Loading...
[-]

Reading the Portable Executable (PE) header in C#

My job consists of writing fully custom applications for groups of people. The time pressure of these projects is quite high, so generally people start using the application while I’m still writing it, which means I write it modularly and add features as I go along. I also fix bugs as they are discovered. My clients are 2 tiered where expert users get a new build first, they test if for a while, and if they think it’s acceptable they then pass it on to others.

This method of distribution is quite ad-hoc so when a client rings me up and asks me to view their screen to look at something, it’s useful to know what build they are running. To facillitate this I print the link date in the main Window Title so I instantly have an idea about how old the version is that I am looking at. This date is calculated at run time. To do this requires reading in the Portable Executable (PE) header from the EXE or DLL file that is responsible for updating the Window. As many of the apps I write are in C# I’ve written a general purpose PE Header reading class in C# which has a utility method for getting the link date of the Calling Assembly.

To get the date simply do this:

DateTime linkDate = PeHeaderReader.GetCallingAssemblyHeader().TimeStamp;


Updated 23rd May 2012:

Added loading IMAGE_DATA_DIRECTORY information. This involved adding 16 IMAGE_DATA_DIRECTORY fields to the end of IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64, then reading in the number of IMAGE_SECTION_HEADERs specified in the IMAGE_FILE_HEADER, and using that number to read in the headers.

I did a test on a DLL, and got 3 Image section headers with the following names so it seems to be working:

.text

.rsrc

.reloc

You can access these headers through this property that I added:

/// <summary> 
/// Gets an array of image section headers 
/// </summary>
public IMAGE_SECTION_HEADER[] ImageSectionHeaders { 
  get { 
    return imageSectionHeaders; 
  }
}

Here’s is the complete code:

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.IO;

namespace _3DViewerControls.Data {

  /// <summary>
  /// Reads in the header information of the Portable Executable format.
  /// Provides information such as the date the assembly was compiled.
  /// </summary>
  public class PeHeaderReader {
    #region File Header Structures

    public struct IMAGE_DOS_HEADER {      // DOS .EXE header
      public UInt16 e_magic;              // Magic number
      public UInt16 e_cblp;               // Bytes on last page of file
      public UInt16 e_cp;                 // Pages in file
      public UInt16 e_crlc;               // Relocations
      public UInt16 e_cparhdr;            // Size of header in paragraphs
      public UInt16 e_minalloc;           // Minimum extra paragraphs needed
      public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
      public UInt16 e_ss;                 // Initial (relative) SS value
      public UInt16 e_sp;                 // Initial SP value
      public UInt16 e_csum;               // Checksum
      public UInt16 e_ip;                 // Initial IP value
      public UInt16 e_cs;                 // Initial (relative) CS value
      public UInt16 e_lfarlc;             // File address of relocation table
      public UInt16 e_ovno;               // Overlay number
      public UInt16 e_res_0;              // Reserved words
      public UInt16 e_res_1;              // Reserved words
      public UInt16 e_res_2;              // Reserved words
      public UInt16 e_res_3;              // Reserved words
      public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
      public UInt16 e_oeminfo;            // OEM information; e_oemid specific
      public UInt16 e_res2_0;             // Reserved words
      public UInt16 e_res2_1;             // Reserved words
      public UInt16 e_res2_2;             // Reserved words
      public UInt16 e_res2_3;             // Reserved words
      public UInt16 e_res2_4;             // Reserved words
      public UInt16 e_res2_5;             // Reserved words
      public UInt16 e_res2_6;             // Reserved words
      public UInt16 e_res2_7;             // Reserved words
      public UInt16 e_res2_8;             // Reserved words
      public UInt16 e_res2_9;             // Reserved words
      public UInt32 e_lfanew;             // File address of new exe header
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct IMAGE_DATA_DIRECTORY {
      public UInt32 VirtualAddress;
      public UInt32 Size;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct IMAGE_OPTIONAL_HEADER32 {
      public UInt16 Magic;
      public Byte MajorLinkerVersion;
      public Byte MinorLinkerVersion;
      public UInt32 SizeOfCode;
      public UInt32 SizeOfInitializedData;
      public UInt32 SizeOfUninitializedData;
      public UInt32 AddressOfEntryPoint;
      public UInt32 BaseOfCode;
      public UInt32 BaseOfData;
      public UInt32 ImageBase;
      public UInt32 SectionAlignment;
      public UInt32 FileAlignment;
      public UInt16 MajorOperatingSystemVersion;
      public UInt16 MinorOperatingSystemVersion;
      public UInt16 MajorImageVersion;
      public UInt16 MinorImageVersion;
      public UInt16 MajorSubsystemVersion;
      public UInt16 MinorSubsystemVersion;
      public UInt32 Win32VersionValue;
      public UInt32 SizeOfImage;
      public UInt32 SizeOfHeaders;
      public UInt32 CheckSum;
      public UInt16 Subsystem;
      public UInt16 DllCharacteristics;
      public UInt32 SizeOfStackReserve;
      public UInt32 SizeOfStackCommit;
      public UInt32 SizeOfHeapReserve;
      public UInt32 SizeOfHeapCommit;
      public UInt32 LoaderFlags;
      public UInt32 NumberOfRvaAndSizes;

      public IMAGE_DATA_DIRECTORY ExportTable;
      public IMAGE_DATA_DIRECTORY ImportTable;
      public IMAGE_DATA_DIRECTORY ResourceTable;
      public IMAGE_DATA_DIRECTORY ExceptionTable;
      public IMAGE_DATA_DIRECTORY CertificateTable;
      public IMAGE_DATA_DIRECTORY BaseRelocationTable;
      public IMAGE_DATA_DIRECTORY Debug;
      public IMAGE_DATA_DIRECTORY Architecture;
      public IMAGE_DATA_DIRECTORY GlobalPtr;
      public IMAGE_DATA_DIRECTORY TLSTable;
      public IMAGE_DATA_DIRECTORY LoadConfigTable;
      public IMAGE_DATA_DIRECTORY BoundImport;
      public IMAGE_DATA_DIRECTORY IAT;
      public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
      public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
      public IMAGE_DATA_DIRECTORY Reserved;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct IMAGE_OPTIONAL_HEADER64 {
      public UInt16 Magic;
      public Byte MajorLinkerVersion;
      public Byte MinorLinkerVersion;
      public UInt32 SizeOfCode;
      public UInt32 SizeOfInitializedData;
      public UInt32 SizeOfUninitializedData;
      public UInt32 AddressOfEntryPoint;
      public UInt32 BaseOfCode;
      public UInt64 ImageBase;
      public UInt32 SectionAlignment;
      public UInt32 FileAlignment;
      public UInt16 MajorOperatingSystemVersion;
      public UInt16 MinorOperatingSystemVersion;
      public UInt16 MajorImageVersion;
      public UInt16 MinorImageVersion;
      public UInt16 MajorSubsystemVersion;
      public UInt16 MinorSubsystemVersion;
      public UInt32 Win32VersionValue;
      public UInt32 SizeOfImage;
      public UInt32 SizeOfHeaders;
      public UInt32 CheckSum;
      public UInt16 Subsystem;
      public UInt16 DllCharacteristics;
      public UInt64 SizeOfStackReserve;
      public UInt64 SizeOfStackCommit;
      public UInt64 SizeOfHeapReserve;
      public UInt64 SizeOfHeapCommit;
      public UInt32 LoaderFlags;
      public UInt32 NumberOfRvaAndSizes;

      public IMAGE_DATA_DIRECTORY ExportTable;
      public IMAGE_DATA_DIRECTORY ImportTable;
      public IMAGE_DATA_DIRECTORY ResourceTable;
      public IMAGE_DATA_DIRECTORY ExceptionTable;
      public IMAGE_DATA_DIRECTORY CertificateTable;
      public IMAGE_DATA_DIRECTORY BaseRelocationTable;
      public IMAGE_DATA_DIRECTORY Debug;
      public IMAGE_DATA_DIRECTORY Architecture;
      public IMAGE_DATA_DIRECTORY GlobalPtr;
      public IMAGE_DATA_DIRECTORY TLSTable;
      public IMAGE_DATA_DIRECTORY LoadConfigTable;
      public IMAGE_DATA_DIRECTORY BoundImport;
      public IMAGE_DATA_DIRECTORY IAT;
      public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
      public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
      public IMAGE_DATA_DIRECTORY Reserved;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct IMAGE_FILE_HEADER {
      public UInt16 Machine;
      public UInt16 NumberOfSections;
      public UInt32 TimeDateStamp;
      public UInt32 PointerToSymbolTable;
      public UInt32 NumberOfSymbols;
      public UInt16 SizeOfOptionalHeader;
      public UInt16 Characteristics;
    }

    // Grabbed the following 2 definitions from http://www.pinvoke.net/default.aspx/Structures/IMAGE_SECTION_HEADER.html

    [StructLayout(LayoutKind.Explicit)]
    public struct IMAGE_SECTION_HEADER {
      [FieldOffset(0)]
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
      public char[] Name;
      [FieldOffset(8)]
      public UInt32 VirtualSize;
      [FieldOffset(12)]
      public UInt32 VirtualAddress;
      [FieldOffset(16)]
      public UInt32 SizeOfRawData;
      [FieldOffset(20)]
      public UInt32 PointerToRawData;
      [FieldOffset(24)]
      public UInt32 PointerToRelocations;
      [FieldOffset(28)]
      public UInt32 PointerToLinenumbers;
      [FieldOffset(32)]
      public UInt16 NumberOfRelocations;
      [FieldOffset(34)]
      public UInt16 NumberOfLinenumbers;
      [FieldOffset(36)]
      public DataSectionFlags Characteristics;

      public string Section {
        get { return new string(Name); }
      }
    }

    [Flags]
    public enum DataSectionFlags : uint {
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeReg = 0x00000000,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeDsect = 0x00000001,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeNoLoad = 0x00000002,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeGroup = 0x00000004,
      /// <summary>
      /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
      /// </summary>
      TypeNoPadded = 0x00000008,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeCopy = 0x00000010,
      /// <summary>
      /// The section contains executable code.
      /// </summary>
      ContentCode = 0x00000020,
      /// <summary>
      /// The section contains initialized data.
      /// </summary>
      ContentInitializedData = 0x00000040,
      /// <summary>
      /// The section contains uninitialized data.
      /// </summary>
      ContentUninitializedData = 0x00000080,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      LinkOther = 0x00000100,
      /// <summary>
      /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
      /// </summary>
      LinkInfo = 0x00000200,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      TypeOver = 0x00000400,
      /// <summary>
      /// The section will not become part of the image. This is valid only for object files.
      /// </summary>
      LinkRemove = 0x00000800,
      /// <summary>
      /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
      /// </summary>
      LinkComDat = 0x00001000,
      /// <summary>
      /// Reset speculative exceptions handling bits in the TLB entries for this section.
      /// </summary>
      NoDeferSpecExceptions = 0x00004000,
      /// <summary>
      /// The section contains data referenced through the global pointer (GP).
      /// </summary>
      RelativeGP = 0x00008000,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      MemPurgeable = 0x00020000,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      Memory16Bit = 0x00020000,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      MemoryLocked = 0x00040000,
      /// <summary>
      /// Reserved for future use.
      /// </summary>
      MemoryPreload = 0x00080000,
      /// <summary>
      /// Align data on a 1-byte boundary. Valid only for object files.
      /// </summary>
      Align1Bytes = 0x00100000,
      /// <summary>
      /// Align data on a 2-byte boundary. Valid only for object files.
      /// </summary>
      Align2Bytes = 0x00200000,
      /// <summary>
      /// Align data on a 4-byte boundary. Valid only for object files.
      /// </summary>
      Align4Bytes = 0x00300000,
      /// <summary>
      /// Align data on an 8-byte boundary. Valid only for object files.
      /// </summary>
      Align8Bytes = 0x00400000,
      /// <summary>
      /// Align data on a 16-byte boundary. Valid only for object files.
      /// </summary>
      Align16Bytes = 0x00500000,
      /// <summary>
      /// Align data on a 32-byte boundary. Valid only for object files.
      /// </summary>
      Align32Bytes = 0x00600000,
      /// <summary>
      /// Align data on a 64-byte boundary. Valid only for object files.
      /// </summary>
      Align64Bytes = 0x00700000,
      /// <summary>
      /// Align data on a 128-byte boundary. Valid only for object files.
      /// </summary>
      Align128Bytes = 0x00800000,
      /// <summary>
      /// Align data on a 256-byte boundary. Valid only for object files.
      /// </summary>
      Align256Bytes = 0x00900000,
      /// <summary>
      /// Align data on a 512-byte boundary. Valid only for object files.
      /// </summary>
      Align512Bytes = 0x00A00000,
      /// <summary>
      /// Align data on a 1024-byte boundary. Valid only for object files.
      /// </summary>
      Align1024Bytes = 0x00B00000,
      /// <summary>
      /// Align data on a 2048-byte boundary. Valid only for object files.
      /// </summary>
      Align2048Bytes = 0x00C00000,
      /// <summary>
      /// Align data on a 4096-byte boundary. Valid only for object files.
      /// </summary>
      Align4096Bytes = 0x00D00000,
      /// <summary>
      /// Align data on an 8192-byte boundary. Valid only for object files.
      /// </summary>
      Align8192Bytes = 0x00E00000,
      /// <summary>
      /// The section contains extended relocations.
      /// </summary>
      LinkExtendedRelocationOverflow = 0x01000000,
      /// <summary>
      /// The section can be discarded as needed.
      /// </summary>
      MemoryDiscardable = 0x02000000,
      /// <summary>
      /// The section cannot be cached.
      /// </summary>
      MemoryNotCached = 0x04000000,
      /// <summary>
      /// The section is not pageable.
      /// </summary>
      MemoryNotPaged = 0x08000000,
      /// <summary>
      /// The section can be shared in memory.
      /// </summary>
      MemoryShared = 0x10000000,
      /// <summary>
      /// The section can be executed as code.
      /// </summary>
      MemoryExecute = 0x20000000,
      /// <summary>
      /// The section can be read.
      /// </summary>
      MemoryRead = 0x40000000,
      /// <summary>
      /// The section can be written to.
      /// </summary>
      MemoryWrite = 0x80000000
    }

    #endregion File Header Structures

    #region Private Fields

    /// <summary>
    /// The DOS header
    /// </summary>
    private IMAGE_DOS_HEADER dosHeader;
    /// <summary>
    /// The file header
    /// </summary>
    private IMAGE_FILE_HEADER fileHeader;
    /// <summary>
    /// Optional 32 bit file header 
    /// </summary>
    private IMAGE_OPTIONAL_HEADER32 optionalHeader32;
    /// <summary>
    /// Optional 64 bit file header 
    /// </summary>
    private IMAGE_OPTIONAL_HEADER64 optionalHeader64;
    /// <summary>
    /// Image Section headers. Number of sections is in the file header.
    /// </summary>
    private IMAGE_SECTION_HEADER[] imageSectionHeaders;

    #endregion Private Fields

    #region Public Methods

    public PeHeaderReader(string filePath) {
      // Read in the DLL or EXE and get the timestamp
      using (FileStream stream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.Read)) {
        BinaryReader reader = new BinaryReader(stream);
        dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);

        // Add 4 bytes to the offset
        stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);

        UInt32 ntHeadersSignature = reader.ReadUInt32();
        fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
        if (this.Is32BitHeader) {
          optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
        }
        else {
          optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
        }

        imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
        for(int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo) {
          imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
        }

      }
    }

    /// <summary>
    /// Gets the header of the .NET assembly that called this function
    /// </summary>
    /// <returns></returns>
    public static PeHeaderReader GetCallingAssemblyHeader() {
      // Get the path to the calling assembly, which is the path to the
      // DLL or EXE that we want the time of
      string filePath = System.Reflection.Assembly.GetCallingAssembly().Location;

      // Get and return the timestamp
      return new PeHeaderReader(filePath);
    }

    /// <summary>
    /// Gets the header of the .NET assembly that called this function
    /// </summary>
    /// <returns></returns>
    public static PeHeaderReader GetAssemblyHeader() {
      // Get the path to the calling assembly, which is the path to the
      // DLL or EXE that we want the time of
      string filePath = System.Reflection.Assembly.GetAssembly(typeof(PeHeaderReader)).Location;

      // Get and return the timestamp
      return new PeHeaderReader(filePath);
    }

    /// <summary>
    /// Reads in a block from a file and converts it to the struct
    /// type specified by the template parameter
    /// </summary>
    /// <typeparam name="T"></typeparam>
    /// <param name="reader"></param>
    /// <returns></returns>
    public static T FromBinaryReader<T>(BinaryReader reader) {
      // Read in a byte array
      byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));

      // Pin the managed memory while, copy it out the data, then unpin it
      GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
      T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
      handle.Free();

      return theStructure;
    }

    #endregion Public Methods

    #region Properties

    /// <summary>
    /// Gets if the file header is 32 bit or not
    /// </summary>
    public bool Is32BitHeader {
      get {
        UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
        return (IMAGE_FILE_32BIT_MACHINE & FileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
      }
    }

    /// <summary>
    /// Gets the file header
    /// </summary>
    public IMAGE_FILE_HEADER FileHeader {
      get {
        return fileHeader;
      }
    }

    /// <summary>
    /// Gets the optional header
    /// </summary>
    public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 {
      get {
        return optionalHeader32;
      }
    }

    /// <summary>
    /// Gets the optional header
    /// </summary>
    public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 {
      get {
        return optionalHeader64;
      }
    }

    public IMAGE_SECTION_HEADER[] ImageSectionHeaders {
      get {
        return imageSectionHeaders;
      }
    }

    /// <summary>
    /// Gets the timestamp from the file header
    /// </summary>
    public DateTime TimeStamp {
      get {
        // Timestamp is a date offset from 1970
        DateTime returnValue = new DateTime(1970, 1, 1, 0, 0, 0);

        // Add in the number of seconds since 1970/1/1
        returnValue = returnValue.AddSeconds(fileHeader.TimeDateStamp);
        // Adjust to local timezone
        returnValue += TimeZone.CurrentTimeZone.GetUtcOffset(returnValue);

        return returnValue;
      }
    }

    #endregion Properties
  }
}


How it works is that it first reads in the old DOS header, at the end of this header is a file offset to the new NT File Header structure. I seek to that position, and read in the NT File Header. From that header I can get the linker time stamp. As this is a general purpose library I also check whether the header is 32 or 64 bit, and read in either the Optional 32 bit Header, or the Optional 64 bit Header, which can then be used however you like. This is how you would get the 32 bit header:

PeHeaderReader reader = new PeHeaderReader("myDllFileLocation");
if (reader.Is32BitHeader)
{
  PeHeaderReader.IMAGE_OPTIONAL_HEADER32 header32 = reader.OptionalHeader32;
}

15 Comments

  1. Jeff
    Posted July 13, 2010 at 09:20 | Permalink

    What is the license for this code? Thanks -Jeff

  2. Posted July 13, 2010 at 10:36 | Permalink

    Hi Jeff, thank you for the question about what license applies to the code on our Cheesy Code blog. The blog postings are provided “AS IS” with no warranties, and confers no rights. Use our code freely. The structures for the code were lifted from Microsofts winnt.h. AS winnt.h is probably included in most Windows C/C++ applications I can’t see that there would be any restrictions there.

  3. xodder
    Posted March 16, 2011 at 17:09 | Permalink

    Hi,

    i like your code but i found a little bug that if two or more assemblies are merged together with “ilmerge” the linker timestamp will be off 1 hour in the future of the build date. Is there a way to fix that?

    Thanks -Xodder

  4. Posted March 18, 2011 at 19:23 | Permalink

    Hi xodder,

    I’ve looked into linker timestamp off by 1 hour problem, and I can’t see a way of getting around that as I’m just reading the timestamp value out that is in the header. The hour off problem must be due to what ilmerge is writing out when it creates the new assembly.

  5. Cosmin
    Posted July 7, 2011 at 15:30 | Permalink

    Thank you for your implementation!
    Keep up the good work!

  6. Jannik
    Posted February 8, 2012 at 22:59 | Permalink

    Hi Josh,

    is there a way to get the size of a specific section?

    I sucessfully was able to retrieve the Baseadress and the number of sections using your code, brilliant work indeed, but how to retrieve the size of each section?

    Greets and thanks :)
    Jannik

  7. Jens
    Posted March 15, 2012 at 19:37 | Permalink

    Excellent piece of code, good work! It’s always fascinating to dig into the mysteries of the exe-file :D

    Needed a way to determine compile time of an assembly. Modified your code to provide two methods for it. Just some sugar added to the existing code…

    public static PeHeaderReader GetCallingAssmblyHeader()
    {
    return GetAssemblyHeader(System.Reflection.Assembly.GetCallingAssembly());
    }

    public static PeHeaderReader GetAssemblyHeader(System.Reflection.Assembly assembly)
    {
    return new PeHeaderReader(assembly.Location);
    }

    Cheers!

  8. daggy
    Posted September 1, 2012 at 04:09 | Permalink

    Hy first this is an Awesome piece of code i have built with your PE Reader an example to Add an section in c# it works Great!
    now im in work to build a function to Delete an section but im stuck ,can you maybe help me a little?
    You have my email (i have give it in the comment form) ,i would it very appreciate if you write me an email ,maybe we can share some code under each other :)
    Greets from germany

  9. zeinab
    Posted January 19, 2013 at 17:52 | Permalink

    i want to print content of export table,i add the struct _IMAGE_EXPORT_DIRECTORY, but i can’t read from my test file,
    i wrote “exporttable = FromBinaryReader(reader);”
    under the line
    “optionalHeader32 = FromBinaryReader(reader);”

    now,what should i do?
    thanks

  10. M.H
    Posted January 19, 2013 at 17:53 | Permalink

    Hi,

    thanks for above info,
    i’m trying to print the whole content of export table, would you please provide me with the code doing so?
    that’s really urgent & i i would be thankful,
    regards,

  11. zeinab
    Posted January 19, 2013 at 17:58 | Permalink

    to more clear
    i get this error”Property or indexer ‘ConsoleApplication1.PeHeaderReader.exporttable’ cannot be assigned to — it is read only”

  12. Posted January 19, 2013 at 20:29 | Permalink

    It’s been a while since I’ve looked at this code, but first of all you need this structure:

    [StructLayout(LayoutKind.Sequential)]
    public struct IMAGE_EXPORT_DIRECTORY
    {
    public UInt32 Characteristics;
    public UInt32 TimeDateStamp;
    public UInt16 MajorVersion;
    public UInt16 MinorVersion;
    public UInt32 Name;
    public UInt32 Base;
    public UInt32 NumberOfFunctions;
    public UInt32 NumberOfNames;
    public UInt32 AddressOfFunctions; // RVA from base of image
    public UInt32 AddressOfNames; // RVA from base of image
    public UInt32 AddressOfNameOrdinals; // RVA from base of image
    }

    Then you need to load from the address pointed to by the Export Table IMAGE_DATA_DIRECTORY entry. Unfortunately I’m 5000km away from my development machine so I can’t work it out right now.

  13. Posted January 19, 2013 at 20:30 | Permalink

    It’s been a while since I’ve looked at this code, but first of all you need this structure:

    [StructLayout(LayoutKind.Sequential)]
    public struct IMAGE_EXPORT_DIRECTORY
    {
    public UInt32 Characteristics;
    public UInt32 TimeDateStamp;
    public UInt16 MajorVersion;
    public UInt16 MinorVersion;
    public UInt32 Name;
    public UInt32 Base;
    public UInt32 NumberOfFunctions;
    public UInt32 NumberOfNames;
    public UInt32 AddressOfFunctions; // RVA from base of image
    public UInt32 AddressOfNames; // RVA from base of image
    public UInt32 AddressOfNameOrdinals; // RVA from base of image
    }

    Then you need to load from the address pointed to by the Export Table IMAGE_DATA_DIRECTORY entry. Unfortunately I’m 5000km away from my development machine so I can’t work it out right now.

  14. Someone
    Posted April 21, 2013 at 10:42 | Permalink

    Just a heads up – the section name is always read as 8 bytes so it may include some null terminators. In C#, this is a bad thing and can mess up output in a lot of ways.

    To fix this, you should add .Replace( “”, “” ) to the end of the Name variable. It will strip the null terminators and is very simple to add.

    Greets.

  15. Someone
    Posted April 21, 2013 at 10:43 | Permalink

    Ah, this website seems to have stripped the characters in the code I posted above. Try this instead: http://pastebin.com/9xkWcs2w

One Trackback

  1. [...] Reading the Portable Executable (PE) header in C# http://code.cheesydesign.com/?p=572 [...]

Post a Comment

Your email is never shared. Required fields are marked *

*
*