Monday, January 9, 2017

Dissecting C# Executables: Part 6

Ok, we are now working on the .  From the Microsoft Portable Executable and Common ObjectFile Format Specification: Revision 10 that we have been using for these dissections we have the Optional Header Data Directories:
Offset
(PE/PE32+)
Size
Field
Description
  96/112
8
Export Table
The export table address and size. For more information see section 6.3, “The .edata Section (Image Only).”
104/120
8
Import Table
The import table address and size. For more information, see section 6.4, “The .idata Section.”
112/128
8
Resource Table
The resource table address and size. For more information, see section 6.9, “The .rsrc Section.”
120/136
8
Exception Table
The exception table address and size. For more information, see section 6.5, “The .pdata Section.”
128/144
8
Certificate Table
The attribute certificate table address and size. For more information, see section 5.7, “The Attribute Certificate Table (Image Only).”
136/152
8
Base Relocation Table
The base relocation table address and size. For more information, see section 6.6, "The .reloc Section (Image Only)."
144/160
8
Debug
The debug data starting address and size. For more information, see section 6.1, “The .debug Section.”
152/168
8
Architecture
Reserved, must be 0
160/176
8
Global Ptr
The RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero.
168/184
8
TLS Table
The thread local storage (TLS) table address and size. For more information, see section 6.7, “The .tls Section.”
176/192
8
Load Config Table
The load configuration table address and size. For more information, see section 6.8, “The Load Configuration Structure (Image Only).”
184/200
8
Bound Import
The bound import table address and size.
192/208
8
IAT
The import address table address and size. For more information, see section 6.4.4, “Import Address Table.”
200/216
8
Delay Import Descriptor
The delay import descriptor address and size. For more information, see section 5.8, “Delay-Load Import Tables (Image Only).”
208/224
8
CLR Runtime Header
The CLR runtime header address and size. For more information, see section 6.10, “The .cormeta Section (Object Only).”
216/232
8
Reserved, must be zero

And our data from the three are different, as expected.  They are expected to be different because the files are different sizes.  The CSC is 3072, the VS is 5102, and the Xamarin is 3584.  So, if we dig into the CSC first, we have 16 double words:

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_CSC_2.0.exe
000000F0   00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00   ················
00000100   5C 23 00 00 4F 00 00 00  00 40 00 00 D0 02 00 00   \#··O····@··D···
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000120   00 60 00 00 0C 00 00 00  00 00 00 00 00 00 00 00   ·`··············
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000150   00 00 00 00 00 00 00 00  00 20 00 00 08 00 00 00   ········· ······
00000160   00 00 00 00 00 00 00 00  08 20 00 00 48 00 00 00   ········· ··H···
00000170   00 00 00 00 00 00 00 00  2E 74 65 78 74 00 00 00   ········.text···

We have the ExportTable at 0x00,  the ImportTable at 0x0000004F0000235C, the ResourceTable at 0x000002D000004000, the ExceptionTable at 0x00, the CertificateTable  at 0x00, the BaseRelocationTable at 0x0000000C00006000, the  Debug at 0x00, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_VS_2.0.exe
000000F0   00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00   ················
00000100   58 27 00 00 4F 00 00 00  00 40 00 00 10 06 00 00   X'··O····@······
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000120   00 60 00 00 0C 00 00 00  20 26 00 00 1C 00 00 00   ·`······ &······
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000150   00 00 00 00 00 00 00 00  00 20 00 00 08 00 00 00   ········· ······
00000160   00 00 00 00 00 00 00 00  08 20 00 00 48 00 00 00   ········· ··H···
00000170   00 00 00 00 00 00 00 00  2E 74 65 78 74 00 00 00   ········.text···

In the VS we have the ExportTable at 0x00,  the ImportTable at 0x0000004F00002758, the ResourceTable at 0x0000061000004000, the ExceptionTable at 0x00, the CertificateTable  at 0x00, the BaseRelocationTable at 0x0000000C00006000, the  Debug at 0x0000001C00002620, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_Xamarin_2.0.exe
000000F0   00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00   ················
00000100   B0 24 00 00 4B 00 00 00  00 40 00 00 84 03 00 00   °$··K····@··?···
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000120   00 60 00 00 0C 00 00 00  00 00 00 00 00 00 00 00   ·`··············
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000150   00 00 00 00 00 00 00 00  00 20 00 00 08 00 00 00   ········· ······
00000160   00 00 00 00 00 00 00 00  08 20 00 00 48 00 00 00   ········· ··H···
00000170   00 00 00 00 00 00 00 00  2E 74 65 78 74 00 00 00   ········.text···

Finally, in the Xamarin we have the ExportTable at 0x00,  the ImportTable at 0x0000004B000024B0, the ResourceTable at 0x0000038400004000, the ExceptionTable at 0x00, the CertificateTable  at 0x00, the BaseRelocationTable at 0x0000000C00006000, the  Debug at 0x00, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.

So, this clears up why the VS images are so much larger than the others.  Did you catch it?  The VS image has a non-zero Debug section.  That implies that the VS image has debug information, which if we look in the Advanced Build Settings we will see that the Output is set for Debug Info as pdb-only:
Advanced Build Settings with pdb-only set for Debug Info

While we are here, also note that the DLL Base Address is 0x00400000.  I am not sure why, but we will note it. 

That is enough for tonight, we will pick back up with the Section Table next time.

No comments:

Post a Comment