LCF-AT Posted February 1, 2017

Hi guys,

I have a new problem and wanna find a solution. So at the moment I try to work with the PE structs and found something strange. My goal was just to read some PE header data to check whether the file is a NET target or not (optionally also to find the NET version the file needs to run, if possible). So the IMAGE_NT_HEADERS struct points me to the OptionalHeader IMAGE_OPTIONAL_HEADER32 struct, and this points me to the DataDirectory IMAGE_DATA_DIRECTORY struct, and there I have this...

    IMAGE_DATA_DIRECTORY STRUCT
      VirtualAddress DWORD ?
      isize          DWORD ?
    IMAGE_DATA_DIRECTORY ENDS

....that all? Why this? If I follow the way in Olly, then the IMAGE_DATA_DIRECTORY starts at the Export Table address in the PE. Now the question is how I come to the structs below, with struct words I mean? In windows.inc I also see the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR value 14. So it seems I have to calc this by myself anyhow manually with IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8 = 70 + IMAGE_DATA_DIRECTORY = Pointer to IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. So is there no easier way, just to use the struct words?

    assume esi:ptr IMAGE_NT_HEADERS
    lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

etc. Maybe something like this, without having to write any calculations etc., you know.

greetz

atom0s Posted February 1, 2017

Microsoft explains their file format fairly well here: https://msdn.microsoft.com/en-us/library/ms809762.aspx

It has a vast amount of the PE file explained, minus some parts but what you are asking is all explained there.

LCF-AT Posted February 1, 2017 Author

Hi,

this doesn't answer my question but thanks anyway. I wrote it so now....

    .if ax == IMAGE_NT_OPTIONAL_HDR32_MAGIC
        assume esi:ptr IMAGE_NT_HEADERS
        lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory
        mov ecx, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8   ; 8 = size of one IMAGE_DATA_DIRECTORY entry
        add ecx, eax                                      ; ecx -> DataDirectory[14]
        .if dword ptr [ecx] == 0h                         ; VirtualAddress is 0: no COM descriptor
            mov eax, chr$(" x86")
        .else
            mov eax, chr$(" x86 NET")
        .endif
    .elseif ax == IMAGE_NT_OPTIONAL_HDR64_MAGIC
        assume esi:ptr IMAGE_NT_HEADERS64
        lea eax, (IMAGE_NT_HEADERS64 ptr [esi]).OptionalHeader.DataDirectory
        mov ecx, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8
        add ecx, eax
        .if dword ptr [ecx] == 0h
            mov eax, chr$(" x64")
        .else
            mov eax, chr$(" x64 NET")
        .endif
    .endif                                                ; closes the magic check

greetz

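Added example, not part of the original thread and not any poster's code: the same DataDirectory[14] lookup in Python for both PE32 and PE32+, which also checks NumberOfRvaAndSizes so that entry 14 is only read when the header declares it. The function names `com_descriptor` and `build_sample` are made up for this example, and the sample headers are constructed.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
# Offset of DataDirectory inside the optional header, per magic.
DATA_DIR_OFFSET = {IMAGE_NT_OPTIONAL_HDR32_MAGIC: 96,
                   IMAGE_NT_OPTIONAL_HDR64_MAGIC: 112}


def com_descriptor(pe: bytes):
    """Return (bitness, rva, size) of directory entry 14; rva 0 = no CLR header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature + IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in DATA_DIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + DATA_DIR_OFFSET[magic]
    # NumberOfRvaAndSizes is the DWORD right before DataDirectory.
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    bits = 32 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 64
    if count <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return bits, 0, 0            # entry 14 is not declared at all
    # 14 * 8 = 0x70 bytes past the start of DataDirectory
    entry = dirs + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    rva, size = struct.unpack_from("<II", pe, entry)
    return bits, rva, size


def build_sample(magic, count=16, clr_rva=0):
    """Constructed headers only (no sections), for demonstration."""
    off = DATA_DIR_OFFSET[magic]
    opt = bytearray(off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, off - 4, count)
    struct.pack_into("<II", opt, off + 14 * 8, clr_rva, 0x48 if clr_rva else 0)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)


if __name__ == "__main__":
    for magic in DATA_DIR_OFFSET:
        print(com_descriptor(build_sample(magic, clr_rva=0x2008)))
```
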
Teddy Rogers Posted February 2, 2017

FYI... PECOFF revision 11.0 can be downloaded here...

https://tuts4you.com/download.php?view.233

Ted.

havanacj13 Posted February 5, 2017

.NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific. The JIT compiler decides at runtime, during startup of assemblies, whether it runs in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.

evlncrn8 Posted February 5, 2017

50 minutes ago, havanacj13 said:
> .NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific. The JIT compiler decides at runtime, during startup of assemblies, whether it runs in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.

not 100% accurate, there are flags in the .net metadata that can specify 32 bit only which influence that decision

havanacj13 Posted February 12, 2017

That's correct ;-). In this case the developer should know what he is doing.