Executable Format Analysis under SSCLI (3)

Having nothing better to do, continuing the series.

Last time we covered the ~40+ metadata tables in an assembly and analyzed the PE file structure plus two table types (Module and TypeRef) using our example. This time we’ll analyze the remaining 12 metadata tables: TypeDef, Field, Method, Param, MemberRef, CustomAttribute, StandAloneSig, PropertyMap, Property, MethodSemantic, Assembly, and AssemblyRef.

Table column definitions are in clr\src\md\runtime\metamodelcolumndefs.h.

TypeDef describes a type definition in the assembly:

  • ULONG Flags (visibility, etc.)
  • Name (index into #Strings)
  • Namespace (index into #Strings)
  • Extends (CodedToken pointing to parent type)
  • FieldList (index into Field table, start of range)
  • MethodList (index into Method table, start of range)

Our example has 3 TypeDefs. The interesting one is the Echo class: Flags = tdPublic | tdBeforeFieldInit, Name "Echo", Extends → System.Object, 1 field, 4 methods.

Field describes member variables:

  • USHORT Flags (e.g. fdPrivate)
  • Name (index into #Strings)
  • Signature (index into #Blob)

Our single Field: Flags=0x0001 (fdPrivate), Name="toEcho", Signature=06 0E.

Method describes member functions:

  • ULONG RVA (relative offset to code)
  • USHORT ImplFlags
  • USHORT Flags (e.g. mdPublic, mdStatic)
  • Name (#Strings index)
  • Signature (#Blob index)
  • ParamList (index into Param table)

There are 6 MethodDefs in our example. The 5th entry (entry point at 0x60000005) has RVA=0x000020C4, which resolves to file offset 0x000002C4, with Name="Main" and Flags=0x0096 (mdHideBySig mdStatic mdPublic).

IL Method Format: SSCLI defines two formats, Tiny (code < 64 bytes, no local vars) and Fat. The header structures are declared in clr\src\inc\Corhdr.h:

    typedef enum CorILMethodFlags
    {
        CorILMethod_TinyFormat = 0x0002,
        CorILMethod_FatFormat  = 0x0003,
    } CorILMethodFlags;

    typedef struct IMAGE_COR_ILMETHOD_TINY
    {
        BYTE Flags_CodeSize;
    } IMAGE_COR_ILMETHOD_TINY;

    typedef struct IMAGE_COR_ILMETHOD_FAT
    {
        unsigned Flags    : 12;
        unsigned Size     : 4;
        unsigned MaxStack : 16;
        DWORD CodeSize;
        mdSignature LocalVarSigTok;
    } IMAGE_COR_ILMETHOD_FAT;
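The following is an added example, not code from the original post or from SSCLI: a bounds-checked parser for the two header layouts above, of the kind an analysis tool needs when it reads the bytes at a Method row's RVA. The names `il_header`, `rd_le`, `parse_il_header` and both sample byte arrays are assumptions made up for illustration; the Tiny size encoding (upper 6 bits of the byte) and the implied max stack of 8 follow ECMA-335.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      fat;          /* 1 = Fat header, 0 = Tiny header */
    unsigned flags;        /* 12-bit Flags (Fat) or the 2 format bits (Tiny) */
    unsigned header_size;  /* header length in bytes */
    unsigned max_stack;    /* Tiny has no such field; ECMA-335 implies 8 */
    uint32_t code_size;    /* number of IL bytes after the header */
    uint32_t local_sig;    /* LocalVarSigTok, 0 when there are no locals */
} il_header;

/* Constructed sample bodies, not taken from the post's example assembly. */
static const uint8_t TINY_BODY[] = {0x1E, 0x02, 0x28, 0x01, 0x00, 0x00, 0x0A, 0x2A};
static const uint8_t FAT_BODY[]  = {0x13, 0x30, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00,
                                    0x01, 0x00, 0x00, 0x11, 0x00, 0x2A};

/* Little-endian read of n bytes (n <= 4). */
static uint32_t rd_le(const uint8_t *p, int n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 on success, -1 if buf cannot hold a valid method body. */
int parse_il_header(const uint8_t *buf, size_t len, il_header *out) {
    if (len < 1) return -1;
    unsigned fmt = buf[0] & 0x3;            /* low two bits select the format */
    if (fmt == 0x2) {                       /* CorILMethod_TinyFormat */
        *out = (il_header){0, fmt, 1, 8, buf[0] >> 2, 0};
    } else if (fmt == 0x3 && len >= 12) {   /* CorILMethod_FatFormat */
        unsigned w = rd_le(buf, 2);         /* Flags:12 | Size:4 (Size in DWORDs) */
        *out = (il_header){1, w & 0x0FFF, (w >> 12) * 4, rd_le(buf + 2, 2),
                           rd_le(buf + 4, 4), rd_le(buf + 8, 4)};
        if (out->header_size < 12) return -1;
    } else {
        return -1;
    }
    /* Reject a header that claims more IL than the buffer actually holds. */
    if (out->header_size > len || out->code_size > len - out->header_size) return -1;
    return 0;
}

int main(void) {
    il_header h;
    if (parse_il_header(FAT_BODY, sizeof FAT_BODY, &h) == 0)
        printf("fat=%d flags=0x%03X maxstack=%u codesize=%u\n",
               h.fat, h.flags, h.max_stack, (unsigned)h.code_size);
    return 0;
}
```

The final length check matters when the input is an untrusted assembly: CodeSize comes straight from the file, so it has to be validated against the mapped section before any IL is decoded.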

MemberRef (4 entries in our example):

  • Class (CodedToken MemberRefParent)
  • Name (#Strings)
  • Signature (#Blob)

Param (2 entries):

  • USHORT Flags
  • USHORT Sequence
  • Name (#Strings)

Continuing with remaining tables in the final installment…

This post is licensed under CC BY 4.0 by the author.