Jump to content
Tuts 4 You

.NET Directory Flags


w00tare

Recommended Posts

Posted (edited)

Hey,

I'm trying to build a program that shows me the flags of the .NET Directory of a file in C#.

(This is from CFF Explorer)

di-BU3A.png

But I'm having a hard time finding some sort of Algorithm to find out when what checkbox needs to be checked.

Hoping someone can help me,

Thanks.

Edited by w00tare
Posted

See ECMA-335, Partition II, 25.3.3.1 Runtime flags

Posted (edited)

See ECMA-335, Partition II, 25.3.3.1 Runtime flags

Thanks, I'm pretty sure it's a 'TinyFormat' since it only returns one value (with steps from 2). Although, I have now no idea on how to find the right flags with the given value.

EDIT: Oh, I get what you meant now. But those are only for single values, you can select more options at once, that's the problem.

Edited by w00tare
Posted

Although, I have now no idea on how to find the right flags with the given value.

EDIT: Oh, I get what you meant now. But those are only for single values, you can select more options at once, that's the problem.

:kick: Those are normal bit flags. See example how to decode them here: http://processhacker.sourceforge.net/doc/peprp_8c_source.html (lines 684-695).

Posted (edited)

:kick: Those are normal bit flags. See example how to decode them here: http://processhacker.sourceforge.net/doc/peprp_8c_source.html (lines 684-695).

I forgot to mention I was attempting this in C#. I'm simply reading out the bytes where the data is stored. For example 1F0001 = 1000F1, meaning all flags where selected. Sorry for not mentioning it.

Edited by w00tare
Posted

CorHdr.h has all the values you are looking for which you can find (if you have Visual Studio installed) at:

C:\Program Files\Microsoft SDKs\Windows\v7.0A

Path might be different depending on if you use Express or Professional versions of VS as well as actual VS versions (2003, 2005, 2008, 2010 etc.) so you may need to search your HDD for it.

In your case the flags are:


// COM+ Header entry point flags.
COMIMAGE_FLAGS_ILONLY =0x00000001,
COMIMAGE_FLAGS_32BITREQUIRED =0x00000002,
COMIMAGE_FLAGS_IL_LIBRARY =0x00000004,
COMIMAGE_FLAGS_STRONGNAMESIGNED =0x00000008,
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT =0x00000010,
COMIMAGE_FLAGS_TRACKDEBUGDATA =0x00010000,
COMIMAGE_FLAGS_ISIBCOPTIMIZED =0x00020000, // NEW

As kao said they are a bit flags so you will need to check if a flag is set if you are trying to determine what is/isn't set.

Posted

you have to use the "&" operator in C# to test for bit flags.

Posted (edited)

CorHdr.h has all the values you are looking for which you can find (if you have Visual Studio installed) at:

C:\Program Files\Microsoft SDKs\Windows\v7.0A

Path might be different depending on if you use Express or Professional versions of VS as well as actual VS versions (2003, 2005, 2008, 2010 etc.) so you may need to search your HDD for it.

In your case the flags are:


// COM+ Header entry point flags.
COMIMAGE_FLAGS_ILONLY =0x00000001,
COMIMAGE_FLAGS_32BITREQUIRED =0x00000002,
COMIMAGE_FLAGS_IL_LIBRARY =0x00000004,
COMIMAGE_FLAGS_STRONGNAMESIGNED =0x00000008,
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT =0x00000010,
COMIMAGE_FLAGS_TRACKDEBUGDATA =0x00010000,
COMIMAGE_FLAGS_ISIBCOPTIMIZED =0x00020000, // NEW

As kao said they are a bit flags so you will need to check if a flag is set if you are trying to determine what is/isn't set.

Hey, thanks I know that. But I get the value from the file it's bytes. So lets say its 1, then its easy. But if the file has more flags I can't find out how to determine which flag is selected. And that's my problem.

you have to use the "&" operator in C# to test for bit flags.

I know, I have it working, but I don't know how to find out if more flags are selected.

This is what I'm using now:


private void ReadFile(string p)
{
BinaryReader br = new BinaryReader(File.Open(txtPath.Text, FileMode.Open, FileAccess.Read));
string x416 = null;
string x417 = null;
string x418 = null;
br.BaseStream.Seek(0x416, SeekOrigin.Begin);
x416 = br.Read;
br.BaseStream.Seek(0x417, SeekOrigin.Begin);
x417 = br.Read;
br.BaseStream.Seek(0x418, SeekOrigin.Begin);
x418 = br.Read;
br.Close();
SelectCheckboxes(x416, x417, x418);
}

It works, but I can only determine which flag is set if there is only one.

Edited by w00tare
Posted

You can determine each one like this:


Int32 nFlagsFromFile = ReadFlagsFromFile( .. );if( nFlagsFromFile & COMIMAGE_FLAGS_ILONLY ) {
// COMIMAGE_FLAGS_ILONLY is set..
}
if( nFlagsFromFile & COMIMAGE_FLAGS_32BITREQUIRE ) {
// COMIMAGE_FLAGS_32BITREQUIRE is set..
}
if( nFlagsFromFile & COMIMAGE_FLAGS_IL_LIBRARY ) {
// COMIMAGE_FLAGS_IL_LIBRARY is set..
}
if( nFlagsFromFile & COMIMAGE_FLAGS_STRONGNAMESIGNED ) {
// COMIMAGE_FLAGS_STRONGNAMESIGNED is set..
}
if( nFlagsFromFile & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT ) {
// COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set..
}
if( nFlagsFromFile & COMIMAGE_FLAGS_TRACKDEBUGDATA ) {
// COMIMAGE_FLAGS_TRACKDEBUGDATA is set..
}

Mind you the first part is pseudo, replace it with how you are reading the flags from the file.

Posted (edited)

That is what I have (already), but you can select more then one flags. So lets say I have COMIMAGE_FLAGS_ILONLY and COMIMAGE_FLAGS_32BITREQUIRE, how would I verify then which flag is checked?

Okay, lets say I choose these settings:

di-BU3A.png

then the read function I wrote will return 00000015, now how can I find out that COMIMAGE_FLAGS_ILONLY, COMIMAGE_FLAGS_IL_LIBRARY and COMIMAGE_FLAGS_NATIVEENTRYPOINT are set?

Edited by w00tare
Posted

If you actually read the pseudo code you would know...

Posted (edited)

I did, but that only works for one flag? Sorry for my stupidness, I'm completely new to this.

Edited by w00tare
Posted

you read flag 1 by 1, if the first is set, u set the first checkbox, and so on, untill u checked all flags.

Posted (edited)

you read flag 1 by 1, if the first is set, u set the first checkbox, and so on, untill u checked all flags.

I think that's a problem. Mines read all at once. Since I read the bytes of a exe, I don't touch the header.

Edited by w00tare
Posted

You need some basic programming skills in any language.

Posted

You need some basic programming skills in any language.

I can program in .NET, I just thought reading the bytes was enough to do this. So I have to access the header of a file to gain the information I want?

Posted

I guess you dont understand what a bitflag is?

Take the value you read and use calc or something to convert to BINARY...

then check each bit. If its set (1) or unset (0)...

This is rudimentary programming..try google or wikipedia if you still do not grasp the concept

COMIMAGE_FLAGS_ILONLY =0x00000001 bit 1 COMIMAGE_FLAGS_32BITREQUIRED =0x00000002 bit 2

COMIMAGE_FLAGS_IL_LIBRARY =0x00000004 bit 3

COMIMAGE_FLAGS_STRONGNAMESIGNED =0x00000008 bit 4 COMIMAGE_FLAGS_NATIVE_ENTRYPOINT =0x00000010 bit 5 COMIMAGE_FLAGS_TRACKDEBUGDATA =0x00010000 bit 6

and so on..also, its not a byte if i remember correctly..its a dword

Posted

Here's a full example of how to read the flags that I wrote. (Attached to this post.)

Credits:

//////////////////////////////////////////////////////////////////////////////////////
// Credits:
//
// CorHdr.h
// - Microsoft; definitions for COMIMAGE flags and IMAGE_COR20_HEADER.
//
// Image Directory Entry Information:
// - http://msdn.microsoft.com/en-us/library/ms680149%28v=vs.85%29.aspx
//
// Some Structure Definitions:
// - http://code.cheesydesign.com/?p=572
// - Windows SDK
//
// y0da
// - RVAToOffset method. From his old PE file stuff.
//////////////////////////////////////////////////////////////////////////////////////

Debug/Release exe's included. Drag and drop a file into the groupbox control to show which flags are set for it.

(This is setup specifically for x86 files so if the file is x64 it wont work since the headers are not setup for it.)

DotNetFileReader.rar

  • Like 1
Posted

Here's a full example of how to read the flags that I wrote. (Attached to this post.)

Credits:

//////////////////////////////////////////////////////////////////////////////////////
// Credits:
//
// CorHdr.h
// - Microsoft; definitions for COMIMAGE flags and IMAGE_COR20_HEADER.
//
// Image Directory Entry Information:
// - http://msdn.microsoft.com/en-us/library/ms680149%28v=vs.85%29.aspx
//
// Some Structure Definitions:
// - http://code.cheesydesign.com/?p=572
// - Windows SDK
//
// y0da
// - RVAToOffset method. From his old PE file stuff.
//////////////////////////////////////////////////////////////////////////////////////

Debug/Release exe's included. Drag and drop a file into the groupbox control to show which flags are set for it.

(This is setup specifically for x86 files so if the file is x64 it wont work since the headers are not setup for it.)

Thanks I will look into this, I'm sure this will help me.

Posted

You could have helped yourself by reserching instead of waiting to be spoonfed...seriously

Posted

You could have helped yourself by reserching instead of waiting to be spoonfed...seriously

I hope they tell you that next time when you ask for help, you seriously think I just didn't do anything? You should be a clairvoyant!! You can make big money if you can just 'see' what people are doing /rage.

Posted

Heh, raging is kinda pathetic, and i am self taught..i actually spent time researching, testing, debugging as i realised the old saying of. ."give someone a fish..." was incredibly accurate...

And did you actually do anything...did you check google, programming books etc..i doubt it. ...then you call yourself a coder yet dont understand the basics, and read a dword as bytes.. Get the point? (Incase you dont.. The point is to stop being lazy and do some research yourself, otherwise you will never progress to become a better coder...)..

As for me asking for help..i doubt that will happen..why? because i spent 25+ years learning my skills, researching, testing and learning multiple coding languages...

And a clairvoyant is a circus act.. People pretending to be what they are not...oh wait.........what an amazing parallel

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...