w00tare Posted August 2, 2011 (edited)

Hey, I'm trying to build a program that shows me the flags of the .NET Directory of a file in C#. (This is from CFF Explorer) But I'm having a hard time finding some sort of Algorithm to find out when what checkbox needs to be checked. Hoping someone can help me, Thanks.

Edited August 2, 2011 by w00tare
w00tare (Author) Posted August 2, 2011 (edited)

> See ECMA-335, Partition II, 25.3.3.1 Runtime flags

Thanks, I'm pretty sure it's a 'TinyFormat' since it only returns one value (with steps from 2). Although, I have now no idea on how to find the right flags with the given value.

EDIT: Oh, I get what you meant now. But those are only for single values, you can select more options at once, that's the problem.

Edited August 2, 2011 by w00tare
kao Posted August 2, 2011

> Although, I have now no idea on how to find the right flags with the given value.
> EDIT: Oh, I get what you meant now. But those are only for single values, you can select more options at once, that's the problem.

Those are normal bit flags. See an example of how to decode them here: http://processhacker.sourceforge.net/doc/peprp_8c_source.html (lines 684-695).
w00tare (Author) Posted August 2, 2011 (edited)

> Those are normal bit flags. See an example of how to decode them here: http://processhacker.sourceforge.net/doc/peprp_8c_source.html (lines 684-695).

I forgot to mention I was attempting this in C#. I'm simply reading out the bytes where the data is stored. For example 1F0001 = 1000F1, meaning all flags were selected. Sorry for not mentioning it.

Edited August 2, 2011 by w00tare
atom0s Posted August 2, 2011

CorHdr.h has all the values you are looking for which you can find (if you have Visual Studio installed) at:

C:\Program Files\Microsoft SDKs\Windows\v7.0A

Path might be different depending on if you use Express or Professional versions of VS as well as actual VS versions (2003, 2005, 2008, 2010 etc.) so you may need to search your HDD for it.

In your case the flags are:

```c
// COM+ Header entry point flags.
COMIMAGE_FLAGS_ILONLY               =0x00000001,
COMIMAGE_FLAGS_32BITREQUIRED        =0x00000002,
COMIMAGE_FLAGS_IL_LIBRARY           =0x00000004,
COMIMAGE_FLAGS_STRONGNAMESIGNED     =0x00000008,
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT    =0x00000010,
COMIMAGE_FLAGS_TRACKDEBUGDATA       =0x00010000,
COMIMAGE_FLAGS_ISIBCOPTIMIZED       =0x00020000, // NEW
```

As kao said they are bit flags so you will need to check if a flag is set if you are trying to determine what is/isn't set.
Kurapica Posted August 2, 2011

you have to use the "&" operator in C# to test for bit flags.
w00tare (Author) Posted August 2, 2011 (edited)

> CorHdr.h has all the values you are looking for which you can find (if you have Visual Studio installed) at:
>
> C:\Program Files\Microsoft SDKs\Windows\v7.0A
>
> Path might be different depending on if you use Express or Professional versions of VS as well as actual VS versions (2003, 2005, 2008, 2010 etc.) so you may need to search your HDD for it.
>
> In your case the flags are:
>
> // COM+ Header entry point flags.
> COMIMAGE_FLAGS_ILONLY               =0x00000001,
> COMIMAGE_FLAGS_32BITREQUIRED        =0x00000002,
> COMIMAGE_FLAGS_IL_LIBRARY           =0x00000004,
> COMIMAGE_FLAGS_STRONGNAMESIGNED     =0x00000008,
> COMIMAGE_FLAGS_NATIVE_ENTRYPOINT    =0x00000010,
> COMIMAGE_FLAGS_TRACKDEBUGDATA       =0x00010000,
> COMIMAGE_FLAGS_ISIBCOPTIMIZED       =0x00020000, // NEW
>
> As kao said they are bit flags so you will need to check if a flag is set if you are trying to determine what is/isn't set.

Hey, thanks I know that. But I get the value from the file it's bytes. So let's say it's 1, then it's easy. But if the file has more flags I can't find out how to determine which flag is selected. And that's my problem.

> you have to use the "&" operator in C# to test for bit flags.

I know, I have it working, but I don't know how to find out if more flags are selected.

This is what I'm using now:

```csharp
private void ReadFile(string p)
{
    // Reads three single bytes at fixed file offsets and hands each one on as a string.
    BinaryReader br = new BinaryReader(File.Open(txtPath.Text, FileMode.Open, FileAccess.Read));
    string x416 = null;
    string x417 = null;
    string x418 = null;
    // The post had "br.Read" here, which does not compile; a one-byte hex read is assumed.
    br.BaseStream.Seek(0x416, SeekOrigin.Begin);
    x416 = br.ReadByte().ToString("X2");
    br.BaseStream.Seek(0x417, SeekOrigin.Begin);
    x417 = br.ReadByte().ToString("X2");
    br.BaseStream.Seek(0x418, SeekOrigin.Begin);
    x418 = br.ReadByte().ToString("X2");
    br.Close();
    SelectCheckboxes(x416, x417, x418);
}
```

It works, but I can only determine which flag is set if there is only one.

Edited August 2, 2011 by w00tare
atom0s Posted August 2, 2011

You can determine each one like this:

```csharp
// Pseudo: replace ReadFlagsFromFile( .. ) with however you read the flags dword.
Int32 nFlagsFromFile = ReadFlagsFromFile( .. );

// Each test is independent, so any combination of flags is detected.
if( (nFlagsFromFile & COMIMAGE_FLAGS_ILONLY) != 0 ) {
    // COMIMAGE_FLAGS_ILONLY is set..
}
if( (nFlagsFromFile & COMIMAGE_FLAGS_32BITREQUIRED) != 0 ) {
    // COMIMAGE_FLAGS_32BITREQUIRED is set..
}
if( (nFlagsFromFile & COMIMAGE_FLAGS_IL_LIBRARY) != 0 ) {
    // COMIMAGE_FLAGS_IL_LIBRARY is set..
}
if( (nFlagsFromFile & COMIMAGE_FLAGS_STRONGNAMESIGNED) != 0 ) {
    // COMIMAGE_FLAGS_STRONGNAMESIGNED is set..
}
if( (nFlagsFromFile & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT) != 0 ) {
    // COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set..
}
if( (nFlagsFromFile & COMIMAGE_FLAGS_TRACKDEBUGDATA) != 0 ) {
    // COMIMAGE_FLAGS_TRACKDEBUGDATA is set..
}
```

Mind you the first part is pseudo, replace it with how you are reading the flags from the file.
w00tare (Author) Posted August 2, 2011 (edited)

That is what I have (already), but you can select more than one flag. So let's say I have COMIMAGE_FLAGS_ILONLY and COMIMAGE_FLAGS_32BITREQUIRE, how would I verify then which flag is checked?

Okay, let's say I choose these settings: then the read function I wrote will return 00000015, now how can I find out that COMIMAGE_FLAGS_ILONLY, COMIMAGE_FLAGS_IL_LIBRARY and COMIMAGE_FLAGS_NATIVEENTRYPOINT are set?

Edited August 2, 2011 by w00tare
evlncrn8 Posted August 2, 2011

If you actually read the pseudo code you would know...
w00tare (Author) Posted August 2, 2011 (edited)

I did, but that only works for one flag? Sorry for my stupidness, I'm completely new to this.

Edited August 2, 2011 by w00tare
-Alex- Posted August 2, 2011

you read flag 1 by 1, if the first is set, u set the first checkbox, and so on, until u checked all flags.
w00tare (Author) Posted August 2, 2011 (edited)

> you read flag 1 by 1, if the first is set, u set the first checkbox, and so on, until u checked all flags.

I think that's a problem. Mines read all at once. Since I read the bytes of an exe, I don't touch the header.

Edited August 2, 2011 by w00tare
Kurapica Posted August 2, 2011

You need some basic programming skills in any language.
w00tare (Author) Posted August 2, 2011

> You need some basic programming skills in any language.

I can program in .NET, I just thought reading the bytes was enough to do this. So I have to access the header of a file to gain the information I want?
evlncrn8 Posted August 3, 2011

I guess you don't understand what a bitflag is?

Take the value you read and use calc or something to convert to BINARY... then check each bit. If it's set (1) or unset (0)...

This is rudimentary programming.. try google or wikipedia if you still do not grasp the concept

```
COMIMAGE_FLAGS_ILONLY               =0x00000001   bit 1
COMIMAGE_FLAGS_32BITREQUIRED        =0x00000002   bit 2
COMIMAGE_FLAGS_IL_LIBRARY           =0x00000004   bit 3
COMIMAGE_FLAGS_STRONGNAMESIGNED     =0x00000008   bit 4
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT    =0x00000010   bit 5
COMIMAGE_FLAGS_TRACKDEBUGDATA       =0x00010000   bit 6
```

and so on..

also, it's not a byte if i remember correctly.. it's a dword
atom0s Posted August 3, 2011

Here's a full example of how to read the flags that I wrote. (Attached to this post.)

Credits:

```
////////////////////////////////////////////////////////////////////////////////////////
// Credits:
//
// CorHdr.h
//   - Microsoft; definitions for COMIMAGE flags and IMAGE_COR20_HEADER.
//
// Image Directory Entry Information:
//   - http://msdn.microsoft.com/en-us/library/ms680149%28v=vs.85%29.aspx
//
// Some Structure Definitions:
//   - http://code.cheesydesign.com/?p=572
//   - Windows SDK
//
// y0da
//   - RVAToOffset method. From his old PE file stuff.
////////////////////////////////////////////////////////////////////////////////////////
```

Debug/Release exe's included. Drag and drop a file into the groupbox control to show which flags are set for it. (This is set up specifically for x86 files so if the file is x64 it won't work since the headers are not set up for it.)

DotNetFileReader.rar
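An added example, not written by any poster and not the code in the attachment above: it finds the Flags dword of IMAGE_COR20_HEADER by walking the PE headers instead of seeking to a fixed offset, then applies one `&` test per flag so that any combination is reported. It also handles PE32+ (x64) files, which goes beyond the x86-only attachment; the `ClrFlags` class and its method names are assumptions made for this example, and the enum values are the ones quoted from CorHdr.h in the thread.

```csharp
using System;
using System.IO;
using System.Linq;
[Flags]
enum ComImageFlags : uint // names and values as quoted from CorHdr.h in this thread
{
    COMIMAGE_FLAGS_ILONLY = 0x00000001, COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002,
    COMIMAGE_FLAGS_IL_LIBRARY = 0x00000004, COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008,
    COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010, COMIMAGE_FLAGS_TRACKDEBUGDATA = 0x00010000,
    COMIMAGE_FLAGS_ISIBCOPTIMIZED = 0x00020000
}
static class ClrFlags // hypothetical helper class for this example
{
    // Returns the Flags dword of IMAGE_COR20_HEADER, or null when the file has no CLR header.
    public static uint? Read(string path)
    {
        using (var br = new BinaryReader(File.OpenRead(path)))
        {
            Stream s = br.BaseStream;
            if (s.Length < 0x40 || br.ReadUInt16() != 0x5A4D) return null;   // "MZ"
            s.Position = 0x3C; uint pe = br.ReadUInt32();                    // e_lfanew
            s.Position = pe; if (br.ReadUInt32() != 0x00004550) return null; // "PE\0\0"
            s.Position = pe + 6; ushort sections = br.ReadUInt16();          // NumberOfSections
            s.Position = pe + 20; ushort optSize = br.ReadUInt16();          // SizeOfOptionalHeader
            uint opt = pe + 24; s.Position = opt; bool pe32Plus = br.ReadUInt16() == 0x20B;
            uint dirs = opt + (pe32Plus ? 112u : 96u);                       // data directory array
            s.Position = dirs - 4; if (br.ReadUInt32() <= 14) return null;   // NumberOfRvaAndSizes
            s.Position = dirs + 14 * 8; uint rva = br.ReadUInt32();          // entry 14: CLR header
            for (uint i = 0; rva != 0 && i < sections; i++)                  // RVA -> file offset
            {
                s.Position = opt + optSize + i * 40 + 8;                     // skip 8-byte Name
                uint vsize = br.ReadUInt32(), va = br.ReadUInt32(),
                     rawSize = br.ReadUInt32(), rawPtr = br.ReadUInt32();
                if (rva < va || rva >= va + Math.Max(vsize, rawSize)) continue;
                s.Position = rva - va + rawPtr + 16; return br.ReadUInt32(); // Flags at +16
            }
            return null;
        }
    }
    // One "&" test per defined flag: every set flag is reported, not only the first match.
    public static string Decode(uint value) => string.Join(" | ",
        Enum.GetValues(typeof(ComImageFlags)).Cast<ComImageFlags>().Where(f => (value & (uint)f) != 0));
    static void Main(string[] args)
    {
        Console.WriteLine(Decode(0x15)); // the combined value asked about in the thread
        uint? flags = Read(args.Length > 0 ? args[0] : typeof(ClrFlags).Assembly.Location);
        Console.WriteLine(flags.HasValue ? Decode(flags.Value) : "no CLR header");
    }
}
```

A truncated or malformed file makes the reader throw EndOfStreamException, so a caller that opens untrusted files should catch it.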
w00tare (Author) Posted August 3, 2011

> Here's a full example of how to read the flags that I wrote. (Attached to this post.)
>
> Credits:
>
> ////////////////////////////////////////////////////////////////////////////////////////
> // Credits:
> //
> // CorHdr.h
> //   - Microsoft; definitions for COMIMAGE flags and IMAGE_COR20_HEADER.
> //
> // Image Directory Entry Information:
> //   - http://msdn.microsoft.com/en-us/library/ms680149%28v=vs.85%29.aspx
> //
> // Some Structure Definitions:
> //   - http://code.cheesydesign.com/?p=572
> //   - Windows SDK
> //
> // y0da
> //   - RVAToOffset method. From his old PE file stuff.
> ////////////////////////////////////////////////////////////////////////////////////////
>
> Debug/Release exe's included. Drag and drop a file into the groupbox control to show which flags are set for it. (This is set up specifically for x86 files so if the file is x64 it won't work since the headers are not set up for it.)

Thanks I will look into this, I'm sure this will help me.
evlncrn8 Posted August 3, 2011

You could have helped yourself by researching instead of waiting to be spoonfed... seriously
w00tare (Author) Posted August 3, 2011

> You could have helped yourself by researching instead of waiting to be spoonfed... seriously

I hope they tell you that next time when you ask for help, you seriously think I just didn't do anything? You should be a clairvoyant!! You can make big money if you can just 'see' what people are doing /rage.
evlncrn8 Posted August 3, 2011

Heh, raging is kinda pathetic, and i am self taught.. i actually spent time researching, testing, debugging as i realised the old saying of.. "give someone a fish..." was incredibly accurate...

And did you actually do anything... did you check google, programming books etc.. i doubt it... then you call yourself a coder yet don't understand the basics, and read a dword as bytes.. Get the point? (In case you don't.. The point is to stop being lazy and do some research yourself, otherwise you will never progress to become a better coder...)..

As for me asking for help.. i doubt that will happen.. why? because i spent 25+ years learning my skills, researching, testing and learning multiple coding languages...

And a clairvoyant is a circus act.. People pretending to be what they are not... oh wait......... what an amazing parallel