1. Choosing executable loader
First of all, you need to choose the required loader for the executable image or write your own. There are 3 predefined loaders which will help to load an image from
Each loader must implement the IImageLoader interface.
For example, this is how to load a library from the file system:
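// %WINDIR% inside a string literal is not expanded automatically
String dll = Environment.ExpandEnvironmentVariables(@"%WINDIR%\System32\kernel32.dll");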
using(PEFile info = new PEFile(dll, StreamLoader.FromFile(dll)))
{
}
We can also open an image from memory:
String path = Environment.ExpandEnvironmentVariables(@"%WINDIR%\System32\kernel32.dll");
Byte[] dll = File.ReadAllBytes(path);
using(PEFile info = new PEFile(path, new StreamLoader(new MemoryStream(dll))))
{
}
Sometimes executable files are packed and can be unpacked only in memory. For that case I've implemented Win32Loader, which loads the executable inside the current process using the Win32 function LoadLibrary. When the library is loaded inside the current process, it is unpacked and every RVA is changed to a VA.
Warning: An executable loaded with this method can execute logic inside your process. Check it for viruses or other unwanted behavior.
// LoadLibrary does not expand %WINDIR%, so resolve the path first
String dll = Environment.ExpandEnvironmentVariables(@"%WINDIR%\System32\kernel32.dll");
using(PEFile info = new PEFile(dll, Win32Loader.FromFile(dll)))
{
}
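The RVA/VA distinction above, as an added example that is not part of this library's code: a reader working from the file on disk has to translate each RVA through the section table, while in an image mapped by LoadLibrary the data already sits at load address + RVA. The names RvaDemo, RvaToFileOffset and RvaToVa are hypothetical, and the header bytes are a constructed sample.

```csharp
using System;
static class RvaDemo
{
    // File on disk: an RVA must be translated through the section table.
    // Returns -1 when no raw file data backs the RVA (common in packed images).
    public static Int64 RvaToFileOffset(Byte[] image, UInt32 rva)
    {
        if(image.Length < 0x40 || image[0] != (Byte)'M' || image[1] != (Byte)'Z')
            throw new FormatException("Missing MZ signature");
        Int64 pe = BitConverter.ToUInt32(image, 0x3C);            // e_lfanew
        if(pe + 24 > image.Length || BitConverter.ToUInt32(image, (Int32)pe) != 0x00004550)
            throw new FormatException("Missing PE signature");
        UInt16 sections = BitConverter.ToUInt16(image, (Int32)pe + 6);
        Int64 table = pe + 24 + BitConverter.ToUInt16(image, (Int32)pe + 20);
        for(Int32 i = 0; i < sections; i++)
        {
            Int64 s = table + i * 40L;                            // IMAGE_SECTION_HEADER is 40 bytes
            if(s + 40 > image.Length)
                throw new FormatException("Section table runs past end of file");
            UInt32 virtualAddress = BitConverter.ToUInt32(image, (Int32)s + 12);
            UInt32 rawSize = BitConverter.ToUInt32(image, (Int32)s + 16);
            UInt32 rawPointer = BitConverter.ToUInt32(image, (Int32)s + 20);
            if(rva >= virtualAddress && rva - virtualAddress < rawSize)
                return (Int64)rawPointer + (rva - virtualAddress);
        }
        return -1;
    }

    // Image mapped by the OS loader: sections already sit at their virtual
    // addresses, so the VA is simply the module load address plus the RVA.
    public static Int64 RvaToVa(Int64 moduleBase, UInt32 rva) => moduleBase + rva;

    static void Main()
    {
        // Constructed sample (little-endian host assumed): headers only, one
        // section with RVA 0x1000, raw size 0x200, raw data at file offset 0x400.
        Byte[] image = new Byte[0x100];
        image[0] = (Byte)'M'; image[1] = (Byte)'Z';
        BitConverter.GetBytes(0x80u).CopyTo(image, 0x3C);         // e_lfanew
        BitConverter.GetBytes(0x00004550u).CopyTo(image, 0x80);   // "PE\0\0"
        BitConverter.GetBytes((UInt16)1).CopyTo(image, 0x86);     // NumberOfSections
        BitConverter.GetBytes(0x1000u).CopyTo(image, 0xA4);       // VirtualAddress
        BitConverter.GetBytes(0x200u).CopyTo(image, 0xA8);        // SizeOfRawData
        BitConverter.GetBytes(0x400u).CopyTo(image, 0xAC);        // PointerToRawData
        Console.WriteLine("file offset: 0x{0:X}", RvaToFileOffset(image, 0x1010));
        Console.WriteLine("unbacked RVA: {0}", RvaToFileOffset(image, 0x1300));
        Console.WriteLine("mapped VA: 0x{0:X}", RvaToVa(0x10000000, 0x1010));
    }
}
```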
There is also one loader for testing purposes (LookupLoader). It is used to check how many read operations are made while reading the image.
One of the main goals of this reader was to limit read operations inside the reader component and to try to limit these operations inside client applications. That's why I've created the test loader LookupLoader, which inherits from StreamLoader.
On Dispose, this loader creates a separate file next to the executable named {ExecutableName}[{Index}].log, which contains, for each byte, the number of times it was read.
String dll = @"C:\Temp\SomeProcess.exe";
using(PEFile info = new PEFile(dll, new LookupLoader(dll)))
{
	if(info.Header.IsValid)
	{
	}
}
// The read-count log is written when the loader is disposed
String dllDetailsLocation = @"C:\Temp\SomeProcess.log";