Buy Me a Coffee

Buy Me a Coffee!

Friday, March 3, 2017

Reading Structured Binary files in C#: Part 11

In the previous articles, I covered the same sections of the code that I had already covered in the Dissecting C# Executables series of articles.  Now is the time for something new!  I have updated the code on GitHub with tests that cover all of the section tables we loaded back in Part 10, so now let's take a look at the first of the section tables and see what makes it tick.  The first table is the .text table, and it has the following structure (from .NET IL Assembler figure 4-3):

Import Address Table
CLR Header
Strong Name Signature Hash (optional)
IL Code and Managed Structure Exception Handling Tables (optional)
Debug Directory (optional)
Managed Resources (optional)
Unmanaged Export Stubs (optional)
VTFixup Table (optional)
Runtime Startup Stub

The Import Address Table is defined in the Optional Header Data Directories as a Relative Virtual Address (RVA) followed by a size.  We are back to exploratory coding, but let's start with a test anyway.   To begin with, I can look at the IAT field and see that there are 8 entries and the RVA is 0x2000, so let't write a test for that.  I extended the current test for the Optional Header Data Directories to include parts and pieces of the IAT field and extended the properties as follows:

Once that is done, let's read the values and see what we have.  To do that, we find the section table that contains the RVA (it should always be the .text section) and offset from the PointerToRawData into the section by the difference between the two Virtual addresses.  Because we don't know the number of values and because the values are simple, I have deviated from the method that we have been using to read in the values and created a class for the ImportAddressTable that can read a list of values into a List<UInt32> variable.  Here is the code:

That is good for now, we will pick up with the CLR Header next time.  Good coding!