PECheck.cs 11.88 KB
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Runtime.InteropServices;
namespace ArchiveUnpack
{
public class PECheck
{
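/// <summary>
/// Walks the PE headers of <paramref name="s"/> down to the CLR metadata root,
/// prints which metadata tables the "#~" stream declares, and prints the name
/// stored in the first row of the Module table.
/// </summary>
/// <remarks>
/// Every offset, count and size used here comes from the file being inspected,
/// so the input is treated as untrusted: seeks are range-checked, stream names
/// are length-limited, end-of-stream stops the name reader, and missing
/// metadata streams are reported instead of surfacing as a dictionary error.
/// Note that <c>Read&lt;T&gt;</c> reports a failure on the console and returns a
/// zeroed struct, so a header that could not be read is not detected here.
/// </remarks>
/// <param name="s">Seekable stream holding the image.</param>
/// <param name="startIndex">Position at which the MZ signature is probed.</param>
/// <exception cref="InvalidDataException">
/// The image has no sections, no CLR header, a malformed stream header, a
/// missing "#~" or "#Strings" stream, or an offset outside the stream.
/// </exception>
/// <exception cref="EndOfStreamException">The stream ends inside a stream name.</exception>
public static void Check(Stream s,long startIndex)
{
    byte[] magicBuffer = new byte[4];
    s.Position = startIndex;
    int readCount = s.Read(magicBuffer, 0, 4);
    int DosHeaderMagic = BitConverter.ToInt32(magicBuffer, 0);
    // e_magic is a 16-bit field ("MZ" = 0x5A4D). The previous 32-bit compare against
    // 9460301 (bytes 4D 5A 90 00) also required e_cblp == 0x0090, so an image with a
    // different DOS stub value was not recognised.
    if (readCount >= 2 && BitConverter.ToUInt16(magicBuffer, 0) == 0x5A4D)
    {
        Console.WriteLine("Find MZ on " + startIndex.ToString());
    }
#if DEBUG
    else
    {
        Console.WriteLine(string.Format("Find {0} on {1}.", DosHeaderMagic, startIndex));
    }
#endif
    // NOTE(review): parsing restarts at offset 0 and ignores startIndex, and it runs even
    // when no MZ signature was found above. Confirm whether an image embedded at a
    // non-zero offset is meant to be supported.
    s.Position = 0;
    // Unused local; kept because the PEFormat constructor is not visible here.
    PEFormat pefile = new PEFormat();
    DosHeader dh = Read<DosHeader>(s);
    SeekChecked(s, dh.e_lfanew, "NT header (e_lfanew)");
    NtHeader nh = Read<NtHeader>(s);
    // NOTE(review): the section table is assumed to follow NtHeader directly, i.e. the
    // NtHeader struct is assumed to match the file's optional-header size. Confirm for PE32+.
    SectionHeader[] shs = new SectionHeader[nh.FileHeader.NumberOfSections];
    for (int i = 0; i < shs.Length; i++)
    {
        shs[i] = Read<SectionHeader>(s);
    }
    if (shs.Length == 0)
    {
        throw new InvalidDataException("PECheck: image declares no sections.");
    }
    // Data directory 14 is the CLR (COM descriptor) header; an RVA of 0 means the image
    // carries no .NET metadata.
    if (nh.OptionalHeader.DataDirectory[14].VirtualAddress == 0)
    {
        throw new InvalidDataException("PECheck: image has no CLR header (data directory 14 is empty).");
    }
    // NOTE(review): RVAs are translated through section 0 only. If the CLR header or the
    // metadata lives in another section the computed file offset is wrong; the range
    // check in SeekChecked only catches results that fall outside the stream.
    // The arithmetic is done in long so crafted values cannot wrap around.
    long offsetCLRHeader = (long)nh.OptionalHeader.DataDirectory[14].VirtualAddress - shs[0].VirtualAddress + shs[0].PointerToRawData;
    SeekChecked(s, offsetCLRHeader, "CLR header");
    CLRHeader clh = Read<CLRHeader>(s);
    long offsetMetaData = (long)clh.MetaData.VirtualAddress - shs[0].VirtualAddress + shs[0].PointerToRawData;
    SeekChecked(s, offsetMetaData, "metadata root");
    MetaData md = Read<MetaData>(s);
    Dictionary<string, NStreamHeader> streamheaders = new Dictionary<string, NStreamHeader>();
    long streamCount = md.iStreams;
    for (long i = 0; i < streamCount; i++)
    {
        NStreamHeader header = new NStreamHeader
        {
            iOffset = ReadInt(s),
            iSize = ReadInt(s),
        };
        // Stream name: NUL-terminated. ReadByte returns -1 at end of stream, which the
        // old (char) cast turned into 0xFFFF and looped on forever.
        StringBuilder nameBuilder = new StringBuilder();
        while (true)
        {
            int b = s.ReadByte();
            if (b < 0)
            {
                throw new EndOfStreamException("PECheck: stream ended inside a metadata stream name.");
            }
            if (b == 0)
            {
                break;
            }
            // ECMA-335 limits stream names to 32 characters; a longer one is malformed.
            if (nameBuilder.Length >= 32)
            {
                throw new InvalidDataException("PECheck: metadata stream name exceeds 32 characters.");
            }
            nameBuilder.Append((char)b);
        }
        string name = nameBuilder.ToString();
        header.rcName = name.ToCharArray();
        // Alignment: name plus its terminator is padded to a multiple of 4 bytes. The outer
        // "% 4" matters when name + terminator is already aligned (length 7, 11, ...);
        // the old formula skipped 4 bytes too many in that case.
        int remain = (4 - (name.Length + 1) % 4) % 4;
        s.Position += remain;
        if (streamheaders.ContainsKey(name))
        {
            throw new InvalidDataException(string.Format("PECheck: duplicate metadata stream '{0}'.", name));
        }
        streamheaders.Add(name, header);
    }
    // File offset of the metadata table stream.
    NStreamHeader tablesHeader;
    if (!streamheaders.TryGetValue("#~", out tablesHeader))
    {
        throw new InvalidDataException("PECheck: metadata stream '#~' not found.");
    }
    long offsetStreamData = offsetMetaData + tablesHeader.iOffset;
    SeekChecked(s, offsetStreamData, "'#~' stream");
    NStreamData nsd = Read<NStreamData>(s);
    // Count the tables flagged as present in the 64-bit valid mask.
    int TableCount = 0;
    for (int index = 0; index < 64; index++)
    {
        int b = (int)(nsd.MaskValid >> index & 1);
        if (b == 1) { TableCount++; }
        TableCheck(b, index);
    }
    // Skip the 4-byte row count of each present table.
    s.Position += TableCount * 4;
    // Read the first Module row directly: skip its 2-byte first column, then read the name.
    // NOTE(review): assumes the Module table is present and that string-heap indexes are
    // 2 bytes wide; confirm against the heap-size flags.
    s.Position += 2;
    // ReadShort sign-extends; a heap offset is unsigned, so mask back to 16 bits.
    int nMoudleNameOffset = ReadShort(s) & 0xFFFF;
    // File offset of the string heap.
    NStreamHeader stringsHeader;
    if (!streamheaders.TryGetValue("#Strings", out stringsHeader))
    {
        throw new InvalidDataException("PECheck: metadata stream '#Strings' not found.");
    }
    if (nMoudleNameOffset >= stringsHeader.iSize)
    {
        throw new InvalidDataException("PECheck: Module name offset lies outside the '#Strings' stream.");
    }
    offsetStreamData = offsetMetaData + stringsHeader.iOffset;
    // The old code first read the whole heap into a list that was never used; its size
    // came from the file, so it is dropped here. The printed output is unchanged.
    // For testing: print the name of the first Module row.
    SeekChecked(s, offsetStreamData + nMoudleNameOffset, "Module name");
    Console.WriteLine(ReadString(s));
    Console.WriteLine("");
}
/// <summary>
/// Moves the stream to <paramref name="offset"/> after checking that the offset,
/// which was derived from file contents, lies inside the stream.
/// </summary>
/// <param name="s">Seekable stream being parsed.</param>
/// <param name="offset">Absolute file offset to seek to.</param>
/// <param name="what">Name of the structure at that offset, used in the error text.</param>
/// <exception cref="InvalidDataException">The offset is negative or not below the stream length.</exception>
private static void SeekChecked(Stream s, long offset, string what)
{
    if (offset < 0 || offset >= s.Length)
    {
        throw new InvalidDataException(string.Format("PECheck: {0} offset {1} lies outside the {2}-byte stream.", what, offset, s.Length));
    }
    s.Position = offset;
}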
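// Metadata table names indexed by table number (the bit position in the valid mask),
// following the ECMA-335 numbering 0x00..0x2C.
private static readonly string[] MetadataTableNames = new string[]
{
    "Module",                 // 0
    "TypeRef",                // 1
    "TypeDef",                // 2
    "FieldPtr",               // 3
    "Field",                  // 4
    "MethodPtr",              // 5
    "MethodDef",              // 6
    "ParamPtr",               // 7
    "Param",                  // 8
    "InterfaceImpl",          // 9  (was printed as "MethodImpl", duplicating 25)
    "MemberRef",              // 10
    "Constant",               // 11
    "CustomAttribute",        // 12
    "FieldMarshal",           // 13
    "DeclSecurity",           // 14
    "ClassLayout",            // 15
    "FieldLayout",            // 16
    "StandAloneSig",          // 17
    "EventMap",               // 18
    "EventPtr",               // 19
    "Event",                  // 20
    "PropertyMap",            // 21
    "PropertyPtr",            // 22
    "Property",               // 23
    "MethodSemantics",        // 24
    "MethodImpl",             // 25
    "ModuleRef",              // 26
    "TypeSpec",               // 27
    "ImplMap",                // 28
    "FieldRVA",               // 29
    "ENCLog",                 // 30
    "ENCMap",                 // 31
    "Assembly",               // 32 (was swapped with 35)
    "AssemblyProcessor",      // 33
    "AssemblyOS",             // 34
    "AssemblyRef",            // 35 (was swapped with 32)
    "AssemblyRefProcessor",   // 36
    "AssemblyRefOS",          // 37
    "File",                   // 38
    "ExportedType",           // 39
    "ManifestResource",       // 40
    "NestedClass",            // 41
    "GenericParam",           // 42
    "MethodSpec",             // 43
    "GenericParamConstraint", // 44
};
/// <summary>
/// Reports one bit of the metadata valid mask: prints "Find NAME" for a set bit
/// whose table number is known, "Undefine N" for a set bit with an unknown
/// number, and nothing for a clear bit.
/// </summary>
/// <remarks>
/// Three labels were wrong and are corrected: table 9 is InterfaceImpl, table 32
/// is Assembly and table 35 is AssemblyRef. The "Filed" spellings are corrected
/// to "Field" so the output can be searched by the real table name.
/// </remarks>
/// <param name="r">Value of the mask bit; 0 means the table is absent.</param>
/// <param name="index">Bit position in the mask, i.e. the table number.</param>
public static void TableCheck(int r,int index)
{
    if (r == 0)
    {
        return;
    }
    if (index < 0 || index >= MetadataTableNames.Length)
    {
        // A set bit above 44 names no table known here; worth a look in an untrusted image.
        Console.WriteLine("Undefine " + index);
        return;
    }
    Console.WriteLine("Find " + MetadataTableNames[index]);
}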
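/// <summary>
/// Reads bytes from the current position up to, and consuming, the next NUL
/// byte and returns them as a string, one character per byte.
/// </summary>
/// <remarks>
/// Reading also stops at end of stream. <see cref="Stream.ReadByte"/> returns -1
/// there, which the previous <c>(char)</c> cast turned into 0xFFFF, so a string
/// without a terminator (for example in a truncated file) made the loop append
/// forever. Bytes are widened individually, so multi-byte UTF-8 sequences are
/// not decoded.
/// </remarks>
/// <param name="s">Stream positioned at the first byte of the string.</param>
/// <returns>The characters read, without the terminator; empty if none.</returns>
public static string ReadString(Stream s)
{
    StringBuilder text = new StringBuilder();
    while (true)
    {
        int b = s.ReadByte();
        // 0 is the terminator, -1 is end of stream; both end the string.
        if (b <= 0)
        {
            break;
        }
        text.Append((char)b);
    }
    return text.ToString();
}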
/// <summary>
/// Reads two bytes from the stream and interprets them as a signed 16-bit integer.
/// </summary>
/// <param name="s">Stream to read from.</param>
/// <returns>
/// The value widened to <c>int</c>. It is sign-extended, so raw values of 0x8000
/// and above come back negative; callers reading an unsigned field must mask it.
/// </returns>
public static int ReadShort(Stream s)
{
    short value = BitConverter.ToInt16(ReadBytes(s, 2), 0);
    return value;
}
/// <summary>
/// Reads four bytes from the stream and interprets them as a signed 32-bit integer.
/// </summary>
/// <param name="s">Stream to read from.</param>
/// <returns>The value decoded by <see cref="BitConverter.ToInt32(byte[], int)"/>.</returns>
public static int ReadInt(Stream s)
{
    int value = BitConverter.ToInt32(ReadBytes(s, 4), 0);
    return value;
}
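/// <summary>
/// Reads exactly <paramref name="count"/> bytes from the stream.
/// </summary>
/// <remarks>
/// <see cref="Stream.Read(byte[], int, int)"/> may return fewer bytes than asked
/// for. The previous single call ignored its return value, so a short read left
/// the rest of the buffer zeroed and a truncated header parsed as if it held
/// zeros. The read is now repeated until the buffer is full, and a premature
/// end of stream is reported.
/// </remarks>
/// <param name="s">Stream to read from.</param>
/// <param name="count">Number of bytes to read.</param>
/// <returns>A new array of <paramref name="count"/> bytes.</returns>
/// <exception cref="EndOfStreamException">The stream ended before all bytes were read.</exception>
public static byte[] ReadBytes(Stream s, int count)
{
    byte[] data = new byte[count];
    int filled = 0;
    while (filled < count)
    {
        int got = s.Read(data, filled, count - filled);
        if (got <= 0)
        {
            throw new EndOfStreamException(string.Format("PECheck: expected {0} bytes but the stream ended after {1}.", count, filled));
        }
        filled += got;
    }
    return data;
}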
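/// <summary>
/// Reads <c>Marshal.SizeOf(typeof(T))</c> bytes from the stream and marshals
/// them into a <typeparamref name="T"/>.
/// </summary>
/// <remarks>
/// The bytes are copied into an unmanaged buffer for
/// <see cref="Marshal.PtrToStructure(IntPtr, Type)"/>. That buffer is now released
/// in a <c>finally</c> block; the free call used to be commented out, so every
/// call leaked the allocation, which adds up when the number of reads is driven
/// by counts taken from the file.
/// Failures are still reported on the console and answered with
/// <c>default(T)</c>, so a caller cannot tell a failed read from a struct that
/// really is all zeros.
/// </remarks>
/// <typeparam name="T">Struct type describing the on-disk layout.</typeparam>
/// <param name="s">Stream positioned at the first byte of the structure.</param>
/// <returns>The marshalled structure, or <c>default(T)</c> if reading or marshalling failed.</returns>
public static T Read<T>(Stream s ) where T : struct
{
    IntPtr ptr = IntPtr.Zero;
    try
    {
        int size = Marshal.SizeOf(typeof(T));
        byte[] data = ReadBytes(s, size);
        ptr = Marshal.AllocHGlobal(data.Length);
        Marshal.Copy(data, 0, ptr, data.Length);
        // PtrToStructure copies into a managed object, so the buffer can be freed afterwards.
        return (T)Marshal.PtrToStructure(ptr, typeof(T));
    }
    catch (Exception e)
    {
        Console.WriteLine(string.Format("{0}.Read {1} fail.{2}", "PECheck", typeof(T), e.Message));
        return default(T);
    }
    finally
    {
        if (ptr != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(ptr);
        }
    }
}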
}
}