LordCoder Posted August 31, 2013
Hello! I want to get the sections of an executable (.text, .rdata, etc). With PEiD it's easy to dump them, but programming it is more difficult. Does anybody know how to do so in .NET? Thanks so much!

ewwink Posted August 31, 2013
You mean like CFF Explorer?

LordCoder Posted August 31, 2013
Yes, like in CFF Explorer, but with programming code.

xsp!d3r Posted August 31, 2013
You can use this lib: http://code.google.com/p/portable-executable-library/

atom0s Posted August 31, 2013
Check out my post here: http://forum.tuts4you.com/topic/26862-net-directory-flags/?p=127022

LordCoder Posted September 1, 2013
@xsp!d3r Is there any documentation for this library?
@atom0s This gets the data only for .NET applications. I mean for all types of applications in any language.

mrexodia Posted September 1, 2013
This is code in C, but it could help...

```c
IMAGE_DOS_HEADER *pdh;
IMAGE_NT_HEADERS *pnth;
IMAGE_SECTION_HEADER *psh;

pdh=(IMAGE_DOS_HEADER*)((DWORD_PTR)pFileInfo->lpFile); //start of file = DOS HEADER
if(pdh->e_magic!=IMAGE_DOS_SIGNATURE) //check if it's a good MZ signature
    return false;
pnth=(IMAGE_NT_HEADERS*)((DWORD_PTR)pFileInfo->lpFile+pdh->e_lfanew); //NT HEADER is file + e_lfanew
if(IsBadReadPtr(pnth, 4)) //check if it's a readable pointer
    return false;
if(pnth->Signature!=IMAGE_NT_SIGNATURE) //check NT signature
    return false;
if(pnth->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386) //check x32
    return false;
psh=IMAGE_FIRST_SECTION(pnth); //little macro for section header
```

When you have IMAGE_SECTION_HEADER, you can dump the sections using the raw address (file+raw address) and the raw size.

Another trick I saw (in Armadillo) to get the section header is:

```c
psh=(IMAGE_SECTION_HEADER*)&pnth[1]; //address just past IMAGE_NT_HEADERS
```

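An added example, not code from any poster in this thread: the same header walk as the C snippet above, written without `windows.h` and with every offset checked against the file length, since `e_lfanew`, the section count and the raw offsets all come from the file being inspected. It goes beyond the snippet by locating the section table through `SizeOfOptionalHeader`, so it handles both 32-bit and 64-bit images; the names `pe_sections`, `Section` and `build_sample` are hypothetical, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { char name[9]; uint32_t raw_off, raw_size; } Section;

static uint32_t rd(const uint8_t *p, int n) {        /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr(uint8_t *p, uint32_t v, int n) {      /* little-endian write (sample only) */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns the number of sections stored in out, or -1 if the headers are malformed. */
int pe_sections(const uint8_t *f, size_t len, Section *out, int max) {
    if (len < 0x40 || rd(f, 2) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t nt = rd(f + 0x3C, 4);                                   /* e_lfanew */
    if (nt > len || len - nt < 24 || rd(f + nt, 4) != 0x4550) return -1; /* "PE\0\0" */
    /* NumberOfSections and SizeOfOptionalHeader from the file header */
    uint32_t count = rd(f + nt + 6, 2), opt = rd(f + nt + 20, 2);
    size_t tbl = (size_t)nt + 24 + opt;                              /* section table start */
    if (tbl > len || (len - tbl) / 40 < count) return -1;            /* table must fit */
    int n = 0;
    for (uint32_t i = 0; i < count && n < max; i++) {
        const uint8_t *s = f + tbl + 40 * (size_t)i;
        uint32_t size = rd(s + 16, 4), off = rd(s + 20, 4);          /* raw size, raw address */
        if (off > len || size > len - off) return -1;                /* data must lie in file */
        memcpy(out[n].name, s, 8); out[n].name[8] = '\0';
        out[n].raw_off = off; out[n].raw_size = size; n++;
    }
    return n;
}

/* Constructed sample: header-only image, two sections, 0x400 bytes in total. */
size_t build_sample(uint8_t *f) {
    memset(f, 0, 0x400);
    wr(f, 0x5A4D, 2); wr(f + 0x3C, 0x80, 4);                         /* MZ, e_lfanew */
    wr(f + 0x80, 0x4550, 4); wr(f + 0x86, 2, 2); wr(f + 0x94, 0xE0, 2);
    uint8_t *s = f + 0x80 + 24 + 0xE0;                               /* section table */
    memcpy(s, ".text", 5);       wr(s + 16, 0x100, 4); wr(s + 20, 0x200, 4);
    memcpy(s + 40, ".rdata", 6); wr(s + 56, 0x100, 4); wr(s + 60, 0x300, 4);
    return 0x400;
}

int main(void) {
    uint8_t f[0x400]; Section sec[8];
    int n = pe_sections(f, build_sample(f), sec, 8);
    for (int i = 0; i < n; i++)
        printf("%-8s raw=0x%X size=0x%X\n", sec[i].name, (unsigned)sec[i].raw_off, (unsigned)sec[i].raw_size);
    return n < 0;
}
```

Dumping a section is then a copy of `raw_size` bytes starting at `raw_off`, both already known to lie inside the buffer.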
LordCoder Posted September 1, 2013
Oh, I found the NetPE app from Ki! which does exactly that. Thanks everyone for the help!

atom0s Posted September 2, 2013
> @xsp!d3r Is there any documentation for this library?
> @atom0s This gets the data only for .NET applications. I mean for all types of applications in any language.

You can just remove the managed check:

```csharp
// Is this managed?
bool bIsManaged = (imgNtHeaders.OptionalHeader.DataDirectory[HeaderHelper.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > 0);
if (!bIsManaged)
{
    // invalid file..
    throw new Exception("Invalid PE file... file is not managed.");
}
```

idrcelab Posted September 5, 2013
> Oh, I found the NetPE app from Ki! which does exactly that. Thanks everyone for the help!

Did you mean this? http://netpe.codeplex.com/