2

好吧,这是关于PE的。我想知道 IMAGE_DOS_HEADER 结构和 NT Header 结构的确切大小。我使用 Marshal.SizeOf 但它不起作用。

Image_Dos_Header 结构

    public struct IMAGE_DOS_HEADER
    {      // DOS .EXE header
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
        public UInt16 e_magic;              // Magic number
        public UInt16 e_cblp;               // Bytes on last page of file
        public UInt16 e_cp;                 // Pages in file
        public UInt16 e_crlc;               // Relocations
        public UInt16 e_cparhdr;            // Size of header in paragraphs
        public UInt16 e_minalloc;           // Minimum extra paragraphs needed
        public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
        public UInt16 e_ss;                 // Initial (relative) SS value
        public UInt16 e_sp;                 // Initial SP value
        public UInt16 e_csum;               // Checksum
        public UInt16 e_ip;                 // Initial IP value
        public UInt16 e_cs;                 // Initial (relative) CS value
        public UInt16 e_lfarlc;             // File address of relocation table
        public UInt16 e_ovno;               // Overlay number
        public UInt16 e_res_0;              // Reserved words
        public UInt16 e_res_1;              // Reserved words
        public UInt16 e_res_2;              // Reserved words
        public UInt16 e_res_3;              // Reserved words
        public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
        public UInt16 e_oeminfo;            // OEM information; e_oemid specific
        public UInt16 e_res2_0;             // Reserved words
        public UInt16 e_res2_1;             // Reserved words
        public UInt16 e_res2_2;             // Reserved words
        public UInt16 e_res2_3;             // Reserved words
        public UInt16 e_res2_4;             // Reserved words
        public UInt16 e_res2_5;             // Reserved words
        public UInt16 e_res2_6;             // Reserved words
        public UInt16 e_res2_7;             // Reserved words
        public UInt16 e_res2_8;             // Reserved words
        public UInt16 e_res2_9;             // Reserved words
        public UInt32 e_lfanew;             // File address of new exe header
    }

这是 NTHeader 结构

        [StructLayout(LayoutKind.Sequential)]
    public struct IMAGE_NT_HEADERS
    {
        public IMAGE_FILE_HEADER FileHeader;
        public IMAGE_OPTIONAL_HEADER32 OptionalHeader32;
        public IMAGE_NT_HEADERS32 INTSIGN;
     }

    [StructLayout(LayoutKind.Explicit)]
    public struct IMAGE_NT_HEADERS32
    {
        [FieldOffset(0)]
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
        public char[] Signature;

        [FieldOffset(4)]
        public IMAGE_FILE_HEADER FileHeader;

        [FieldOffset(24)]
        public IMAGE_OPTIONAL_HEADER32 OptionalHeader;
    }
[StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct IMAGE_OPTIONAL_HEADER32
    {
        public UInt16 Magic;
        public Byte MajorLinkerVersion;
        public Byte MinorLinkerVersion;
        public UInt32 SizeOfCode;
        public UInt32 SizeOfInitializedData;
        public UInt32 SizeOfUninitializedData;
        public UInt32 AddressOfEntryPoint;
        public UInt32 BaseOfCode;
        public UInt32 BaseOfData;
        public UInt32 ImageBase;
        public UInt32 SectionAlignment;
        public UInt32 FileAlignment;
        public UInt16 MajorOperatingSystemVersion;
        public UInt16 MinorOperatingSystemVersion;
        public UInt16 MajorImageVersion;
        public UInt16 MinorImageVersion;
        public UInt16 MajorSubsystemVersion;
        public UInt16 MinorSubsystemVersion;
        public UInt32 Win32VersionValue;
        public UInt32 SizeOfImage;
        public UInt32 SizeOfHeaders;
        public UInt32 CheckSum;
        public UInt16 Subsystem;
        public UInt16 DllCharacteristics;
        public UInt32 SizeOfStackReserve;
        public UInt32 SizeOfStackCommit;
        public UInt32 SizeOfHeapReserve;
        public UInt32 SizeOfHeapCommit;
        public UInt32 LoaderFlags;
        public UInt32 NumberOfRvaAndSizes;

        public IMAGE_DATA_DIRECTORY ExportTable;
        public IMAGE_DATA_DIRECTORY ImportTable;
        public IMAGE_DATA_DIRECTORY ResourceTable;
        public IMAGE_DATA_DIRECTORY ExceptionTable;
        public IMAGE_DATA_DIRECTORY CertificateTable;
        public IMAGE_DATA_DIRECTORY BaseRelocationTable;
        public IMAGE_DATA_DIRECTORY Debug;
        public IMAGE_DATA_DIRECTORY Architecture;
        public IMAGE_DATA_DIRECTORY GlobalPtr;
        public IMAGE_DATA_DIRECTORY TLSTable;
        public IMAGE_DATA_DIRECTORY LoadConfigTable;
        public IMAGE_DATA_DIRECTORY BoundImport;
        public IMAGE_DATA_DIRECTORY IAT;
        public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
        public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
        public IMAGE_DATA_DIRECTORY Reserved;
    }
        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        public struct IMAGE_FILE_HEADER
    {
        public UInt16 Machine;
        public UInt16 NumberOfSections;
        public UInt32 TimeDateStamp;
        public UInt32 PointerToSymbolTable;
        public UInt32 NumberOfSymbols;
        public UInt16 SizeOfOptionalHeader;
        public UInt16 Characteristics;
    }

感谢您的帮助!我从几个小时前就开始尝试寻找,但仍然找不到解决方案。对不起英语不好,很抱歉问这个。我还是 C# 的新手

4

1 回答 1

6

这对我来说很好。

注意该方法的unsafe修饰符Main,您需要添加它才能正常sizeof工作。您还需要在项目中启用不安全代码才能编译。

unsafe public static void Main(string[] args)
{
    Console.WriteLine(sizeof(IMAGE_DOS_HEADER)); //64
    Console.Read();
}


public struct IMAGE_DOS_HEADER
{      // DOS .EXE header
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
    public UInt16 e_magic;              // Magic number
    public UInt16 e_cblp;               // Bytes on last page of file
    public UInt16 e_cp;                 // Pages in file
    public UInt16 e_crlc;               // Relocations
    public UInt16 e_cparhdr;            // Size of header in paragraphs
    public UInt16 e_minalloc;           // Minimum extra paragraphs needed
    public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
    public UInt16 e_ss;                 // Initial (relative) SS value
    public UInt16 e_sp;                 // Initial SP value
    public UInt16 e_csum;               // Checksum
    public UInt16 e_ip;                 // Initial IP value
    public UInt16 e_cs;                 // Initial (relative) CS value
    public UInt16 e_lfarlc;             // File address of relocation table
    public UInt16 e_ovno;               // Overlay number
    public UInt16 e_res_0;              // Reserved words
    public UInt16 e_res_1;              // Reserved words
    public UInt16 e_res_2;              // Reserved words
    public UInt16 e_res_3;              // Reserved words
    public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
    public UInt16 e_oeminfo;            // OEM information; e_oemid specific
    public UInt16 e_res2_0;             // Reserved words
    public UInt16 e_res2_1;             // Reserved words
    public UInt16 e_res2_2;             // Reserved words
    public UInt16 e_res2_3;             // Reserved words
    public UInt16 e_res2_4;             // Reserved words
    public UInt16 e_res2_5;             // Reserved words
    public UInt16 e_res2_6;             // Reserved words
    public UInt16 e_res2_7;             // Reserved words
    public UInt16 e_res2_8;             // Reserved words
    public UInt16 e_res2_9;             // Reserved words
    public UInt32 e_lfanew;             // File address of new exe header
}
于 2012-12-22T09:15:09.990 回答