coderail

PE/PE32+ Parser - VB.NET

Nov 9th, 2011
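  '------------------
  'Creator: aeonhack
  'Site: elitevs.net
  'Created: 4/10/2011
  'Changed: 11/9/2011
  'Version: 1.0.1
  '------------------
  'Reads the DOS header, NT signature, file header, optional header (PE32 or
  'PE32+), data directories and section headers of a PE file from disk.
  '
  'Every field read here comes straight from the file, so a malformed or
  'hostile binary controls all offsets and counts. Process() therefore rejects
  'files whose signatures or header sizes are inconsistent instead of returning
  'zero-filled or misaligned structures.
  <Obfuscation(ApplyToMembers:=True, Exclude:=True)> _
  Class PE

  #Region " Constants "

    'IMAGE_DOS_SIGNATURE, the bytes "MZ" read as a little-endian UInt16.
    Private Const DOS_MAGIC As UInt16 = &H5A4DUS
    'IMAGE_NT_SIGNATURE, the bytes "PE\0\0" read as a little-endian UInt32.
    Private Const NT_MAGIC As UInt32 = &H4550UI
    'Optional header Magic values for PE32 and PE32+.
    Private Const PE32_MAGIC As UInt16 = &H10BUS
    Private Const PE32PLUS_MAGIC As UInt16 = &H20BUS
    'IMAGE_FILE_MACHINE_I386.
    Private Const MACHINE_I386_ID As UInt16 = 332US
    'Size of the NT signature (4) plus IMAGE_FILE_HEADER (20).
    Private Const NT_FIXED_SIZE As Integer = 24
    'Size of each optional header without its data directory array.
    Private Const OPTIONAL32_FIXED_SIZE As Integer = 96
    Private Const OPTIONAL64_FIXED_SIZE As Integer = 112
    'Size of one IMAGE_DATA_DIRECTORY entry.
    Private Const DATA_DIRECTORY_SIZE As Integer = 8

  #End Region

  #Region " Properties "

    'True when FILE_HEADER.Machine is IMAGE_FILE_MACHINE_I386. It also tells
    'the caller which optional header was filled: OPTIONAL_HEADER32 when True,
    'OPTIONAL_HEADER64 when False.
    Private _MACHINE_I386 As Boolean
    ReadOnly Property MACHINE_I386() As Boolean
      Get
        Return _MACHINE_I386
      End Get
    End Property

    Private _DOS_HEADER As IMAGE_DOS_HEADER
    ReadOnly Property DOS_HEADER As IMAGE_DOS_HEADER
      Get
        Return _DOS_HEADER
      End Get
    End Property

    Private _NT_SIGNATURE As UInteger
    ReadOnly Property NT_SIGNATURE As UInteger
      Get
        Return _NT_SIGNATURE
      End Get
    End Property

    Private _FILE_HEADER As IMAGE_FILE_HEADER
    ReadOnly Property FILE_HEADER As IMAGE_FILE_HEADER
      Get
        Return _FILE_HEADER
      End Get
    End Property

    Private _OPTIONAL_HEADER32 As IMAGE_OPTIONAL_HEADER32
    ReadOnly Property OPTIONAL_HEADER32 As IMAGE_OPTIONAL_HEADER32
      Get
        Return _OPTIONAL_HEADER32
      End Get
    End Property

    Private _OPTIONAL_HEADER64 As IMAGE_OPTIONAL_HEADER64
    ReadOnly Property OPTIONAL_HEADER64 As IMAGE_OPTIONAL_HEADER64
      Get
        Return _OPTIONAL_HEADER64
      End Get
    End Property

    'Nothing until Process() has completed the data directory stage.
    Private _DATA_DIRECTORY As IMAGE_DATA_DIRECTORY()
    ReadOnly Property DATA_DIRECTORY As IMAGE_DATA_DIRECTORY()
      Get
        Return _DATA_DIRECTORY
      End Get
    End Property

    'Nothing until Process() has completed successfully.
    Private _SECTION_HEADERS As IMAGE_SECTION_HEADER()
    ReadOnly Property SECTION_HEADERS() As IMAGE_SECTION_HEADER()
      Get
        Return _SECTION_HEADERS
      End Get
    End Property

  #End Region

  #Region " Offsets "

    'Returns the file offset at which the structure T starts, based on the
    'headers read by the last Process() call. Any T that is not one of the
    'structures below yields e_lfanew, the offset of the NT signature.
    Function OS(Of T)() As Integer
      Dim Kind As Type = GetType(T)
      Dim Base As Integer = CInt(_DOS_HEADER.e_lfanew)

      If Kind Is GetType(IMAGE_DOS_HEADER) Then
        Base = 0
      ElseIf Kind Is GetType(IMAGE_FILE_HEADER) Then
        Base += 4
      ElseIf Kind Is GetType(IMAGE_OPTIONAL_HEADER32) OrElse Kind Is GetType(IMAGE_OPTIONAL_HEADER64) Then
        Base += NT_FIXED_SIZE
      ElseIf Kind Is GetType(IMAGE_DATA_DIRECTORY) Then
        'SizeOfOptionalHeader - Length is the fixed part of the optional header.
        Base += NT_FIXED_SIZE + _FILE_HEADER.SizeOfOptionalHeader - Length
      ElseIf Kind Is GetType(IMAGE_SECTION_HEADER) Then
        'The section table starts right after the optional header, whose full
        'size is SizeOfOptionalHeader. Deriving the offset from the number of
        'parsed directories instead drifts whenever the directory area is not a
        'multiple of 8 bytes, and this parser would then read a different
        'section table than the one the header declares.
        Base += NT_FIXED_SIZE + _FILE_HEADER.SizeOfOptionalHeader
      End If

      Return Base
    End Function

    'Returns the file offset of the field "name" inside structure T.
    '"Signature" is special-cased to the offset of the NT signature.
    Function OS(Of T)(ByVal name As String) As Integer
      If name = "Signature" Then Return CInt(_DOS_HEADER.e_lfanew)
      Return OS(Of T)() + Marshal.OffsetOf(GetType(T), name).ToInt32()
    End Function

    'Returns the file offset of the field "name" inside the index-th element
    'of an array of T (data directories, section headers).
    Function OS(Of T)(ByVal index As Integer, ByVal name As String) As Integer
      Return OS(Of T)() + (index * (Marshal.SizeOf(GetType(T))) + Marshal.OffsetOf(GetType(T), name).ToInt32())
    End Function

  #End Region

  #Region " Structures "

    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_DOS_HEADER
      ReadOnly e_magic As UInt16
      ReadOnly e_cblp As UInt16
      ReadOnly e_cp As UInt16
      ReadOnly e_crlc As UInt16
      ReadOnly e_cparhdr As UInt16
      ReadOnly e_minalloc As UInt16
      ReadOnly e_maxalloc As UInt16
      ReadOnly e_ss As UInt16
      ReadOnly e_sp As UInt16
      ReadOnly e_csum As UInt16
      ReadOnly e_ip As UInt16
      ReadOnly e_cs As UInt16
      ReadOnly e_lfarlc As UInt16
      ReadOnly e_ovno As UInt16
      <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> _
      ReadOnly e_res As UInt16()
      ReadOnly e_oemid As UInt16
      ReadOnly e_oeminfo As UInt16
      <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> _
      ReadOnly e_res2 As UInt16()
      ReadOnly e_lfanew As UInt32
    End Structure

    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_FILE_HEADER
      ReadOnly Machine As UInt16
      ReadOnly NumberOfSections As UInt16
      ReadOnly TimeDateStamp As UInt32
      ReadOnly PointerToSymbolTable As UInt32
      ReadOnly NumberOfSymbols As UInt32
      ReadOnly SizeOfOptionalHeader As UInt16
      ReadOnly Characteristics As UInt16
    End Structure

    'Fixed part of the PE32 optional header; the data directories follow it.
    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_OPTIONAL_HEADER32
      ReadOnly Magic As UInt16
      ReadOnly MajorLinkerVersion As Byte
      ReadOnly MinorLinkerVersion As Byte
      ReadOnly SizeOfCode As UInt32
      ReadOnly SizeOfInitializedData As UInt32
      ReadOnly SizeOfUninitializedData As UInt32
      ReadOnly AddressOfEntryPoint As UInt32
      ReadOnly BaseOfCode As UInt32
      ReadOnly BaseOfData As UInt32
      ReadOnly ImageBase As UInt32
      ReadOnly SectionAlignment As UInt32
      ReadOnly FileAlignment As UInt32
      ReadOnly MajorOperatingSystemVersion As UInt16
      ReadOnly MinorOperatingSystemVersion As UInt16
      ReadOnly MajorImageVersion As UInt16
      ReadOnly MinorImageVersion As UInt16
      ReadOnly MajorSubsystemVersion As UInt16
      ReadOnly MinorSubsystemVersion As UInt16
      ReadOnly Win32VersionValue As UInt32
      ReadOnly SizeOfImage As UInt32
      ReadOnly SizeOfHeaders As UInt32
      ReadOnly CheckSum As UInt32
      ReadOnly Subsystem As UInt16
      ReadOnly DllCharacteristics As UInt16
      ReadOnly SizeOfStackReserve As UInt32
      ReadOnly SizeOfStackCommit As UInt32
      ReadOnly SizeOfHeapReserve As UInt32
      ReadOnly SizeOfHeapCommit As UInt32
      ReadOnly LoaderFlags As UInt32
      ReadOnly NumberOfRvaAndSizes As UInt32
    End Structure

    'Fixed part of the PE32+ optional header; the data directories follow it.
    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_OPTIONAL_HEADER64
      ReadOnly Magic As UInt16
      ReadOnly MajorLinkerVersion As Byte
      ReadOnly MinorLinkerVersion As Byte
      ReadOnly SizeOfCode As UInt32
      ReadOnly SizeOfInitializedData As UInt32
      ReadOnly SizeOfUninitializedData As UInt32
      ReadOnly AddressOfEntryPoint As UInt32
      ReadOnly BaseOfCode As UInt32
      ReadOnly ImageBase As UInt64
      ReadOnly SectionAlignment As UInt32
      ReadOnly FileAlignment As UInt32
      ReadOnly MajorOperatingSystemVersion As UInt16
      ReadOnly MinorOperatingSystemVersion As UInt16
      ReadOnly MajorImageVersion As UInt16
      ReadOnly MinorImageVersion As UInt16
      ReadOnly MajorSubsystemVersion As UInt16
      ReadOnly MinorSubsystemVersion As UInt16
      ReadOnly Win32VersionValue As UInt32
      ReadOnly SizeOfImage As UInt32
      ReadOnly SizeOfHeaders As UInt32
      ReadOnly CheckSum As UInt32
      ReadOnly Subsystem As UInt16
      ReadOnly DllCharacteristics As UInt16
      ReadOnly SizeOfStackReserve As UInt64
      ReadOnly SizeOfStackCommit As UInt64
      ReadOnly SizeOfHeapReserve As UInt64
      ReadOnly SizeOfHeapCommit As UInt64
      ReadOnly LoaderFlags As UInt32
      ReadOnly NumberOfRvaAndSizes As UInt32
    End Structure

    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_DATA_DIRECTORY
      ReadOnly VirtualAddress As UInt32
      ReadOnly Size As UInt32
    End Structure

    <StructLayout(LayoutKind.Sequential, Pack:=1)> _
    Structure IMAGE_SECTION_HEADER
      'NOTE(review): ByValTStr reserves one character of SizeConst for the
      'terminator, so a section name that uses all 8 bytes is presumably
      'returned truncated to 7 characters - confirm before matching on names.
      <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=8)> _
      ReadOnly Name As String
      ReadOnly Misc As UInt32
      ReadOnly VirtualAddress As UInt32
      ReadOnly SizeOfRawData As UInt32
      ReadOnly PointerToRawData As UInt32
      ReadOnly PointerToRelocations As UInt32
      ReadOnly PointerToLinenumbers As UInt32
      ReadOnly NumberOfRelocations As UInt16
      ReadOnly NumberOfLinenumbers As UInt16
      ReadOnly Characteristics As UInt32
    End Structure

  #End Region

    'Stream is only open while Process() runs. Length holds the byte size of
    'the data directory area of the optional header once Process() has read it.
    Private Stream As FileStream, Length As Integer

    'Parses the headers of the PE file at "path" and fills the properties.
    '
    'Throws InvalidDataException when a signature or header size is
    'inconsistent, and EndOfStreamException when the file ends inside a
    'structure. After an exception the properties hold only what was read up
    'to the failing step and must not be trusted.
    Sub Process(ByVal path As String)
      Stream = New FileStream(path, FileMode.Open, FileAccess.Read)

      Try
        'Drop results of a previous call so a failed parse cannot be mistaken
        'for the arrays or optional header of an earlier file.
        _OPTIONAL_HEADER32 = Nothing
        _OPTIONAL_HEADER64 = Nothing
        _DATA_DIRECTORY = Nothing
        _SECTION_HEADERS = Nothing
        Length = 0

        _DOS_HEADER = Scan(Of IMAGE_DOS_HEADER)()
        If _DOS_HEADER.e_magic <> DOS_MAGIC Then
          Throw New InvalidDataException("Not a PE file: the MZ signature is missing.")
        End If

        'e_lfanew is taken from the file. It must fit in an Integer for OS()
        'and leave room for the NT signature and file header.
        Dim NtOffset As Long = CLng(_DOS_HEADER.e_lfanew)
        If NtOffset > Integer.MaxValue OrElse NtOffset + NT_FIXED_SIZE > Stream.Length Then
          Throw New InvalidDataException("Malformed PE file: e_lfanew points outside the file.")
        End If
        Stream.Seek(NtOffset, SeekOrigin.Begin)

        _NT_SIGNATURE = Scan(Of UInt32)()
        If _NT_SIGNATURE <> NT_MAGIC Then
          Throw New InvalidDataException("Not a PE file: the PE signature is missing.")
        End If

        _FILE_HEADER = Scan(Of IMAGE_FILE_HEADER)()
        _MACHINE_I386 = _FILE_HEADER.Machine = MACHINE_I386_ID

        'The optional header must be at least as large as its fixed part;
        'otherwise the directory size below would go negative and every later
        'offset would be wrong.
        Dim FixedSize As Integer = OPTIONAL64_FIXED_SIZE
        If _MACHINE_I386 Then FixedSize = OPTIONAL32_FIXED_SIZE

        If _FILE_HEADER.SizeOfOptionalHeader < FixedSize Then
          Throw New InvalidDataException("Malformed PE file: SizeOfOptionalHeader is too small.")
        End If
        Length = _FILE_HEADER.SizeOfOptionalHeader - FixedSize

        'The layout is chosen from Machine, so the header's own Magic has to
        'agree with it. A mismatch means the fields would be read at the wrong
        'offsets, so the file is rejected.
        If _MACHINE_I386 Then
          _OPTIONAL_HEADER32 = Scan(Of IMAGE_OPTIONAL_HEADER32)()
          If _OPTIONAL_HEADER32.Magic <> PE32_MAGIC Then
            Throw New InvalidDataException("Malformed PE file: optional header is not PE32.")
          End If
        Else
          _OPTIONAL_HEADER64 = Scan(Of IMAGE_OPTIONAL_HEADER64)()
          If _OPTIONAL_HEADER64.Magic <> PE32PLUS_MAGIC Then
            Throw New InvalidDataException("Malformed PE file: optional header is not PE32+.")
          End If
        End If

        'The number of directories is derived from the space left in the
        'optional header, not from NumberOfRvaAndSizes.
        Dim Directories As New List(Of IMAGE_DATA_DIRECTORY)
        For I As Integer = 1 To Length \ DATA_DIRECTORY_SIZE
          Directories.Add(Scan(Of IMAGE_DATA_DIRECTORY)())
        Next
        _DATA_DIRECTORY = Directories.ToArray()

        Stream.Seek(OS(Of IMAGE_SECTION_HEADER)(), SeekOrigin.Begin)

        'An Integer counter is used because a UShort counter overflows when
        'NumberOfSections is 65535.
        Dim Sections As New List(Of IMAGE_SECTION_HEADER)
        For I As Integer = 1 To _FILE_HEADER.NumberOfSections
          Sections.Add(Scan(Of IMAGE_SECTION_HEADER)())
        Next
        _SECTION_HEADERS = Sections.ToArray()

      Finally
        Stream.Close()
      End Try
    End Sub

    'Reads exactly SizeOf(T) bytes from the current stream position and
    'converts them to a T. Throws EndOfStreamException when the file ends
    'first, so a truncated file is never parsed as zero-filled fields.
    Private Function Scan(Of T As Structure)() As T
      Dim Data(Marshal.SizeOf(GetType(T)) - 1) As Byte
      Dim Filled As Integer = 0

      'Stream.Read may return fewer bytes than requested, so keep reading.
      While Filled < Data.Length
        Dim Got As Integer = Stream.Read(Data, Filled, Data.Length - Filled)
        If Got <= 0 Then
          Throw New EndOfStreamException("Truncated PE file: unexpected end of file while reading " & GetType(T).Name & ".")
        End If
        Filled += Got
      End While

      Return Push(Of T)(Data)
    End Function

    'Converts the first SizeOf(T) bytes of "data" to a T through an unmanaged
    'buffer. Throws ArgumentException when "data" is shorter than T.
    Private Function Push(Of T As Structure)(ByVal data As Byte()) As T
      Dim Size As Integer = Marshal.SizeOf(GetType(T))

      If data Is Nothing OrElse data.Length < Size Then
        Throw New ArgumentException("The buffer is smaller than the structure.", "data")
      End If

      'AllocCoTaskMem reports failure by throwing, so no zero check is needed.
      Dim U As IntPtr = Marshal.AllocCoTaskMem(Size)
      Try
        'Copy exactly Size bytes: the unmanaged buffer holds no more than that.
        Marshal.Copy(data, 0, U, Size)
        Return CType(Marshal.PtrToStructure(U, GetType(T)), T)
      Finally
        'Release the buffer even when the conversion throws.
        Marshal.FreeCoTaskMem(U)
      End Try
    End Function

  End Class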