// Prints a human-readable dump of the loaded module's PE headers to stdout:
// file name and size first, then the DOS header, the file header, the 32- or
// 64-bit optional header (with the checksum value), and every section header.
// Does nothing when no module is loaded.
//
// NOTE(review): SectionHeader(i) is handed to CrDumpSectionHeader without a
// null check; presumably it is valid for every i < NumberOfSections() --
// confirm that the section count was validated against the file size when
// the module was loaded.
void CR_Module::DumpHeaders()
{
    if (!IsModuleLoaded())
    {
        return;
    }

    // The file name is wide under _UNICODE, so the format specifier differs.
#ifdef _UNICODE
    printf("FileName: %ls, FileSize: 0x%08lX (%lu)\n",
           GetFileName(), GetFileSize(), GetFileSize());
#else
    printf("FileName: %s, FileSize: 0x%08lX (%lu)\n",
           GetFileName(), GetFileSize(), GetFileSize());
#endif

    if (DOSHeader())
        CrDumpDOSHeader(DOSHeader());

    if (FileHeader())
        CrDumpFileHeader(FileHeader());

    // Only one of the two optional-header flavours is dumped.
    if (OptionalHeader32())
        CrDumpOptionalHeader32(OptionalHeader32(), CheckSum());
    else if (OptionalHeader64())
        CrDumpOptionalHeader64(OptionalHeader64(), CheckSum());

    if (!SectionHeaders())
        return;

    const DWORD sectionCount = NumberOfSections();
    for (DWORD index = 0; index < sectionCount; ++index)
    {
        printf("\n### Section #%lu ###\n", index);
        CrDumpSectionHeader(SectionHeader(index));
    }
}
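// Parses the PE image held in _data and locates the CLR (.NET) header.
//
// Steps: read e_lfanew from the MS-DOS header, check the PE signature, read
// the file header and the 32- or 64-bit optional header, collect the section
// headers, map the CLR data directory RVA to a file offset and hand the stream
// to ParseNetInformation(). The result is cached: a second call is a no-op.
//
// The buffer is untrusted input. Every offset taken from it is checked against
// the buffer size and every stream read is checked for success, so a truncated
// or malformed file is rejected instead of being parsed from uninitialized
// structures.
//
// Throws WrongFileFormatException when the image is truncated, malformed or has
// no CLR data directory, and TextSectionIsNotFoundException when no section
// contains the CLR header RVA.
//
// NOTE(review): the optional header is read at its full structure size rather
// than header.SizeOfOptionalHeader. The PE format places the section table
// SizeOfOptionalHeader bytes after the start of the optional header, so an
// image with a non-standard value would be misparsed -- confirm whether such
// images need to be supported.
void CPEReader::Parse()
{
	if (_isParsed)
		return; // avoid double parsing from different branches of code

	// 64-bit arithmetic so that sums of 32-bit file fields cannot wrap.
	const unsigned long long dataSize = _data->size();
	const unsigned long long dosHeaderSize = 0x40; // e_lfanew occupies bytes 0x3c..0x3f
	if (dataSize < dosHeaderSize)
	{
		throw net_protector::Exceptions::WrongFileFormatException("File is too small to contain an MS-DOS header");
	}

	std::istrstream dataStream(reinterpret_cast<char*>(&(_data->operator[](0))), _data->size());

	// Read e_lfanew through the stream instead of dereferencing a cast pointer
	// into the buffer, which would be an unaligned, unchecked access.
	unsigned int startOffset = 0;
	dataStream.seekg(0x3c);
	dataStream.read(reinterpret_cast<char*>(&startOffset), sizeof(startOffset));
	if (!dataStream || startOffset > dataSize - 4 - sizeof(IMAGE_FILE_HEADER))
	{
		throw net_protector::Exceptions::WrongFileFormatException("PE header offset points outside the file");
	}

	// pass the msdos header and msdos stub, then consume the PE signature
	char signature[4] = {0};
	dataStream.seekg(startOffset);
	dataStream.read(signature, sizeof(signature));
	if (!dataStream || signature[0] != 'P' || signature[1] != 'E' || signature[2] != 0 || signature[3] != 0)
	{
		throw net_protector::Exceptions::WrongFileFormatException("PE signature is not found");
	}

	IMAGE_FILE_HEADER header;
	dataStream.read(reinterpret_cast<char*>(&header), sizeof(IMAGE_FILE_HEADER));
	if (!dataStream)
	{
		throw net_protector::Exceptions::WrongFileFormatException("File is truncated inside the PE file header");
	}
	ParseImageFileHeader(header);

	IMAGE_DATA_DIRECTORY clrInfo = {0};
	if (_bIs64)
	{
		IMAGE_OPTIONAL_HEADER64 optionalHeader64;
		dataStream.read(reinterpret_cast<char*>(&optionalHeader64), sizeof(IMAGE_OPTIONAL_HEADER64));
		if (!dataStream)
		{
			throw net_protector::Exceptions::WrongFileFormatException("File is truncated inside the PE optional header");
		}
		clrInfo = optionalHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR];
	}
	else
	{
		IMAGE_OPTIONAL_HEADER32 optionalHeader32;
		dataStream.read(reinterpret_cast<char*>(&optionalHeader32), sizeof(IMAGE_OPTIONAL_HEADER32));
		if (!dataStream)
		{
			throw net_protector::Exceptions::WrongFileFormatException("File is truncated inside the PE optional header");
		}
		clrInfo = optionalHeader32.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR];
	}

	if ((clrInfo.Size == 0) && (clrInfo.VirtualAddress == 0))
	{
		throw net_protector::Exceptions::WrongFileFormatException("Cannot find CLR header. Probably not a .NET file");
	}

	// Collect the section headers. NumberOfSections comes from the file, so
	// each read is checked: a count larger than the remaining data is rejected
	// rather than filling the list with unread structures.
	for (int i = 0; i < header.NumberOfSections; i++)
	{
		IMAGE_SECTION_HEADER sectionHeader;
		dataStream.read(reinterpret_cast<char*>(&sectionHeader), sizeof(IMAGE_SECTION_HEADER));
		if (!dataStream)
		{
			throw net_protector::Exceptions::WrongFileFormatException("File is truncated inside the section table");
		}
		_sectionHeaders.push_back(sectionHeader);
	}

	IMAGE_SECTION_HEADER clrInfoSectionHeader = utils::PeHelper::GetHeaderByRVA(clrInfo.VirtualAddress, SectionHeaders());
	if (clrInfoSectionHeader.VirtualAddress == 0)
	{
		throw Exceptions::TextSectionIsNotFoundException("Cannot locate the CLR header (section is not found)");
	}

	// The CLR header must lie at or after the start of its section; the old
	// abs() on a wrapped unsigned difference hid an inverted subtraction and
	// gives a wrong offset where long is wider than 32 bits.
	if (clrInfo.VirtualAddress < clrInfoSectionHeader.VirtualAddress)
	{
		throw net_protector::Exceptions::WrongFileFormatException("CLR header RVA lies before its section");
	}
	const unsigned int rvaDelta = clrInfo.VirtualAddress - clrInfoSectionHeader.VirtualAddress;
	const unsigned long long clrFileOffset = static_cast<unsigned long long>(clrInfoSectionHeader.PointerToRawData) + rvaDelta;
	if (clrFileOffset >= dataSize)
	{
		throw net_protector::Exceptions::WrongFileFormatException("CLR header offset points outside the file");
	}

	_textSectionRawOffset = clrInfoSectionHeader.PointerToRawData;
	_textSectionRVA = clrInfoSectionHeader.VirtualAddress;
	_clrOffset = clrInfoSectionHeader.PointerToRawData + rvaDelta;

	dataStream.seekg(_clrOffset, dataStream.beg);
	ParseNetInformation(dataStream);

	if ((GetCor20Header().Flags & COMIMAGE_FLAGS_32BITREQUIRED) != 0)
	{
		_cpuVersion = CpuVersion::x86;
	}

	_isParsed = true;
}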