From aff3745859bc3dc06d8dc9b7b757e652d95104a5 Mon Sep 17 00:00:00 2001 From: Matt Nadareski Date: Sat, 5 Nov 2022 00:17:26 -0700 Subject: [PATCH] Add PE COFF symbol table --- .../COFFSymbolTableEntry.cs | 70 +++++++++++++++++++ .../PortableExecutable/Executable.cs | 7 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 BurnOutSharp.Models/PortableExecutable/COFFSymbolTableEntry.cs diff --git a/BurnOutSharp.Models/PortableExecutable/COFFSymbolTableEntry.cs b/BurnOutSharp.Models/PortableExecutable/COFFSymbolTableEntry.cs new file mode 100644 index 00000000..2d8877f9 --- /dev/null +++ b/BurnOutSharp.Models/PortableExecutable/COFFSymbolTableEntry.cs @@ -0,0 +1,70 @@ +using System.Runtime.InteropServices; + +namespace BurnOutSharp.Models.PortableExecutable +{ + /// + /// The symbol table in this section is inherited from the traditional + /// COFF format. It is distinct from Microsoft Visual C++ debug information. + /// A file can contain both a COFF symbol table and Visual C++ debug + /// information, and the two are kept separate. Some Microsoft tools use + /// the symbol table for limited but important purposes, such as + /// communicating COMDAT information to the linker. Section names and file + /// names, as well as code and data symbols, are listed in the symbol table. + /// + /// The location of the symbol table is indicated in the COFF header. + /// + /// The symbol table is an array of records, each 18 bytes long. Each record + /// is either a standard or auxiliary symbol-table record. A standard record + /// defines a symbol or name. + /// + /// + [StructLayout(LayoutKind.Explicit)] + public class COFFSymbolTableEntry + { + /// + /// An array of 8 bytes. This array is padded with nulls on the right if + /// the name is less than 8 bytes long. + /// + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] + [FieldOffset(0)] public byte[] ShortName; + + /// + /// A field that is set to all zeros if the name is longer than 8 bytes. + /// + [FieldOffset(0)] public uint Zeroes; + + /// + /// An offset into the string table. + /// + [FieldOffset(4)] public uint Offset; + + /// + /// The value that is associated with the symbol. The interpretation of this + /// field depends on SectionNumber and StorageClass. A typical meaning is the + /// relocatable address. + /// + [FieldOffset(8)] public uint Value; + + /// + /// The signed integer that identifies the section, using a one-based index + /// into the section table. Some values have special meaning. + /// + [FieldOffset(12)] public ushort SectionNumber; + + /// + /// A number that represents type. Microsoft tools set this field to 0x20 + /// (function) or 0x0 (not a function). + /// + [FieldOffset(14)] public SymbolType SymbolType; + + /// + /// An enumerated value that represents storage class. + /// + [FieldOffset(16)] public StorageClass StorageClass; + + /// + /// The number of auxiliary symbol table entries that follow this record. + /// + [FieldOffset(17)] public byte NumberOfAuxSymbols; + } +} diff --git a/BurnOutSharp.Models/PortableExecutable/Executable.cs b/BurnOutSharp.Models/PortableExecutable/Executable.cs index 499c38f1..155af68c 100644 --- a/BurnOutSharp.Models/PortableExecutable/Executable.cs +++ b/BurnOutSharp.Models/PortableExecutable/Executable.cs @@ -36,6 +36,11 @@ namespace BurnOutSharp.Models.PortableExecutable /// public SectionHeader[] SectionTable { get; set; } - // TODO: Left off at "COFF Symbol Table" + /// + /// COFF symbol table + /// + public COFFSymbolTableEntry[] COFFSymbolTable { get; set; } + + // TODO: Left off at https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#section-number-values } }