Tuesday, February 14, 2006

What's inside a .NET PE?

Besides the 'PE/COFF header' and 'Native Image sections' that are present in a typical Windows Portable Executable (PE) file, a .NET assembly adds a 'CLR Header' and 'CLR data sections' to the PE.

 

Let's look inside a .NET PE.

1. Create and compile a Console Project at, say, :\TestConsoleApp

    using System;

    namespace TestConsoleApp
    {
        class HelloClass
        {
            static void Main(string[] args)
            {
                Console.WriteLine("{0}","Hello, World");
            }
        }
    }

2. Open Visual Studio .NET 2003 Command Prompt

3. Run

:\TestConsoleApp\bin\Debug>dumpbin TestConsoleApp.exe /all

 

The output is something like this:

    Microsoft (R) COFF/PE Dumper Version 7.10.3077
    Copyright (C) Microsoft Corporation. All rights reserved.

    Dump of file c:\TestConsoleApp\bin\Debug\TestConsoleApp.exe

    PE signature found

    File Type: EXECUTABLE IMAGE

    FILE HEADER VALUES
    14C machine (x86)
    3 number of sections
    ...

    OPTIONAL HEADER VALUES
    10B magic # (PE32)
    ...

    SECTION HEADER #1
    .text name
    5A4 virtual size
    ...
    Code
    Execute Read

    RAW DATA #1
    00402000: 80 25 00 00 00 00 00 00 48 00 00 00 02 00 00 00 .%......H.......
    ....

    clr Header:
    ...

    Section contains the following imports:
    mscoree.dll
    402000 Import Address Table
    402570 Import Name Table
    ...
    0 _CorExeMain

    SECTION HEADER #2
    ...

    RAW DATA #2
    ...
    ...

    Summary
    2000 .reloc
    2000 .rsrc
    2000 .text

 

 

 

The main function called when a CLR header is found is _CorExeMain, implemented by mscoree.dll (the MS .NET core/runtime execution engine of the CLR, an in-process COM server), which is found in %WinDir%\system32.

To look inside the CLR data (metadata and code) we can use a disassembler (ildasm.exe), programmatically query the .NET assembly via Reflection, or, better still, reverse engineer the source code itself using a decompiler ('.NET Reflector').
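The check that separates a .NET PE from a native one can also be done by hand: the CLR header is reached through data directory entry 14 of the optional header. The following is an added example, not code from the original post. The sample image is constructed inline; its first 16 section bytes are the RAW DATA #1 line from the dump above, read here on the assumption that the CLR header sits at RVA 0x2008, and the metadata RVA/size, flags and entry token are made-up values.

```python
import struct

CLR_DIR = 14  # data-directory slot of the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

def find_clr_header(pe: bytes):
    """Return the CLR header fields of a PE image, or None if it is a native PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    opt = pe_off + 24                                         # start of optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 / PE32+
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)         # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * CLR_DIR) if ndirs > CLR_DIR else (0, 0)
    if rva == 0 or size == 0:
        return None                                           # empty slot: native image
    for i in range(nsect):                                    # map the RVA to a file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + rsize:
            break
    else:
        raise ValueError("CLR header RVA lies outside every section")
    cb, major, minor, md_rva, md_size, flags, entry = struct.unpack_from(
        "<IHHIIII", pe, rptr + rva - vaddr)                   # start of IMAGE_COR20_HEADER
    return {"rva": rva, "cb": cb, "runtime": (major, minor), "metadata_rva": md_rva,
            "metadata_size": md_size, "il_only": bool(flags & 1), "entry_token": entry}

def build_sample(managed: bool = True) -> bytes:
    """Constructed minimal PE32 image (not a real executable) for exercising the parser."""
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 8 * CLR_DIR, 0x2008, 0x48)   # CLR header RVA, size
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # DOS header, e_lfanew
               + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
               + struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(dirs)
               + struct.pack("<8sIIII", b".text", 0x5A4, 0x2000, 0x600, 0x200) + bytes(16))
    # 8 bytes of import address table, then the CLR header at RVA 0x2008.
    raw = bytes.fromhex("8025000000000000") + struct.pack(
        "<IHHIIII", 0x48, 2, 0, 0x2050, 0x300, 1, 0x06000001)      # constructed values
    return headers.ljust(0x200, b"\0") + raw.ljust(0x600, b"\0")

if __name__ == "__main__":
    print(find_clr_header(build_sample()))
```

A `None` result means the file has no CLR header, so ildasm and a decompiler will have nothing to show and a native disassembler is the right tool.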

 

NOTE:

1. The dumpbin.exe utility is located at :\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE and requires:

link.exe (in the same directory)

mspdb71.dll (in the :\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE directory)

In case you are not using the VS 2003 Command Prompt, make sure these files are in your PATH.

2. COFF is Microsoft's Common Object File Format; its specifications are publicly available.

posted @ Tuesday, February 14, 2006 12:47 PM