = 0x00020000,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        MemoryLocked = 0x00040000,
+        /// <summary>
+        /// Reserved for future use.
+        /// </summary>
+        MemoryPreload = 0x00080000,
+        /// <summary>
+        /// Align data on a 1-byte boundary. Valid only for object files.
+        /// </summary>
+        Align1Bytes = 0x00100000,
+        /// <summary>
+        /// Align data on a 2-byte boundary. Valid only for object files.
+        /// </summary>
+        Align2Bytes = 0x00200000,
+        /// <summary>
+        /// Align data on a 4-byte boundary. Valid only for object files.
+        /// </summary>
+        Align4Bytes = 0x00300000,
+        /// <summary>
+        /// Align data on an 8-byte boundary. Valid only for object files.
+        /// </summary>
+        Align8Bytes = 0x00400000,
+        /// <summary>
+        /// Align data on a 16-byte boundary. Valid only for object files.
+        /// </summary>
+        Align16Bytes = 0x00500000,
+        /// <summary>
+        /// Align data on a 32-byte boundary. Valid only for object files.
+        /// </summary>
+        Align32Bytes = 0x00600000,
+        /// <summary>
+        /// Align data on a 64-byte boundary. Valid only for object files.
+        /// </summary>
+        Align64Bytes = 0x00700000,
+        /// <summary>
+        /// Align data on a 128-byte boundary. Valid only for object files.
+        /// </summary>
+        Align128Bytes = 0x00800000,
+        /// <summary>
+        /// Align data on a 256-byte boundary. Valid only for object files.
+        /// </summary>
+        Align256Bytes = 0x00900000,
+        /// <summary>
+        /// Align data on a 512-byte boundary. Valid only for object files.
+        /// </summary>
+        Align512Bytes = 0x00A00000,
+        /// <summary>
+        /// Align data on a 1024-byte boundary. Valid only for object files.
+        /// </summary>
+        Align1024Bytes = 0x00B00000,
+        /// <summary>
+        /// Align data on a 2048-byte boundary. Valid only for object files.
+        /// </summary>
+        Align2048Bytes = 0x00C00000,
+        /// <summary>
+        /// Align data on a 4096-byte boundary. Valid only for object files.
+        /// </summary>
+        Align4096Bytes = 0x00D00000,
+        /// <summary>
+        /// Align data on an 8192-byte boundary. Valid only for object files.
+        /// </summary>
+        Align8192Bytes = 0x00E00000,
+        /// <summary>
+        /// The section contains extended relocations.
+        /// </summary>
+        LinkExtendedRelocationOverflow = 0x01000000,
+        /// <summary>
+        /// The section can be discarded as needed.
+        /// </summary>
+        MemoryDiscardable = 0x02000000,
+        /// <summary>
+        /// The section cannot be cached.
+        /// </summary>
+        MemoryNotCached = 0x04000000,
+        /// <summary>
+        /// The section is not pageable.
+        /// </summary>
+        MemoryNotPaged = 0x08000000,
+        /// <summary>
+        /// The section can be shared in memory.
+        /// </summary>
+        MemoryShared = 0x10000000,
+        /// <summary>
+        /// The section can be executed as code.
+        /// </summary>
+        MemoryExecute = 0x20000000,
+        /// <summary>
+        /// The section can be read.
+        /// </summary>
+        MemoryRead = 0x40000000,
+        /// <summary>
+        /// The section can be written to.
+        /// </summary>
+        MemoryWrite = 0x80000000
+    }
+    #endregion
+    #endregion
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_DOS_HEADER
+    {
+        public UInt16 _e_magic;
+        public UInt16 _e_cblp;
+        public UInt16 _e_cp;
+        public UInt16 _e_crlc;
+        public UInt16 _e_cparhdr;
+        public UInt16 _e_minalloc;
+        public UInt16 _e_maxalloc;
+        public UInt16 _e_ss;
+        public UInt16 _e_sp;
+        public UInt16 _e_csum;
+        public UInt16 _e_ip;
+        public UInt16 _e_cs;
+        public UInt16 _e_lfarlc;
+        public UInt16 _e_ovno;
+        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
+        public UInt16[] _e_res1;
+        public UInt16 _e_oemid;
+        public UInt16 _e_oeminfo;
+        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
+        public UInt16[] _e_res2;
+        public UInt32 _e_lfanew;
+
+        public string e_magic { get { return string.Format("0x{0:x4}", _e_magic); } }
+        public string e_cblp { get { return string.Format("0x{0:x4}", _e_cblp); } }
+        public string e_cp { get { return string.Format("0x{0:x4}", _e_cp); } }
+        public string e_crlc { get { return string.Format("0x{0:x4}", _e_crlc); } }
+        public string e_cparhdr { get { return string.Format("0x{0:x4}", _e_cparhdr); } }
+        public string e_minalloc { get { return string.Format("0x{0:x4}", _e_minalloc); } }
+        public string e_maxalloc { get { return string.Format("0x{0:x4}", _e_maxalloc); } }
+        public string e_ss { get { return string.Format("0x{0:x4}", _e_ss); } }
+        public string e_sp { get { return string.Format("0x{0:x4}", _e_sp); } }
+        public string e_csum { get { return string.Format("0x{0:x4}", _e_csum); } }
+        public string e_ip { get { return string.Format("0x{0:x4}", _e_ip); } }
+        public string e_cs { get { return string.Format("0x{0:x4}", _e_cs); } }
+        public string e_lfarlc { get { return string.Format("0x{0:x4}", _e_lfarlc); } }
+        public string e_ovno { get { return string.Format("0x{0:x4}", _e_ovno); } }
+        public ushort[] e_res1 { get { return _e_res1; } }
+        public string e_oemid { get { return string.Format("0x{0:x4}", _e_oemid); } }
+        public string e_oeminfo { get { return string.Format("0x{0:x4}", _e_oeminfo); } }
+        public ushort[] e_res2 { get { return _e_res2; } }
+        public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
+
+        public override string ToString()
+        {
+            return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
         }
-#endregion
-        #endregion
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_DOS_HEADER
-        {
-            public UInt16 _e_magic;
-            public UInt16 _e_cblp;
-            public UInt16 _e_cp;
-            public UInt16 _e_crlc;
-            public UInt16 _e_cparhdr;
-            public UInt16 _e_minalloc;
-            public UInt16 _e_maxalloc;
-            public UInt16 _e_ss;
-            public UInt16 _e_sp;
-            public UInt16 _e_csum;
-            public UInt16 _e_ip;
-            public UInt16 _e_cs;
-            public UInt16 _e_lfarlc;
-            public UInt16 _e_ovno;
-            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
-            public UInt16[] _e_res1;
-            public UInt16 _e_oemid;
-            public UInt16 _e_oeminfo;
-            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
-            public UInt16[] _e_res2;
-            public UInt32 _e_lfanew;
-
-            public string e_magic { get { return string.Format("0x{0:x4}", _e_magic); } }
-            public string e_cblp { get { return string.Format("0x{0:x4}", _e_cblp); } }
-            public string e_cp { get { return string.Format("0x{0:x4}", _e_cp); } }
-            public string e_crlc { get { return string.Format("0x{0:x4}", _e_crlc); } }
-            public string e_cparhdr { get { return string.Format("0x{0:x4}", _e_cparhdr); } }
-            public string e_minalloc { get { return string.Format("0x{0:x4}", _e_minalloc); } }
-            public string e_maxalloc { get { return string.Format("0x{0:x4}", _e_maxalloc); } }
-            public string e_ss { get { return string.Format("0x{0:x4}", _e_ss); } }
-            public string e_sp { get { return string.Format("0x{0:x4}", _e_sp); } }
-            public string e_csum { get { return string.Format("0x{0:x4}", _e_csum); } }
-            public string e_ip { get { return string.Format("0x{0:x4}", _e_ip); } }
-            public string e_cs { get { return string.Format("0x{0:x4}", _e_cs); } }
-            public string e_lfarlc { get { return string.Format("0x{0:x4}", _e_lfarlc); } }
-            public string e_ovno { get { return string.Format("0x{0:x4}", _e_ovno); } }
-            public ushort[] e_res1 { get { return _e_res1; } }
-            public string e_oemid { get { return string.Format("0x{0:x4}", _e_oemid); } }
-            public string e_oeminfo { get { return string.Format("0x{0:x4}", _e_oeminfo); } }
-            public ushort[] e_res2 { get { return _e_res2; } }
-            public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_NT_HEADERS
+    {
+        public UInt32 _Signature;
+        public IMAGE_FILE_HEADER _FileHeader;
+        public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
+        public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
+
+        public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
+        public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
+        public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32; } }
+        public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64; } }
 
-            public override string ToString()
+        public override string ToString()
+        {
+            return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
+        }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_FILE_HEADER
+    {
+        public UInt16 _MachineType;
+        public UInt16 _NumberOfSections;
+        public Int32 _TimeDateStamp;
+        public UInt32 _PointerToSymbolTable;
+        public UInt32 _NumberOfSymbols;
+        public UInt16 _SizeOfOptionalHeader;
+        public FileCharacteristicType _Characteristics;
+
+
+        public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
+        public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
+        public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
+        public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
+        public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
+        public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
+        public FileCharacteristicType Characteristics { get { return _Characteristics; } }
+        public override string ToString()
+        {
+            return MachineType;
+        }
+
+        private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate)
+        {
+            Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF);
+            Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16);
+            return GetDateTimeFromDosDateTime(i16Time, i16Date);
+        }
+        private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date)
+        {
+            try
+            {
+                int iYear = 0;
+                int iMonth = 1;
+                int iDay = 1;
+                int iHour = 0;
+                int iMinute = 0;
+                int iSecond = 0;
+                iDay = (i16Date & 0x1F);
+                iMonth = ((i16Date & 0x01E0) >> 5);
+                iYear = 1980 + ((i16Date & 0xFE00) >> 9);
+                iSecond = (i16Time & 0x1F) * 2;
+                iMinute = ((i16Time & 0x07E0) >> 5);
+                iHour = ((i16Time & 0x0F800) >> 11);
+                return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
+            }
+            catch
             {
-                return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
+                return new DateTime();
             }
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_NT_HEADERS
-        {
-            public UInt32 _Signature;
-            public IMAGE_FILE_HEADER _FileHeader;
-            public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
-            public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
-
-            public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
-            public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
-            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32; } }
-            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64; } }
 
-            public override string ToString()
-            {
-                return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
-            }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_OPTIONAL_HEADER32
+    {
+        public UInt16 _Magic;
+        public Byte _MajorLinkerVersion;
+        public Byte _MinorLinkerVersion;
+        public UInt32 _SizeOfCode;
+        public UInt32 _SizeOfInitializedData;
+        public UInt32 _SizeOfUninitializedData;
+        public UInt32 _AddressOfEntryPoint;
+        public UInt32 _BaseOfCode;
+        public UInt32 _BaseOfData; // 32-but specific
+        public UInt32 _ImageBase;
+        public UInt32 _SectionAlignment;
+        public UInt32 _FileAlignment;
+        public UInt16 _MajorOperatingSystemVersion;
+        public UInt16 _MinorOperatingSystemVersion;
+        public UInt16 _MajorImageVersion;
+        public UInt16 _MinorImageVersion;
+        public UInt16 _MajorSubsystemVersion;
+        public UInt16 _MinorSubsystemVersion;
+        public UInt32 _Win32VersionValue;
+        public UInt32 _SizeOfImage;
+        public UInt32 _SizeOfHeaders;
+        public UInt32 _CheckSum;
+        public UInt16 _Subsystem;
+        public UInt16 _DllCharacteristics;
+        public UInt32 _SizeOfStackReserve;
+        public UInt32 _SizeOfStackCommit;
+        public UInt32 _SizeOfHeapReserve;
+        public UInt32 _SizeOfHeapCommit;
+        public UInt32 _LoaderFlags;
+        public UInt32 _NumberOfRvaAndSizes;
+        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
+        public IMAGE_DATA_DIRECTORY[] _DataDirectory;
+
+
+        public string Magic { get { return ((MagicType)_Magic).ToString(); } }
+        public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+        public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+
+        public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
+        public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
+        public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
+        public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
+        public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
+        public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
+        public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
+
+        public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
+        public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
+
+        public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
+        public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
+        public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
+        public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
+        public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
+        public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
+
+        public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
+        public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
+        public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
+        public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
+
+        public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
+        public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
+
+        public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
+        public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
+        public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
+        public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
+
+        public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
+        public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
+        public override string ToString()
+        {
+            return Magic;
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_FILE_HEADER
-        {
-            public UInt16 _MachineType;
-            public UInt16 _NumberOfSections;
-            public Int32 _TimeDateStamp;
-            public UInt32 _PointerToSymbolTable;
-            public UInt32 _NumberOfSymbols;
-            public UInt16 _SizeOfOptionalHeader;
-            public FileCharacteristicType _Characteristics;
-
-
-            public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
-            public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
-            public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
-            public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
-            public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
-            public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
-            public FileCharacteristicType Characteristics { get { return _Characteristics; } }
-            public override string ToString()
-            {
-                return MachineType;
-            }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_OPTIONAL_HEADER64
+    {
+        public UInt16 _Magic;
+        public Byte _MajorLinkerVersion;
+        public Byte _MinorLinkerVersion;
+        public UInt32 _SizeOfCode;
+        public UInt32 _SizeOfInitializedData;
+        public UInt32 _SizeOfUninitializedData;
+        public UInt32 _AddressOfEntryPoint;
+        public UInt32 _BaseOfCode;
+        public UInt64 _ImageBase;
+        public UInt32 _SectionAlignment;
+        public UInt32 _FileAlignment;
+        public UInt16 _MajorOperatingSystemVersion;
+        public UInt16 _MinorOperatingSystemVersion;
+        public UInt16 _MajorImageVersion;
+        public UInt16 _MinorImageVersion;
+        public UInt16 _MajorSubsystemVersion;
+        public UInt16 _MinorSubsystemVersion;
+        public UInt32 _Win32VersionValue;
+        public UInt32 _SizeOfImage;
+        public UInt32 _SizeOfHeaders;
+        public UInt32 _CheckSum;
+        public UInt16 _Subsystem;
+        public UInt16 _DllCharacteristics;
+        public UInt64 _SizeOfStackReserve;
+        public UInt64 _SizeOfStackCommit;
+        public UInt64 _SizeOfHeapReserve;
+        public UInt64 _SizeOfHeapCommit;
+        public UInt32 _LoaderFlags;
+        public UInt32 _NumberOfRvaAndSizes;
+        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
+        public IMAGE_DATA_DIRECTORY[] _DataDirectory;
+
+
+        public string Magic { get { return ((MagicType)_Magic).ToString(); } }
+        public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+        public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+
+        public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
+        public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
+        public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
+        public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
+        public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
+
+        public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
+
+        public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
+        public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
+
+        public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
+        public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
+        public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
+        public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
+        public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
+        public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
+
+        public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
+        public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
+        public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
+        public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
+
+        public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
+        public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
+
+        public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
+        public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
+        public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
+        public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
 
-            private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate)
-            {
-                Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF);
-                Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16);
-                return GetDateTimeFromDosDateTime(i16Time, i16Date);
-            }
-            private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date)
-            {
-                try
-                {
-                    int iYear = 0;
-                    int iMonth = 1;
-                    int iDay = 1;
-                    int iHour = 0;
-                    int iMinute = 0;
-                    int iSecond = 0;
-                    iDay = (i16Date & 0x1F);
-                    iMonth = ((i16Date & 0x01E0) >> 5);
-                    iYear = 1980 + ((i16Date & 0xFE00) >> 9);
-                    iSecond = (i16Time & 0x1F) * 2;
-                    iMinute = ((i16Time & 0x07E0) >> 5);
-                    iHour = ((i16Time & 0x0F800) >> 11);
-                    return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
-                }
-                catch
-                {
-                    return new DateTime();
-                }
-            }
+        public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
+        public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
 
+        public override string ToString()
+        {
+            return Magic;
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_OPTIONAL_HEADER32
-        {
-            public UInt16 _Magic;
-            public Byte _MajorLinkerVersion;
-            public Byte _MinorLinkerVersion;
-            public UInt32 _SizeOfCode;
-            public UInt32 _SizeOfInitializedData;
-            public UInt32 _SizeOfUninitializedData;
-            public UInt32 _AddressOfEntryPoint;
-            public UInt32 _BaseOfCode;
-            public UInt32 _BaseOfData; // 32-but specific
-            public UInt32 _ImageBase;
-            public UInt32 _SectionAlignment;
-            public UInt32 _FileAlignment;
-            public UInt16 _MajorOperatingSystemVersion;
-            public UInt16 _MinorOperatingSystemVersion;
-            public UInt16 _MajorImageVersion;
-            public UInt16 _MinorImageVersion;
-            public UInt16 _MajorSubsystemVersion;
-            public UInt16 _MinorSubsystemVersion;
-            public UInt32 _Win32VersionValue;
-            public UInt32 _SizeOfImage;
-            public UInt32 _SizeOfHeaders;
-            public UInt32 _CheckSum;
-            public UInt16 _Subsystem;
-            public UInt16 _DllCharacteristics;
-            public UInt32 _SizeOfStackReserve;
-            public UInt32 _SizeOfStackCommit;
-            public UInt32 _SizeOfHeapReserve;
-            public UInt32 _SizeOfHeapCommit;
-            public UInt32 _LoaderFlags;
-            public UInt32 _NumberOfRvaAndSizes;
-            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
-            public IMAGE_DATA_DIRECTORY[] _DataDirectory;
-
-
-            public string Magic { get { return ((MagicType)_Magic).ToString(); } }
-            public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
-            public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
-
-            public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
-            public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
-            public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
-            public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
-            public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
-            public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
-            public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
-
-            public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
-            public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
-
-            public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
-            public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
-            public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
-            public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
-            public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
-            public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
-
-            public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
-            public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
-            public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
-            public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
-
-            public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
-            public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
-
-            public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
-            public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
-            public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
-            public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
-
-            public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
-            public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
-            public override string ToString()
-            {
-                return Magic;
-            }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_DATA_DIRECTORY
+    {
+        public UInt32 _VirtualAddress;
+        public UInt32 _Size;
+
+        public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
+        public string Size { get { return string.Format("0x{0:x8}", _Size); } }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Sequential)]
+    public struct IMAGE_SECTION_HEADER
+    {
+        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
+        public string _Name;
+        public Misc _Misc;
+        public UInt32 _VirtualAddress;
+        public UInt32 _SizeOfRawData;
+        public UInt32 _PointerToRawData;
+        public UInt32 _PointerToRelocations;
+        public UInt32 _PointerToLinenumbers;
+        public UInt16 _NumberOfRelocations;
+        public UInt16 _NumberOfLinenumbers;
+        public DataSectionFlags _Characteristics;
+
+        public string Name { get { return _Name; } }
+        public Misc Misc { get { return _Misc; } }
+        public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
+        public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
+        public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
+        public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
+        public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
+        public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
+        public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
+        public string Characteristics { get { return _Characteristics.ToString(); } }
+        public override string ToString()
+        {
+            return Name;
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_OPTIONAL_HEADER64
-        {
-            public UInt16 _Magic;
-            public Byte _MajorLinkerVersion;
-            public Byte _MinorLinkerVersion;
-            public UInt32 _SizeOfCode;
-            public UInt32 _SizeOfInitializedData;
-            public UInt32 _SizeOfUninitializedData;
-            public UInt32 _AddressOfEntryPoint;
-            public UInt32 _BaseOfCode;
-            public UInt64 _ImageBase;
-            public UInt32 _SectionAlignment;
-            public UInt32 _FileAlignment;
-            public UInt16 _MajorOperatingSystemVersion;
-            public UInt16 _MinorOperatingSystemVersion;
-            public UInt16 _MajorImageVersion;
-            public UInt16 _MinorImageVersion;
-            public UInt16 _MajorSubsystemVersion;
-            public UInt16 _MinorSubsystemVersion;
-            public UInt32 _Win32VersionValue;
-            public UInt32 _SizeOfImage;
-            public UInt32 _SizeOfHeaders;
-            public UInt32 _CheckSum;
-            public UInt16 _Subsystem;
-            public UInt16 _DllCharacteristics;
-            public UInt64 _SizeOfStackReserve;
-            public UInt64 _SizeOfStackCommit;
-            public UInt64 _SizeOfHeapReserve;
-            public UInt64 _SizeOfHeapCommit;
-            public UInt32 _LoaderFlags;
-            public UInt32 _NumberOfRvaAndSizes;
-            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
-            public IMAGE_DATA_DIRECTORY[] _DataDirectory;
-
-
-            public string Magic { get { return ((MagicType)_Magic).ToString(); } }
-            public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
-            public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
-
-            public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
-            public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
-            public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
-            public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
-            public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
-
-            public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
-
-            public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
-            public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
-
-            public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
-            public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
-            public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
-            public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
-            public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
-            public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
-
-            public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
-            public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
-            public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
-            public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
-
-            public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
-            public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
-
-            public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
-            public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
-            public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
-            public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
+    }
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    [StructLayout(LayoutKind.Explicit)]
+    public struct Misc
+    {
+        [FieldOffset(0)]
+        public UInt32 _PhysicalAddress;
+        [FieldOffset(0)]
+        public UInt32 _VirtualSize;
 
-            public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
-            public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
+        public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
+        public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
 
-            public override string ToString()
-            {
-                return Magic;
-            }
+    }
+
+    #endregion
+    #region SECTION_DATA_ARRAY
+    [TypeConverter(typeof(ExpandableObjectConverter))]
+    public class SECTION_DATA_ARRAY
+    {
+        public SECTION_DATA_ARRAY() { Name = ""; Data = new byte[] { }; _Address = 0; _PointerToData = 0; }
+        public SECTION_DATA_ARRAY(string name, int address, int pointertodata, byte[] data)
+        {
+            Name = name;
+            _Address = address;
+            _PointerToData = pointertodata;
+            Data = data;
+        }
+
+        public string Name { get; private set; }
+        private int _Address;
+        public string Address { get { return string.Format("0x{0:x8}", _Address); } }
+        private int _PointerToData;
+        public string PointerToData { get { return string.Format("0x{0:x8}", _PointerToData); } }
+        public byte[] Data { get; set; }
+        public override string ToString()
+        {
+            return string.Format("{0} ({1}) ({2}) {3}", Name, Address, PointerToData, Data.Count());
+        }
+    }
+    #endregion
+    #region IMAGE_SECTION_DATA
+    public class IMAGE_SECTION_DATA
+    {
+        private List<SECTION_DATA_ARRAY> sdas = new List<SECTION_DATA_ARRAY>();
+        public IMAGE_SECTION_DATA() { }
+        public void AddData(string SectionName, int SectionAddress, int PointerToData, byte[] SectionData)
+        {
+            SECTION_DATA_ARRAY sda = new SECTION_DATA_ARRAY(SectionName, SectionAddress, PointerToData, SectionData);
+            sdas.Add(sda);
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_DATA_DIRECTORY
-        {
-            public UInt32 _VirtualAddress;
-            public UInt32 _Size;
-
-            public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
-            public string Size { get { return string.Format("0x{0:x8}", _Size); } }
-        }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Sequential)]
-        public struct IMAGE_SECTION_HEADER
-        {
-            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
-            public string _Name;
-            public Misc _Misc;
-            public UInt32 _VirtualAddress;
-            public UInt32 _SizeOfRawData;
-            public UInt32 _PointerToRawData;
-            public UInt32 _PointerToRelocations;
-            public UInt32 _PointerToLinenumbers;
-            public UInt16 _NumberOfRelocations;
-            public UInt16 _NumberOfLinenumbers;
-            public DataSectionFlags _Characteristics;
-
-            public string Name { get { return _Name; } }
-            public Misc Misc { get { return _Misc; } }
-            public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
-            public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
-            public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
-            public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
-            public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
-            public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
-            public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
-            public string Characteristics { get { return _Characteristics.ToString(); } }
-            public override string ToString()
+        public SECTION_DATA_ARRAY[] SectionData
+        {
+            get
             {
-                return Name;
+                return sdas.ToArray();
             }
         }
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        [StructLayout(LayoutKind.Explicit)]
-        public struct Misc
-        {
-            [FieldOffset(0)]
-            public UInt32 _PhysicalAddress;
-            [FieldOffset(0)]
-            public UInt32 _VirtualSize;
+    }
+    #endregion
 
-            public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
-            public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
 
+    #region PEData
+    public interface IPEDData
+    {
+        IMAGE_DOS_HEADER DosHeader { get; }
+        IMAGE_NT_HEADERS NTHeader { get; }
+        IMAGE_SECTION_HEADER[] SectionHeaders { get; }
+        SECTION_DATA_ARRAY[] SectionData { get; }
+        bool Is32bitAssembly();
+    }
+    public class PEDataWrapper
+    {
+        #region static members
+        public static IPEDData GetPEData(IAcceptsProcessAndConfig p) { return GetPEData((IAcceptsProcess)p.AcceptedProcess); }
+        public static IPEDData GetPEData(IAcceptsProcess p) { return GetPEData(p.AcceptedProcess); }
+        public static IPEDData GetPEData(Process p)
+        {
+            if (p == null)
+                return PEData.Empty;
+            return new PEData(p);
         }
-
+        public static IPEDData GetPEData()
+        {
+            return PEData.Empty;
+        }        
         #endregion
+    }
+    internal class PEData : IPEDData
+    {
+        //public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }, new IMAGE_SECTION_DATA()) { }
+        //public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders, IMAGE_SECTION_DATA isd)
+        //{
+        //    this.DosHeader = DosHeader;
+        //    this.NTHeader = NTHeader;
+        //    this.SectionHeaders = SectionHeaders;
+        //    this.isd = isd;
+        //}
+        public static readonly IPEDData Empty = new PEData();
+        public PEData()
+        {
+            SourceProcess = null;
+            DosHeader = new IMAGE_DOS_HEADER();
+            NTHeader = new IMAGE_NT_HEADERS();
+            SectionHeaders = new IMAGE_SECTION_HEADER[] { };
+            isd = new IMAGE_SECTION_DATA();
+        }
+        public PEData(IAcceptsProcessAndConfig p) : this((IAcceptsProcess)p.AcceptedProcess) { }
+        public PEData(IAcceptsProcess p) : this(p.AcceptedProcess) { }
+        public PEData(Process p)
+        {
+            SourceProcess = p;
+            if (SourceProcess == null)
+                throw new NullReferenceException("Supplied process cannot be null");
+            PEReader reader = new PEReader(SourceProcess);
+            this.DosHeader = reader._dosHeader;
+            this.NTHeader = reader._ntHeaders;
+            this.SectionHeaders = reader._sectionHeaders.ToArray();
+            isd = reader._SectionData;
+        }
+        private Process SourceProcess { get; set; }
+        #region IPEDData members
+        public IMAGE_DOS_HEADER DosHeader { get; private set; }
+        public IMAGE_NT_HEADERS NTHeader { get; private set; }
+        public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
+        private IMAGE_SECTION_DATA isd;
+        public SECTION_DATA_ARRAY[] SectionData { get { return isd.SectionData; } }
+        public bool Is32bitAssembly()
+        {
+            return NTHeader.FileHeader._Characteristics.HasFlag(FileCharacteristicType.Supports32Bit);
+        }
+        #endregion      
+    }
+    #endregion
+
+    internal class PEReader
+    {
+        // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
 
         #region Fields
 
-        private readonly IMAGE_DOS_HEADER _dosHeader;
-        private IMAGE_NT_HEADERS _ntHeaders;
-        private readonly IList<IMAGE_SECTION_HEADER> _sectionHeaders = new List<IMAGE_SECTION_HEADER>();
-        private readonly IMAGE_SECTION_DATA _SectionData = new IMAGE_SECTION_DATA();
+        internal readonly IMAGE_DOS_HEADER _dosHeader;
+        internal IMAGE_NT_HEADERS _ntHeaders;
+        internal readonly IList<IMAGE_SECTION_HEADER> _sectionHeaders = new List<IMAGE_SECTION_HEADER>();
+        internal readonly IMAGE_SECTION_DATA _SectionData = new IMAGE_SECTION_DATA();
         #endregion
-
-        [TypeConverter(typeof(ExpandableObjectConverter))]
-        public class SECTION_DATA_ARRAY
-        {
-            public SECTION_DATA_ARRAY() { Name = ""; Data = new byte[] { }; _Address = 0; _PointerToData = 0; }
-            public SECTION_DATA_ARRAY(string name, int address, int pointertodata, byte[] data) 
-            {
-                Name = name;
-                _Address = address;
-                _PointerToData = pointertodata;
-                Data = data;
-            }
-            
-            public string Name { get; private set; }
-            private int _Address;
-            public string Address { get { return string.Format("0x{0:x8}", _Address); }}
-            private int _PointerToData;
-            public string PointerToData { get { return string.Format("0x{0:x8}", _PointerToData); } }
-            public byte[] Data { get; set; }
-            public override string ToString()
-            {
-                return string.Format("{0} ({1}) ({2}) {3}", Name, Address, PointerToData, Data.Count());
-            }
-        }
-        public class IMAGE_SECTION_DATA
-        {
-            private List<SECTION_DATA_ARRAY> sdas = new List<SECTION_DATA_ARRAY>();
-            public IMAGE_SECTION_DATA() { }
-            public void AddData(string SectionName, int SectionAddress, int PointerToData, byte[] SectionData)
-            {
-                SECTION_DATA_ARRAY sda = new SECTION_DATA_ARRAY(SectionName, SectionAddress, PointerToData, SectionData);
-                sdas.Add(sda);
-            }
-            public SECTION_DATA_ARRAY[] SectionData
-            {
-                get
-                {
-                    return sdas.ToArray();
-                }
-            }
-        }
-
         #region logging implementation
         private static class log
         {
@@ -727,42 +805,9 @@
         #endregion
 
 
-        public PEData GetPEData
-        {
-            get
-            {
-                PEData _data = new PEData(_dosHeader, _ntHeaders, _sectionHeaders.ToArray(), _SectionData);
-                return _data;
-            }
-        }
-        #region PEData
-        public class PEData
-        {
-            public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }, new IMAGE_SECTION_DATA()) { }
-            public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders, IMAGE_SECTION_DATA isd)
-            {
-                this.DosHeader = DosHeader;
-                this.NTHeader = NTHeader;
-                this.SectionHeaders = SectionHeaders;
-                this.isd = isd;
-            }
-            public IMAGE_DOS_HEADER DosHeader { get; private set; }
-            public IMAGE_NT_HEADERS NTHeader { get; private set; }
-            public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
-
-            private IMAGE_SECTION_DATA isd;
-            public SECTION_DATA_ARRAY[] SectionData { get { return isd.SectionData; } }
-            public bool Is32bitAssembly()
-            {
-                return NTHeader.FileHeader._Characteristics.HasFlag(FileCharacteristicType.Supports32Bit);
-            }
-        }
-
-        #endregion
-
-        public PEReader(FileInfo fi, IAcceptsProcessAndConfig pconfig) : this(fi.FullName, pconfig) { }
-        public PEReader(string filename, IAcceptsProcessAndConfig pconfig)
+        public PEReader(Process p)
         {
+            string filename = p.MainModule.FileName;
             Exception ErrorInfo = null;
             _SectionData = new IMAGE_SECTION_DATA();
             using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read))
@@ -846,7 +891,7 @@
                         //provider.CloseProvider();
 
                         // Skip to beginning of a section
-                        reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);     
+                        reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);
                         // Read section data... and do something with it
                         byte[] sectiondata = reader.ReadBytes((int)header._SizeOfRawData);
                         _SectionData.AddData(header.Name, (int)header._VirtualAddress + image_base, (int)header._PointerToRawData, sectiondata);

 

  ViewVC Help
Powered by ViewVC 1.1.22