代码拉取完成,页面将自动刷新
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
namespace ArchiveUnpack
{
/// <summary>
/// Dos头-64字节(byte)
/// </summary>
public struct DosHeader
{
public short e_magic; //DOS头的标识,为4Dh和5Ah。分别为字母MZ
public short e_cblp;
public short e_cp;
public short e_crlc;
public short e_cparhdr;
public short e_minalloc;
public short e_maxalloc;
public short e_ss;
public short e_sp;
public short e_csum;
public short e_ip;
public short e_cs;
public short e_lfarlc;
public short e_ovno;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public short[] e_res;
public short e_oemid;
public short e_oeminfo;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public short[] e_res2;
public Int32 e_lfanew; //指向IMAGE_NT_HEADERS的所在
}
public struct NtHeader
{
/// <summary>
/// PE字符
/// </summary>
public Int32 Signature;
public FileHeader FileHeader;
public OptionHeader OptionalHeader;
}
public struct FileHeader
{
public short Machine; //运行平台
public short NumberOfSections; //文件的区块数目
public Int32 TimeDateStamp; //文件创建日期和时间
public Int32 PointerToSymbolTable; //指向符号表(用于调试)
public Int32 NumberOfSymbols; //符号表中符号个数(用于调试)
public short SizeOfOptionalHeader; //IMAGE_OPTIONAL_HEADER32结构大小
public short Characteristics;
}
/// <summary>
/// 可选映像头
/// </summary>
public struct OptionHeader
{
public short Magic; //标志字
public byte MajorLinkerVersion; //链接器主版本号
public byte MinorLinkerVersion; //链接器次版本号
public Int32 SizeOfCode; //所有含有代码表的总大小
public Int32 SizeOfInitializedData; //所有初始化数据表总大小
public Int32 SizeOfUninitializedData; //所有未初始化数据表总大小
public Int32 AddressOfEntryPoint; //程序执行入口RVA
public Int32 BaseOfCode; //代码表其实RVA
public Int32 BaseOfData; //数据表其实RVA
public Int32 ImageBase; //程序默认装入基地址
public Int32 SectionAlignment; //内存中表的对齐值
public Int32 FileAlignment; //文件中表的对齐值
public short MajorOperatingSystemVersion; //操作系统主版本号
public short MinorOperatingSystemVersion; //操作系统次版本号
public short MajorImageVersion; //用户自定义主版本号
public short MinorImageVersion; //用户自定义次版本号
public short MajorSubsystemVersion; //所需要子系统主版本号
public short MinorSubsystemVersion; //所需要子系统次版本号
public Int32 Win32VersionValue; //保留,通常设置为0
public Int32 SizeOfImage; //映像装入内存后的总大小
public Int32 SizeOfHeaders; //DOS头、PE头、区块表总大小
public Int32 CheckSum; //映像校验和
public short Subsystem; //文件子系统
public short DllCharacteristics; //显示DLL特性的旗标
public Int32 SizeOfStackReserve; //初始化堆栈大小
public Int32 SizeOfStackCommit; //初始化实际提交堆栈大小
public Int32 SizeOfHeapReserve; //初始化保留堆栈大小
public Int32 SizeOfHeapCommit; //初始化实际保留堆栈大小
public Int32 LoaderFlags; //与调试相关,默认值为0
public Int32 NumberOfRvaAndSizes; //数据目录表的项数
/// <summary>
/// 数据目录(128字节,共16个表)
/// </summary>
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public DataDirectory[] DataDirectory;
}
public struct DataDirectory
{
public Int32 VirtualAddress; //数据块的起始RVA
public Int32 Size; //数据块的长度
}
/// <summary>
/// 节表头(实测只有32字节)
/// </summary>
public struct SectionHeader
{
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
public string Name; //8个字节的块名
//public Int32 PhysicalAddress; //物理地址,可能读入内存后会存在(实测中没有)
public Int32 VirtualSize; //区块尺寸</span>
public Int32 VirtualAddress; //区块的RVA地址
public Int32 SizeOfRawData; //在文件中对齐后的尺寸
public Int32 PointerToRawData; //在文件中偏移
public Int32 PointerToRelocations; //在OBJ文件中使用,重定位的偏移
public Int32 PointerToLinenumbers; //行号表的偏移(供调试使用地)
public short NumberOfRelocations; //在OBJ文件中使用,重定位项数目 (EFF中没有看到,可能打包DLL后也没有)
public short NumberOfLinenumbers; //行号表中行号的数目
public Int32 Characteristics; //区块属性如可读,可写,可执行等
}
public struct CLRHeader
{
public Int32 cb;
public short MajorRuntimeVersion;
public short MinorRuntimeVersion;
//符号表和开始信息
public DataDirectory MetaData;
Int32 Flags;
Int32 EntryPointToken;
Int32 EntryPointRVA;
//绑定信息
public DataDirectory Resource;
public DataDirectory StrongNameSignature;
//常规的定位和绑定信息
public DataDirectory CodeMagagerTable;
public DataDirectory VTableFixups;
public DataDirectory ExprotAddressTableJumps;
public DataDirectory MagageNativeHeader;
}
public struct MetaData
{
/// <summary>
/// 固定的ASCII码,BSJB
/// </summary>
public Int32 lSignature;
/// <summary>
/// 元数据的主版本,一般为1
/// </summary>
public short iMajorVersion;
/// <summary>
/// 元数据的副版本,一般为1
/// </summary>
public short iMinorVersion;
/// <summary>
/// 保留字节
/// </summary>
public Int32 iExtraData;
/// <summary>
/// 接下来版本字符串的长度,包含尾部0,且按4字节对齐
/// </summary>
public Int32 iLength;
/// <summary>
/// UTF8格式的编译环境版本号
/// </summary>
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 11)]
//public byte[] iVersionString;
public string iVersionString;
/// <summary>
/// 保留为0
/// </summary>
public byte fFlags;
/// <summary>
/// 无意义字节(对齐用)
/// </summary>
public byte padding;
/// <summary>
/// NStream的个数(流的个数)
/// </summary>
public short iStreams;
}
public struct NStreamHeader
{
/// <summary>
/// 该流的存储位置相对于MetaData Root的偏移
/// </summary>
public Int32 iOffset;
/// <summary>
/// 该流占多少字节
/// </summary>
public Int32 iSize;
/// <summary>
/// 流的名称,与4字节对齐
/// </summary>
public char[] rcName;
}
public struct NStreamData
{
/// <summary>
/// 保留字节,为0
/// </summary>
public Int32 Reserved;
/// <summary>
/// 元数据表的主版本号,于.NET主版本号一致
/// </summary>
public byte Major;
/// <summary>
/// 元数据的副版本号,一般为0
/// </summary>
public byte Minor;
/// <summary>
/// Heap中定义数据时的索引的大小,为0表示16位索引值,若堆中数据超出16位数据表示范围,则使用32位索引值。01代表strings堆,02h代表GUID堆04h代表blob堆
/// </summary>
public byte Heaps;
/// <summary>
/// 所有元数据表中记录最大索引值,在运行时有.NET计算,文件中通常为1
/// </summary>
public byte Rid;
/// <summary>
/// 8字节长度的掩码,每个为代表一个表,为1表示该表有效,为0表示该表无效
/// </summary>
public Int64 MaskValid;
/// <summary>
/// 8字节长度的掩码,每个为代表一个表,为1表示该表已排序,反之为0
/// </summary>
public Int64 Sorted;
}
public class PEFormat
{
/// <summary>
/// 64字节
/// </summary>
protected DosHeader _DosHeader;
/// <summary>
/// 一般也是64字节
/// </summary>
protected byte[] _DosStub;
protected NtHeader _NtHeader;
/// <summary>
/// 节表块(最后一个必为一个全空节头)
/// </summary>
protected SectionHeader[] _SetctionBlocks;
/// <summary>
/// 节段总数
/// </summary>
public int SectionCount
{
get
{
return _NtHeader.FileHeader.NumberOfSections + 1;
}
}
}
}
举报
请认真填写举报原因,尽可能描述详细。
请选择举报类型
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化