Tuts 4 You

PE structs question


LCF-AT


Hi guys,

I have a new problem and want to find a solution. At the moment I am trying to work with the PE structs and found something strange. My goal was just to read some PE header data to check whether the file is a .NET target or not (optionally also to find the .NET version the file needs to run, if possible).

So the IMAGE_NT_HEADERS struct points me to the OptionalHeader (IMAGE_OPTIONAL_HEADER32 struct), and this points me to DataDirectory (IMAGE_DATA_DIRECTORY struct), and there I have this...

IMAGE_DATA_DIRECTORY STRUCT
  VirtualAddress    DWORD      ?
  isize             DWORD      ?
IMAGE_DATA_DIRECTORY ENDS

...is that all? Why this? If I follow the way in Olly, then the IMAGE_DATA_DIRECTORY starts at the Export Table address in the PE. Now the question is how I get to the structs below using the struct words, I mean? In windows.inc I also see the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR value 14. So it seems I have to calculate this myself manually somehow, with IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8 = 70 + IMAGE_DATA_DIRECTORY = pointer to IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. So is there no easier way, just using the struct words?

assume esi:ptr IMAGE_NT_HEADERS
lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) etc

Maybe something like this, without having to write any calculations etc., you know.

greetz


Hi,

This doesn't answer my question, but thanks anyway. I wrote it like this now....

      .if ax == IMAGE_NT_OPTIONAL_HDR32_MAGIC
           ; PE32: DataDirectory is a member of IMAGE_OPTIONAL_HEADER32
           assume esi:ptr IMAGE_NT_HEADERS
           lea eax, (IMAGE_NT_HEADERS ptr [esi]).OptionalHeader.DataDirectory
           ; entry 14, each IMAGE_DATA_DIRECTORY entry is 8 bytes
           mov ecx, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8
           add ecx, eax
           ; first dword of the entry is VirtualAddress; 0 means no COM descriptor
           .if dword ptr [ecx] == 0h
                mov eax, chr$(" x86")
           .else
                mov eax, chr$(" x86 NET")
           .endif
      .elseif ax == IMAGE_NT_OPTIONAL_HDR64_MAGIC
           ; PE32+: same lookup through the 64-bit header layout
           assume esi:ptr IMAGE_NT_HEADERS64
           lea eax, (IMAGE_NT_HEADERS64 ptr [esi]).OptionalHeader.DataDirectory
           mov ecx, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR*8
           add ecx, eax
           .if dword ptr [ecx] == 0h
                mov eax, chr$(" x64")
           .else
                mov eax, chr$(" x64 NET")
           .endif
      .endif

greetz


.NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific.

The JIT compiler decides at runtime, during startup of assemblies, whether they run in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.

 

50 minutes ago, havanacj13 said:

.NET (MSIL) files normally are not 32 (x86) or 64 (x64) specific.

The JIT compiler decides at runtime, during startup of assemblies, whether they run in x86 or in x64 mode. This normally also depends on the platform the assembly is executed on.

 

Not 100% accurate, there are flags in the .NET metadata that can specify 32-bit only, which influence that decision.

Link to comment
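The following Python is an added example, not code from any poster in this thread. It reads DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] at the offset that applies to PE32 or PE32+, follows the RVA through the section table, and tests the 32-bit-required bit in the CLR header flags, which is a flag of the kind the last reply mentions. The names dotnet_info, build_sample and FLAG_32BITREQUIRED are chosen here, and the sample image and its addresses are constructed for the demo.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # OptionalHeader.Magic values
COM_DESCRIPTOR = 14              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
FLAG_32BITREQUIRED = 0x2         # COMIMAGE_FLAGS_32BITREQUIRED in IMAGE_COR20_HEADER.Flags

def dotnet_info(data):
    """Return (bits, is_dotnet, requires_32bit); ValueError on a malformed image."""
    try:
        nt, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        nsec, = struct.unpack_from("<H", data, nt + 6)       # NumberOfSections
        opt_size, = struct.unpack_from("<H", data, nt + 20)  # SizeOfOptionalHeader
        opt = nt + 24
        magic, = struct.unpack_from("<H", data, opt)
        if magic not in (PE32, PE32_PLUS):
            raise ValueError("unknown OptionalHeader.Magic")
        bits = 32 if magic == PE32 else 64
        dirs = opt + (96 if magic == PE32 else 112)          # DataDirectory offset differs
        count, = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
        rva = struct.unpack_from("<I", data, dirs + 8 * COM_DESCRIPTOR)[0] if count > COM_DESCRIPTOR else 0
        if rva == 0:
            return bits, False, False
        for i in range(nsec):                                # map RVA to file offset
            _, vaddr, rsize, rptr = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
            if vaddr <= rva < vaddr + rsize:
                flags, = struct.unpack_from("<I", data, rptr + rva - vaddr + 16)
                return bits, True, bool(flags & FLAG_32BITREQUIRED)
        raise ValueError("CLR header RVA is outside every section")
    except struct.error as exc:
        raise ValueError("truncated PE image") from exc

def build_sample(magic, clr_flags=None):
    """Constructed header-only image for the demo; not a loadable executable."""
    opt, opt_size = 0x98, (224 if magic == PE32 else 240)
    dirs = opt + opt_size - 128                              # 16 directory slots of 8 bytes
    buf = bytearray(0x400)
    buf[0:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<H", buf, 0x86, 1)                     # one section
    struct.pack_into("<H", buf, 0x94, opt_size)
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, dirs - 4, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<4I", buf, opt + opt_size + 8, 0x100, 0x2000, 0x100, 0x300)
    if clr_flags is not None:                                # add COM descriptor + CLR header
        struct.pack_into("<II", buf, dirs + 8 * COM_DESCRIPTOR, 0x2000, 72)
        struct.pack_into("<I", buf, 0x300 + 16, clr_flags)
    return bytes(buf)
```

A PE32 header with the COM descriptor present and the 32-bit-required bit clear is the case where the header magic alone would mislabel the file as x86.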
