Executable Format Analysis under SSCLI (3)
Having nothing better to do, continuing the series.
Last time we covered the ~40+ metadata tables in an assembly and analyzed the PE file structure plus two table types (Module and TypeRef) using our example. This time we’ll analyze the remaining 12 metadata tables: TypeDef, Field, Method, Param, MemberRef, CustomAttribute, StandAloneSig, PropertyMap, Property, MethodSemantic, Assembly, and AssemblyRef.
Table column definitions are in clr\src\md\runtime\metamodelcolumndefs.h.
TypeDef describes a type definition in the assembly:
- ULONG Flags (visibility, etc.)
- Name (index into #Strings)
- Namespace (index into #Strings)
- Extends (CodedToken pointing to parent type)
- FieldList (index into Field table, start of range)
- MethodList (index into Method table, start of range)
Our example has 3 TypeDefs. The interesting one is the Echo class: Flags tdPublic | tdBeforeFieldInit, Name "Echo", Extends → System.Object, 1 field, 4 methods.
Field describes member variables:
- USHORT Flags (e.g. fdPrivate)
- Name (index into #Strings)
- Signature (index into #Blob)
Our single Field: Flags=0x0001 (fdPrivate), Name="toEcho", Signature=06 0E.
Method describes member functions:
- ULONG RVA (relative offset to code)
- USHORT ImplFlags
- USHORT Flags (e.g. mdPublic, mdStatic)
- Name (#Strings index)
- Signature (#Blob index)
- ParamList (index into Param table)
6 MethodDefs in our example. The 5th entry (entry point at 0x60000005): RVA=0x000020C4, which resolves to offset 0x000002C4. Name="Main", Flags=0x0096 (mdHideBySig | mdStatic | mdPublic).
IL Method Format: SSCLI defines two formats: Tiny (code < 64 bytes, no local vars) and Fat. The header is in clr\src\inc\Corhdr.h:
```c
typedef enum CorILMethodFlags {
    CorILMethod_TinyFormat = 0x0002,
    CorILMethod_FatFormat  = 0x0003,
} CorILMethodFlags;

typedef struct IMAGE_COR_ILMETHOD_TINY {
    BYTE Flags_CodeSize;
} IMAGE_COR_ILMETHOD_TINY;

typedef struct IMAGE_COR_ILMETHOD_FAT {
    unsigned Flags    : 12;
    unsigned Size     : 4;
    unsigned MaxStack : 16;
    DWORD       CodeSize;
    mdSignature LocalVarSigTok;
} IMAGE_COR_ILMETHOD_FAT;
```
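A bounds-checked reader for the two header layouts above, written for this page as an added example (it is not SSCLI code). The names `il_header`, `parse_il_header`, `rd_le` and the sample bytes are constructed for illustration; it assumes the ECMA-335 convention that the format is the low two bits of the first byte and that tiny methods have a fixed max stack of 8.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IL_TINY = 0x2, IL_FAT = 0x3 };  /* CorILMethod_TinyFormat / _FatFormat */
typedef struct {
    int      format;       /* IL_TINY or IL_FAT */
    uint32_t header_size;  /* bytes before the first IL opcode */
    uint32_t code_size;    /* bytes of IL that follow the header */
    uint16_t max_stack;
    uint32_t local_sig;    /* LocalVarSigTok; 0 means no locals */
} il_header;

/* Constructed samples: a 2-byte body (nop; ret) behind each header kind. */
static const uint8_t sample_tiny[] = { 0x0A, 0x00, 0x2A };
static const uint8_t sample_fat[]  = { 0x13, 0x30, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00,
                                       0x01, 0x00, 0x00, 0x11, 0x00, 0x2A };

static uint32_t rd_le(const uint8_t *p, int n) {  /* little-endian read */
    uint32_t v = 0;
    while (n--) v = v << 8 | p[n];
    return v;
}

/* Returns 0 on success, -1 if malformed or the body overruns buf[0..len). */
int parse_il_header(const uint8_t *buf, size_t len, il_header *out) {
    if (len < 1) return -1;
    if ((buf[0] & 0x3) == IL_TINY) {          /* format is the low two bits */
        *out = (il_header){ .format = IL_TINY, .header_size = 1, .max_stack = 8,
                            .code_size = buf[0] >> 2 };  /* six bits: < 64 */
    } else if ((buf[0] & 0x3) == IL_FAT && len >= 12) {
        out->format = IL_FAT;
        out->header_size = (rd_le(buf, 2) >> 12) * 4;    /* Size is in DWORDs */
        out->max_stack = (uint16_t)rd_le(buf + 2, 2);
        out->code_size = rd_le(buf + 4, 4);
        out->local_sig = rd_le(buf + 8, 4);
        if (out->header_size < 12) return -1;
    } else return -1;
    /* Overflow-safe bounds check before anything walks the IL bytes. */
    if (out->header_size > len || out->code_size > len - out->header_size) return -1;
    return 0;
}

int main(void) {
    il_header h;
    int rc = parse_il_header(sample_fat, sizeof sample_fat, &h);
    printf("rc=%d code_size=%u\n", rc, rc ? 0u : (unsigned)h.code_size);
    return 0;
}
```

The final check matters when the image is untrusted: CodeSize in a fat header is a full 32-bit value taken from the file, so it is validated against the remaining buffer before any disassembler or verifier consumes it.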
MemberRef (4 entries in our example):
- Class (CodedToken MemberRefParent)
- Name (#Strings)
- Signature (#Blob)
Param (2 entries):
- USHORT Flags
- USHORT Sequence
- Name (#Strings)
Continuing with remaining tables in the final installment…