
PE Mapper structures

a guest
Mar 27th, 2017
  1. class Definitions
  2.     {
  3.         //Credits for some of the headers: https://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/
  4.  
  5.  
  6.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  7.         // _IMAGE_DOS_HEADER
  8.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  9.         #region Image Dos Header
  10.         [StructLayout(LayoutKind.Sequential, Pack = 1), Serializable]
  11.         public struct _IMAGE_DOS_HEADER
  12.         {
  13.             public UInt16 e_magic;                     // Magic number
  14.             public UInt16 e_cblp;                      // Bytes on last page of file
  15.             public UInt16 e_cp;                        // Pages in file
  16.             public UInt16 e_crlc;                      // Relocations
  17.             public UInt16 e_cparhdr;                   // Size of header in paragraphs
  18.             public UInt16 e_minalloc;                  // Minimum extra paragraphs needed
  19.             public UInt16 e_maxalloc;                  // Maximum extra paragraphs needed
  20.             public UInt16 e_ss;                        // Initial (relative) SS value
  21.             public UInt16 e_sp;                        // Initial SP value
  22.             public UInt16 e_csum;                      // Checksum
  23.             public UInt16 e_ip;                        // Initial IP value
  24.             public UInt16 e_cs;                        // Initial (relative) CS value
  25.             public UInt16 e_lfarlc;                    // File address of relocation table
  26.             public UInt16 e_ovno;                      // Overlay number
  27.             public UInt16 e_res_0;                     // Reserved words
  28.             public UInt16 e_res_1;
  29.             public UInt16 e_res_2;
  30.             public UInt16 e_res_3;
  31.             public UInt16 e_oemid;                     // OEM identifier (for e_oeminfo)
  32.             public UInt16 e_oeminfo;                   // OEM information; e_oemid specific
  33.             public UInt16 e_res2_0;                    // Reserved words
  34.             public UInt16 e_res2_1;
  35.             public UInt16 e_res2_2;
  36.             public UInt16 e_res2_3;
  37.             public UInt16 e_res2_4;
  38.             public UInt16 e_res2_5;
  39.             public UInt16 e_res2_6;
  40.             public UInt16 e_res2_7;
  41.             public UInt16 e_res2_8;
  42.             public UInt16 e_res2_9;
  43.             public UInt32 e_lfanew;                    // File address of new exe header
  44.         };
  45.         #endregion
  46.  
  47.  
  48.  
  49.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  50.         // _IMAGE_FILE_HEADER
  51.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  52.         #region Image File Header
  53.         [StructLayout(LayoutKind.Sequential, Pack = 1), Serializable]
  54.         public struct _IMAGE_FILE_HEADER
  55.         {
  56.             public UInt16 Machine;
  57.             public UInt16 NumberOfSections;
  58.             public UInt32 TimeDateStamp;
  59.             public UInt32 PointerToSymbolTable;
  60.             public UInt32 NumberOfSymbols;
  61.             public UInt16 SizeOfOptionalHeader;
  62.             public UInt16 Characteristics;
  63.         };
  64.         #region _IMAGE_FILE_HEADER Data Options
  65.         public static class IMAGE_FILE_HEADER
  66.         {
  67.             public enum Machine
  68.             {
  69.                 //Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx
  70.                 IMAGE_FILE_MACHINE_I386 = (UInt16)0x014c,
  71.                 IMAGE_FILE_MACHINE_IA64 = (UInt16)0x0200,
  72.                 IMAGE_FILE_MACHINE_AMD64 = (UInt16)0x8664
  73.             };
  74.  
  75.             public enum Characteristics
  76.             {
  77.                 //Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx
  78.                 IMAGE_FILE_RELOCS_STRIPPED = (UInt16)0x0001,
  79.                 IMAGE_FILE_EXECUTABLE_IMAGE = (UInt16)0x0002,
  80.                 IMAGE_FILE_LINE_NUMS_STRIPPED = (UInt16)0x0004,
  81.                 IMAGE_FILE_LOCAL_SYMS_STRIPPED = (UInt16)0x0008,
  82.                 IMAGE_FILE_AGGRESIVE_WS_TRIM = (UInt16)0x0010,
  83.                 IMAGE_FILE_LARGE_ADDRESS_AWARE = (UInt16)0x0020,
  84.                 IMAGE_FILE_BYTES_REVERSED_LO = (UInt16)0x0080,
  85.                 IMAGE_FILE_32BIT_MACHINE = (UInt16)0x0100,
  86.                 IMAGE_FILE_DEBUG_STRIPPED = (UInt16)0x0200,
  87.                 IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = (UInt16)0x0400,
  88.                 IMAGE_FILE_NET_RUN_FROM_SWAP = (UInt16)0x0800,
  89.                 IMAGE_FILE_SYSTEM = (UInt16)0x1000,
  90.                 IMAGE_FILE_DLL = (UInt16)0x2000,
  91.                 IMAGE_FILE_UP_SYSTEM_ONLY = (UInt16)0x4000,
  92.                 IMAGE_FILE_BYTES_REVERSED_HI = (UInt16)0x8000
  93.             };
  94.         }
  95.         #endregion
  96.         #endregion
  97.  
  98.  
  99.  
  100.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  101.         // _IMAGE_FILE_HEADER
  102.         //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  103.         #region Image File Header
  104.         [StructLayout(LayoutKind.Sequential, Pack = 1), Serializable]
  105.         public struct _IMAGE_OPTIONAL_HEADER
  106.         {
  107.             public UInt16 Magic;
  108.             public Byte MajorLinkerVersion;
  109.             public Byte MinorLinkerVersion;
  110.             public UInt32 SizeOfCode;
  111.             public UInt32 SizeOfInitializedData;
  112.             public UInt32 SizeOfUninitializedData;
  113.             public UInt32 AddressOfEntryPoint;
  114.             public UInt32 BaseOfCode;
  115.             public UInt32 BaseOfData;
  116.             public UInt32 ImageBase;
  117.             public UInt32 SectionAlignment;
  118.             public UInt32 FileAlignment;
  119.             public UInt16 MajorOperatingSystemVersion;
  120.             public UInt16 MinorOperatingSystemVersion;
  121.             public UInt16 MajorImageVersion;
  122.             public UInt16 MinorImageVersion;
  123.             public UInt16 MajorSubsystemVersion;
  124.             public UInt16 MinorSubsystemVersion;
  125.             public UInt32 Win32VersionValue;
  126.             public UInt32 SizeOfImage;
  127.             public UInt32 SizeOfHeaders;
  128.             public UInt32 CheckSum;
  129.             public UInt16 Subsystem;
  130.             public UInt16 DllCharacteristics;
  131.             public UInt32 SizeOfStackReserve;
  132.             public UInt32 SizeOfStackCommit;
  133.             public UInt32 SizeOfHeapReserve;
  134.             public UInt32 SizeOfHeapCommit;
  135.             public UInt32 LoaderFlags;
  136.             public UInt32 NumberOfRvaAndSizes;
  137.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
  138.             IMAGE_OPTIONAL_HEADER_DATA._IMAGE_DATA_DIRECTORY[] DataDirectory;
  139.         };
  140.         #region _IMAGE_OPTIONAL_HEADER Data options
  141.         public static class IMAGE_OPTIONAL_HEADER_DATA
  142.         {
  143.             public enum Magic
  144.             {
  145.                 IMAGE_NT_OPTIONAL_HDR_MAGIC,
  146.                 IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
  147.                 IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b,
  148.                 IMAGE_ROM_OPTIONAL_HDR_MAGIC = 0x107
  149.             };
  150.  
  151.             public enum Subsystem
  152.             {
  153.                 IMAGE_SUBSYSTEM_UNKNOWN = 0,
  154.                 IMAGE_SUBSYSTEM_NATIVE = 1,
  155.                 IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
  156.                 IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
  157.                 IMAGE_SUBSYSTEM_OS2_CUI = 5,
  158.                 IMAGE_SUBSYSTEM_POSIX_CUI = 7,
  159.                 IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
  160.                 IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
  161.                 IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
  162.                 IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
  163.                 IMAGE_SUBSYSTEM_EFI_ROM = 13,
  164.                 IMAGE_SUBSYSTEM_XBOX = 14,
  165.                 IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16,
  166.             };
  167.  
  168.             public enum DllCharacteristics
  169.             {
  170.                 Reserved = 0x0001,
  171.                 Reserved = 0x0002,
  172.                 Reserved = 0x0004,
  173.                 Reserved = 0x0008,
  174.                 IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040,
  175.                 IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
  176.                 IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100,
  177.                 IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
  178.                 IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
  179.                 IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
  180.                 Reserved = 0x1000,
  181.                 IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x4000,
  182.                 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000,
  183.             };
  184.  
  185.             [StructLayout(LayoutKind.Sequential, Pack = 1), Serializable]
  186.             public struct _IMAGE_DATA_DIRECTORY
  187.             {
  188.                 public UInt32 VirtualAddress;
  189.                 public UInt32 Size;
  190.             };
  191.  
  192.             public static class IMAGE_DATA_DIRECTORY_DATA
  193.             {
  194.                 public enum DataDirectory
  195.                 {
  196.                     //Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680305(v=vs.85).aspx
  197.                     Export_table,
  198.                     Import_table,
  199.                     Resource_table,
  200.                     Exception_table,
  201.                     Certificate_table,
  202.                     Base_relocation_table,
  203.                     Debugging_information,
  204.                     Architecture,
  205.                     Global_pointer,
  206.                     Thread_local_storage,
  207.                     Load_configuration,
  208.                     Bound_import,
  209.                     Import_address_table,
  210.                     Delay_import_descriptor,
  211.                     CLR_header,
  212.                     Reserved
  213.                 };
  214.             }
  215.         }
  216.         #endregion
  217.         #endregion
  218.     }