Tuesday, March 7, 2017

Reading Structured Binary files in C#: Part 12

Now we pick up in the .text section at the CLR Runtime Header.  It has the following structure:
CLR Header Structure
so we can go back to the Marshall method of reading the data.  Here is the code for the CLR Runtime Header:

We read it in the same way that we have been reading it, and we test it as before.  Check out the code on GitHub if you want to see the implementations.
That was a quick one.  The next one will be quick also, the Strong Name Signature Hash.  It is pointed to by a value in the CLR Runtime Header, so we break the value we have into the RVA and size and read it.  Since the size is variable, we will treat it somewhat like we did the Import Address Table.  Well, I thought that we would.  When I pulled our the RVA and size, they didn't quite make sense.  I am having to dig into it a little deeper and see if there is an error, or simply something that I overlooked.

We are looking good and making good progress!

Last night I found a book that goes through a similar process to the Dissecting article seriese that I am doing called C# Deconstructed.  It goes into more depth about the underlying virtual processor and looks quite interesting.

Friday, March 3, 2017

Reading Structured Binary files in C#: Part 11

In the previous articles, I covered the same sections of the code that I had already covered in the Dissecting C# Executables series of articles.  Now is the time for something new!  I have updated the code on GitHub with tests that cover all of the section tables we loaded back in Part 10, so now let's take a look at the first of the section tables and see what makes it tick.  The first table is the .text table, and it has the following structure (from .NET IL Assembler figure 4-3):

Import Address Table
CLR Header
Strong Name Signature Hash (optional)
IL Code and Managed Structure Exception Handling Tables (optional)
Debug Directory (optional)
Metadata
Managed Resources (optional)
Unmanaged Export Stubs (optional)
VTFixup Table (optional)
Runtime Startup Stub

The Import Address Table is defined in the Optional Header Data Directories as a Relative Virtual Address (RVA) followed by a size.  We are back to exploratory coding, but let's start with a test anyway.   To begin with, I can look at the IAT field and see that there are 8 entries and the RVA is 0x2000, so let't write a test for that.  I extended the current test for the Optional Header Data Directories to include parts and pieces of the IAT field and extended the properties as follows:

Once that is done, let's read the values and see what we have.  To do that, we find the section table that contains the RVA (it should always be the .text section) and offset from the PointerToRawData into the section by the difference between the two Virtual addresses.  Because we don't know the number of values and because the values are simple, I have deviated from the method that we have been using to read in the values and created a class for the ImportAddressTable that can read a list of values into a List<UInt32> variable.  Here is the code:

That is good for now, we will pick up with the CLR Header next time.  Good coding!