The following is a function to return the CLR header given the image base.
To learn more about image layout, you can download our .NET Explorer:
http://www.remotesoft.com/dotexplorer
This utility shows all of the header information.
Huihong
IMAGE_COR20_HEADER* CSimpleModuleInfo::GetCLIHeader(PBYTE pbImageBase)
{
    /* The executable has the following layout, see the
       File Format specification:

           DOS stub - 128 bytes
           variable stuff here
           PE signature (must be "PE\0\0") - 4 bytes
           COFF header - 20 bytes
           then comes the PE header

       Between the DOS stub and PE signature, there may
       exist some extra stuff. The PE signature
       location is determined by a 4-byte unsigned int
       at 0x3c.

       24.2.1 MS-DOS Header
       The PE/COFF format starts with an MS-DOS stub of
       exactly the following 128 bytes
       (except for the lfanew field at 0x3c, which might
       differ between various PE files) to
       be placed at the front of the module. At offset
       0x3c in the DOS header is a 4 byte
       unsigned integer offset to the PE signature (must
       be "PE\0\0"), immediately followed
       by the COFF header
    */
    int PESigLocation = 128;

    // the 4 bytes at 0x3c hold the offset of the PE signature
    PBYTE ppesig = pbImageBase + 0x3c;
    ULONG pe = *(ULONG *)ppesig;
    if (pe != 0)
        PESigLocation = pe;

    // skip the PE signature (4 bytes) and the COFF header (20 bytes)
    PBYTE peheader = pbImageBase + (PESigLocation + 4 + 20);

    // byte 208 of the PE header has the CLI header RVA and Size
    // (PE32 layout: directories start at 96, CLI header is entry 14, 96 + 14 * 8)
    //PBYTE cli = GetPEHeader(pbImageBase) + 208;
    IMAGE_DATA_DIRECTORY *cli = (IMAGE_DATA_DIRECTORY *)(peheader + 208);

    // first 4 bytes are RVA, next 4 bytes are Size
    ULONG rva = cli->VirtualAddress;
    if (rva == 0) {
        return NULL;
    }
    return (IMAGE_COR20_HEADER*)(pbImageBase + rva);
}
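
The same lookup with every read bounds-checked and the PE32+ layout handled, as an added example that is not part of the original post or Remotesoft's code. The names find_cli_directory, rd16, rd32 and make_sample are hypothetical, and the buffer is assumed to be a mapped image of known length, so an RVA is an offset from the base just as in the function above.

```c
#include <stdint.h>
#include <string.h>

/* Bounds-checked little-endian reads: fail instead of reading past n bytes. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint16_t *v) {
    if (off > n || n - off < 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    uint16_t lo, hi;
    if (!rd16(b, n, off, &lo) || !rd16(b, n, off + 2, &hi)) return 0;
    *v = lo | ((uint32_t)hi << 16);
    return 1;
}

/* Mapped image of n bytes: returns 1 and the CLI directory RVA/size, else 0. */
int find_cli_directory(const uint8_t *img, size_t n, uint32_t *rva, uint32_t *size) {
    uint32_t lfanew, count;
    uint16_t magic, optsize;
    size_t opt, dirs;
    if (n < 0x40 || memcmp(img, "MZ", 2) != 0 || !rd32(img, n, 0x3c, &lfanew)) return 0;
    if (lfanew > n || n - lfanew < 24 || memcmp(img + lfanew, "PE\0\0", 4) != 0) return 0;
    opt = (size_t)lfanew + 24;              /* past signature (4) + COFF header (20) */
    if (!rd16(img, n, opt - 4, &optsize) || !rd16(img, n, opt, &magic)) return 0;
    if (magic == 0x10b) dirs = 96;          /* PE32: directories start at 96 */
    else if (magic == 0x20b) dirs = 112;    /* PE32+: 16 bytes later */
    else return 0;
    /* NumberOfRvaAndSizes precedes the directories; slot 14 is the CLI header. */
    if (!rd32(img, n, opt + dirs - 4, &count) || count < 15) return 0;
    if (dirs + 15 * 8 > optsize) return 0;  /* slot must lie inside the optional header */
    if (!rd32(img, n, opt + dirs + 112, rva) || !rd32(img, n, opt + dirs + 116, size)) return 0;
    /* RVA 0 means no CLI header; otherwise a full 72-byte header must fit in the image. */
    if (*rva == 0 || *size < 72 || *rva > n || n - *rva < *size) return 0;
    return 1;
}

/* Constructed sample (not a real binary): only the fields read above are filled in. */
void make_sample(uint8_t *img, size_t n, uint16_t magic, uint8_t lfanew, uint16_t rva) {
    size_t opt = (size_t)lfanew + 24, dirs = (magic == 0x20b) ? 112 : 96;
    memset(img, 0, n);
    memcpy(img, "MZ", 2);
    img[0x3c] = lfanew;
    memcpy(img + lfanew, "PE\0\0", 4);
    img[opt - 4] = (uint8_t)(dirs + 128);   /* SizeOfOptionalHeader: 224 or 240 */
    img[opt] = (uint8_t)magic; img[opt + 1] = (uint8_t)(magic >> 8);
    img[opt + dirs - 4] = 16;               /* NumberOfRvaAndSizes */
    img[opt + dirs + 112] = (uint8_t)rva; img[opt + dirs + 113] = (uint8_t)(rva >> 8);
    img[opt + dirs + 116] = 72;             /* size of the CLI header */
}
```

For a file read from disk rather than a mapped image, the returned RVA still has to be translated through the section table before it can be used as a file offset.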