Posted February 1, 2017

Hi guys,

I have a new problem and wanna find a solution. So at the moment I try to work with the PE structs and found something strange. My goal was just to read some PE header data to check whether the file is a NET target or not (optionally also to find the NET version the file needs to run, if possible). So the IMAGE_NT_HEADERS struct points me to the OptionalHeader IMAGE_OPTIONAL_HEADER32 struct, and this points me to the DataDirectory IMAGE_DATA_DIRECTORY struct, and there I have this...

    IMAGE_DATA_DIRECTORY STRUCT
      VirtualAddress DWORD ?
      isize          DWORD ?
    IMAGE_DATA_DIRECTORY ENDS

...that's all? Why this? If I follow the way in Olly, then the IMAGE_DATA_DIRECTORY starts at the Export Table address in the PE. Now the question is how I get to the structs below with struct words, I mean? In windows.inc I also see the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR value 14. So it seems I have to calculate this myself manually somehow, with IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8 = 70 + IMAGE_DATA_DIRECTORY = pointer to IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. So is there no easier way, just using the struct words?

    assume esi:ptr IMAGE_NT_HEADERS
    lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) etc

Maybe something like this, without writing any calculations etc., you know.

greetz
February 1, 2017

Microsoft explains their file format fairly well here: https://msdn.microsoft.com/en-us/library/ms809762.aspx

It has a vast amount of the PE file explained, minus some parts, but what you are asking is all explained there.
February 1, 2017 (Author)

Hi, this doesn't answer my question but thanks anyway. I wrote it like this now....

    .if ax == IMAGE_NT_OPTIONAL_HDR32_MAGIC
        assume esi:ptr IMAGE_NT_HEADERS
        lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory
        ; each IMAGE_DATA_DIRECTORY entry is 8 bytes, so entry 14 is at 14*8
        mov ecx,IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8
        add ecx,eax
        ; VirtualAddress of the COM descriptor entry is 0 -> no CLR header
        .if dword ptr [ecx] == 0h
            mov eax, chr$(" x86")
        .else
            mov eax, chr$(" x86 NET")
        .endif
    .elseif ax == IMAGE_NT_OPTIONAL_HDR64_MAGIC
        assume esi:ptr IMAGE_NT_HEADERS64
        lea eax, (IMAGE_NT_HEADERS64 ptr [esi]).OptionalHeader.DataDirectory
        mov ecx,IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8
        add ecx,eax
        .if dword ptr [ecx] == 0h
            mov eax, chr$(" x64")
        .else
            mov eax, chr$(" x64 NET")
        .endif
    .endif  ; closes the outer .if / .elseif

greetz
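The same lookup as the MASM snippet above, as an added Python example that is not part of the original thread: it also checks NumberOfRvaAndSizes and the buffer bounds before reading entry 14, which the snippet skips. The function names and the header-only images built by `sample()` are constructed for this illustration.

```python
import struct

COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, as in windows.inc
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of DataDirectory inside the optional header for each magic value.
DATA_DIR_OFFSET = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}

def com_descriptor(data):
    """Return (magic, rva, size) of data directory entry 14; ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and IMAGE_FILE_HEADER
    try:
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + DATA_DIR_OFFSET[magic]
        # NumberOfRvaAndSizes is the DWORD directly before DataDirectory.
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= COM_DESCRIPTOR:
            return magic, 0, 0  # directory table too short to hold entry 14
        rva, size = struct.unpack_from("<II", data, dirs + 8 * COM_DESCRIPTOR)
    except (KeyError, struct.error) as exc:
        raise ValueError("truncated or unknown optional header") from exc
    return magic, rva, size

def classify(data):
    """Same labels as the thread's snippet: arch from the magic, NET if RVA != 0."""
    magic, rva, _size = com_descriptor(data)
    arch = "x86" if magic == PE32_MAGIC else "x64"
    return arch + (" NET" if rva != 0 else "")

def sample(magic, count=16, rva=0):
    """Constructed header-only image for the demo (not a loadable file)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(DATA_DIR_OFFSET[magic] + 8 * count)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, DATA_DIR_OFFSET[magic] - 4, count)
    if rva and count > COM_DESCRIPTOR:
        struct.pack_into("<II", opt, DATA_DIR_OFFSET[magic] + 8 * COM_DESCRIPTOR, rva, 0x48)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    for img in (sample(PE32_MAGIC), sample(PE32_MAGIC, rva=0x2008),
                sample(PE32PLUS_MAGIC, rva=0x2008), sample(PE32PLUS_MAGIC, count=10)):
        print(classify(img))
```
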
February 2, 2017

FYI... PECOFF revision 11.0 can be downloaded here... https://tuts4you.com/download.php?view.233

Ted.
February 5, 2017

.NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific. The JIT compiler decides at runtime, during startup of assemblies, whether it runs in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.
February 5, 2017

50 minutes ago, havanacj13 said:
> .NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific. The JIT compiler decides at runtime, during startup of assemblies, whether it runs in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.

not 100% accurate, there's flags in the .net metadata that can specify 32 bit only, which influence that decision
February 12, 2017

That's correct ;-). In this case the developer should know what he is doing.