/** * Steamless - Copyright (c) 2015 - 2022 atom0s [atom0s@live.com] * * This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. * To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ or send a letter to * Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. * * By using Steamless, you agree to the above license and its terms. * * Attribution - You must give appropriate credit, provide a link to the license and indicate if changes were * made. You must do so in any reasonable manner, but not in any way that suggests the licensor * endorses you or your use. * * Non-Commercial - You may not use the material (Steamless) for commercial purposes. * * No-Derivatives - If you remix, transform, or build upon the material (Steamless), you may not distribute the * modified material. You are, however, allowed to submit the modified works back to the original * Steamless project in attempt to have it added to the original project. * * You may not apply legal terms or technological measures that legally restrict others * from doing anything the license permits. * * No warranties are given. */ namespace Steamless.API.PE64 { using System; using System.Runtime.InteropServices; public class NativeApi64 { /// /// IMAGE_DOS_HEADER Structure /// [StructLayout(LayoutKind.Sequential)] public struct ImageDosHeader64 { [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] public char[] e_magic; public ushort e_cblp; public ushort e_cp; public ushort e_crlc; public ushort e_cparhdr; public ushort e_minalloc; public ushort e_maxalloc; public ushort e_ss; public ushort e_sp; public ushort e_csum; public ushort e_ip; public ushort e_cs; public ushort e_lfarlc; public ushort e_ovno; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] public ushort[] e_res1; public ushort e_oemid; public ushort e_oeminfo; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] public ushort[] e_res2; public int e_lfanew; /// /// Gets if this structure is valid for a PE file. /// public bool IsValid => new string(this.e_magic) == "MZ"; } /// /// IMAGE_NT_HEADERS Structure /// [StructLayout(LayoutKind.Explicit)] public struct ImageNtHeaders64 { [FieldOffset(0)] [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] public char[] Signature; [FieldOffset(4)] public ImageFileHeader64 FileHeader; [FieldOffset(24)] public ImageOptionalHeader64 OptionalHeader; /// /// Gets if this structure is valid for a PE file. /// public bool IsValid => new string(this.Signature).Trim('\0') == "PE"; } /// /// IMAGE_FILE_HEADER Structure /// [StructLayout(LayoutKind.Sequential)] public struct ImageFileHeader64 { public ushort Machine; public ushort NumberOfSections; public uint TimeDateStamp; public uint PointerToSymbolTable; public uint NumberOfSymbols; public ushort SizeOfOptionalHeader; public ushort Characteristics; } /// /// Machine Type Enumeration /// public enum MachineType : ushort { Native = 0, I386 = 0x014C, Itanium = 0x0200, X64 = 0x8664 } /// /// Magic Type Enumeration /// public enum MagicType : ushort { ImageNtOptionalHdr32Magic = 0x10B, ImageNtOptionalHdr64Magic = 0x20B } /// /// Sub System Type Enumeration /// public enum SubSystemType : ushort { ImageSubsystemUnknown = 0, ImageSubsystemNative = 1, ImageSubsystemWindowsGui = 2, ImageSubsystemWindowsCui = 3, ImageSubsystemPosixCui = 7, ImageSubsystemWindowsCeGui = 9, ImageSubsystemEfiApplication = 10, ImageSubsystemEfiBootServiceDriver = 11, ImageSubsystemEfiRuntimeDriver = 12, ImageSubsystemEfiRom = 13, ImageSubsystemXbox = 14 } /// /// Dll Characteristics Type Enumeration /// public enum DllCharacteristicsType : ushort { Reserved0 = 0x0001, Reserved1 = 0x0002, Reserved2 = 0x0004, Reserved3 = 0x0008, ImageDllCharacteristicsDynamicBase = 0x0040, ImageDllCharacteristicsForceIntegrity = 0x0080, ImageDllCharacteristicsNxCompat = 0x0100, ImageDllcharacteristicsNoIsolation = 0x0200, ImageDllcharacteristicsNoSeh = 0x0400, ImageDllcharacteristicsNoBind = 0x0800, Reserved4 = 0x1000, ImageDllcharacteristicsWdmDriver = 0x2000, ImageDllcharacteristicsTerminalServerAware = 0x8000 } /// /// IMAGE_OPTIONAL_HEADER Structure /// [StructLayout(LayoutKind.Explicit)] public struct ImageOptionalHeader64 { [FieldOffset(0)] public MagicType Magic; [FieldOffset(2)] public byte MajorLinkerVersion; [FieldOffset(3)] public byte MinorLinkerVersion; [FieldOffset(4)] public uint SizeOfCode; [FieldOffset(8)] public uint SizeOfInitializedData; [FieldOffset(12)] public uint SizeOfUninitializedData; [FieldOffset(16)] public uint AddressOfEntryPoint; [FieldOffset(20)] public uint BaseOfCode; [FieldOffset(24)] public ulong ImageBase; [FieldOffset(32)] public uint SectionAlignment; [FieldOffset(36)] public uint FileAlignment; [FieldOffset(40)] public ushort MajorOperatingSystemVersion; [FieldOffset(42)] public ushort MinorOperatingSystemVersion; [FieldOffset(44)] public ushort MajorImageVersion; [FieldOffset(46)] public ushort MinorImageVersion; [FieldOffset(48)] public ushort MajorSubsystemVersion; [FieldOffset(50)] public ushort MinorSubsystemVersion; [FieldOffset(52)] public uint Win32VersionValue; [FieldOffset(56)] public uint SizeOfImage; [FieldOffset(60)] public uint SizeOfHeaders; [FieldOffset(64)] public uint CheckSum; [FieldOffset(68)] public SubSystemType Subsystem; [FieldOffset(70)] public DllCharacteristicsType DllCharacteristics; [FieldOffset(72)] public ulong SizeOfStackReserve; [FieldOffset(80)] public ulong SizeOfStackCommit; [FieldOffset(88)] public ulong SizeOfHeapReserve; [FieldOffset(96)] public ulong SizeOfHeapCommit; [FieldOffset(104)] public uint LoaderFlags; [FieldOffset(108)] public uint NumberOfRvaAndSizes; [FieldOffset(112)] public ImageDataDirectory64 ExportTable; [FieldOffset(120)] public ImageDataDirectory64 ImportTable; [FieldOffset(128)] public ImageDataDirectory64 ResourceTable; [FieldOffset(136)] public ImageDataDirectory64 ExceptionTable; [FieldOffset(144)] public ImageDataDirectory64 CertificateTable; [FieldOffset(152)] public ImageDataDirectory64 BaseRelocationTable; [FieldOffset(160)] public ImageDataDirectory64 Debug; [FieldOffset(168)] public ImageDataDirectory64 Architecture; [FieldOffset(176)] public ImageDataDirectory64 GlobalPtr; [FieldOffset(184)] public ImageDataDirectory64 TLSTable; [FieldOffset(192)] public ImageDataDirectory64 LoadConfigTable; [FieldOffset(200)] public ImageDataDirectory64 BoundImport; [FieldOffset(208)] public ImageDataDirectory64 IAT; [FieldOffset(216)] public ImageDataDirectory64 DelayImportDescriptor; [FieldOffset(224)] public ImageDataDirectory64 CLRRuntimeHeader; [FieldOffset(232)] public ImageDataDirectory64 Reserved; } /// /// IMAGE_DATA_DIRECTORY Structure /// [StructLayout(LayoutKind.Sequential)] public struct ImageDataDirectory64 { public uint VirtualAddress; public uint Size; } /// /// IMAGE_SECTION_HEADER Structure /// [StructLayout(LayoutKind.Explicit)] public struct ImageSectionHeader64 { [FieldOffset(0)] [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public char[] Name; [FieldOffset(8)] public uint VirtualSize; [FieldOffset(12)] public uint VirtualAddress; [FieldOffset(16)] public uint SizeOfRawData; [FieldOffset(20)] public uint PointerToRawData; [FieldOffset(24)] public uint PointerToRelocations; [FieldOffset(28)] public uint PointerToLinenumbers; [FieldOffset(32)] public ushort NumberOfRelocations; [FieldOffset(34)] public ushort NumberOfLinenumbers; [FieldOffset(36)] public DataSectionFlags Characteristics; /// /// Gets the section name of this current section object. /// public string SectionName => new string(this.Name).Trim('\0'); /// /// Gets if this structure is valid for a PE file. /// public bool IsValid => this.SizeOfRawData != 0 && this.PointerToRawData != 0; /// /// Overrides the ToString handler to return the section name. /// /// public override string ToString() { return this.SectionName; } } /// /// Data Section Flags Enumeration /// [Flags] public enum DataSectionFlags : uint { /// /// Reserved for future use. /// TypeReg = 0x00000000, /// /// Reserved for future use. /// TypeDsect = 0x00000001, /// /// Reserved for future use. /// TypeNoLoad = 0x00000002, /// /// Reserved for future use. /// TypeGroup = 0x00000004, /// /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. /// TypeNoPadded = 0x00000008, /// /// Reserved for future use. /// TypeCopy = 0x00000010, /// /// The section contains executable code. /// ContentCode = 0x00000020, /// /// The section contains initialized data. /// ContentInitializedData = 0x00000040, /// /// The section contains uninitialized data. /// ContentUninitializedData = 0x00000080, /// /// Reserved for future use. /// LinkOther = 0x00000100, /// /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only. /// LinkInfo = 0x00000200, /// /// Reserved for future use. /// TypeOver = 0x00000400, /// /// The section will not become part of the image. This is valid only for object files. /// LinkRemove = 0x00000800, /// /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files. /// LinkComDat = 0x00001000, /// /// Reset speculative exceptions handling bits in the TLB entries for this section. /// NoDeferSpecExceptions = 0x00004000, /// /// The section contains data referenced through the global pointer (GP). /// RelativeGp = 0x00008000, /// /// Reserved for future use. /// MemPurgeable = 0x00020000, /// /// Reserved for future use. /// Memory16Bit = 0x00020000, /// /// Reserved for future use. /// MemoryLocked = 0x00040000, /// /// Reserved for future use. /// MemoryPreload = 0x00080000, /// /// Align data on a 1-byte boundary. Valid only for object files. /// Align1Bytes = 0x00100000, /// /// Align data on a 2-byte boundary. Valid only for object files. /// Align2Bytes = 0x00200000, /// /// Align data on a 4-byte boundary. Valid only for object files. /// Align4Bytes = 0x00300000, /// /// Align data on an 8-byte boundary. Valid only for object files. /// Align8Bytes = 0x00400000, /// /// Align data on a 16-byte boundary. Valid only for object files. /// Align16Bytes = 0x00500000, /// /// Align data on a 32-byte boundary. Valid only for object files. /// Align32Bytes = 0x00600000, /// /// Align data on a 64-byte boundary. Valid only for object files. /// Align64Bytes = 0x00700000, /// /// Align data on a 128-byte boundary. Valid only for object files. /// Align128Bytes = 0x00800000, /// /// Align data on a 256-byte boundary. Valid only for object files. /// Align256Bytes = 0x00900000, /// /// Align data on a 512-byte boundary. Valid only for object files. /// Align512Bytes = 0x00A00000, /// /// Align data on a 1024-byte boundary. Valid only for object files. /// Align1024Bytes = 0x00B00000, /// /// Align data on a 2048-byte boundary. Valid only for object files. /// Align2048Bytes = 0x00C00000, /// /// Align data on a 4096-byte boundary. Valid only for object files. /// Align4096Bytes = 0x00D00000, /// /// Align data on an 8192-byte boundary. Valid only for object files. /// Align8192Bytes = 0x00E00000, /// /// The section contains extended relocations. /// LinkExtendedRelocationOverflow = 0x01000000, /// /// The section can be discarded as needed. /// MemoryDiscardable = 0x02000000, /// /// The section cannot be cached. /// MemoryNotCached = 0x04000000, /// /// The section is not pageable. /// MemoryNotPaged = 0x08000000, /// /// The section can be shared in memory. /// MemoryShared = 0x10000000, /// /// The section can be executed as code. /// MemoryExecute = 0x20000000, /// /// The section can be read. /// MemoryRead = 0x40000000, /// /// The section can be written to. /// MemoryWrite = 0x80000000 } /// /// IMAGE_TLS_DIRECTORY Structure /// [StructLayout(LayoutKind.Sequential)] public struct ImageTlsDirectory64 { public ulong StartAddressOfRawData; public ulong EndAddressOfRawData; public ulong AddressOfIndex; public ulong AddressOfCallBacks; public uint SizeOfZeroFill; public uint Characteristics; } /// /// imagehlp!MapFileAndChecksum /// /// /// /// /// [DllImport("imagehlp.dll", CharSet = CharSet.Auto)] public static extern int MapFileAndCheckSum(string Filename, out uint HeaderSum, out uint CheckSum); } }