PE Image Info Plugin

GUI

This plugin began when I had spread my DAL and BLL widely across different projects. At some point I wanted to know whether a specific method was still used in child projects, or whether it could be safely deleted without notifying anyone. The first version searched through reflection, loading assemblies into memory. The limitations of the different reflection-based search methods are covered in the description of the different plugin loading providers. As a result, I had to dig into PE and CLI...

The user interface is available at: View→Executables→PE/CLI View

Reading PE files

The plugin can read PE files with either of two loaders:

  1. Win32Loader — uses the Win32 API function LoadLibrary
  2. StreamLoader — uses the managed class System.IO.FileStream

You can open a PE file from several sources:

  1. File system
  2. Running process (lets you bypass packers and avoids the need to calculate RVAs)
  3. GAC

Configuration

  • MaxArrayDisplay 10 — Maximum array length that will be displayed
  • ShowAsHexValue False — Display numbers as decimal or hexadecimal.
  • ShowBaseMetaTables False — Display base tables in dynamic structures instead of strongly typed ones (closer to the binary file layout).
  • Loader StreamLoader — How to load the PE file
    • Win32Loader — Uses the Win32 API function LoadLibrary (skips the RVA translation algorithms and bypasses packers, but the file is loaded into the plugin's process, so you have to be aware of viruses)
    • StreamLoader — Uses the managed class System.IO.FileStream (has to calculate valid RVAs and can't read packed PE files)
  • MonitorFileChange False — When a file is updated on the hard disk, it is automatically refreshed in all open windows that display data from that file
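
The RVA calculation that StreamLoader needs and Win32Loader avoids, as an added example (not the plugin's own code, and written in Python rather than .NET): it reads the IMAGE_SECTION_HEADER entries and maps an RVA to a file offset, returning None where a section has no bytes on disk. The function names and the sample header bytes are constructed for illustration.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes on disk

def read_sections(image):
    """Return (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    if image[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_HEADER signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table starts after the optional header
    sections = []
    for i in range(count):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None means no bytes on disk back that RVA."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            # Beyond SizeOfRawData the loader zero-fills memory: nothing to read from the file.
            return rptr + delta if delta < rsize else None
    return None  # RVA is not inside any section (header RVAs are not handled here)

def build_sample():
    """Constructed PE32 header bytes with two sections; not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    text = struct.pack(SECTION_FMT, b".text", 0x1800, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    bss = struct.pack(SECTION_FMT, b".bss", 0x2000, 0x3000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    return dos + b"PE\0\0" + file_hdr + optional + text + bss

if __name__ == "__main__":
    secs = read_sections(build_sample())
    for rva in (0x1234, 0x2400, 0x3010, 0x9000):
        off = rva_to_offset(secs, rva)
        print(hex(rva), "->", "no file data" if off is None else hex(off))
```

A section whose SizeOfRawData is 0 exists only in memory, which is why a loader that reads the file from disk cannot show its contents while one that reads a mapped image can.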

External methods

  • Type GetEntityType() — Returns the PEFile type
  • Object CreateEntityInstance(String filePath) — Creates an instance of the PEFile type; the path to the file is passed as the argument.
  • String[] GetSearchObjects(String searchPath) — Returns an array of files with the extensions *.dll and *.exe from the searchPath folder.

Display directories

The interface displays information on the following directories and headers:

  • DOS header (IMAGE_DOS_HEADER)
  • PE/PE+ header (IMAGE_NT_HEADERS)
  • File header (IMAGE_FILE_HEADER)
  • Optional header (IMAGE_OPTIONAL_HEADER)
  • COFF header (IMAGE_COFF_SYMBOLS_HEADER)
  • Sections header (IMAGE_SECTION_HEADER[])
  • Directories:
    • Architecture
    • Bound import
    • Certificate
    • CLR runtime header
      • Metadata
        • #~
          • Module
          • TypeRef
          • TypeDef
          • FieldPtr
          • Field
          • MethodPtr
          • MethodDef
          • ParamPtr
          • Param
          • InterfaceImpl
          • MemberRef
          • Constant
          • CustomAttribute
          • FieldMarshal
          • DeclSecurity
          • ClassLayout
          • FieldLayout
          • StandAloneSig
          • EventMap
          • EventPtr
          • Event
          • PropertyMap
          • PropertyPtr
          • Property
          • MethodSemantics
          • MethodImpl
          • ModuleRef
          • TypeSpec
          • ImplMap
          • FieldRVA
          • ENCLog
          • ENCMap
          • Assembly
          • AssemblyProcessor
          • AssemblyOS
          • AssemblyRef
          • AssemblyRefProcessor
          • AssemblyRefOS
          • File
          • ExportedType
          • ManifestResource
          • NestedClass
          • GenericParam
          • MethodSpec
          • GenericParamConstraint
        • #Strings
        • #US
        • #Guid
        • #Blob
      • Resource Table (Will be rewritten in next versions)
      • VTable fixup
      • Code Manager Table
      • Export Address Table
      • Managed Native Header
      • Strong Name Signature
    • Debug
      • CodeView PDB2
      • CodeView PDB7
      • Misc (IMAGE_DEBUG_MISC)
    • Delay Import Descriptor
      • List of all imported libraries
      • List of all imported functions
    • Exception Table
    • Export Table
      • List of all exported functions
    • Global Ptr
    • IAT
    • Import Table
      • List of all imported libraries
      • List of all imported functions
    • Load Config Table
    • Base Relocation Table
      • Relocation Blocks
      • Relocation Sections
    • Resource Table. View Resources:
      • RT_STRING
      • RT_HTML
      • RT_MANIFEST
      • RT_ACCELERATOR
      • RT_MESSAGETABLE
      • RT_DIALOG
      • RT_MENU
      • RT_VERSION

    • TLS Table

Supported structures

The names of structures and enumerated types correspond to the names in the standard C++ header file that describes the PE format. Below, in part, are the supported structures.

  • DOS Headers
    • IMAGE_DOS_HEADER
  • PE/PE+ Headers
    • IMAGE_FILE_HEADER
    • IMAGE_OPTIONAL_HEADER32
    • IMAGE_OPTIONAL_HEADER64
    • IMAGE_NT_HEADERS32
    • IMAGE_NT_HEADERS64
    • IMAGE_SECTION_HEADER
    • Unmanaged resources
      • IMAGE_RESOURCE_DIRECTORY
      • IMAGE_RESOURCE_DIRECTORY_ENTRY
      • IMAGE_RESOURCE_DATA_ENTRY
      • IMAGE_RESOURCE_DIRECTORY_STRING
      • ACCELTABLEENTRY
      • DLGTEMPLATE
      • DLGITEMTEMPLATE
      • DLGTEMPLATEEX
      • DLGITEMTEMPLATEEX
      • MENUHEADER
      • MENUITEM
      • MENUITEMPOPUP
      • MENUITEMEX
      • BITMAPINFOHEADER
      • VS_VERSIONINFO
      • VS_FIXEDFILEINFO
      • VarFileInfo
      • StringTable
      • V_STRING
      • FONTDIRENTRY
      • MESSAGE_RESOURCE_BLOCK
      • MESSAGE_RESOURCE_ENTRY
    • IMAGE_IMPORT_DESCRIPTOR
    • IMAGE_THUNK_DATA32
    • IMAGE_THUNK_DATA64
    • IMAGE_IMPORT_BY_NAME
    • IMAGE_RUNTIME_FUNCTION_ENTRY
    • IMAGE_DATA_DIRECTORY
    • IMAGE_EXPORT_DIRECTORY
    • IMAGE_BOUND_IMPORT_DESCRIPTOR
    • IMAGE_BOUND_FORWARDER_REF
    • WIN_CERTIFICATE
    • ImgDelayDescr
    • IMAGE_BASE_RELOCATION
    • IMAGE_LOAD_CONFIG_DIRECTORY32
    • IMAGE_LOAD_CONFIG_DIRECTORY64
    • IMAGE_TLS_DIRECTORY32
    • IMAGE_TLS_DIRECTORY64
    • Debug directory
      • IMAGE_DEBUG_DIRECTORY
      • CV_INFO_PDB70
      • CV_HEADER
      • CV_INFO_PDB20
      • IMAGE_DEBUG_MISC
    • .NET CLI
      • IMAGE_COR20_HEADER
      • IMAGE_COR20_METADATA
      • IMAGE_COR20_VTABLE
      • ResourceManagerHeader
      • ResourceSetHeader
      • ResourceItem
      • STREAM_HEADER
      • STREAM_TABLE_HEADER