LordCoder Posted August 31, 2013

Hello! I want to get the sections of an executable (.text, .rdata, etc). With PEiD it's easy to dump them, but programming it is more difficult. Does anybody know how to do so in .NET? Thanks so much!

LordCoder (Author) Posted August 31, 2013

Yes, like in CFF Explorer but with programming code.

xsp!d3r Posted August 31, 2013

You can use this lib: http://code.google.com/p/portable-executable-library/

atom0s Posted August 31, 2013

Check out my post here: http://forum.tuts4you.com/topic/26862-net-directory-flags/?p=127022

LordCoder (Author) Posted September 1, 2013

@xsp!d3r Is there any documentation for this library?

@atom0s This gets the data only for .NET applications. I mean for all types of applications in any language.

mrexodia Posted September 1, 2013

This is code in C, but it could help...

    IMAGE_DOS_HEADER *pdh;
    IMAGE_NT_HEADERS *pnth;
    IMAGE_SECTION_HEADER *psh;

    pdh=(IMAGE_DOS_HEADER*)((ULONG_PTR)pFileInfo->lpFile); //start of file = DOS HEADER (ULONG_PTR keeps the full pointer on 64-bit builds)
    if(pdh->e_magic!=IMAGE_DOS_SIGNATURE) //check if it's a good MZ signature
        return false;
    pnth=(IMAGE_NT_HEADERS*)((ULONG_PTR)pFileInfo->lpFile+pdh->e_lfanew); //NT HEADER is file + e_lfanew
    if(IsBadReadPtr(pnth, 4)) //check if it's a readable pointer
        return false;
    if(pnth->Signature!=IMAGE_NT_SIGNATURE) //check NT signature
        return false;
    if(pnth->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386) //check x32
        return false;
    psh=IMAGE_FIRST_SECTION(pnth); //little macro for section header

When you have IMAGE_SECTION_HEADER, you can dump the sections using the raw address (file+raw address) and the raw size.

Another trick I saw (in Armadillo) to get the section header is:

    psh=(IMAGE_SECTION_HEADER*)&pnth[1]; //address of the first byte after the NT headers

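A bounds-checked version of the section-table walk from the post above, as an added example that is not code from any poster in this thread. It reads the headers by offset from a plain byte buffer (no windows.h), finds the section table through SizeOfOptionalHeader instead of a fixed struct size, and rejects files whose e_lfanew, section count or raw ranges point outside the file. The names pe_section, pe_sections and make_sample are hypothetical, and the sample image is constructed.

```c
#include <stdint.h>
#include <string.h>

typedef struct { char name[9]; uint32_t raw_off, raw_size; } pe_section;

/* Little-endian readers; every caller bounds-checks before reading. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Fills out[] with up to max sections; returns the count, or -1 if malformed. */
int pe_sections(const uint8_t *f, size_t len, pe_section *out, int max)
{
    if (len < 0x40 || rd16(f) != 0x5A4D) return -1;   /* "MZ" */
    uint32_t nt = rd32(f + 0x3C);                     /* e_lfanew */
    if (nt > len || len - nt < 24) return -1;         /* signature + file header */
    if (rd32(f + nt) != 0x00004550) return -1;        /* "PE\0\0" */
    uint16_t count = rd16(f + nt + 6);                /* NumberOfSections */
    uint16_t optsz = rd16(f + nt + 20);               /* SizeOfOptionalHeader */
    size_t rest = len - nt - 24;                      /* bytes after the file header */
    if (optsz > rest || (rest - optsz) / 40 < count) return -1;
    const uint8_t *sh = f + nt + 24 + optsz;          /* first section header */
    int n = 0;
    for (; n < count && n < max; n++, sh += 40) {     /* 40 = section header size */
        uint32_t size = rd32(sh + 16), off = rd32(sh + 20);
        if (off > len || size > len - off) return -1; /* raw data outside file */
        memcpy(out[n].name, sh, 8);                   /* Name may lack a terminator */
        out[n].name[8] = '\0';
        out[n].raw_off = off;                         /* PointerToRawData */
        out[n].raw_size = size;                       /* SizeOfRawData */
    }
    return n;
}

/* Constructed sample: 0x400-byte image, e_lfanew 0x40, two sections. */
size_t make_sample(uint8_t *b)
{
    memset(b, 0, 0x400);
    memcpy(b, "MZ", 2);             b[0x3C] = 0x40;
    memcpy(b + 0x40, "PE", 2);      b[0x46] = 2; b[0x54] = 0xE0;
    memcpy(b + 0x138, ".text", 5);  b[0x149] = 1; b[0x14D] = 2;
    memcpy(b + 0x160, ".rdata", 6); b[0x171] = 1; b[0x175] = 3;
    return 0x400;
}
```

Each returned raw_off/raw_size pair is already validated against the file length, so a section can be dumped by copying raw_size bytes starting at file + raw_off.
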
LordCoder (Author) Posted September 1, 2013

Oh I found NetPE app from Ki! which does exactly that. Thanks everyone for help!

atom0s Posted September 2, 2013

> @xsp!d3r Is there any documentation for this library?
> @atom0s This gets the data only for .NET applications. I mean for all types of applications in any language.

You can just remove the managed check:

    // Is this managed?
    bool bIsManaged = (imgNtHeaders.OptionalHeader.DataDirectory[HeaderHelper.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > 0);
    if (!bIsManaged)
    {
        // invalid file..
        throw new Exception("Invalid PE file... file is not managed.");
    }

idrcelab Posted September 5, 2013

> Oh I found NetPE app from Ki! which does exactly that. Thanks everyone for help!

Did you mean this? http://netpe.codeplex.com/