C# Class Reloc.DeLocate

DeLocate provides methods to transform a relocated PE from its in-memory state back into its disk state. We handle missing pages, so in the event you can't fault the binary into memory at runtime (like the case where you're analyzing a memory dump) there will be plenty of missing pages. This is why the Delocate routine is so hairy: whether there is a missing page or not, some state has to be maintained for instructions which straddle a page boundary.
Project: ShaneK2/inVtero.net
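
The state kept across a page boundary, described above, shown as an added C# sketch that is not inVtero.net's own code: it subtracts Delta byte by byte with a borrow, so a fixup that runs off the end of one page can be finished on the next. The names `Carry`, `Sub` and `DelocatePage`, the fixup list shape and the sample addresses are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;
// Added sketch, not inVtero.net code; every name and value here is hypothetical.
static class DelocateSketch
{
    public struct Carry { public int Next, Width, Borrow; }

    // Subtract delta one byte at a time with borrow, stopping at the end of the page.
    static Carry Sub(byte[] page, int off, ulong delta, Carry c)
    {
        for (; c.Next < c.Width && off < page.Length; c.Next++, off++)
        {
            int d = page[off] - (int)((delta >> (8 * c.Next)) & 0xFF) - c.Borrow;
            c.Borrow = d < 0 ? 1 : 0;
            page[off] = (byte)(d & 0xFF);
        }
        return c;
    }

    // Undo the fixups that start in one page. Pass the Carry returned for the previous
    // page, or new Carry() when that page was missing from the dump.
    public static Carry DelocatePage(byte[] page, uint pageRva, ulong delta, List<(uint Rva, int Width)> fixups, Carry carry)
    {
        Sub(page, 0, delta, carry);              // finish a fixup that straddled into this page
        Carry pending = new Carry();
        foreach (var f in fixups)
            if (f.Rva >= pageRva && f.Rva - pageRva < (uint)page.Length)
            {
                Carry c = Sub(page, (int)(f.Rva - pageRva), delta, new Carry { Width = f.Width });
                if (c.Next < c.Width) pending = c;   // ran off the end of the page
            }
        return pending;
    }

    static void Main()
    {
        // Constructed sample: an 8-byte pointer at RVA 0x1FFC, split across two 4 KB pages.
        ulong preferred = 0x140000000, loaded = 0x7FF600000000, delta = loaded - preferred;
        byte[] p1 = new byte[0x1000], p2 = new byte[0x1000];
        byte[] ptr = BitConverter.GetBytes(loaded + 0x12345UL);
        Array.Copy(ptr, 0, p1, 0xFFC, 4);
        Array.Copy(ptr, 4, p2, 0, 4);
        var fixups = new List<(uint Rva, int Width)> { (0x1FFCu, 8) };
        Carry c = DelocatePage(p1, 0x1000, delta, fixups, new Carry());
        DelocatePage(p2, 0x2000, delta, fixups, c);
        Console.WriteLine("{0:X8}{1:X8}", BitConverter.ToUInt32(p2, 0), BitConverter.ToUInt32(p1, 0xFFC));
    }
}
```

In the sample the subtraction borrows out of the last byte of the first page, so the second page only comes out right when the returned `Carry` is passed along.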

Public Methods

Method Description
DeLocateBuff32 ( byte bytes, uint Delta, uint RVA, Reloc relocs ) : void
DeLocateBuff64 ( byte bytes, ulong Delta, ulong RVA, Reloc relocs ) : void

I ported this from a C function and will likely write it in safe/C# eventually ;) Most of my code is rewrites of earlier native stuff I've done since it's nice to have a sandbox to play in.

DeLocateFile ( string fPath, string RelocFile, ulong CurrBase, string SaveTo, bool is64 = false, bool FixHeader = false, bool ScaleFileAlignment = false ) : Task
DelocateHeader ( byte bytes, ulong OrigBase, long OrigBaseOffset, bool Is64 ) : void
ProcessRelocs ( byte FileBuff ) : List

This routine takes a binary .reloc and emits a List of type Reloc. There are theoretically some .reloc entries we do not support; I've not seen too many for recent binaries. If we wanted to support more, adding more translations here would be fine.

Method Details

DeLocateBuff32() public method

public DeLocateBuff32 ( byte bytes, uint Delta, uint RVA, Reloc relocs ) : void
bytes byte
Delta uint
RVA uint
relocs Reloc
Returns void

DeLocateBuff64() public method

I ported this from a C function and will likely write it in safe/C# eventually ;) Most of my code is rewrites of earlier native stuff I've done since it's nice to have a sandbox to play in.
public DeLocateBuff64 ( byte bytes, ulong Delta, ulong RVA, Reloc relocs ) : void
bytes byte buffer to delocate
Delta ulong Delta between preferred image base and where you're loaded now
RVA ulong Relative Virtual Address of the byte* buffer
relocs Reloc preprocessed .reloc data
Returns void

DeLocateFile() public method

public DeLocateFile ( string fPath, string RelocFile, ulong CurrBase, string SaveTo, bool is64 = false, bool FixHeader = false, bool ScaleFileAlignment = false ) : Task
fPath string
RelocFile string
CurrBase ulong
SaveTo string
is64 bool
FixHeader bool
ScaleFileAlignment bool
Returns Task

DelocateHeader() public static method

public static DelocateHeader ( byte bytes, ulong OrigBase, long OrigBaseOffset, bool Is64 ) : void
bytes byte
OrigBase ulong
OrigBaseOffset long
Is64 bool
Returns void

ProcessRelocs() public static method

This routine takes a binary .reloc and emits a List of type Reloc. There are theoretically some .reloc entries we do not support; I've not seen too many for recent binaries. If we wanted to support more, adding more translations here would be fine.
public static ProcessRelocs ( byte FileBuff ) : List
FileBuff byte
Returns List