C# Class Reloc.DeLocate

DeLocate provides methods to transform a relocated PE from its in-memory state back into its on-disk state. We handle missing pages: when you can't fault the binary into memory at runtime (as when you're analyzing a memory dump), there will be plenty of missing pages. This is why the Delocate routine is so hairy: whether or not a page is missing, some state has to be maintained for instructions which straddle a page boundary.
Project: ShaneK2/inVtero.net

Public Methods

Method Description

DeLocateBuff32 ( byte bytes, uint Delta, uint RVA, Reloc relocs ) : void

DeLocateBuff64 ( byte bytes, ulong Delta, ulong RVA, Reloc relocs ) : void
I ported this from a C function and will likely write it in safe/C# eventually ;) Most of my code is rewrites of earlier native stuff I've done since it's nice to have a sandbox to play in.

DeLocateFile ( string fPath, string RelocFile, ulong CurrBase, string SaveTo, bool is64 = false, bool FixHeader = false, bool ScaleFileAlignment = false ) : Task

DelocateHeader ( byte bytes, ulong OrigBase, long OrigBaseOffset, bool Is64 ) : void

ProcessRelocs ( byte FileBuff ) : List
This routine takes a binary .reloc and emits a List of type Reloc. There are theoretically some .reloc entries we do not support; I've not seen too many for recent binaries. If we wanted to support more, adding more translations here would be fine.

Method Details

DeLocateBuff32() public method

public DeLocateBuff32 ( byte bytes, uint Delta, uint RVA, Reloc relocs ) : void
bytes byte
Delta uint
RVA uint
relocs Reloc
return void

DeLocateBuff64() public method

I ported this from a C function and will likely write it in safe/C# eventually ;) Most of my code is rewrites of earlier native stuff I've done since it's nice to have a sandbox to play in.
public DeLocateBuff64 ( byte bytes, ulong Delta, ulong RVA, Reloc relocs ) : void
bytes byte buffer to delocate
Delta ulong Delta between preferred image base and where you're loaded now
RVA ulong Relative Virtual Address of the byte* buffer
relocs Reloc preprocessed .reloc data
return void
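
The page-straddle bookkeeping mentioned in the class description, as an added C example that is not inVtero.net's code: each page's DIR64 fixups have `delta` subtracted byte by byte, and a fixup cut by the page boundary hands its progress and borrow to the next call. `Straddle`, `sub_le` and `delocate_page64` are hypothetical names, and treating the borrow as 0 when the page holding a fixup's low bytes is missing is this example's assumption, not documented project behaviour.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_BYTES 4096u
#define REL_DIR64 10u /* IMAGE_REL_BASED_DIR64; type 0 (ABSOLUTE) is padding */

/* Carried across a page boundary for a fixup the boundary cuts in two
 * (hypothetical type, not from the project). */
typedef struct { unsigned done, left, borrow; } Straddle;

/* p[0..n) -= bytes [first, first+n) of delta, little-endian; returns borrow out. */
static unsigned sub_le(uint8_t *p, uint64_t delta, unsigned first, unsigned n,
                       unsigned borrow) {
    for (unsigned i = 0; i < n; i++) {
        unsigned d = (unsigned)(delta >> (8 * (first + i))) & 0xFFu;
        unsigned v = p[i];
        p[i] = (uint8_t)(v - d - borrow);
        borrow = v < d + borrow;
    }
    return borrow;
}

/* Delocate one page in place. page == NULL: the page is missing from the dump.
 * entries: this page's raw 16-bit .reloc entries (type << 12 | offset).
 * Returns how many of this page's DIR64 entries were applied. */
size_t delocate_page64(uint8_t *page, const uint16_t *entries, size_t count,
                       uint64_t delta, Straddle *st) {
    size_t applied = 0;
    if (st->left) { /* finish the fixup begun on the previous page */
        if (page) sub_le(page, delta, st->done, st->left, st->borrow);
        st->left = 0;
    }
    for (size_t i = 0; i < count; i++) {
        unsigned off = entries[i] & 0x0FFFu;
        if ((unsigned)(entries[i] >> 12) != REL_DIR64) continue;
        unsigned n = PAGE_BYTES - off < 8 ? PAGE_BYTES - off : 8;
        /* Assumption: with the page missing, the borrow out of the low bytes
         * is unknowable, so use 0. That is exact when those bytes of delta are
         * zero, e.g. the low two bytes of a 64 KB-aligned rebase. */
        unsigned borrow = page ? sub_le(page + off, delta, 0, n, 0) : 0;
        if (page) applied++;
        if (n < 8) { st->done = n; st->left = 8 - n; st->borrow = borrow; }
    }
    return applied;
}
```

Call it once per page in ascending RVA order with the same `Straddle`, passing `NULL` for pages absent from the dump.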

DeLocateFile() public method

public DeLocateFile ( string fPath, string RelocFile, ulong CurrBase, string SaveTo, bool is64 = false, bool FixHeader = false, bool ScaleFileAlignment = false ) : Task
fPath string
RelocFile string
CurrBase ulong
SaveTo string
is64 bool
FixHeader bool
ScaleFileAlignment bool
return Task

DelocateHeader() public static method

public static DelocateHeader ( byte bytes, ulong OrigBase, long OrigBaseOffset, bool Is64 ) : void
bytes byte
OrigBase ulong
OrigBaseOffset long
Is64 bool
return void

ProcessRelocs() public static method

This routine takes a binary .reloc and emits a List of type Reloc. There are theoretically some .reloc entries we do not support; I've not seen too many for recent binaries. If we wanted to support more, adding more translations here would be fine.
public static ProcessRelocs ( byte FileBuff ) : List
FileBuff byte
return List