using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Text; using System.Xml; using BurnOutSharp.ASN1; using BurnOutSharp.Utilities; using static BurnOutSharp.Builders.Extensions; namespace BurnOutSharp.Wrappers { public class PortableExecutable : WrapperBase { #region Pass-Through Properties #region MS-DOS Stub #region Standard Fields /// public byte[] Stub_Magic => _executable.Stub.Header.Magic; /// public ushort Stub_LastPageBytes => _executable.Stub.Header.LastPageBytes; /// public ushort Stub_Pages => _executable.Stub.Header.Pages; /// public ushort Stub_RelocationItems => _executable.Stub.Header.RelocationItems; /// public ushort Stub_HeaderParagraphSize => _executable.Stub.Header.HeaderParagraphSize; /// public ushort Stub_MinimumExtraParagraphs => _executable.Stub.Header.MinimumExtraParagraphs; /// public ushort Stub_MaximumExtraParagraphs => _executable.Stub.Header.MaximumExtraParagraphs; /// public ushort Stub_InitialSSValue => _executable.Stub.Header.InitialSSValue; /// public ushort Stub_InitialSPValue => _executable.Stub.Header.InitialSPValue; /// public ushort Stub_Checksum => _executable.Stub.Header.Checksum; /// public ushort Stub_InitialIPValue => _executable.Stub.Header.InitialIPValue; /// public ushort Stub_InitialCSValue => _executable.Stub.Header.InitialCSValue; /// public ushort Stub_RelocationTableAddr => _executable.Stub.Header.RelocationTableAddr; /// public ushort Stub_OverlayNumber => _executable.Stub.Header.OverlayNumber; #endregion #region PE Extensions /// public ushort[] Stub_Reserved1 => _executable.Stub.Header.Reserved1; /// public ushort Stub_OEMIdentifier => _executable.Stub.Header.OEMIdentifier; /// public ushort Stub_OEMInformation => _executable.Stub.Header.OEMInformation; /// public ushort[] Stub_Reserved2 => _executable.Stub.Header.Reserved2; /// public uint Stub_NewExeHeaderAddr => _executable.Stub.Header.NewExeHeaderAddr; #endregion #endregion /// public byte[] Signature => _executable.Signature; #region COFF File Header /// public Models.PortableExecutable.MachineType Machine => _executable.COFFFileHeader.Machine; /// public ushort NumberOfSections => _executable.COFFFileHeader.NumberOfSections; /// public uint TimeDateStamp => _executable.COFFFileHeader.TimeDateStamp; /// public uint PointerToSymbolTable => _executable.COFFFileHeader.PointerToSymbolTable; /// public uint NumberOfSymbols => _executable.COFFFileHeader.NumberOfSymbols; /// public uint SizeOfOptionalHeader => _executable.COFFFileHeader.SizeOfOptionalHeader; /// public Models.PortableExecutable.Characteristics Characteristics => _executable.COFFFileHeader.Characteristics; #endregion #region Optional Header #region Standard Fields /// public Models.PortableExecutable.OptionalHeaderMagicNumber OH_Magic => _executable.OptionalHeader.Magic; /// public byte OH_MajorLinkerVersion => _executable.OptionalHeader.MajorLinkerVersion; /// public byte OH_MinorLinkerVersion => _executable.OptionalHeader.MinorLinkerVersion; /// public uint OH_SizeOfCode => _executable.OptionalHeader.SizeOfCode; /// public uint OH_SizeOfInitializedData => _executable.OptionalHeader.SizeOfInitializedData; /// public uint OH_SizeOfUninitializedData => _executable.OptionalHeader.SizeOfUninitializedData; /// public uint OH_AddressOfEntryPoint => _executable.OptionalHeader.AddressOfEntryPoint; /// public uint OH_BaseOfCode => _executable.OptionalHeader.BaseOfCode; /// public uint? OH_BaseOfData => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? (uint?)_executable.OptionalHeader.BaseOfData : null; #endregion #region Windows-Specific Fields /// public ulong OH_ImageBase => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? _executable.OptionalHeader.ImageBase_PE32 : _executable.OptionalHeader.ImageBase_PE32Plus; /// public uint OH_SectionAlignment => _executable.OptionalHeader.SectionAlignment; /// public uint OH_FileAlignment => _executable.OptionalHeader.FileAlignment; /// public ushort OH_MajorOperatingSystemVersion => _executable.OptionalHeader.MajorOperatingSystemVersion; /// public ushort OH_MinorOperatingSystemVersion => _executable.OptionalHeader.MinorOperatingSystemVersion; /// public ushort OH_MajorImageVersion => _executable.OptionalHeader.MajorImageVersion; /// public ushort OH_MinorImageVersion => _executable.OptionalHeader.MinorImageVersion; /// public ushort OH_MajorSubsystemVersion => _executable.OptionalHeader.MajorSubsystemVersion; /// public ushort OH_MinorSubsystemVersion => _executable.OptionalHeader.MinorSubsystemVersion; /// public uint OH_Win32VersionValue => _executable.OptionalHeader.Win32VersionValue; /// public uint OH_SizeOfImage => _executable.OptionalHeader.SizeOfImage; /// public uint OH_SizeOfHeaders => _executable.OptionalHeader.SizeOfHeaders; /// public uint OH_CheckSum => _executable.OptionalHeader.CheckSum; /// public Models.PortableExecutable.WindowsSubsystem OH_Subsystem => _executable.OptionalHeader.Subsystem; /// public Models.PortableExecutable.DllCharacteristics OH_DllCharacteristics => _executable.OptionalHeader.DllCharacteristics; /// public ulong OH_SizeOfStackReserve => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? _executable.OptionalHeader.SizeOfStackReserve_PE32 : _executable.OptionalHeader.SizeOfStackReserve_PE32Plus; /// public ulong OH_SizeOfStackCommit => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? _executable.OptionalHeader.SizeOfStackCommit_PE32 : _executable.OptionalHeader.SizeOfStackCommit_PE32Plus; /// public ulong OH_SizeOfHeapReserve => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? _executable.OptionalHeader.SizeOfHeapReserve_PE32 : _executable.OptionalHeader.SizeOfHeapReserve_PE32Plus; /// public ulong OH_SizeOfHeapCommit => _executable.OptionalHeader.Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32 ? _executable.OptionalHeader.SizeOfHeapCommit_PE32 : _executable.OptionalHeader.SizeOfHeapCommit_PE32Plus; /// public uint OH_LoaderFlags => _executable.OptionalHeader.LoaderFlags; /// public uint OH_NumberOfRvaAndSizes => _executable.OptionalHeader.NumberOfRvaAndSizes; #endregion #region Data Directories /// public Models.PortableExecutable.DataDirectory OH_ExportTable => _executable.OptionalHeader.ExportTable; /// public Models.PortableExecutable.DataDirectory OH_ImportTable => _executable.OptionalHeader.ImportTable; /// public Models.PortableExecutable.DataDirectory OH_ResourceTable => _executable.OptionalHeader.ResourceTable; /// public Models.PortableExecutable.DataDirectory OH_ExceptionTable => _executable.OptionalHeader.ExceptionTable; /// public Models.PortableExecutable.DataDirectory OH_CertificateTable => _executable.OptionalHeader.CertificateTable; /// public Models.PortableExecutable.DataDirectory OH_BaseRelocationTable => _executable.OptionalHeader.BaseRelocationTable; /// public Models.PortableExecutable.DataDirectory OH_Debug => _executable.OptionalHeader.Debug; /// public ulong OH_Architecture => _executable.OptionalHeader.Architecture; /// public Models.PortableExecutable.DataDirectory OH_GlobalPtr => _executable.OptionalHeader.GlobalPtr; /// public Models.PortableExecutable.DataDirectory OH_ThreadLocalStorageTable => _executable.OptionalHeader.ThreadLocalStorageTable; /// public Models.PortableExecutable.DataDirectory OH_LoadConfigTable => _executable.OptionalHeader.LoadConfigTable; /// public Models.PortableExecutable.DataDirectory OH_BoundImport => _executable.OptionalHeader.BoundImport; /// public Models.PortableExecutable.DataDirectory OH_ImportAddressTable => _executable.OptionalHeader.ImportAddressTable; /// public Models.PortableExecutable.DataDirectory OH_DelayImportDescriptor => _executable.OptionalHeader.DelayImportDescriptor; /// public Models.PortableExecutable.DataDirectory OH_CLRRuntimeHeader => _executable.OptionalHeader.CLRRuntimeHeader; /// public ulong OH_Reserved => _executable.OptionalHeader.Reserved; #endregion #endregion #region Tables /// public Models.PortableExecutable.SectionHeader[] SectionTable => _executable.SectionTable; /// public Models.PortableExecutable.COFFSymbolTableEntry[] COFFSymbolTable => _executable.COFFSymbolTable; /// public Models.PortableExecutable.COFFStringTable COFFStringTable => _executable.COFFStringTable; /// public Models.PortableExecutable.AttributeCertificateTableEntry[] AttributeCertificateTable => _executable.AttributeCertificateTable; /// public Models.PortableExecutable.DelayLoadDirectoryTable DelayLoadDirectoryTable => _executable.DelayLoadDirectoryTable; #endregion #region Sections /// public Models.PortableExecutable.BaseRelocationBlock[] BaseRelocationTable => _executable.BaseRelocationTable; /// public Models.PortableExecutable.DebugTable DebugTable => _executable.DebugTable; /// public Models.PortableExecutable.ExportTable ExportTable => _executable.ExportTable; /// public string[] ExportNameTable => _executable.ExportTable?.ExportNameTable?.Strings; /// public Models.PortableExecutable.ImportTable ImportTable => _executable.ImportTable; /// public string[] ImportHintNameTable => _executable.ImportTable?.HintNameTable != null ? _executable.ImportTable.HintNameTable.Select(entry => entry.Name).ToArray() : null; /// public Models.PortableExecutable.ResourceDirectoryTable ResourceDirectoryTable => _executable.ResourceDirectoryTable; #endregion #endregion #region Extension Properties /// /// Header padding data, if it exists /// public byte[] HeaderPaddingData { get { // If we already have cached data, just use that immediately if (_headerPaddingData != null) return _headerPaddingData; lock (_sourceDataLock) { // TODO: Don't scan the known header data as well // Populate the raw header padding data based on the source uint headerStartAddress = Stub_NewExeHeaderAddr; uint firstSectionAddress = SectionTable.Select(s => s.PointerToRawData).Where(s => s != 0).OrderBy(s => s).First(); int headerLength = (int)(firstSectionAddress - headerStartAddress); _headerPaddingData = ReadFromDataSource((int)headerStartAddress, headerLength); // Cache and return the header padding data, even if null return _headerPaddingData; } } } /// /// Header padding strings, if they exist /// public List HeaderPaddingStrings { get { // If we already have cached data, just use that immediately if (_headerPaddingStrings != null) return _headerPaddingStrings; lock (_sourceDataLock) { // TODO: Don't scan the known header data as well // Populate the raw header padding data based on the source uint headerStartAddress = Stub_NewExeHeaderAddr; uint firstSectionAddress = SectionTable.Select(s => s.PointerToRawData).Where(s => s != 0).OrderBy(s => s).First(); int headerLength = (int)(firstSectionAddress - headerStartAddress); _headerPaddingStrings = ReadStringsFromDataSource((int)headerStartAddress, headerLength, charLimit: 3); // Cache and return the header padding data, even if null return _headerPaddingStrings; } } } /// /// Entry point data, if it exists /// public byte[] EntryPointData { get { // If we have no entry point int entryPointAddress = (int)OH_AddressOfEntryPoint.ConvertVirtualAddress(SectionTable); if (entryPointAddress == 0) return null; // If the entry point matches with the start of a section, use that int entryPointSection = FindEntryPointSectionIndex(); if (entryPointSection >= 0 && OH_AddressOfEntryPoint == SectionTable[entryPointSection].VirtualAddress) return GetSectionData(entryPointSection); // If we already have cached data, just use that immediately if (_entryPointData != null) return _entryPointData; lock (_sourceDataLock) { // Read the first 128 bytes of the entry point _entryPointData = ReadFromDataSource(entryPointAddress, length: 128); // Cache and return the entry point padding data, even if null return _entryPointData; } } } /// /// Overlay data, if it exists /// /// public byte[] OverlayData { get { // Use the cached data if possible if (_overlayData != null) return _overlayData; // Get the end of the file, if possible int endOfFile = GetEndOfFile(); if (endOfFile == -1) return null; lock (_sourceDataLock) { // If we have certificate data, use that as the end if (OH_CertificateTable != null) { var certificateTable = _executable.OptionalHeader.CertificateTable; int certificateTableAddress = (int)certificateTable.VirtualAddress.ConvertVirtualAddress(_executable.SectionTable); if (certificateTableAddress != 0 && certificateTableAddress < endOfFile) endOfFile = certificateTableAddress; } // Search through all sections and find the furthest a section goes int endOfSectionData = -1; foreach (var section in _executable.SectionTable) { // If we have an invalid section address int sectionAddress = (int)section.VirtualAddress.ConvertVirtualAddress(_executable.SectionTable); if (sectionAddress == 0) continue; // If we have an invalid section size if (section.SizeOfRawData == 0 && section.VirtualSize == 0) continue; // Get the real section size int sectionSize; if (section.SizeOfRawData < section.VirtualSize) sectionSize = (int)section.VirtualSize; else sectionSize = (int)section.SizeOfRawData; // Compare and set the end of section data if (sectionAddress + sectionSize > endOfSectionData) endOfSectionData = sectionAddress + sectionSize; } // If we didn't find the end of section data if (endOfSectionData <= 0) return null; // If we're at the end of the file, cache an empty byte array if (endOfSectionData >= endOfFile) { _overlayData = new byte[0]; return _overlayData; } // Otherwise, cache and return the data int overlayLength = endOfFile - endOfSectionData; _overlayData = ReadFromDataSource(endOfSectionData, overlayLength); return _overlayData; } } } /// /// Overlay strings, if they exist /// public List OverlayStrings { get { // Use the cached data if possible if (_overlayStrings != null) return _overlayStrings; // Get the end of the file, if possible int endOfFile = GetEndOfFile(); if (endOfFile == -1) return null; lock (_sourceDataLock) { // If we have certificate data, use that as the end if (OH_CertificateTable != null) { var certificateTable = _executable.OptionalHeader.CertificateTable; int certificateTableAddress = (int)certificateTable.VirtualAddress.ConvertVirtualAddress(_executable.SectionTable); if (certificateTableAddress != 0 && certificateTableAddress < endOfFile) endOfFile = certificateTableAddress; } // Search through all sections and find the furthest a section goes int endOfSectionData = -1; foreach (var section in _executable.SectionTable) { // If we have an invalid section address int sectionAddress = (int)section.VirtualAddress.ConvertVirtualAddress(_executable.SectionTable); if (sectionAddress == 0) continue; // If we have an invalid section size if (section.SizeOfRawData == 0 && section.VirtualSize == 0) continue; // Get the real section size int sectionSize; if (section.SizeOfRawData < section.VirtualSize) sectionSize = (int)section.VirtualSize; else sectionSize = (int)section.SizeOfRawData; // Compare and set the end of section data if (sectionAddress + sectionSize > endOfSectionData) endOfSectionData = sectionAddress + sectionSize; } // If we didn't find the end of section data if (endOfSectionData <= 0) return null; // If we're at the end of the file, cache an empty list if (endOfSectionData >= endOfFile) { _overlayStrings = new List(); return _overlayStrings; } // Otherwise, cache and return the strings int overlayLength = endOfFile - endOfSectionData; _overlayStrings = ReadStringsFromDataSource(endOfSectionData, overlayLength, charLimit: 3); return _overlayStrings; } } } /// /// Sanitized section names /// public string[] SectionNames { get { // Use the cached data if possible if (_sectionNames != null) return _sectionNames; // Otherwise, build and return the cached array _sectionNames = new string[_executable.SectionTable.Length]; for (int i = 0; i < _sectionNames.Length; i++) { var section = _executable.SectionTable[i]; // TODO: Handle long section names with leading `/` byte[] sectionNameBytes = section.Name; string sectionNameString = Encoding.UTF8.GetString(sectionNameBytes).TrimEnd('\0'); _sectionNames[i] = sectionNameString; } return _sectionNames; } } /// /// Stub executable data, if it exists /// public byte[] StubExecutableData { get { // If we already have cached data, just use that immediately if (_stubExecutableData != null) return _stubExecutableData; lock (_sourceDataLock) { // Populate the raw stub executable data based on the source int endOfStubHeader = 0x40; int lengthOfStubExecutableData = (int)_executable.Stub.Header.NewExeHeaderAddr - endOfStubHeader; _stubExecutableData = ReadFromDataSource(endOfStubHeader, lengthOfStubExecutableData); // Cache and return the stub executable data, even if null return _stubExecutableData; } } } /// /// Dictionary of debug data /// public Dictionary DebugData { get { // Use the cached data if possible if (_debugData != null && _debugData.Count != 0) return _debugData; // If we have no resource table, just return if (DebugTable?.DebugDirectoryTable == null || DebugTable.DebugDirectoryTable.Length == 0) return null; lock (_sourceDataLock) { // Otherwise, build and return the cached dictionary ParseDebugTable(); return _debugData; } } } /// /// Dictionary of resource data /// public Dictionary ResourceData { get { // Use the cached data if possible if (_resourceData != null && _resourceData.Count != 0) return _resourceData; // If we have no resource table, just return if (OH_ResourceTable == null || OH_ResourceTable.VirtualAddress == 0 || ResourceDirectoryTable == null) return null; lock (_sourceDataLock) { // Otherwise, build and return the cached dictionary ParseResourceDirectoryTable(ResourceDirectoryTable, types: new List()); return _resourceData; } } } #region Version Information /// /// "Build GUID" /// public string BuildGuid => GetVersionInfoString("BuildGuid"); /// /// "Build signature" /// public string BuildSignature => GetVersionInfoString("BuildSignature"); /// /// Additional information that should be displayed for diagnostic purposes. /// public string Comments => GetVersionInfoString("Comments"); /// /// Company that produced the file—for example, "Microsoft Corporation" or /// "Standard Microsystems Corporation, Inc." This string is required. /// public string CompanyName => GetVersionInfoString("CompanyName"); /// /// "Debug version" /// public string DebugVersion => GetVersionInfoString("DebugVersion"); /// /// File description to be presented to users. This string may be displayed in a /// list box when the user is choosing files to install—for example, "Keyboard /// Driver for AT-Style Keyboards". This string is required. /// public string FileDescription => GetVersionInfoString("FileDescription"); /// /// Version number of the file—for example, "3.10" or "5.00.RC2". This string /// is required. /// public string FileVersion => GetVersionInfoString("FileVersion"); /// /// Internal name of the file, if one exists—for example, a module name if the /// file is a dynamic-link library. If the file has no internal name, this /// string should be the original filename, without extension. This string is required. /// public string InternalName => GetVersionInfoString(key: "InternalName"); /// /// Copyright notices that apply to the file. This should include the full text of /// all notices, legal symbols, copyright dates, and so on. This string is optional. /// public string LegalCopyright => GetVersionInfoString(key: "LegalCopyright"); /// /// Trademarks and registered trademarks that apply to the file. This should include /// the full text of all notices, legal symbols, trademark numbers, and so on. This /// string is optional. /// public string LegalTrademarks => GetVersionInfoString(key: "LegalTrademarks"); /// /// Original name of the file, not including a path. This information enables an /// application to determine whether a file has been renamed by a user. The format of /// the name depends on the file system for which the file was created. This string /// is required. /// public string OriginalFilename => GetVersionInfoString(key: "OriginalFilename"); /// /// Information about a private version of the file—for example, "Built by TESTER1 on /// \TESTBED". This string should be present only if VS_FF_PRIVATEBUILD is specified in /// the fileflags parameter of the root block. /// public string PrivateBuild => GetVersionInfoString(key: "PrivateBuild"); /// /// "Product GUID" /// public string ProductGuid => GetVersionInfoString("ProductGuid"); /// /// Name of the product with which the file is distributed. This string is required. /// public string ProductName => GetVersionInfoString(key: "ProductName"); /// /// Version of the product with which the file is distributed—for example, "3.10" or /// "5.00.RC2". This string is required. /// public string ProductVersion => GetVersionInfoString(key: "ProductVersion"); /// /// Text that specifies how this version of the file differs from the standard /// version—for example, "Private build for TESTER1 solving mouse problems on M250 and /// M250E computers". This string should be present only if VS_FF_SPECIALBUILD is /// specified in the fileflags parameter of the root block. /// public string SpecialBuild => GetVersionInfoString(key: "SpecialBuild") ?? GetVersionInfoString(key: "Special Build"); /// /// "Trade name" /// public string TradeName => GetVersionInfoString(key: "TradeName"); #endregion #region Manifest Information /// /// Description as derived from the assembly manifest /// public string AssemblyDescription { get { var manifest = GetAssemblyManifest(); return manifest? .Description? .Value; } } /// /// Version as derived from the assembly manifest /// /// /// If there are multiple identities included in the manifest, /// this will only retrieve the value from the first that doesn't /// have a null or empty version. /// public string AssemblyVersion { get { var manifest = GetAssemblyManifest(); return manifest? .AssemblyIdentities? .FirstOrDefault(ai => !string.IsNullOrWhiteSpace(ai.Version))? .Version; } } #endregion #endregion #region Instance Variables /// /// Internal representation of the executable /// private Models.PortableExecutable.Executable _executable; /// /// Header padding data, if it exists /// private byte[] _headerPaddingData = null; /// /// Header padding strings, if they exist /// private List _headerPaddingStrings = null; /// /// Entry point data, if it exists and isn't aligned to a section /// private byte[] _entryPointData = null; /// /// Overlay data, if it exists /// private byte[] _overlayData = null; /// /// Overlay strings, if they exist /// private List _overlayStrings = null; /// /// Stub executable data, if it exists /// private byte[] _stubExecutableData = null; /// /// Sanitized section names /// private string[] _sectionNames = null; /// /// Cached raw section data /// private byte[][] _sectionData = null; /// /// Cached found string data in sections /// private List[] _sectionStringData = null; /// /// Cached raw table data /// private byte[][] _tableData = null; /// /// Cached found string data in tables /// private List[] _tableStringData = null; /// /// Cached debug data /// private readonly Dictionary _debugData = new Dictionary(); /// /// Cached resource data /// private readonly Dictionary _resourceData = new Dictionary(); /// /// Cached version info data /// private Models.PortableExecutable.VersionInfo _versionInfo = null; /// /// Cached assembly manifest data /// private Models.PortableExecutable.AssemblyManifest _assemblyManifest = null; /// /// Lock object for reading from the source /// private readonly object _sourceDataLock = new object(); #endregion #region Constructors /// /// Private constructor /// private PortableExecutable() { } /// /// Create a PE executable from a byte array and offset /// /// Byte array representing the executable /// Offset within the array to parse /// A PE executable wrapper on success, null on failure public static PortableExecutable Create(byte[] data, int offset) { // If the data is invalid if (data == null) return null; // If the offset is out of bounds if (offset < 0 || offset >= data.Length) return null; // Create a memory stream and use that MemoryStream dataStream = new MemoryStream(data, offset, data.Length - offset); return Create(dataStream); } /// /// Create a PE executable from a Stream /// /// Stream representing the executable /// A PE executable wrapper on success, null on failure public static PortableExecutable Create(Stream data) { // If the data is invalid if (data == null || data.Length == 0 || !data.CanSeek || !data.CanRead) return null; var executable = Builders.PortableExecutable.ParseExecutable(data); if (executable == null) return null; var wrapper = new PortableExecutable { _executable = executable, _dataSource = DataSource.Stream, _streamData = data, }; return wrapper; } #endregion #region Data // TODO: Cache all certificate objects /// /// Get the version info string associated with a key, if possible /// /// Case-insensitive key to find in the version info /// String representing the data, null on error /// /// This code does not take into account the locale and will find and return /// the first available value. This may not actually matter for version info, /// but it is worth mentioning. /// public string GetVersionInfoString(string key) { // If we have an invalid key, we can't do anything if (string.IsNullOrEmpty(key)) return null; // Ensure that we have the resource data cached if (ResourceData == null) return null; // If we don't have string version info in this executable var stringTable = _versionInfo?.StringFileInfo?.Children; if (stringTable == null || !stringTable.Any()) return null; // Try to find a key that matches var match = stringTable .SelectMany(st => st.Children) .FirstOrDefault(sd => key.Equals(sd.Key, StringComparison.OrdinalIgnoreCase)); // Return either the match or null return match?.Value?.TrimEnd('\0'); } /// /// Get the assembly manifest, if possible /// /// Assembly manifest object, null on error private Models.PortableExecutable.AssemblyManifest GetAssemblyManifest() { // Use the cached data if possible if (_assemblyManifest != null) return _assemblyManifest; // Ensure that we have the resource data cached if (ResourceData == null) return null; // Return the now-cached assembly manifest return _assemblyManifest; } #endregion #region Printing /// /// Print all sections, including their start and end addresses /// public void PrintAllSections() { foreach (var section in SectionTable) { // TODO: Handle long section names with leading `/` string sectionName = Encoding.UTF8.GetString(section.Name); uint sectionAddr = section.PointerToRawData; uint sectionEnd = sectionAddr + section.VirtualSize; Console.WriteLine($"{sectionName}: {sectionAddr} -> {sectionEnd}"); } } /// public override void Print() { Console.WriteLine("Portable Executable Information:"); Console.WriteLine("-------------------------"); Console.WriteLine(); // Stub PrintStubHeader(); PrintStubExtendedHeader(); // Header PrintCOFFFileHeader(); PrintOptionalHeader(); // Tables PrintSectionTable(); PrintCOFFSymbolTable(); PrintAttributeCertificateTable(); PrintDelayLoadDirectoryTable(); // Named Sections PrintBaseRelocationTable(); PrintDebugTable(); PrintExportTable(); PrintImportTable(); PrintResourceDirectoryTable(); } /// /// Print stub header information /// private void PrintStubHeader() { Console.WriteLine(" MS-DOS Stub Header Information:"); Console.WriteLine(" -------------------------"); Console.WriteLine($" Magic number: {BitConverter.ToString(Stub_Magic).Replace("-", string.Empty)}"); Console.WriteLine($" Last page bytes: {Stub_LastPageBytes}"); Console.WriteLine($" Pages: {Stub_Pages}"); Console.WriteLine($" Relocation items: {Stub_RelocationItems}"); Console.WriteLine($" Header paragraph size: {Stub_HeaderParagraphSize}"); Console.WriteLine($" Minimum extra paragraphs: {Stub_MinimumExtraParagraphs}"); Console.WriteLine($" Maximum extra paragraphs: {Stub_MaximumExtraParagraphs}"); Console.WriteLine($" Initial SS value: {Stub_InitialSSValue}"); Console.WriteLine($" Initial SP value: {Stub_InitialSPValue}"); Console.WriteLine($" Checksum: {Stub_Checksum}"); Console.WriteLine($" Initial IP value: {Stub_InitialIPValue}"); Console.WriteLine($" Initial CS value: {Stub_InitialCSValue}"); Console.WriteLine($" Relocation table address: {Stub_RelocationTableAddr}"); Console.WriteLine($" Overlay number: {Stub_OverlayNumber}"); Console.WriteLine(); } /// /// Print stub extended header information /// private void PrintStubExtendedHeader() { Console.WriteLine(" MS-DOS Stub Extended Header Information:"); Console.WriteLine(" -------------------------"); Console.WriteLine($" Reserved words: {string.Join(", ", Stub_Reserved1)}"); Console.WriteLine($" OEM identifier: {Stub_OEMIdentifier}"); Console.WriteLine($" OEM information: {Stub_OEMInformation}"); Console.WriteLine($" Reserved words: {string.Join(", ", Stub_Reserved2)}"); Console.WriteLine($" New EXE header address: {Stub_NewExeHeaderAddr}"); Console.WriteLine(); } /// /// Print COFF file header information /// private void PrintCOFFFileHeader() { Console.WriteLine(" COFF File Header Information:"); Console.WriteLine(" -------------------------"); Console.WriteLine($" Signature: {BitConverter.ToString(Signature).Replace("-", string.Empty)}"); Console.WriteLine($" Machine: {Machine}"); Console.WriteLine($" Number of sections: {NumberOfSections}"); Console.WriteLine($" Time/Date stamp: {TimeDateStamp}"); Console.WriteLine($" Pointer to symbol table: {PointerToSymbolTable}"); Console.WriteLine($" Number of symbols: {NumberOfSymbols}"); Console.WriteLine($" Size of optional header: {SizeOfOptionalHeader}"); Console.WriteLine($" Characteristics: {Characteristics}"); Console.WriteLine(); } /// /// Print optional header information /// private void PrintOptionalHeader() { Console.WriteLine(" Optional Header Information:"); Console.WriteLine(" -------------------------"); if (SizeOfOptionalHeader == 0) { Console.WriteLine(" No optional header present"); } else { Console.WriteLine($" Magic: {OH_Magic}"); Console.WriteLine($" Major linker version: {OH_MajorLinkerVersion}"); Console.WriteLine($" Minor linker version: {OH_MinorLinkerVersion}"); Console.WriteLine($" Size of code section: {OH_SizeOfCode}"); Console.WriteLine($" Size of initialized data: {OH_SizeOfInitializedData}"); Console.WriteLine($" Size of uninitialized data: {OH_SizeOfUninitializedData}"); Console.WriteLine($" Address of entry point: {OH_AddressOfEntryPoint}"); Console.WriteLine($" Base of code: {OH_BaseOfCode}"); if (OH_Magic == Models.PortableExecutable.OptionalHeaderMagicNumber.PE32) Console.WriteLine($" Base of data: {OH_BaseOfData}"); Console.WriteLine($" Image base: {OH_ImageBase}"); Console.WriteLine($" Section alignment: {OH_SectionAlignment}"); Console.WriteLine($" File alignment: {OH_FileAlignment}"); Console.WriteLine($" Major operating system version: {OH_MajorOperatingSystemVersion}"); Console.WriteLine($" Minor operating system version: {OH_MinorOperatingSystemVersion}"); Console.WriteLine($" Major image version: {OH_MajorImageVersion}"); Console.WriteLine($" Minor image version: {OH_MinorImageVersion}"); Console.WriteLine($" Major subsystem version: {OH_MajorSubsystemVersion}"); Console.WriteLine($" Minor subsystem version: {OH_MinorSubsystemVersion}"); Console.WriteLine($" Win32 version value: {OH_Win32VersionValue}"); Console.WriteLine($" Size of image: {OH_SizeOfImage}"); Console.WriteLine($" Size of headers: {OH_SizeOfHeaders}"); Console.WriteLine($" Checksum: {OH_CheckSum}"); Console.WriteLine($" Subsystem: {OH_Subsystem}"); Console.WriteLine($" DLL characteristics: {OH_DllCharacteristics}"); Console.WriteLine($" Size of stack reserve: {OH_SizeOfStackReserve}"); Console.WriteLine($" Size of stack commit: {OH_SizeOfStackCommit}"); Console.WriteLine($" Size of heap reserve: {OH_SizeOfHeapReserve}"); Console.WriteLine($" Size of heap commit: {OH_SizeOfHeapCommit}"); Console.WriteLine($" Loader flags: {OH_LoaderFlags}"); Console.WriteLine($" Number of data-directory entries: {OH_NumberOfRvaAndSizes}"); if (OH_ExportTable != null) { Console.WriteLine(" Export Table (1)"); Console.WriteLine($" Virtual address: {OH_ExportTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ExportTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ExportTable.Size}"); } if (OH_ImportTable != null) { Console.WriteLine(" Import Table (2)"); Console.WriteLine($" Virtual address: {OH_ImportTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ImportTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ImportTable.Size}"); } if (OH_ResourceTable != null) { Console.WriteLine(" Resource Table (3)"); Console.WriteLine($" Virtual address: {OH_ResourceTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ResourceTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ResourceTable.Size}"); } if (OH_ExceptionTable != null) { Console.WriteLine(" Exception Table (4)"); Console.WriteLine($" Virtual address: {OH_ExceptionTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ExceptionTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ExceptionTable.Size}"); } if (OH_CertificateTable != null) { Console.WriteLine(" Certificate Table (5)"); Console.WriteLine($" Virtual address: {OH_CertificateTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_CertificateTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_CertificateTable.Size}"); } if (OH_BaseRelocationTable != null) { Console.WriteLine(" Base Relocation Table (6)"); Console.WriteLine($" Virtual address: {OH_BaseRelocationTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_BaseRelocationTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_BaseRelocationTable.Size}"); } if (OH_Debug != null) { Console.WriteLine(" Debug Table (7)"); Console.WriteLine($" Virtual address: {OH_Debug.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_Debug.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_Debug.Size}"); } if (OH_NumberOfRvaAndSizes >= 8) { Console.WriteLine(" Architecture Table (8)"); Console.WriteLine($" Virtual address: 0"); Console.WriteLine($" Physical address: 0"); Console.WriteLine($" Size: 0"); } if (OH_GlobalPtr != null) { Console.WriteLine(" Global Pointer Register (9)"); Console.WriteLine($" Virtual address: {OH_GlobalPtr.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_GlobalPtr.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_GlobalPtr.Size}"); } if (OH_ThreadLocalStorageTable != null) { Console.WriteLine(" Thread Local Storage (TLS) Table (10)"); Console.WriteLine($" Virtual address: {OH_ThreadLocalStorageTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ThreadLocalStorageTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ThreadLocalStorageTable.Size}"); } if (OH_LoadConfigTable != null) { Console.WriteLine(" Load Config Table (11)"); Console.WriteLine($" Virtual address: {OH_LoadConfigTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_LoadConfigTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_LoadConfigTable.Size}"); } if (OH_BoundImport != null) { Console.WriteLine(" Bound Import Table (12)"); Console.WriteLine($" Virtual address: {OH_BoundImport.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_BoundImport.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_BoundImport.Size}"); } if (OH_ImportAddressTable != null) { Console.WriteLine(" Import Address Table (13)"); Console.WriteLine($" Virtual address: {OH_ImportAddressTable.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_ImportAddressTable.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_ImportAddressTable.Size}"); } if (OH_DelayImportDescriptor != null) { Console.WriteLine(" Delay Import Descriptior (14)"); Console.WriteLine($" Virtual address: {OH_DelayImportDescriptor.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_DelayImportDescriptor.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_DelayImportDescriptor.Size}"); } if (OH_CLRRuntimeHeader != null) { Console.WriteLine(" CLR Runtime Header (15)"); Console.WriteLine($" Virtual address: {OH_CLRRuntimeHeader.VirtualAddress}"); Console.WriteLine($" Physical address: {OH_CLRRuntimeHeader.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size: {OH_CLRRuntimeHeader.Size}"); } if (OH_NumberOfRvaAndSizes >= 16) { Console.WriteLine(" Reserved (16)"); Console.WriteLine($" Virtual address: 0"); Console.WriteLine($" Physical address: 0"); Console.WriteLine($" Size: 0"); } } Console.WriteLine(); } /// /// Print section table information /// private void PrintSectionTable() { Console.WriteLine(" Section Table Information:"); Console.WriteLine(" -------------------------"); if (NumberOfSections == 0 || SectionTable.Length == 0) { Console.WriteLine(" No section table items"); } else { for (int i = 0; i < SectionTable.Length; i++) { var entry = SectionTable[i]; Console.WriteLine($" Section Table Entry {i}"); Console.WriteLine($" Name = {Encoding.UTF8.GetString(entry.Name)}"); Console.WriteLine($" Virtual size = {entry.VirtualSize}"); Console.WriteLine($" Virtual address = {entry.VirtualAddress}"); Console.WriteLine($" Physical address: {entry.VirtualAddress.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Size of raw data = {entry.SizeOfRawData}"); Console.WriteLine($" Pointer to raw data = {entry.PointerToRawData}"); Console.WriteLine($" Pointer to relocations = {entry.PointerToRelocations}"); Console.WriteLine($" Pointer to linenumbers = {entry.PointerToLinenumbers}"); Console.WriteLine($" Number of relocations = {entry.NumberOfRelocations}"); Console.WriteLine($" Number of linenumbers = {entry.NumberOfLinenumbers}"); Console.WriteLine($" Characteristics = {entry.Characteristics}"); // TODO: Add COFFRelocations // TODO: Add COFFLineNumbers } } Console.WriteLine(); } /// /// Print COFF symbol table information /// private void PrintCOFFSymbolTable() { Console.WriteLine(" COFF Symbol Table Information:"); Console.WriteLine(" -------------------------"); if (PointerToSymbolTable == 0 || NumberOfSymbols == 0 || COFFSymbolTable == null || COFFSymbolTable.Length == 0) { Console.WriteLine(" No COFF symbol table items"); } else { int auxSymbolsRemaining = 0; int currentSymbolType = 0; for (int i = 0; i < COFFSymbolTable.Length; i++) { var entry = COFFSymbolTable[i]; Console.WriteLine($" COFF Symbol Table Entry {i} (Subtype {currentSymbolType})"); if (currentSymbolType == 0) { if (entry.ShortName != null) { Console.WriteLine($" Short name = {Encoding.UTF8.GetString(entry.ShortName)}"); } else { Console.WriteLine($" Zeroes = {entry.Zeroes}"); Console.WriteLine($" Offset = {entry.Offset}"); } Console.WriteLine($" Value = {entry.Value}"); Console.WriteLine($" Section number = {entry.SectionNumber}"); Console.WriteLine($" Symbol type = {entry.SymbolType}"); Console.WriteLine($" Storage class = {entry.StorageClass}"); Console.WriteLine($" Number of aux symbols = {entry.NumberOfAuxSymbols}"); auxSymbolsRemaining = entry.NumberOfAuxSymbols; if (auxSymbolsRemaining == 0) continue; if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_EXTERNAL && entry.SymbolType == Models.PortableExecutable.SymbolType.IMAGE_SYM_TYPE_FUNC && entry.SectionNumber > 0) { currentSymbolType = 1; } else if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_FUNCTION && entry.ShortName != null && ((entry.ShortName[0] == 0x2E && entry.ShortName[1] == 0x62 && entry.ShortName[2] == 0x66) // .bf || (entry.ShortName[0] == 0x2E && entry.ShortName[1] == 0x65 && entry.ShortName[2] == 0x66))) // .ef { currentSymbolType = 2; } else if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_EXTERNAL && entry.SectionNumber == (ushort)Models.PortableExecutable.SectionNumber.IMAGE_SYM_UNDEFINED && entry.Value == 0) { currentSymbolType = 3; } else if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_FILE) { // TODO: Symbol name should be ".file" currentSymbolType = 4; } else if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_STATIC) { // TODO: Should have the name of a section (like ".text") currentSymbolType = 5; } else if (entry.StorageClass == Models.PortableExecutable.StorageClass.IMAGE_SYM_CLASS_CLR_TOKEN) { currentSymbolType = 6; } } else if (currentSymbolType == 1) { Console.WriteLine($" Tag index = {entry.AuxFormat1TagIndex}"); Console.WriteLine($" Total size = {entry.AuxFormat1TotalSize}"); Console.WriteLine($" Pointer to linenumber = {entry.AuxFormat1PointerToLinenumber}"); Console.WriteLine($" Pointer to next function = {entry.AuxFormat1PointerToNextFunction}"); Console.WriteLine($" Unused = {entry.AuxFormat1Unused}"); auxSymbolsRemaining--; } else if (currentSymbolType == 2) { Console.WriteLine($" Unused = {entry.AuxFormat2Unused1}"); Console.WriteLine($" Linenumber = {entry.AuxFormat2Linenumber}"); Console.WriteLine($" Unused = {entry.AuxFormat2Unused2}"); Console.WriteLine($" Pointer to next function = {entry.AuxFormat2PointerToNextFunction}"); Console.WriteLine($" Unused = {entry.AuxFormat2Unused3}"); auxSymbolsRemaining--; } else if (currentSymbolType == 3) { Console.WriteLine($" Tag index = {entry.AuxFormat3TagIndex}"); Console.WriteLine($" Characteristics = {entry.AuxFormat3Characteristics}"); Console.WriteLine($" Unused = {BitConverter.ToString(entry.AuxFormat3Unused).Replace("-", string.Empty)}"); auxSymbolsRemaining--; } else if (currentSymbolType == 4) { Console.WriteLine($" File name = {Encoding.ASCII.GetString(entry.AuxFormat4FileName)}"); auxSymbolsRemaining--; } else if (currentSymbolType == 5) { Console.WriteLine($" Length = {entry.AuxFormat5Length}"); Console.WriteLine($" Number of relocations = {entry.AuxFormat5NumberOfRelocations}"); Console.WriteLine($" Number of linenumbers = {entry.AuxFormat5NumberOfLinenumbers}"); Console.WriteLine($" Checksum = {entry.AuxFormat5CheckSum}"); Console.WriteLine($" Number = {entry.AuxFormat5Number}"); Console.WriteLine($" Selection = {entry.AuxFormat5Selection}"); Console.WriteLine($" Unused = {BitConverter.ToString(entry.AuxFormat5Unused).Replace("-", string.Empty)}"); auxSymbolsRemaining--; } else if (currentSymbolType == 6) { Console.WriteLine($" Aux type = {entry.AuxFormat6AuxType}"); Console.WriteLine($" Reserved = {entry.AuxFormat6Reserved1}"); Console.WriteLine($" Symbol table index = {entry.AuxFormat6SymbolTableIndex}"); Console.WriteLine($" Reserved = {BitConverter.ToString(entry.AuxFormat6Reserved2).Replace("-", string.Empty)}"); auxSymbolsRemaining--; } // If we hit the last aux symbol, go back to normal format if (auxSymbolsRemaining == 0) currentSymbolType = 0; } Console.WriteLine(); Console.WriteLine(" COFF String Table Information:"); Console.WriteLine(" -------------------------"); if (COFFStringTable == null || COFFStringTable.Strings == null || COFFStringTable.Strings.Length == 0) { Console.WriteLine(" No COFF string table items"); } else { Console.WriteLine($" Total size: {COFFStringTable.TotalSize}"); for (int i = 0; i < COFFStringTable.Strings.Length; i++) { string entry = COFFStringTable.Strings[i]; Console.WriteLine($" COFF String Table Entry {i})"); Console.WriteLine($" Value = {entry}"); } } } Console.WriteLine(); } /// /// Print attribute certificate table information /// private void PrintAttributeCertificateTable() { Console.WriteLine(" Attribute Certificate Table Information:"); Console.WriteLine(" -------------------------"); if (OH_CertificateTable == null || OH_CertificateTable.VirtualAddress == 0 || AttributeCertificateTable.Length == 0) { Console.WriteLine(" No attribute certificate table items"); } else { for (int i = 0; i < AttributeCertificateTable.Length; i++) { var entry = AttributeCertificateTable[i]; Console.WriteLine($" Attribute Certificate Table Entry {i}"); Console.WriteLine($" Length = {entry.Length}"); Console.WriteLine($" Revision = {entry.Revision}"); Console.WriteLine($" Certificate type = {entry.CertificateType}"); Console.WriteLine(); if (entry.CertificateType == Models.PortableExecutable.WindowsCertificateType.WIN_CERT_TYPE_PKCS_SIGNED_DATA) { Console.WriteLine(" Certificate Data [Formatted]"); Console.WriteLine(" -------------------------"); var topLevelValues = AbstractSyntaxNotationOne.Parse(entry.Certificate, pointer: 0); if (topLevelValues == null) { Console.WriteLine(" INVALID DATA FOUND"); Console.WriteLine($" {BitConverter.ToString(entry.Certificate).Replace("-", string.Empty)}"); } else { foreach (TypeLengthValue tlv in topLevelValues) { string tlvString = tlv.Format(paddingLevel: 4); Console.WriteLine(tlvString); } } } else { Console.WriteLine($" Certificate Data [Binary]"); Console.WriteLine(" -------------------------"); try { Console.WriteLine($" {BitConverter.ToString(entry.Certificate).Replace("-", string.Empty)}"); } catch { Console.WriteLine($" [DATA TOO LARGE TO FORMAT]"); } } Console.WriteLine(); } } Console.WriteLine(); } /// /// Print delay-load directory table information /// private void PrintDelayLoadDirectoryTable() { Console.WriteLine(" Delay-Load Directory Table Information:"); Console.WriteLine(" -------------------------"); if (OH_DelayImportDescriptor == null || OH_DelayImportDescriptor.VirtualAddress == 0 || DelayLoadDirectoryTable == null) { Console.WriteLine(" No delay-load directory table items"); } else { Console.WriteLine($" Attributes = {DelayLoadDirectoryTable.Attributes}"); Console.WriteLine($" Name RVA = {DelayLoadDirectoryTable.Name}"); Console.WriteLine($" Module handle = {DelayLoadDirectoryTable.ModuleHandle}"); Console.WriteLine($" Delay import address table RVA = {DelayLoadDirectoryTable.DelayImportAddressTable}"); Console.WriteLine($" Delay import name table RVA = {DelayLoadDirectoryTable.DelayImportNameTable}"); Console.WriteLine($" Bound delay import table RVA = {DelayLoadDirectoryTable.BoundDelayImportTable}"); Console.WriteLine($" Unload delay import table RVA = {DelayLoadDirectoryTable.UnloadDelayImportTable}"); Console.WriteLine($" Timestamp = {DelayLoadDirectoryTable.TimeStamp}"); } Console.WriteLine(); } /// /// Print base relocation table information /// private void PrintBaseRelocationTable() { Console.WriteLine(" Base Relocation Table Information:"); Console.WriteLine(" -------------------------"); if (OH_BaseRelocationTable == null || OH_BaseRelocationTable.VirtualAddress == 0 || BaseRelocationTable == null) { Console.WriteLine(" No base relocation table items"); } else { for (int i = 0; i < BaseRelocationTable.Length; i++) { var baseRelocationTableEntry = BaseRelocationTable[i]; Console.WriteLine($" Base Relocation Table Entry {i}"); Console.WriteLine($" Page RVA: {baseRelocationTableEntry.PageRVA}"); Console.WriteLine($" Page physical address: {baseRelocationTableEntry.PageRVA.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Block size: {baseRelocationTableEntry.BlockSize}"); Console.WriteLine($" Base Relocation Table {i} Type and Offset Information:"); Console.WriteLine(" -------------------------"); if (baseRelocationTableEntry.TypeOffsetFieldEntries == null || baseRelocationTableEntry.TypeOffsetFieldEntries.Length == 0) { Console.WriteLine(" No base relocation table type and offset entries"); } else { for (int j = 0; j < baseRelocationTableEntry.TypeOffsetFieldEntries.Length; j++) { var typeOffsetFieldEntry = baseRelocationTableEntry.TypeOffsetFieldEntries[j]; Console.WriteLine($" Type and Offset Entry {j}"); Console.WriteLine($" Type: {typeOffsetFieldEntry.BaseRelocationType}"); Console.WriteLine($" Offset: {typeOffsetFieldEntry.Offset}"); } } } } Console.WriteLine(); } /// /// Print debug table information /// private void PrintDebugTable() { Console.WriteLine(" Debug Table Information:"); Console.WriteLine(" -------------------------"); if (OH_Debug == null || OH_Debug.VirtualAddress == 0 || DebugTable == null) { Console.WriteLine(" No debug table items"); } else { // TODO: If more sections added, model this after the Export Table for (int i = 0; i < DebugTable.DebugDirectoryTable.Length; i++) { var debugDirectoryEntry = DebugTable.DebugDirectoryTable[i]; Console.WriteLine($" Debug Directory Table Entry {i}"); Console.WriteLine($" Characteristics: {debugDirectoryEntry.Characteristics}"); Console.WriteLine($" Time/Date stamp: {debugDirectoryEntry.TimeDateStamp}"); Console.WriteLine($" Major version: {debugDirectoryEntry.MajorVersion}"); Console.WriteLine($" Minor version: {debugDirectoryEntry.MinorVersion}"); Console.WriteLine($" Debug type: {debugDirectoryEntry.DebugType}"); Console.WriteLine($" Size of data: {debugDirectoryEntry.SizeOfData}"); Console.WriteLine($" Address of raw data: {debugDirectoryEntry.AddressOfRawData}"); Console.WriteLine($" Pointer to raw data: {debugDirectoryEntry.PointerToRawData}"); } } Console.WriteLine(); } /// /// Print export table information /// private void PrintExportTable() { Console.WriteLine(" Export Table Information:"); Console.WriteLine(" -------------------------"); if (OH_ExportTable == null || OH_ExportTable.VirtualAddress == 0 || ExportTable == null) { Console.WriteLine(" No export table items"); } else { Console.WriteLine(); Console.WriteLine(" Export Directory Table Information:"); Console.WriteLine(" -------------------------"); Console.WriteLine($" Export flags: {ExportTable.ExportDirectoryTable.ExportFlags}"); Console.WriteLine($" Time/Date stamp: {ExportTable.ExportDirectoryTable.TimeDateStamp}"); Console.WriteLine($" Major version: {ExportTable.ExportDirectoryTable.MajorVersion}"); Console.WriteLine($" Minor version: {ExportTable.ExportDirectoryTable.MinorVersion}"); Console.WriteLine($" Name RVA: {ExportTable.ExportDirectoryTable.NameRVA}"); Console.WriteLine($" Name: {ExportTable.ExportDirectoryTable.Name}"); Console.WriteLine($" Ordinal base: {ExportTable.ExportDirectoryTable.OrdinalBase}"); Console.WriteLine($" Address table entries: {ExportTable.ExportDirectoryTable.AddressTableEntries}"); Console.WriteLine($" Number of name pointers: {ExportTable.ExportDirectoryTable.NumberOfNamePointers}"); Console.WriteLine($" Export address table RVA: {ExportTable.ExportDirectoryTable.ExportAddressTableRVA}"); Console.WriteLine($" Name pointer table RVA: {ExportTable.ExportDirectoryTable.NamePointerRVA}"); Console.WriteLine($" Ordinal table RVA: {ExportTable.ExportDirectoryTable.OrdinalTableRVA}"); Console.WriteLine(); Console.WriteLine(" Export Address Table Information:"); Console.WriteLine(" -------------------------"); if (ExportTable.ExportAddressTable == null || ExportTable.ExportAddressTable.Length == 0) { Console.WriteLine(" No export address table items"); } else { for (int i = 0; i < ExportTable.ExportAddressTable.Length; i++) { var exportAddressTableEntry = ExportTable.ExportAddressTable[i]; Console.WriteLine($" Export Address Table Entry {i}"); Console.WriteLine($" Export RVA / Forwarder RVA: {exportAddressTableEntry.ExportRVA}"); } } Console.WriteLine(); Console.WriteLine(" Name Pointer Table Information:"); Console.WriteLine(" -------------------------"); if (ExportTable.NamePointerTable?.Pointers == null || ExportTable.NamePointerTable.Pointers.Length == 0) { Console.WriteLine(" No name pointer table items"); } else { for (int i = 0; i < ExportTable.NamePointerTable.Pointers.Length; i++) { var namePointerTableEntry = ExportTable.NamePointerTable.Pointers[i]; Console.WriteLine($" Name Pointer Table Entry {i}"); Console.WriteLine($" Pointer: {namePointerTableEntry}"); } } Console.WriteLine(); Console.WriteLine(" Ordinal Table Information:"); Console.WriteLine(" -------------------------"); if (ExportTable.OrdinalTable?.Indexes == null || ExportTable.OrdinalTable.Indexes.Length == 0) { Console.WriteLine(" No ordinal table items"); } else { for (int i = 0; i < ExportTable.OrdinalTable.Indexes.Length; i++) { var ordinalTableEntry = ExportTable.OrdinalTable.Indexes[i]; Console.WriteLine($" Ordinal Table Entry {i}"); Console.WriteLine($" Index: {ordinalTableEntry}"); } } Console.WriteLine(); Console.WriteLine(" Export Name Table Information:"); Console.WriteLine(" -------------------------"); if (ExportTable.ExportNameTable?.Strings == null || ExportTable.ExportNameTable.Strings.Length == 0) { Console.WriteLine(" No export name table items"); } else { for (int i = 0; i < ExportTable.ExportNameTable.Strings.Length; i++) { var exportNameTableEntry = ExportTable.ExportNameTable.Strings[i]; Console.WriteLine($" Export Name Table Entry {i}"); Console.WriteLine($" String: {exportNameTableEntry}"); } } } Console.WriteLine(); } /// /// Print import table information /// private void PrintImportTable() { Console.WriteLine(" Import Table Information:"); Console.WriteLine(" -------------------------"); if (OH_ImportTable == null || OH_ImportTable.VirtualAddress == 0 || ImportTable == null) { Console.WriteLine(" No import table items"); } else { Console.WriteLine(); Console.WriteLine(" Import Directory Table Information:"); Console.WriteLine(" -------------------------"); if (ImportTable.ImportDirectoryTable == null || ImportTable.ImportDirectoryTable.Length == 0) { Console.WriteLine(" No import directory table items"); } else { for (int i = 0; i < ImportTable.ImportDirectoryTable.Length; i++) { var importDirectoryTableEntry = ImportTable.ImportDirectoryTable[i]; Console.WriteLine($" Import Directory Table Entry {i}"); Console.WriteLine($" Import lookup table RVA: {importDirectoryTableEntry.ImportLookupTableRVA}"); Console.WriteLine($" Import lookup table Physical Address: {importDirectoryTableEntry.ImportLookupTableRVA.ConvertVirtualAddress(SectionTable)}"); Console.WriteLine($" Time/Date stamp: {importDirectoryTableEntry.TimeDateStamp}"); Console.WriteLine($" Forwarder chain: {importDirectoryTableEntry.ForwarderChain}"); Console.WriteLine($" Name RVA: {importDirectoryTableEntry.NameRVA}"); Console.WriteLine($" Name: {importDirectoryTableEntry.Name}"); Console.WriteLine($" Import address table RVA: {importDirectoryTableEntry.ImportAddressTableRVA}"); Console.WriteLine($" Import address table Physical Address: {importDirectoryTableEntry.ImportAddressTableRVA.ConvertVirtualAddress(SectionTable)}"); } } Console.WriteLine(); Console.WriteLine(" Import Lookup Tables Information:"); Console.WriteLine(" -------------------------"); if (ImportTable.ImportLookupTables == null || ImportTable.ImportLookupTables.Count == 0) { Console.WriteLine(" No import lookup tables"); } else { foreach (var kvp in ImportTable.ImportLookupTables) { int index = kvp.Key; var importLookupTable = kvp.Value; Console.WriteLine(); Console.WriteLine($" Import Lookup Table {index} Information:"); Console.WriteLine(" -------------------------"); if (importLookupTable == null || importLookupTable.Length == 0) { Console.WriteLine(" No import lookup table items"); } else { for (int i = 0; i < importLookupTable.Length; i++) { var importLookupTableEntry = importLookupTable[i]; Console.WriteLine($" Import Lookup Table {index} Entry {i}"); Console.WriteLine($" Ordinal/Name flag: {importLookupTableEntry.OrdinalNameFlag}"); if (importLookupTableEntry.OrdinalNameFlag) { Console.WriteLine($" Ordinal number: {importLookupTableEntry.OrdinalNumber}"); } else { Console.WriteLine($" Hint/Name table RVA: {importLookupTableEntry.HintNameTableRVA}"); Console.WriteLine($" Hint/Name table Physical Address: {importLookupTableEntry.HintNameTableRVA.ConvertVirtualAddress(SectionTable)}"); } } } } } Console.WriteLine(); Console.WriteLine(" Import Address Tables Information:"); Console.WriteLine(" -------------------------"); if (ImportTable.ImportAddressTables == null || ImportTable.ImportAddressTables.Count == 0) { Console.WriteLine(" No import address tables"); } else { foreach (var kvp in ImportTable.ImportAddressTables) { int index = kvp.Key; var importAddressTable = kvp.Value; Console.WriteLine(); Console.WriteLine($" Import Address Table {index} Information:"); Console.WriteLine(" -------------------------"); if (importAddressTable == null || importAddressTable.Length == 0) { Console.WriteLine(" No import address table items"); } else { for (int i = 0; i < importAddressTable.Length; i++) { var importAddressTableEntry = importAddressTable[i]; Console.WriteLine($" Import Address Table {index} Entry {i}"); Console.WriteLine($" Ordinal/Name flag: {importAddressTableEntry.OrdinalNameFlag}"); if (importAddressTableEntry.OrdinalNameFlag) { Console.WriteLine($" Ordinal number: {importAddressTableEntry.OrdinalNumber}"); } else { Console.WriteLine($" Hint/Name table RVA: {importAddressTableEntry.HintNameTableRVA}"); Console.WriteLine($" Hint/Name table Physical Address: {importAddressTableEntry.HintNameTableRVA.ConvertVirtualAddress(SectionTable)}"); } } } } } Console.WriteLine(); Console.WriteLine(" Hint/Name Table Information:"); Console.WriteLine(" -------------------------"); if (ImportTable.HintNameTable == null || ImportTable.HintNameTable.Length == 0) { Console.WriteLine(" No hint/name table items"); } else { for (int i = 0; i < ImportTable.HintNameTable.Length; i++) { var hintNameTableEntry = ImportTable.HintNameTable[i]; Console.WriteLine($" Hint/Name Table Entry {i}"); Console.WriteLine($" Hint: {hintNameTableEntry.Hint}"); Console.WriteLine($" Name: {hintNameTableEntry.Name}"); } } } Console.WriteLine(); } /// /// Print resource directory table information /// private void PrintResourceDirectoryTable() { Console.WriteLine(" Resource Directory Table Information:"); Console.WriteLine(" -------------------------"); if (OH_ResourceTable == null || OH_ResourceTable.VirtualAddress == 0 || ResourceDirectoryTable == null) { Console.WriteLine(" No resource directory table items"); } else { PrintResourceDirectoryTable(ResourceDirectoryTable, level: 0, types: new List()); } Console.WriteLine(); } /// /// Pretty print the resource directory table information /// private static void PrintResourceDirectoryTable(Models.PortableExecutable.ResourceDirectoryTable table, int level, List types) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Table level: {level}"); Console.WriteLine($"{padding}Characteristics: {table.Characteristics}"); Console.WriteLine($"{padding}Time/Date stamp: {table.TimeDateStamp}"); Console.WriteLine($"{padding}Major version: {table.MajorVersion}"); Console.WriteLine($"{padding}Minor version: {table.MinorVersion}"); Console.WriteLine($"{padding}Number of name entries: {table.NumberOfNameEntries}"); Console.WriteLine($"{padding}Number of ID entries: {table.NumberOfIDEntries}"); Console.WriteLine(); Console.WriteLine($"{padding}Entries"); Console.WriteLine($"{padding}-------------------------"); if (table.NumberOfNameEntries == 0 && table.NumberOfIDEntries == 0) { Console.WriteLine($"{padding}No entries"); Console.WriteLine(); } else { for (int i = 0; i < table.Entries.Length; i++) { var entry = table.Entries[i]; var newTypes = new List(types ?? new List()); if (entry.Name != null) newTypes.Add(Encoding.UTF8.GetString(entry.Name.UnicodeString ?? new byte[0])); else newTypes.Add(entry.IntegerID); PrintResourceDirectoryEntry(entry, level + 1, newTypes); } } } /// /// Pretty print the resource directory entry information /// private static void PrintResourceDirectoryEntry(Models.PortableExecutable.ResourceDirectoryEntry entry, int level, List types) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Item level: {level}"); if (entry.NameOffset != default) { Console.WriteLine($"{padding}Name offset: {entry.NameOffset}"); Console.WriteLine($"{padding}Name ({entry.Name.Length}): {Encoding.UTF8.GetString(entry.Name.UnicodeString ?? new byte[0])}"); } else { Console.WriteLine($"{padding}Integer ID: {entry.IntegerID}"); } if (entry.DataEntry != null) PrintResourceDataEntry(entry.DataEntry, level: level + 1, types); else if (entry.Subdirectory != null) PrintResourceDirectoryTable(entry.Subdirectory, level: level + 1, types); } /// /// Pretty print the resource data entry information /// private static void PrintResourceDataEntry(Models.PortableExecutable.ResourceDataEntry entry, int level, List types) { string padding = new string(' ', (level + 1) * 2); // TODO: Use ordered list of base types to determine the shape of the data Console.WriteLine($"{padding}Base types: {string.Join(", ", types)}"); Console.WriteLine($"{padding}Entry level: {level}"); Console.WriteLine($"{padding}Data RVA: {entry.DataRVA}"); Console.WriteLine($"{padding}Size: {entry.Size}"); Console.WriteLine($"{padding}Codepage: {entry.Codepage}"); Console.WriteLine($"{padding}Reserved: {entry.Reserved}"); // TODO: Print out per-type data if (types != null && types.Count > 0 && types[0] is uint resourceType) { switch ((Models.PortableExecutable.ResourceType)resourceType) { case Models.PortableExecutable.ResourceType.RT_CURSOR: PrintResourceRT_CURSOR(entry, level); break; case Models.PortableExecutable.ResourceType.RT_BITMAP: PrintResourceRT_BITMAP(entry, level); break; case Models.PortableExecutable.ResourceType.RT_ICON: PrintResourceRT_ICON(entry, level); break; case Models.PortableExecutable.ResourceType.RT_MENU: PrintResourceRT_MENU(entry, level); break; case Models.PortableExecutable.ResourceType.RT_DIALOG: PrintResourceRT_DIALOG(entry, level); break; case Models.PortableExecutable.ResourceType.RT_STRING: PrintResourceRT_STRING(entry, level); break; case Models.PortableExecutable.ResourceType.RT_FONTDIR: PrintResourceRT_FONTDIR(entry, level); break; case Models.PortableExecutable.ResourceType.RT_FONT: PrintResourceRT_FONT(entry, level); break; case Models.PortableExecutable.ResourceType.RT_ACCELERATOR: PrintResourceRT_ACCELERATOR(entry, level); break; case Models.PortableExecutable.ResourceType.RT_RCDATA: PrintResourceRT_RCDATA(entry, level); break; case Models.PortableExecutable.ResourceType.RT_MESSAGETABLE: PrintResourceRT_MESSAGETABLE(entry, level); break; case Models.PortableExecutable.ResourceType.RT_GROUP_CURSOR: PrintResourceRT_GROUP_CURSOR(entry, level); break; case Models.PortableExecutable.ResourceType.RT_GROUP_ICON: PrintResourceRT_GROUP_ICON(entry, level); break; case Models.PortableExecutable.ResourceType.RT_VERSION: PrintResourceRT_VERSION(entry, level); break; case Models.PortableExecutable.ResourceType.RT_DLGINCLUDE: PrintResourceRT_DLGINCLUDE(entry, level); break; case Models.PortableExecutable.ResourceType.RT_PLUGPLAY: PrintResourceRT_PLUGPLAY(entry, level); break; case Models.PortableExecutable.ResourceType.RT_VXD: PrintResourceRT_VXD(entry, level); break; case Models.PortableExecutable.ResourceType.RT_ANICURSOR: PrintResourceRT_ANICURSOR(entry, level); break; case Models.PortableExecutable.ResourceType.RT_ANIICON: PrintResourceRT_ANIICON(entry, level); break; case Models.PortableExecutable.ResourceType.RT_HTML: PrintResourceRT_HTML(entry, level); break; case Models.PortableExecutable.ResourceType.RT_MANIFEST: PrintResourceRT_MANIFEST(entry, level); break; default: PrintResourceUNKNOWN(entry, level, types[0]); break; } } else if (types != null && types.Count > 0 && types[0] is string resourceString) { PrintResourceUNKNOWN(entry, level, types[0]); } Console.WriteLine(); } /// /// Print an RT_CURSOR resource /// private static void PrintResourceRT_CURSOR(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Hardware-dependent cursor resource found, not parsed yet"); } /// /// Print an RT_BITMAP resource /// private static void PrintResourceRT_BITMAP(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Bitmap resource found, not parsed yet"); } /// /// Print an RT_ICON resource /// private static void PrintResourceRT_ICON(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Hardware-dependent icon resource found, not parsed yet"); } /// /// Print an RT_MENU resource /// private static void PrintResourceRT_MENU(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.MenuResource menu = null; try { menu = entry.AsMenu(); } catch { } if (menu == null) { Console.WriteLine($"{padding}Menu resource found, but malformed"); return; } if (menu.MenuHeader != null) { Console.WriteLine($"{padding}Version: {menu.MenuHeader.Version}"); Console.WriteLine($"{padding}Header size: {menu.MenuHeader.HeaderSize}"); Console.WriteLine(); Console.WriteLine($"{padding}Menu items"); Console.WriteLine($"{padding}-------------------------"); if (menu.MenuItems == null || menu.MenuItems.Length == 0) { Console.WriteLine($"{padding}No menu items"); return; } for (int i = 0; i < menu.MenuItems.Length; i++) { var menuItem = menu.MenuItems[i]; Console.WriteLine($"{padding}Menu item {i}"); if (menuItem.NormalMenuText != null) { Console.WriteLine($"{padding} Resource info: {menuItem.NormalResInfo}"); Console.WriteLine($"{padding} Menu text: {menuItem.NormalMenuText}"); } else { Console.WriteLine($"{padding} Item type: {menuItem.PopupItemType}"); Console.WriteLine($"{padding} State: {menuItem.PopupState}"); Console.WriteLine($"{padding} ID: {menuItem.PopupID}"); Console.WriteLine($"{padding} Resource info: {menuItem.PopupResInfo}"); Console.WriteLine($"{padding} Menu text: {menuItem.PopupMenuText}"); } } } else if (menu.ExtendedMenuHeader != null) { Console.WriteLine($"{padding}Version: {menu.ExtendedMenuHeader.Version}"); Console.WriteLine($"{padding}Offset: {menu.ExtendedMenuHeader.Offset}"); Console.WriteLine($"{padding}Help ID: {menu.ExtendedMenuHeader.HelpID}"); Console.WriteLine(); Console.WriteLine($"{padding}Menu items"); Console.WriteLine($"{padding}-------------------------"); if (menu.ExtendedMenuHeader.Offset == 0 || menu.ExtendedMenuItems == null || menu.ExtendedMenuItems.Length == 0) { Console.WriteLine($"{padding}No menu items"); return; } for (int i = 0; i < menu.ExtendedMenuItems.Length; i++) { var menuItem = menu.ExtendedMenuItems[i]; Console.WriteLine($"{padding}Dialog item template {i}"); Console.WriteLine($"{padding} Item type: {menuItem.ItemType}"); Console.WriteLine($"{padding} State: {menuItem.State}"); Console.WriteLine($"{padding} ID: {menuItem.ID}"); Console.WriteLine($"{padding} Flags: {menuItem.Flags}"); Console.WriteLine($"{padding} Menu text: {menuItem.MenuText}"); } } else { Console.WriteLine($"{padding}Menu resource found, but malformed"); } } /// /// Print an RT_DIALOG resource /// private static void PrintResourceRT_DIALOG(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.DialogBoxResource dialogBox = null; try { dialogBox = entry.AsDialogBox(); } catch { } if (dialogBox == null) { Console.WriteLine($"{padding}Dialog box resource found, but malformed"); return; } if (dialogBox.DialogTemplate != null) { Console.WriteLine($"{padding}Style: {dialogBox.DialogTemplate.Style}"); Console.WriteLine($"{padding}Extended style: {dialogBox.DialogTemplate.ExtendedStyle}"); Console.WriteLine($"{padding}Item count: {dialogBox.DialogTemplate.ItemCount}"); Console.WriteLine($"{padding}X-coordinate of upper-left corner: {dialogBox.DialogTemplate.PositionX}"); Console.WriteLine($"{padding}Y-coordinate of upper-left corner: {dialogBox.DialogTemplate.PositionY}"); Console.WriteLine($"{padding}Width of the dialog box: {dialogBox.DialogTemplate.WidthX}"); Console.WriteLine($"{padding}Height of the dialog box: {dialogBox.DialogTemplate.HeightY}"); Console.WriteLine($"{padding}Menu resource: {dialogBox.DialogTemplate.MenuResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Menu resource ordinal: {dialogBox.DialogTemplate.MenuResourceOrdinal}"); Console.WriteLine($"{padding}Class resource: {dialogBox.DialogTemplate.ClassResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Class resource ordinal: {dialogBox.DialogTemplate.ClassResourceOrdinal}"); Console.WriteLine($"{padding}Title resource: {dialogBox.DialogTemplate.TitleResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Point size value: {dialogBox.DialogTemplate.PointSizeValue}"); Console.WriteLine($"{padding}Typeface: {dialogBox.DialogTemplate.Typeface ?? "[EMPTY]"}"); Console.WriteLine(); Console.WriteLine($"{padding}Dialog item templates"); Console.WriteLine($"{padding}-------------------------"); if (dialogBox.DialogTemplate.ItemCount == 0 || dialogBox.DialogItemTemplates == null || dialogBox.DialogItemTemplates.Length == 0) { Console.WriteLine($"{padding}No dialog item templates"); return; } for (int i = 0; i < dialogBox.DialogItemTemplates.Length; i++) { var dialogItemTemplate = dialogBox.DialogItemTemplates[i]; Console.WriteLine($"{padding}Dialog item template {i}"); Console.WriteLine($"{padding} Style: {dialogItemTemplate.Style}"); Console.WriteLine($"{padding} Extended style: {dialogItemTemplate.ExtendedStyle}"); Console.WriteLine($"{padding} X-coordinate of upper-left corner: {dialogItemTemplate.PositionX}"); Console.WriteLine($"{padding} Y-coordinate of upper-left corner: {dialogItemTemplate.PositionY}"); Console.WriteLine($"{padding} Width of the control: {dialogItemTemplate.WidthX}"); Console.WriteLine($"{padding} Height of the control: {dialogItemTemplate.HeightY}"); Console.WriteLine($"{padding} ID: {dialogItemTemplate.ID}"); Console.WriteLine($"{padding} Class resource: {dialogItemTemplate.ClassResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding} Class resource ordinal: {dialogItemTemplate.ClassResourceOrdinal}"); Console.WriteLine($"{padding} Title resource: {dialogItemTemplate.TitleResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding} Title resource ordinal: {dialogItemTemplate.TitleResourceOrdinal}"); Console.WriteLine($"{padding} Creation data size: {dialogItemTemplate.CreationDataSize}"); if (dialogItemTemplate.CreationData != null && dialogItemTemplate.CreationData.Length != 0) Console.WriteLine($"{padding} Creation data: {BitConverter.ToString(dialogItemTemplate.CreationData).Replace("-", string.Empty)}"); else Console.WriteLine($"{padding} Creation data: [EMPTY]"); } } else if (dialogBox.ExtendedDialogTemplate != null) { Console.WriteLine($"{padding}Version: {dialogBox.ExtendedDialogTemplate.Version}"); Console.WriteLine($"{padding}Signature: {dialogBox.ExtendedDialogTemplate.Signature}"); Console.WriteLine($"{padding}Help ID: {dialogBox.ExtendedDialogTemplate.HelpID}"); Console.WriteLine($"{padding}Extended style: {dialogBox.ExtendedDialogTemplate.ExtendedStyle}"); Console.WriteLine($"{padding}Style: {dialogBox.ExtendedDialogTemplate.Style}"); Console.WriteLine($"{padding}Item count: {dialogBox.ExtendedDialogTemplate.DialogItems}"); Console.WriteLine($"{padding}X-coordinate of upper-left corner: {dialogBox.ExtendedDialogTemplate.PositionX}"); Console.WriteLine($"{padding}Y-coordinate of upper-left corner: {dialogBox.ExtendedDialogTemplate.PositionY}"); Console.WriteLine($"{padding}Width of the dialog box: {dialogBox.ExtendedDialogTemplate.WidthX}"); Console.WriteLine($"{padding}Height of the dialog box: {dialogBox.ExtendedDialogTemplate.HeightY}"); Console.WriteLine($"{padding}Menu resource: {dialogBox.ExtendedDialogTemplate.MenuResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Menu resource ordinal: {dialogBox.ExtendedDialogTemplate.MenuResourceOrdinal}"); Console.WriteLine($"{padding}Class resource: {dialogBox.ExtendedDialogTemplate.ClassResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Class resource ordinal: {dialogBox.ExtendedDialogTemplate.ClassResourceOrdinal}"); Console.WriteLine($"{padding}Title resource: {dialogBox.ExtendedDialogTemplate.TitleResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding}Point size: {dialogBox.ExtendedDialogTemplate.PointSize}"); Console.WriteLine($"{padding}Weight: {dialogBox.ExtendedDialogTemplate.Weight}"); Console.WriteLine($"{padding}Italic: {dialogBox.ExtendedDialogTemplate.Italic}"); Console.WriteLine($"{padding}Character set: {dialogBox.ExtendedDialogTemplate.CharSet}"); Console.WriteLine($"{padding}Typeface: {dialogBox.ExtendedDialogTemplate.Typeface ?? "[EMPTY]"}"); Console.WriteLine(); Console.WriteLine($"{padding}Dialog item templates"); Console.WriteLine($"{padding}-------------------------"); if (dialogBox.ExtendedDialogTemplate.DialogItems == 0 || dialogBox.ExtendedDialogItemTemplates == null || dialogBox.ExtendedDialogItemTemplates.Length == 0) { Console.WriteLine($"{padding}No dialog item templates"); return; } for (int i = 0; i < dialogBox.ExtendedDialogItemTemplates.Length; i++) { var dialogItemTemplate = dialogBox.ExtendedDialogItemTemplates[i]; Console.WriteLine($"{padding}Dialog item template {i}"); Console.WriteLine($"{padding} Help ID: {dialogItemTemplate.HelpID}"); Console.WriteLine($"{padding} Extended style: {dialogItemTemplate.ExtendedStyle}"); Console.WriteLine($"{padding} Style: {dialogItemTemplate.Style}"); Console.WriteLine($"{padding} X-coordinate of upper-left corner: {dialogItemTemplate.PositionX}"); Console.WriteLine($"{padding} Y-coordinate of upper-left corner: {dialogItemTemplate.PositionY}"); Console.WriteLine($"{padding} Width of the control: {dialogItemTemplate.WidthX}"); Console.WriteLine($"{padding} Height of the control: {dialogItemTemplate.HeightY}"); Console.WriteLine($"{padding} ID: {dialogItemTemplate.ID}"); Console.WriteLine($"{padding} Class resource: {dialogItemTemplate.ClassResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding} Class resource ordinal: {dialogItemTemplate.ClassResourceOrdinal}"); Console.WriteLine($"{padding} Title resource: {dialogItemTemplate.TitleResource ?? "[EMPTY]"}"); Console.WriteLine($"{padding} Title resource ordinal: {dialogItemTemplate.TitleResourceOrdinal}"); Console.WriteLine($"{padding} Creation data size: {dialogItemTemplate.CreationDataSize}"); if (dialogItemTemplate.CreationData != null && dialogItemTemplate.CreationData.Length != 0) Console.WriteLine($"{padding} Creation data: {BitConverter.ToString(dialogItemTemplate.CreationData).Replace("-", string.Empty)}"); else Console.WriteLine($"{padding} Creation data: [EMPTY]"); } } else { Console.WriteLine($"{padding}Dialog box resource found, but malformed"); } } /// /// Print an RT_STRING resource /// private static void PrintResourceRT_STRING(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Dictionary stringTable = null; try { stringTable = entry.AsStringTable(); } catch { } if (stringTable == null) { Console.WriteLine($"{padding}String table resource found, but malformed"); return; } foreach (var kvp in stringTable) { int index = kvp.Key; string stringValue = kvp.Value; Console.WriteLine($"{padding}String entry {index}: {stringValue}"); } } /// /// Print an RT_FONTDIR resource /// private static void PrintResourceRT_FONTDIR(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Font directory resource found, not parsed yet"); } /// /// Print an RT_FONT resource /// private static void PrintResourceRT_FONT(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Font resource found, not parsed yet"); } /// /// Print an RT_ACCELERATOR resource /// private static void PrintResourceRT_ACCELERATOR(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.AcceleratorTableEntry[] acceleratorTable = null; try { acceleratorTable = entry.AsAcceleratorTableResource(); } catch { } if (acceleratorTable == null) { Console.WriteLine($"{padding}Accelerator table resource found, but malformed"); return; } for (int i = 0; i < acceleratorTable.Length; i++) { var acceleratorTableEntry = acceleratorTable[i]; Console.WriteLine($"{padding}Accelerator Table Entry {i}:"); Console.WriteLine($"{padding} Flags: {acceleratorTableEntry.Flags}"); Console.WriteLine($"{padding} Ansi: {acceleratorTableEntry.Ansi}"); Console.WriteLine($"{padding} Id: {acceleratorTableEntry.Id}"); Console.WriteLine($"{padding} Padding: {acceleratorTableEntry.Padding}"); } } /// /// Print an RT_RCDATA resource /// private static void PrintResourceRT_RCDATA(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Application-defined resource found, not parsed yet"); // Then print the data, if needed if (entry.Data[0] == 0x4D && entry.Data[1] == 0x5A) { Console.WriteLine($"{padding}Data: [Embedded Executable File]"); // TODO: Parse this out and print separately } else if (entry.Data[0] == 0x4D && entry.Data[1] == 0x53 && entry.Data[2] == 0x46 && entry.Data[3] == 0x54) { Console.WriteLine($"{padding}Data: [Embedded OLE Library File]"); // TODO: Parse this out and print separately } else { //if (entry.Data != null) // Console.WriteLine($"{padding}Value (Byte Data): {BitConverter.ToString(entry.Data).Replace('-', ' ')}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (ASCII): {Encoding.ASCII.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (UTF-8): {Encoding.UTF8.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (Unicode): {Encoding.Unicode.GetString(entry.Data)}"); } } /// /// Print an RT_MESSAGETABLE resource /// private static void PrintResourceRT_MESSAGETABLE(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.MessageResourceData messageTable = null; try { messageTable = entry.AsMessageResourceData(); } catch { } if (messageTable == null) { Console.WriteLine($"{padding}Message resource data found, but malformed"); return; } Console.WriteLine($"{padding}Number of blocks: {messageTable.NumberOfBlocks}"); Console.WriteLine(); Console.WriteLine($"{padding}Message resource blocks"); Console.WriteLine($"{padding}-------------------------"); if (messageTable.NumberOfBlocks == 0 || messageTable.Blocks == null || messageTable.Blocks.Length == 0) { Console.WriteLine($"{padding}No message resource blocks"); } else { for (int i = 0; i < messageTable.Blocks.Length; i++) { var messageResourceBlock = messageTable.Blocks[i]; Console.WriteLine($"{padding}Message resource block {i}"); Console.WriteLine($"{padding} Low ID: {messageResourceBlock.LowId}"); Console.WriteLine($"{padding} High ID: {messageResourceBlock.HighId}"); Console.WriteLine($"{padding} Offset to entries: {messageResourceBlock.OffsetToEntries}"); } } Console.WriteLine(); Console.WriteLine($"{padding}Message resource entries"); Console.WriteLine($"{padding}-------------------------"); if (messageTable.Entries == null || messageTable.Entries.Count == 0) { Console.WriteLine($"{padding}No message resource entries"); } else { foreach (var kvp in messageTable.Entries) { uint index = kvp.Key; var messageResourceEntry = kvp.Value; Console.WriteLine($"{padding}Message resource entry {index}"); Console.WriteLine($"{padding} Length: {messageResourceEntry.Length}"); Console.WriteLine($"{padding} Flags: {messageResourceEntry.Flags}"); Console.WriteLine($"{padding} Text: {messageResourceEntry.Text}"); } } } /// /// Print an RT_GROUP_CURSOR resource /// private static void PrintResourceRT_GROUP_CURSOR(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Hardware-independent cursor resource found, not parsed yet"); } /// /// Print an RT_GROUP_ICON resource /// private static void PrintResourceRT_GROUP_ICON(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Hardware-independent icon resource found, not parsed yet"); } /// /// Print an RT_VERSION resource /// private static void PrintResourceRT_VERSION(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.VersionInfo versionInfo = null; try { versionInfo = entry.AsVersionInfo(); } catch { } if (versionInfo == null) { Console.WriteLine($"{padding}Version info resource found, but malformed"); return; } Console.WriteLine($"{padding}Length: {versionInfo.Length}"); Console.WriteLine($"{padding}Value length: {versionInfo.ValueLength}"); Console.WriteLine($"{padding}Resource type: {versionInfo.ResourceType}"); Console.WriteLine($"{padding}Key: {versionInfo.Key}"); if (versionInfo.ValueLength != 0 && versionInfo.Value != null) { Console.WriteLine($"{padding}[Fixed File Info] Signature: {versionInfo.Value.Signature}"); Console.WriteLine($"{padding}[Fixed File Info] Struct version: {versionInfo.Value.StrucVersion}"); Console.WriteLine($"{padding}[Fixed File Info] File version (MS): {versionInfo.Value.FileVersionMS}"); Console.WriteLine($"{padding}[Fixed File Info] File version (LS): {versionInfo.Value.FileVersionLS}"); Console.WriteLine($"{padding}[Fixed File Info] Product version (MS): {versionInfo.Value.ProductVersionMS}"); Console.WriteLine($"{padding}[Fixed File Info] Product version (LS): {versionInfo.Value.ProductVersionLS}"); Console.WriteLine($"{padding}[Fixed File Info] File flags mask: {versionInfo.Value.FileFlagsMask}"); Console.WriteLine($"{padding}[Fixed File Info] File flags: {versionInfo.Value.FileFlags}"); Console.WriteLine($"{padding}[Fixed File Info] File OS: {versionInfo.Value.FileOS}"); Console.WriteLine($"{padding}[Fixed File Info] Type: {versionInfo.Value.FileType}"); Console.WriteLine($"{padding}[Fixed File Info] Subtype: {versionInfo.Value.FileSubtype}"); Console.WriteLine($"{padding}[Fixed File Info] File date (MS): {versionInfo.Value.FileDateMS}"); Console.WriteLine($"{padding}[Fixed File Info] File date (LS): {versionInfo.Value.FileDateLS}"); } if (versionInfo.StringFileInfo != null) { Console.WriteLine($"{padding}[String File Info] Length: {versionInfo.StringFileInfo.Length}"); Console.WriteLine($"{padding}[String File Info] Value length: {versionInfo.StringFileInfo.ValueLength}"); Console.WriteLine($"{padding}[String File Info] Resource type: {versionInfo.StringFileInfo.ResourceType}"); Console.WriteLine($"{padding}[String File Info] Key: {versionInfo.StringFileInfo.Key}"); Console.WriteLine($"{padding}Children:"); Console.WriteLine($"{padding}-------------------------"); if (versionInfo.StringFileInfo.Children == null || versionInfo.StringFileInfo.Children.Length == 0) { Console.WriteLine($"{padding}No string file info children"); } else { for (int i = 0; i < versionInfo.StringFileInfo.Children.Length; i++) { var stringFileInfoChildEntry = versionInfo.StringFileInfo.Children[i]; Console.WriteLine($"{padding} [String Table {i}] Length: {stringFileInfoChildEntry.Length}"); Console.WriteLine($"{padding} [String Table {i}] Value length: {stringFileInfoChildEntry.ValueLength}"); Console.WriteLine($"{padding} [String Table {i}] ResourceType: {stringFileInfoChildEntry.ResourceType}"); Console.WriteLine($"{padding} [String Table {i}] Key: {stringFileInfoChildEntry.Key}"); Console.WriteLine($"{padding} [String Table {i}] Children:"); Console.WriteLine($"{padding} -------------------------"); if (stringFileInfoChildEntry.Children == null || stringFileInfoChildEntry.Children.Length == 0) { Console.WriteLine($"{padding} No string table {i} children"); } else { for (int j = 0; j < stringFileInfoChildEntry.Children.Length; j++) { var stringDataEntry = stringFileInfoChildEntry.Children[j]; Console.WriteLine($"{padding} [String Data {j}] Length: {stringDataEntry.Length}"); Console.WriteLine($"{padding} [String Data {j}] Value length: {stringDataEntry.ValueLength}"); Console.WriteLine($"{padding} [String Data {j}] ResourceType: {stringDataEntry.ResourceType}"); Console.WriteLine($"{padding} [String Data {j}] Key: {stringDataEntry.Key}"); Console.WriteLine($"{padding} [String Data {j}] Value: {stringDataEntry.Value}"); } } } } } if (versionInfo.VarFileInfo != null) { Console.WriteLine($"{padding}[Var File Info] Length: {versionInfo.VarFileInfo.Length}"); Console.WriteLine($"{padding}[Var File Info] Value length: {versionInfo.VarFileInfo.ValueLength}"); Console.WriteLine($"{padding}[Var File Info] Resource type: {versionInfo.VarFileInfo.ResourceType}"); Console.WriteLine($"{padding}[Var File Info] Key: {versionInfo.VarFileInfo.Key}"); Console.WriteLine($"{padding}Children:"); Console.WriteLine($"{padding}-------------------------"); if (versionInfo.VarFileInfo.Children == null || versionInfo.VarFileInfo.Children.Length == 0) { Console.WriteLine($"{padding}No var file info children"); } else { for (int i = 0; i < versionInfo.VarFileInfo.Children.Length; i++) { var varFileInfoChildEntry = versionInfo.VarFileInfo.Children[i]; Console.WriteLine($"{padding} [String Table {i}] Length: {varFileInfoChildEntry.Length}"); Console.WriteLine($"{padding} [String Table {i}] Value length: {varFileInfoChildEntry.ValueLength}"); Console.WriteLine($"{padding} [String Table {i}] ResourceType: {varFileInfoChildEntry.ResourceType}"); Console.WriteLine($"{padding} [String Table {i}] Key: {varFileInfoChildEntry.Key}"); Console.WriteLine($"{padding} [String Table {i}] Value: {string.Join(",", varFileInfoChildEntry.Value)}"); } } } } /// /// Print an RT_DLGINCLUDE resource /// private static void PrintResourceRT_DLGINCLUDE(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}External header resource found, not parsed yet"); } /// /// Print an RT_PLUGPLAY resource /// private static void PrintResourceRT_PLUGPLAY(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Plug and Play resource found, not parsed yet"); } /// /// Print an RT_VXD resource /// private static void PrintResourceRT_VXD(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}VXD found, not parsed yet"); } /// /// Print an RT_ANICURSOR resource /// private static void PrintResourceRT_ANICURSOR(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Animated cursor found, not parsed yet"); } /// /// Print an RT_ANIICON resource /// private static void PrintResourceRT_ANIICON(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}Animated icon found, not parsed yet"); } /// /// Print an RT_HTML resource /// private static void PrintResourceRT_HTML(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Console.WriteLine($"{padding}HTML resource found, not parsed yet"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (ASCII): {Encoding.ASCII.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (UTF-8): {Encoding.UTF8.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (Unicode): {Encoding.Unicode.GetString(entry.Data)}"); } /// /// Print an RT_MANIFEST resource /// private static void PrintResourceRT_MANIFEST(Models.PortableExecutable.ResourceDataEntry entry, int level) { string padding = new string(' ', (level + 1) * 2); Models.PortableExecutable.AssemblyManifest assemblyManifest = null; try { assemblyManifest = entry.AsAssemblyManifest(); } catch { } if (assemblyManifest == null) { Console.WriteLine($"{padding}Assembly manifest found, but malformed"); return; } Console.WriteLine($"{padding}Manifest version: {assemblyManifest.ManifestVersion}"); if (assemblyManifest.AssemblyIdentities != null && assemblyManifest.AssemblyIdentities.Length > 0) { for (int i = 0; i < assemblyManifest.AssemblyIdentities.Length; i++) { var assemblyIdentity = assemblyManifest.AssemblyIdentities[i]; Console.WriteLine($"{padding}[Assembly Identity {i}] Name: {assemblyIdentity.Name}"); Console.WriteLine($"{padding}[Assembly Identity {i}] Version: {assemblyIdentity.Version}"); Console.WriteLine($"{padding}[Assembly Identity {i}] Type: {assemblyIdentity.Type}"); Console.WriteLine($"{padding}[Assembly Identity {i}] Processor architecture: {assemblyIdentity.ProcessorArchitecture}"); Console.WriteLine($"{padding}[Assembly Identity {i}] Public key token: {assemblyIdentity.PublicKeyToken}"); Console.WriteLine($"{padding}[Assembly Identity {i}] Language: {assemblyIdentity.Language}"); } } if (assemblyManifest.Description != null) Console.WriteLine($"{padding}[Assembly Description] Value: {assemblyManifest.Description.Value}"); if (assemblyManifest.COMInterfaceExternalProxyStub != null && assemblyManifest.COMInterfaceExternalProxyStub.Length > 0) { for (int i = 0; i < assemblyManifest.COMInterfaceExternalProxyStub.Length; i++) { var comInterfaceExternalProxyStub = assemblyManifest.COMInterfaceExternalProxyStub[i]; Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] IID: {comInterfaceExternalProxyStub.IID}"); Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] Name: {comInterfaceExternalProxyStub.Name}"); Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] TLBID: {comInterfaceExternalProxyStub.TLBID}"); Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] Number of methods: {comInterfaceExternalProxyStub.NumMethods}"); Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] Proxy stub (CLSID32): {comInterfaceExternalProxyStub.ProxyStubClsid32}"); Console.WriteLine($"{padding}[COM Interface External Proxy Stub {i}] Base interface: {comInterfaceExternalProxyStub.BaseInterface}"); } } if (assemblyManifest.Dependency != null && assemblyManifest.Dependency.Length > 0) { for (int i = 0; i < assemblyManifest.Dependency.Length; i++) { var dependency = assemblyManifest.Dependency[i]; if (dependency.DependentAssembly != null) { if (dependency.DependentAssembly.AssemblyIdentity != null) { Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Name: {dependency.DependentAssembly.AssemblyIdentity.Name}"); Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Version: {dependency.DependentAssembly.AssemblyIdentity.Version}"); Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Type: {dependency.DependentAssembly.AssemblyIdentity.Type}"); Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Processor architecture: {dependency.DependentAssembly.AssemblyIdentity.ProcessorArchitecture}"); Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Public key token: {dependency.DependentAssembly.AssemblyIdentity.PublicKeyToken}"); Console.WriteLine($"{padding}[Dependency {i} Assembly Identity] Language: {dependency.DependentAssembly.AssemblyIdentity.Language}"); } if (dependency.DependentAssembly.BindingRedirect != null && dependency.DependentAssembly.BindingRedirect.Length > 0) { for (int j = 0; j < dependency.DependentAssembly.BindingRedirect.Length; j++) { var bindingRedirect = dependency.DependentAssembly.BindingRedirect[j]; Console.WriteLine($"{padding}[Dependency {i} Binding Redirect {j}] Old version: {bindingRedirect.OldVersion}"); Console.WriteLine($"{padding}[Dependency {i} Binding Redirect {j}] New version: {bindingRedirect.NewVersion}"); } } } Console.WriteLine($"{padding}[Dependency {i}] Optional: {dependency.Optional}"); } } if (assemblyManifest.File != null && assemblyManifest.File.Length > 0) { for (int i = 0; i < assemblyManifest.File.Length; i++) { var file = assemblyManifest.File[i]; Console.WriteLine($"{padding}[File {i}] Name: {file.Name}"); Console.WriteLine($"{padding}[File {i}] Hash: {file.Hash}"); Console.WriteLine($"{padding}[File {i}] Hash algorithm: {file.HashAlgorithm}"); Console.WriteLine($"{padding}[File {i}] Size: {file.Size}"); if (file.COMClass != null && file.COMClass.Length > 0) { for (int j = 0; j < file.COMClass.Length; j++) { var comClass = file.COMClass[j]; Console.WriteLine($"{padding}[File {i} COM Class {j}] CLSID: {comClass.CLSID}"); Console.WriteLine($"{padding}[File {i} COM Class {j}] Threading model: {comClass.ThreadingModel}"); Console.WriteLine($"{padding}[File {i} COM Class {j}] Prog ID: {comClass.ProgID}"); Console.WriteLine($"{padding}[File {i} COM Class {j}] TLBID: {comClass.TLBID}"); Console.WriteLine($"{padding}[File {i} COM Class {j}] Description: {comClass.Description}"); if (comClass.ProgIDs != null && comClass.ProgIDs.Length > 0) { for (int k = 0; k < comClass.ProgIDs.Length; k++) { var progId = comClass.ProgIDs[k]; Console.WriteLine($"{padding}[File {i} COM Class {j} Prog ID {k}] Value: {progId.Value}"); } } } } if (file.COMInterfaceProxyStub != null && file.COMInterfaceProxyStub.Length > 0) { for (int j = 0; j < file.COMInterfaceProxyStub.Length; j++) { var comInterfaceProxyStub = file.COMInterfaceProxyStub[j]; Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] IID: {comInterfaceProxyStub.IID}"); Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] Name: {comInterfaceProxyStub.Name}"); Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] TLBID: {comInterfaceProxyStub.TLBID}"); Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] Number of methods: {comInterfaceProxyStub.NumMethods}"); Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] Proxy stub (CLSID32): {comInterfaceProxyStub.ProxyStubClsid32}"); Console.WriteLine($"{padding}[File {i} COM Interface Proxy Stub {j}] Base interface: {comInterfaceProxyStub.BaseInterface}"); } } if (file.Typelib != null && file.Typelib.Length > 0) { for (int j = 0; j < file.Typelib.Length; j++) { var typeLib = file.Typelib[j]; Console.WriteLine($"{padding}[File {i} Type Lib {j}] TLBID: {typeLib.TLBID}"); Console.WriteLine($"{padding}[File {i} Type Lib {j}] Version: {typeLib.Version}"); Console.WriteLine($"{padding}[File {i} Type Lib {j}] Help directory: {typeLib.HelpDir}"); Console.WriteLine($"{padding}[File {i} Type Lib {j}] Resource ID: {typeLib.ResourceID}"); Console.WriteLine($"{padding}[File {i} Type Lib {j}] Flags: {typeLib.Flags}"); } } if (file.WindowClass != null && file.WindowClass.Length > 0) { for (int j = 0; j < file.WindowClass.Length; j++) { var windowClass = file.WindowClass[j]; Console.WriteLine($"{padding}[File {i} Window Class {j}] Versioned: {windowClass.Versioned}"); Console.WriteLine($"{padding}[File {i} Window Class {j}] Value: {windowClass.Value}"); } } } } if (assemblyManifest.EverythingElse != null && assemblyManifest.EverythingElse.Length > 0) { for (int i = 0; i < assemblyManifest.EverythingElse.Length; i++) { var thing = assemblyManifest.EverythingElse[i]; if (thing is XmlElement element) { Console.WriteLine($"{padding}Unparsed XML Element {i}: {element.OuterXml}"); } else { Console.WriteLine($"{padding}Unparsed Item {i}: {thing}"); } } } } /// /// Print an UNKNOWN or custom resource /// private static void PrintResourceUNKNOWN(Models.PortableExecutable.ResourceDataEntry entry, int level, object resourceType) { string padding = new string(' ', (level + 1) * 2); // Print the type first if (resourceType is uint numericType) Console.WriteLine($"{padding}Type {(Models.PortableExecutable.ResourceType)numericType} found, not parsed yet"); else if (resourceType is string stringType) Console.WriteLine($"{padding}Type {stringType} found, not parsed yet"); else Console.WriteLine($"{padding}Unknown type {resourceType} found, not parsed yet"); // Then print the data, if needed if (entry.Data[0] == 0x4D && entry.Data[1] == 0x5A) { Console.WriteLine($"{padding}Data: [Embedded Executable File]"); // TODO: Parse this out and print separately } else if (entry.Data[0] == 0x4D && entry.Data[1] == 0x53 && entry.Data[2] == 0x46 && entry.Data[3] == 0x54) { Console.WriteLine($"{padding}Data: [Embedded OLE Library File]"); // TODO: Parse this out and print separately } else { //if (entry.Data != null) // Console.WriteLine($"{padding}Value (Byte Data): {BitConverter.ToString(entry.Data).Replace('-', ' ')}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (ASCII): {Encoding.ASCII.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (UTF-8): {Encoding.UTF8.GetString(entry.Data)}"); //if (entry.Data != null) // Console.WriteLine($"{padding}Value (Unicode): {Encoding.Unicode.GetString(entry.Data)}"); } } #endregion #region Debug Data /// /// Find CodeView debug data by path /// /// Partial path to check for /// Enumerable of matching debug data public IEnumerable FindCodeViewDebugTableByPath(string path) { // Ensure that we have the debug data cached if (DebugData == null) return Enumerable.Empty(); var nb10Found = DebugData.Select(r => r.Value) .Select(r => r as Models.PortableExecutable.NB10ProgramDatabase) .Where(n => n != null) .Where(n => n.PdbFileName.Contains(path)) .Select(n => (object)n); var rsdsFound = DebugData.Select(r => r.Value) .Select(r => r as Models.PortableExecutable.RSDSProgramDatabase) .Where(r => r != null) .Where(r => r.PathAndFileName.Contains(path)) .Select(r => (object)r); return nb10Found.Concat(rsdsFound); } /// /// Find unparsed debug data by string value /// /// String value to check for /// Enumerable of matching debug data public IEnumerable FindGenericDebugTableByValue(string value) { // Ensure that we have the resource data cached if (DebugData == null) return Enumerable.Empty(); return DebugData.Select(r => r.Value) .Select(b => b as byte[]) .Where(b => b != null) .Where(b => { try { string arrayAsASCII = Encoding.ASCII.GetString(b); if (arrayAsASCII.Contains(value)) return true; } catch { } try { string arrayAsUTF8 = Encoding.UTF8.GetString(b); if (arrayAsUTF8.Contains(value)) return true; } catch { } try { string arrayAsUnicode = Encoding.Unicode.GetString(b); if (arrayAsUnicode.Contains(value)) return true; } catch { } return false; }); } #endregion #region Debug Parsing /// /// Parse the debug directory table information /// private void ParseDebugTable() { // Loop through all debug table entries for (int i = 0; i < DebugTable.DebugDirectoryTable.Length; i++) { var entry = DebugTable.DebugDirectoryTable[i]; uint address = entry.PointerToRawData; uint size = entry.SizeOfData; byte[] entryData = ReadFromDataSource((int)address, (int)size); // If we have CodeView debug data, try to parse it if (entry.DebugType == Models.PortableExecutable.DebugType.IMAGE_DEBUG_TYPE_CODEVIEW) { // Read the signature int offset = 0; uint signature = entryData.ReadUInt32(ref offset); // Reset the offset offset = 0; // NB10 if (signature == 0x3031424E) { var nb10ProgramDatabase = entryData.AsNB10ProgramDatabase(ref offset); if (nb10ProgramDatabase != null) { _debugData[i] = nb10ProgramDatabase; continue; } } // RSDS else if (signature == 0x53445352) { var rsdsProgramDatabase = entryData.AsRSDSProgramDatabase(ref offset); if (rsdsProgramDatabase != null) { _debugData[i] = rsdsProgramDatabase; continue; } } } else { _debugData[i] = entryData; } } } #endregion #region Resource Data /// /// Find dialog box resources by title /// /// Dialog box title to check for /// Enumerable of matching resources public IEnumerable FindDialogByTitle(string title) { // Ensure that we have the resource data cached if (ResourceData == null) return Enumerable.Empty(); return ResourceData.Select(r => r.Value) .Select(r => r as Models.PortableExecutable.DialogBoxResource) .Where(d => d != null) .Where(d => { return (d.DialogTemplate?.TitleResource?.Contains(title) ?? false) || (d.ExtendedDialogTemplate?.TitleResource?.Contains(title) ?? false); }); } /// /// Find dialog box resources by contained item title /// /// Dialog box item title to check for /// Enumerable of matching resources public IEnumerable FindDialogBoxByItemTitle(string title) { // Ensure that we have the resource data cached if (ResourceData == null) return Enumerable.Empty(); return ResourceData.Select(r => r.Value) .Select(r => r as Models.PortableExecutable.DialogBoxResource) .Where(d => d != null) .Where(d => { if (d.DialogItemTemplates != null) { return d.DialogItemTemplates .Where(dit => dit?.TitleResource != null) .Any(dit => dit.TitleResource.Contains(title)); } else if (d.ExtendedDialogItemTemplates != null) { return d.ExtendedDialogItemTemplates .Where(edit => edit?.TitleResource != null) .Any(edit => edit.TitleResource.Contains(title)); } return false; }); } /// /// Find string table resources by contained string entry /// /// String entry to check for /// Enumerable of matching resources public IEnumerable> FindStringTableByEntry(string entry) { // Ensure that we have the resource data cached if (ResourceData == null) return Enumerable.Empty>(); return ResourceData.Select(r => r.Value) .Select(r => r as Dictionary) .Where(st => st != null) .Where(st => st.Select(kvp => kvp.Value) .Any(s => s.Contains(entry))); } /// /// Find unparsed resources by type name /// /// Type name to check for /// Enumerable of matching resources public IEnumerable FindResourceByNamedType(string typeName) { // Ensure that we have the resource data cached if (ResourceData == null) return Enumerable.Empty(); return ResourceData.Where(kvp => kvp.Key.Contains(typeName)) .Select(kvp => kvp.Value as byte[]) .Where(b => b != null); } /// /// Find unparsed resources by string value /// /// String value to check for /// Enumerable of matching resources public IEnumerable FindGenericResource(string value) { // Ensure that we have the resource data cached if (ResourceData == null) return Enumerable.Empty(); return ResourceData.Select(r => r.Value) .Select(r => r as byte[]) .Where(b => b != null) .Where(b => { try { string arrayAsASCII = Encoding.ASCII.GetString(b); if (arrayAsASCII.Contains(value)) return true; } catch { } try { string arrayAsUTF8 = Encoding.UTF8.GetString(b); if (arrayAsUTF8.Contains(value)) return true; } catch { } try { string arrayAsUnicode = Encoding.Unicode.GetString(b); if (arrayAsUnicode.Contains(value)) return true; } catch { } return false; }); } #endregion #region Resource Parsing /// /// Parse the resource directory table information /// private void ParseResourceDirectoryTable(Models.PortableExecutable.ResourceDirectoryTable table, List types) { int totalEntries = table.NumberOfNameEntries + table.NumberOfIDEntries; for (int i = 0; i < totalEntries; i++) { var entry = table.Entries[i]; var newTypes = new List(types ?? new List()); if (entry.Name != null) newTypes.Add(Encoding.UTF8.GetString(entry.Name.UnicodeString ?? new byte[0])); else newTypes.Add(entry.IntegerID); ParseResourceDirectoryEntry(entry, newTypes); } } /// /// Parse the name resource directory entry information /// private void ParseResourceDirectoryEntry(Models.PortableExecutable.ResourceDirectoryEntry entry, List types) { if (entry.DataEntry != null) ParseResourceDataEntry(entry.DataEntry, types); else if (entry.Subdirectory != null) ParseResourceDirectoryTable(entry.Subdirectory, types); } /// /// Parse the resource data entry information /// /// /// When caching the version information and assembly manifest, this code assumes that there is only one of each /// of those resources in the entire exectuable. This means that only the last found version or manifest will /// ever be cached. /// private void ParseResourceDataEntry(Models.PortableExecutable.ResourceDataEntry entry, List types) { // Create the key and value objects string key = types == null ? $"UNKNOWN_{Guid.NewGuid()}" : string.Join(", ", types); object value = entry.Data; // If we have a known resource type if (types != null && types.Count > 0 && types[0] is uint resourceType) { try { switch ((Models.PortableExecutable.ResourceType)resourceType) { case Models.PortableExecutable.ResourceType.RT_CURSOR: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_BITMAP: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_ICON: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_MENU: value = entry.AsMenu(); break; case Models.PortableExecutable.ResourceType.RT_DIALOG: value = entry.AsDialogBox(); break; case Models.PortableExecutable.ResourceType.RT_STRING: value = entry.AsStringTable(); break; case Models.PortableExecutable.ResourceType.RT_FONTDIR: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_FONT: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_ACCELERATOR: value = entry.AsAcceleratorTableResource(); break; case Models.PortableExecutable.ResourceType.RT_RCDATA: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_MESSAGETABLE: value = entry.AsMessageResourceData(); break; case Models.PortableExecutable.ResourceType.RT_GROUP_CURSOR: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_GROUP_ICON: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_VERSION: _versionInfo = entry.AsVersionInfo(); value = _versionInfo; break; case Models.PortableExecutable.ResourceType.RT_DLGINCLUDE: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_PLUGPLAY: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_VXD: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_ANICURSOR: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_ANIICON: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_HTML: value = entry.Data; break; case Models.PortableExecutable.ResourceType.RT_MANIFEST: _assemblyManifest = entry.AsAssemblyManifest(); value = _versionInfo; break; default: value = entry.Data; break; } } catch { // Fall back on byte array data for malformed items value = entry.Data; } } // If we have a custom resource type else if (types != null && types.Count > 0 && types[0] is string) { value = entry.Data; } // Add the key and value to the cache _resourceData[key] = value; } #endregion #region Sections /// /// Determine if a section is contained within the section table /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// True if the section is in the executable, false otherwise public bool ContainsSection(string sectionName, bool exact = false) { // Get all section names first if (SectionNames == null) return false; // If we're checking exactly, return only exact matches if (exact) return SectionNames.Any(n => n.Equals(sectionName)); // Otherwise, check if section name starts with the value else return SectionNames.Any(n => n.StartsWith(sectionName)); } /// /// Get the section index corresponding to the entry point, if possible /// /// Section index on success, null on error public int FindEntryPointSectionIndex() { // If we don't have an entry point if (OH_AddressOfEntryPoint.ConvertVirtualAddress(SectionTable) == 0) return -1; // Otherwise, find the section it exists within return OH_AddressOfEntryPoint.ContainingSectionIndex(SectionTable); } /// /// Get the first section based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section data on success, null on error public Models.PortableExecutable.SectionHeader GetFirstSection(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the first index of the section int index = Array.IndexOf(SectionNames, name); if (index == -1) return null; // Return the section return SectionTable[index]; } /// /// Get the last section based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section data on success, null on error public Models.PortableExecutable.SectionHeader GetLastSection(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the last index of the section int index = Array.LastIndexOf(SectionNames, name); if (index == -1) return null; // Return the section return SectionTable[index]; } /// /// Get the section based on index, if possible /// /// Index of the section to check for /// Section data on success, null on error public Models.PortableExecutable.SectionHeader GetSection(int index) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (index < 0 || index >= SectionTable.Length) return null; // Return the section return SectionTable[index]; } /// /// Get the first section data based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section data on success, null on error public byte[] GetFirstSectionData(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the first index of the section int index = Array.IndexOf(SectionNames, name); return GetSectionData(index); } /// /// Get the last section data based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section data on success, null on error public byte[] GetLastSectionData(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the last index of the section int index = Array.LastIndexOf(SectionNames, name); return GetSectionData(index); } /// /// Get the section data based on index, if possible /// /// Index of the section to check for /// Section data on success, null on error public byte[] GetSectionData(int index) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (index < 0 || index >= SectionTable.Length) return null; // Get the section data from the table var section = SectionTable[index]; uint address = section.VirtualAddress.ConvertVirtualAddress(SectionTable); if (address == 0) return null; // Set the section size uint size = section.SizeOfRawData; lock (_sourceDataLock) { // Create the section data array if we have to if (_sectionData == null) _sectionData = new byte[SectionNames.Length][]; // If we already have cached data, just use that immediately if (_sectionData[index] != null) return _sectionData[index]; // Populate the raw section data based on the source byte[] sectionData = ReadFromDataSource((int)address, (int)size); // Cache and return the section data, even if null _sectionData[index] = sectionData; return sectionData; } } /// /// Get the first section strings based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section strings on success, null on error public List GetFirstSectionStrings(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the first index of the section int index = Array.IndexOf(SectionNames, name); return GetSectionStrings(index); } /// /// Get the last section strings based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section strings on success, null on error public List GetLastSectionStrings(string name, bool exact = false) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (!ContainsSection(name, exact)) return null; // Get the last index of the section int index = Array.LastIndexOf(SectionNames, name); return GetSectionStrings(index); } /// /// Get the section strings based on index, if possible /// /// Index of the section to check for /// Section strings on success, null on error public List GetSectionStrings(int index) { // If we have no sections if (SectionTable == null || !SectionTable.Any()) return null; // If the section doesn't exist if (index < 0 || index >= SectionTable.Length) return null; // Get the section data from the table var section = SectionTable[index]; uint address = section.VirtualAddress.ConvertVirtualAddress(SectionTable); if (address == 0) return null; // Set the section size uint size = section.SizeOfRawData; lock (_sourceDataLock) { // Create the section string array if we have to if (_sectionStringData == null) _sectionStringData = new List[SectionNames.Length]; // If we already have cached data, just use that immediately if (_sectionStringData[index] != null) return _sectionStringData[index]; // Populate the section string data based on the source List sectionStringData = ReadStringsFromDataSource((int)address, (int)size); // Cache and return the section string data, even if null _sectionStringData[index] = sectionStringData; return sectionStringData; } } #endregion #region Tables /// /// Get the table data based on index, if possible /// /// Index of the table to check for /// Table data on success, null on error public byte[] GetTableData(int index) { // If the table doesn't exist if (index < 0 || index > 16) return null; // Get the virtual address and size from the entries uint virtualAddress = 0, size = 0; switch (index) { case 1: virtualAddress = OH_ExportTable.VirtualAddress; size = OH_ExportTable.Size; break; case 2: virtualAddress = OH_ImportTable.VirtualAddress; size = OH_ImportTable.Size; break; case 3: virtualAddress = OH_ResourceTable.VirtualAddress; size = OH_ResourceTable.Size; break; case 4: virtualAddress = OH_ExceptionTable.VirtualAddress; size = OH_ExceptionTable.Size; break; case 5: virtualAddress = OH_CertificateTable.VirtualAddress; size = OH_CertificateTable.Size; break; case 6: virtualAddress = OH_BaseRelocationTable.VirtualAddress; size = OH_BaseRelocationTable.Size; break; case 7: virtualAddress = OH_Debug.VirtualAddress; size = OH_Debug.Size; break; case 8: // Architecture Table virtualAddress = 0; size = 0; break; case 9: virtualAddress = OH_GlobalPtr.VirtualAddress; size = OH_GlobalPtr.Size; break; case 10: virtualAddress = OH_ThreadLocalStorageTable.VirtualAddress; size = OH_ThreadLocalStorageTable.Size; break; case 11: virtualAddress = OH_LoadConfigTable.VirtualAddress; size = OH_LoadConfigTable.Size; break; case 12: virtualAddress = OH_BoundImport.VirtualAddress; size = OH_BoundImport.Size; break; case 13: virtualAddress = OH_ImportAddressTable.VirtualAddress; size = OH_ImportAddressTable.Size; break; case 14: virtualAddress = OH_DelayImportDescriptor.VirtualAddress; size = OH_DelayImportDescriptor.Size; break; case 15: virtualAddress = OH_CLRRuntimeHeader.VirtualAddress; size = OH_CLRRuntimeHeader.Size; break; case 16: // Reserved virtualAddress = 0; size = 0; break; } // Get the physical address from the virtual one uint address = virtualAddress.ConvertVirtualAddress(SectionTable); if (address == 0 || size == 0) return null; lock (_sourceDataLock) { // Create the table data array if we have to if (_tableData == null) _tableData = new byte[16][]; // If we already have cached data, just use that immediately if (_tableData[index] != null) return _tableData[index]; // Populate the raw table data based on the source byte[] tableData = ReadFromDataSource((int)address, (int)size); // Cache and return the table data, even if null _tableData[index] = tableData; return tableData; } } /// /// Get the table strings based on index, if possible /// /// Index of the table to check for /// Table strings on success, null on error public List GetTableStrings(int index) { // If the table doesn't exist if (index < 0 || index > 16) return null; // Get the virtual address and size from the entries uint virtualAddress = 0, size = 0; switch (index) { case 1: virtualAddress = OH_ExportTable.VirtualAddress; size = OH_ExportTable.Size; break; case 2: virtualAddress = OH_ImportTable.VirtualAddress; size = OH_ImportTable.Size; break; case 3: virtualAddress = OH_ResourceTable.VirtualAddress; size = OH_ResourceTable.Size; break; case 4: virtualAddress = OH_ExceptionTable.VirtualAddress; size = OH_ExceptionTable.Size; break; case 5: virtualAddress = OH_CertificateTable.VirtualAddress; size = OH_CertificateTable.Size; break; case 6: virtualAddress = OH_BaseRelocationTable.VirtualAddress; size = OH_BaseRelocationTable.Size; break; case 7: virtualAddress = OH_Debug.VirtualAddress; size = OH_Debug.Size; break; case 8: // Architecture Table virtualAddress = 0; size = 0; break; case 9: virtualAddress = OH_GlobalPtr.VirtualAddress; size = OH_GlobalPtr.Size; break; case 10: virtualAddress = OH_ThreadLocalStorageTable.VirtualAddress; size = OH_ThreadLocalStorageTable.Size; break; case 11: virtualAddress = OH_LoadConfigTable.VirtualAddress; size = OH_LoadConfigTable.Size; break; case 12: virtualAddress = OH_BoundImport.VirtualAddress; size = OH_BoundImport.Size; break; case 13: virtualAddress = OH_ImportAddressTable.VirtualAddress; size = OH_ImportAddressTable.Size; break; case 14: virtualAddress = OH_DelayImportDescriptor.VirtualAddress; size = OH_DelayImportDescriptor.Size; break; case 15: virtualAddress = OH_CLRRuntimeHeader.VirtualAddress; size = OH_CLRRuntimeHeader.Size; break; case 16: // Reserved virtualAddress = 0; size = 0; break; } // Get the physical address from the virtual one uint address = virtualAddress.ConvertVirtualAddress(SectionTable); if (address == 0 || size == 0) return null; lock (_sourceDataLock) { // Create the table string array if we have to if (_tableStringData == null) _tableStringData = new List[16]; // If we already have cached data, just use that immediately if (_tableStringData[index] != null) return _tableStringData[index]; // Populate the table string data based on the source List tableStringData = ReadStringsFromDataSource((int)address, (int)size); // Cache and return the table string data, even if null _tableStringData[index] = tableStringData; return tableStringData; } } #endregion } }