2011-10-26 20:20:38 +08:00
|
|
|
|
/*
|
2012-01-10 06:02:47 +08:00
|
|
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
2011-10-26 20:20:38 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.IO;
|
|
|
|
|
|
2012-04-10 22:32:15 +08:00
|
|
|
|
namespace de4dot.PE {
|
2011-12-09 16:02:06 +08:00
|
|
|
|
public class PeImage {
|
2011-10-26 20:20:38 +08:00
|
|
|
|
BinaryReader reader;
|
|
|
|
|
BinaryWriter writer;
|
|
|
|
|
FileHeader fileHeader;
|
|
|
|
|
OptionalHeader optionalHeader;
|
|
|
|
|
SectionHeader[] sectionHeaders;
|
2011-10-28 04:21:45 +08:00
|
|
|
|
Cor20Header cor20Header;
|
|
|
|
|
SectionHeader dotNetSection;
|
2011-12-01 01:23:47 +08:00
|
|
|
|
Resources resources;
|
2011-10-26 20:20:38 +08:00
|
|
|
|
|
2011-10-29 08:20:44 +08:00
|
|
|
|
public BinaryReader Reader {
|
|
|
|
|
get { return reader; }
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-21 03:11:32 +08:00
|
|
|
|
public uint ImageLength {
|
|
|
|
|
get { return (uint)reader.BaseStream.Length; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
public Cor20Header Cor20Header {
|
2011-10-29 08:20:44 +08:00
|
|
|
|
get { return cor20Header; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
public Resources Resources {
|
2011-12-01 01:23:47 +08:00
|
|
|
|
get { return resources; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-23 08:01:27 +08:00
|
|
|
|
public OptionalHeader OptionalHeader {
|
|
|
|
|
get { return optionalHeader; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
public SectionHeader[] Sections {
|
2012-02-05 23:14:46 +08:00
|
|
|
|
get { return sectionHeaders; }
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-21 13:38:44 +08:00
|
|
|
|
public uint FileHeaderOffset {
|
|
|
|
|
get { return fileHeader.Offset; }
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-26 20:20:38 +08:00
|
|
|
|
public PeImage(byte[] data)
|
|
|
|
|
: this(new MemoryStream(data)) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public PeImage(Stream stream) {
|
|
|
|
|
reader = new BinaryReader(stream);
|
2011-12-01 01:23:47 +08:00
|
|
|
|
if (stream.CanWrite)
|
|
|
|
|
writer = new BinaryWriter(stream);
|
2011-10-26 20:20:38 +08:00
|
|
|
|
|
|
|
|
|
init();
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-25 05:00:36 +08:00
|
|
|
|
public SectionHeader findSection(string displayName) {
|
|
|
|
|
foreach (var section in sectionHeaders) {
|
|
|
|
|
if (section.displayName == displayName)
|
|
|
|
|
return section;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-26 20:20:38 +08:00
|
|
|
|
void seek(uint position) {
|
|
|
|
|
reader.BaseStream.Position = position;
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-28 04:21:45 +08:00
|
|
|
|
void seekRva(uint rva) {
|
|
|
|
|
seek(rvaToOffset(rva));
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-26 20:20:38 +08:00
|
|
|
|
void skip(int bytes) {
|
|
|
|
|
reader.BaseStream.Position += bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void init() {
|
|
|
|
|
seek(0);
|
|
|
|
|
if (reader.ReadUInt16() != 0x5A4D)
|
|
|
|
|
throw new BadImageFormatException("Not a PE file");
|
|
|
|
|
skip(29 * 2);
|
|
|
|
|
seek(reader.ReadUInt32());
|
|
|
|
|
|
|
|
|
|
if (reader.ReadUInt32() != 0x4550)
|
|
|
|
|
throw new BadImageFormatException("Not a PE file");
|
|
|
|
|
fileHeader = new FileHeader(reader);
|
|
|
|
|
optionalHeader = new OptionalHeader(reader);
|
|
|
|
|
|
|
|
|
|
sectionHeaders = new SectionHeader[fileHeader.numberOfSections];
|
|
|
|
|
for (int i = 0; i < sectionHeaders.Length; i++)
|
|
|
|
|
sectionHeaders[i] = new SectionHeader(reader);
|
2011-10-28 04:21:45 +08:00
|
|
|
|
|
2011-12-01 01:23:47 +08:00
|
|
|
|
uint netRva = optionalHeader.dataDirectories[14].virtualAddress;
|
|
|
|
|
if (netRva != 0) {
|
|
|
|
|
seekRva(netRva);
|
2011-10-28 04:21:45 +08:00
|
|
|
|
cor20Header = new Cor20Header(reader);
|
2012-04-10 21:09:59 +08:00
|
|
|
|
dotNetSection = getSectionHeaderRva(netRva);
|
2011-11-06 19:13:31 +08:00
|
|
|
|
seekRva(cor20Header.metadataDirectory.virtualAddress);
|
2011-10-29 08:20:44 +08:00
|
|
|
|
cor20Header.initMetadataTable();
|
2011-10-28 04:21:45 +08:00
|
|
|
|
}
|
2011-12-01 01:23:47 +08:00
|
|
|
|
|
|
|
|
|
uint resourceRva = optionalHeader.dataDirectories[2].virtualAddress;
|
|
|
|
|
uint resourceOffset = 0;
|
|
|
|
|
if (resourceRva != 0)
|
|
|
|
|
resourceOffset = rvaToOffset(resourceRva);
|
|
|
|
|
resources = new Resources(reader, resourceOffset, optionalHeader.dataDirectories[2].size);
|
2011-10-26 20:20:38 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
SectionHeader getSectionHeaderRva(uint rva) {
|
2011-10-26 20:20:38 +08:00
|
|
|
|
for (int i = 0; i < sectionHeaders.Length; i++) {
|
|
|
|
|
var section = sectionHeaders[i];
|
2012-03-25 02:13:58 +08:00
|
|
|
|
if (section.virtualAddress <= rva && rva < section.virtualAddress + Math.Max(section.virtualSize, section.sizeOfRawData))
|
2011-10-26 20:20:38 +08:00
|
|
|
|
return section;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
SectionHeader getSectionHeaderOffset(uint offset) {
|
|
|
|
|
for (int i = 0; i < sectionHeaders.Length; i++) {
|
|
|
|
|
var section = sectionHeaders[i];
|
|
|
|
|
if (section.pointerToRawData <= offset && offset < section.pointerToRawData + section.sizeOfRawData)
|
|
|
|
|
return section;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-06 19:13:31 +08:00
|
|
|
|
public uint rvaToOffset(uint rva) {
|
2012-04-10 21:09:59 +08:00
|
|
|
|
var section = getSectionHeaderRva(rva);
|
2011-10-26 20:20:38 +08:00
|
|
|
|
if (section == null)
|
|
|
|
|
throw new ApplicationException(string.Format("Invalid RVA {0:X8}", rva));
|
|
|
|
|
return rva - section.virtualAddress + section.pointerToRawData;
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-10 21:09:59 +08:00
|
|
|
|
public uint offsetToRva(uint offset) {
|
|
|
|
|
var section = getSectionHeaderOffset(offset);
|
|
|
|
|
if (section == null)
|
|
|
|
|
throw new ApplicationException(string.Format("Invalid offset {0:X8}", offset));
|
|
|
|
|
return offset - section.pointerToRawData + section.virtualAddress;
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-28 04:21:45 +08:00
|
|
|
|
bool intersect(uint offset1, uint length1, uint offset2, uint length2) {
|
|
|
|
|
return !(offset1 + length1 <= offset2 || offset2 + length2 <= offset1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool intersect(uint offset, uint length, IFileLocation location) {
|
|
|
|
|
return intersect(offset, length, location.Offset, location.Length);
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-21 03:11:32 +08:00
|
|
|
|
public bool dotNetSafeWriteOffset(uint offset, byte[] data) {
|
2011-10-28 04:21:45 +08:00
|
|
|
|
if (cor20Header != null) {
|
|
|
|
|
uint length = (uint)data.Length;
|
|
|
|
|
|
|
|
|
|
if (!dotNetSection.isInside(offset, length))
|
|
|
|
|
return false;
|
|
|
|
|
if (intersect(offset, length, cor20Header))
|
|
|
|
|
return false;
|
|
|
|
|
if (intersect(offset, length, cor20Header.MetadataOffset, cor20Header.MetadataHeaderLength))
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-21 03:11:32 +08:00
|
|
|
|
offsetWrite(offset, data);
|
2011-10-28 04:21:45 +08:00
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-21 03:11:32 +08:00
|
|
|
|
public bool dotNetSafeWrite(uint rva, byte[] data) {
|
|
|
|
|
return dotNetSafeWriteOffset(rvaToOffset(rva), data);
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-26 20:20:38 +08:00
|
|
|
|
public void write(uint rva, byte[] data) {
|
2011-10-28 04:21:45 +08:00
|
|
|
|
seekRva(rva);
|
2011-10-26 20:20:38 +08:00
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
2011-10-27 01:41:23 +08:00
|
|
|
|
|
2012-04-23 20:47:05 +08:00
|
|
|
|
public void writeUInt16(uint rva, ushort data) {
|
2011-11-06 19:13:31 +08:00
|
|
|
|
seekRva(rva);
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-23 20:47:05 +08:00
|
|
|
|
public void writeUInt32(uint rva, uint data) {
|
2011-11-06 19:13:31 +08:00
|
|
|
|
seekRva(rva);
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-29 08:20:44 +08:00
|
|
|
|
public byte readByte(uint rva) {
|
|
|
|
|
seekRva(rva);
|
|
|
|
|
return reader.ReadByte();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public ushort readUInt16(uint rva) {
|
|
|
|
|
seekRva(rva);
|
|
|
|
|
return reader.ReadUInt16();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public uint readUInt32(uint rva) {
|
|
|
|
|
seekRva(rva);
|
|
|
|
|
return reader.ReadUInt32();
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-27 01:41:23 +08:00
|
|
|
|
public int readInt32(uint rva) {
|
2011-10-28 04:21:45 +08:00
|
|
|
|
seekRva(rva);
|
2011-10-27 01:41:23 +08:00
|
|
|
|
return reader.ReadInt32();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public byte[] readBytes(uint rva, int size) {
|
2011-10-28 04:21:45 +08:00
|
|
|
|
seekRva(rva);
|
2011-10-27 01:41:23 +08:00
|
|
|
|
return reader.ReadBytes(size);
|
|
|
|
|
}
|
2011-10-29 08:20:44 +08:00
|
|
|
|
|
2011-12-21 03:11:32 +08:00
|
|
|
|
public void offsetWrite(uint offset, byte[] data) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-06 19:13:31 +08:00
|
|
|
|
public byte[] offsetReadBytes(uint offset, int size) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
return reader.ReadBytes(size);
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-29 08:20:44 +08:00
|
|
|
|
public uint offsetRead(uint offset, int size) {
|
|
|
|
|
if (size == 2) return offsetReadUInt16(offset);
|
|
|
|
|
if (size == 4) return offsetReadUInt32(offset);
|
|
|
|
|
throw new NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-01 01:23:47 +08:00
|
|
|
|
public byte offsetReadByte(uint offset) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
return reader.ReadByte();
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-29 08:20:44 +08:00
|
|
|
|
public ushort offsetReadUInt16(uint offset) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
return reader.ReadUInt16();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public uint offsetReadUInt32(uint offset) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
return reader.ReadUInt32();
|
|
|
|
|
}
|
2011-11-06 19:13:31 +08:00
|
|
|
|
|
|
|
|
|
public void offsetWrite(uint offset, uint data, int size) {
|
|
|
|
|
if (size == 2)
|
|
|
|
|
offsetWriteUInt16(offset, (ushort)data);
|
|
|
|
|
else if (size == 4)
|
|
|
|
|
offsetWriteUInt32(offset, data);
|
|
|
|
|
else
|
|
|
|
|
throw new NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void offsetWriteUInt16(uint offset, ushort data) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void offsetWriteUInt32(uint offset, uint data) {
|
|
|
|
|
seek(offset);
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
}
|
2012-04-23 08:01:27 +08:00
|
|
|
|
|
|
|
|
|
public byte[] readAllBytes() {
|
|
|
|
|
seek(0);
|
|
|
|
|
return reader.ReadBytes((int)reader.BaseStream.Length);
|
|
|
|
|
}
|
2011-10-26 20:20:38 +08:00
|
|
|
|
}
|
|
|
|
|
}
|