Executable Format Analysis under SSCLI (Final)

CustomAttribute describes custom attributes: Parent (HasCustomAttribute CodedToken), Type (CustomAttributeType CodedToken), Value (#Blob index). One in our example: 2E 00 0B 00 39 00.

StandAloneSig holds orphan signatures not referenced by any structure element (e.g., those used by the calli IL instruction). Each row is a single index into #Blob. Two entries in our example: 2A 00 34 00.

PropertyMap maps properties to their owning types: Parent (TypeDef index), PropertyList (Property table index). One in our example: 02 00 01 00, mapping the Echo class to the EchoString property.

Property defines a property: USHORT Flags, Name (#Strings), Type (#Blob). One in our example: Flags=0x0000, Name=“EchoString”.

MethodSemantics maps methods to properties/events: USHORT Semantic (0x0001=setter, 0x0002=getter, etc.), Method (Method table index), Association (HasSemantic CodedToken). Two entries: get_EchoString (Semantic=0x0002) and set_EchoString (Semantic=0x0001).

Assembly describes the assembly itself: ULONG HashAlgId (e.g. 0x8004=SHA1), version info (4×USHORT), ULONG Flags, PublicKey (#Blob), Name (#Strings), Locale (#Strings). Our example shows SHA1, version 0.0.0.0, Name=“hello”.

AssemblyRef describes referenced assemblies: similar structure to Assembly. One in our example: mscorlib v1.0.3300.1.
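
As an added example (not code from the original post or from SSCLI), the Python below decodes the CustomAttribute, StandAloneSig and PropertyMap row bytes quoted above and unpacks their CodedTokens into a table name and row index. It assumes every column is 2 bytes wide, as in the rows shown, and takes the tag tables from the pre-generics ECMA-335 layout; the function and constant names are my own, and the MethodSemantics row is constructed because the post does not quote its bytes.

```python
import struct

# Coded-token schemes (tag bit width, tables by tag) from ECMA-335 II.24.2.6.
# None marks a tag value the specification leaves unused.
HAS_CUSTOM_ATTRIBUTE = (5, [
    "MethodDef", "Field", "TypeRef", "TypeDef", "Param", "InterfaceImpl",
    "MemberRef", "Module", "DeclSecurity", "Property", "Event",
    "StandAloneSig", "ModuleRef", "TypeSpec", "Assembly", "AssemblyRef",
    "File", "ExportedType", "ManifestResource"])
CUSTOM_ATTRIBUTE_TYPE = (3, [None, None, "MethodDef", "MemberRef", None])
HAS_SEMANTICS = (1, ["Event", "Property"])

# Column layouts: (name, coded-token scheme or None for a plain index/value).
CUSTOM_ATTRIBUTE = [("Parent", HAS_CUSTOM_ATTRIBUTE),
                    ("Type", CUSTOM_ATTRIBUTE_TYPE), ("Value", None)]
STANDALONE_SIG = [("Signature", None)]
PROPERTY_MAP = [("Parent", None), ("PropertyList", None)]
METHOD_SEMANTICS = [("Semantic", None), ("Method", None),
                    ("Association", HAS_SEMANTICS)]


def decode_coded(value, scheme):
    """Split a coded token into (table name, 1-based row index)."""
    bits, tables = scheme
    tag, rid = value & ((1 << bits) - 1), value >> bits
    if tag >= len(tables) or tables[tag] is None:
        raise ValueError(f"invalid tag {tag} in coded token 0x{value:04X}")
    return tables[tag], rid


def parse_rows(data, columns):
    """Decode raw table bytes, assuming every column is a 2-byte LE value."""
    width = 2 * len(columns)
    if len(data) == 0 or len(data) % width:
        raise ValueError(f"{len(data)} bytes is not a whole number of rows")
    rows = []
    for off in range(0, len(data), width):
        raw = struct.unpack_from(f"<{len(columns)}H", data, off)
        rows.append({name: decode_coded(v, scheme) if scheme else v
                     for (name, scheme), v in zip(columns, raw)})
    return rows


if __name__ == "__main__":
    # Row bytes quoted in the post.
    print(parse_rows(bytes.fromhex("2E000B003900"), CUSTOM_ATTRIBUTE))
    print(parse_rows(bytes.fromhex("2A003400"), STANDALONE_SIG))
    print(parse_rows(bytes.fromhex("02000100"), PROPERTY_MAP))
    # Constructed row (not from the post): getter, Method row 3, Property row 1.
    print(parse_rows(bytes.fromhex("020003000300"), METHOD_SEMANTICS))
```

Decoded this way, the CustomAttribute row's Parent 0x002E resolves to row 1 of the Assembly table and its Type 0x000B to row 1 of MemberRef, so the attribute is attached to the assembly itself.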

Summary

This concludes the analysis of our simple Hello World executable’s format. Unlike traditional C/C++ programs, .NET executables contain not only code but extensive descriptive metadata — enabling “self-description.” This makes .NET programs ideal for network distribution and provides a solid foundation for RPC and similar technologies. Self-description has many advantages; the downside is that it makes reverse engineering easier 😀.

Our example only touched 14 of the many SSCLI table types. Events and other tables remain unexplored. Additionally, metadata is just the static description — at runtime, .NET’s Class Loader loads assemblies into memory with a separate dynamic description system (EEClass, MethodTable, etc.), exposed to programmers via System.Reflection.

Beyond System.Reflection, Microsoft provides the “Manifest API” — a set of COM-based unmanaged interfaces for accessing, analyzing, and generating metadata. The CLR uses these interfaces internally. SSCLI’s cli\src\md directory contains the implementation.

After the new Visual Studio “Whidbey” ships, Microsoft will release the next SSCLI version. I wonder how much it’ll change.

This post is licensed under CC BY 4.0 by the author.