none
Identify .NET Mixed Mode Application RRS feed

  • Question

  • Can I Identify whether an exe is .NET Mixed Mode Application or not by reading the PE header of the exe ?

    Tuesday, August 5, 2008 3:49 AM

Answers

  • Joseph,
    if you look at the PE header - the IMAGE_OPTIONAL_HEADER to be exact - you can look at the pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER]; like this:

    IMAGE_DATA_DIRECTORY const* entry = NULL;
        entry = &pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER];

        if (entry->VirtualAddress == 0 || entry->Size == 0    || entry->Size < sizeof(IMAGE_COR20_HEADER)) {
            return E_FAIL;
        }   
         _pClrHeader = reinterpret_cast<IMAGE_COR20_HEADER*>(RtlImageRvaToVa32(_pNTHeader, _pFileBase, entry->VirtualAddress, 0));
     
    the IMAGE_COR20_HEADER is there for all CLI PEs, so you can check for its existance to determine if the PE is a CLI PE. If there's no IMAGE_OPTIONAL_HEADER  or not IMAGE_COR20_HEADER in OptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER], it's not a CLI PE.

    There might be a helper method somewhere in the WinAPI that I'm not aware of...

    Ben | bschwehn.de
    • Marked as answer by Zhi-Xin Ye Monday, August 11, 2008 10:59 AM
    Tuesday, August 5, 2008 2:45 PM

All replies

  • if you have the

    IMAGE_COR20_HEADER

    the flags dword should have the COMIMAGE_FLAGS_ILONLY flag set only for non mixed mode applications.

    hth

    Ben | bschwehn.de
    Tuesday, August 5, 2008 11:19 AM
  • Using CFF explorer to view the PE headers of the exe :

    .NET Directory->Flags=1 in case of pure application and 0 in  case of mixed mode application.


    Am I right ?
    Tuesday, August 5, 2008 1:47 PM
  • Well, there are more flags, so you'll have to do a bitwise compare against
    COMIMAGE_FLAGS_ILONLY.

    e.g if the PE has COMIMAGE_FLAGS_STRONGNAMESIGNED set, flags won't be 0 for a mixed mode PE either.
    Also, I don't know CFF explorer, so I can't comment on that particular tool.
    .
    Ben | bschwehn.de
    Tuesday, August 5, 2008 2:04 PM
  • I got it, definetly I am going to use bitwise operator to check it.

    Just wanted to make sure that we both are talking about flag in the PE headers, right ?
    Tuesday, August 5, 2008 2:07 PM
  • yes, I guess technically it's not the PE header, but the CLI header, but yes
    Ben | bschwehn.de
    Tuesday, August 5, 2008 2:14 PM
  • Thanks,

    I would be thankful to you if you can provide me link or material which describes the the internals of ILDASM and ILASM, how they works etc.  Actually  ILASM is not able reassemble the .il file to exe for mixed mode application so  I want to know how can I achieve this ?
    Tuesday, August 5, 2008 2:27 PM
  • my question is related, so i didn't want to create a new thread... i'm sure someone here can help me.

    how can i tell (quickly) if a dll uses managed code. i'm integrating a HUGE multi dll app, with some sll-s being loaded using native ::loadlibrary(), and yes i'm getting the mixed mode dll lock problem.

    i don't have access to all source, and need to identify which .dll(s) might be running managed code, and thus causing problems

    thanks,

    jozsef koloszar
    hungary

    Tuesday, August 5, 2008 2:28 PM
  • Joseph,
    if you look at the PE header - the IMAGE_OPTIONAL_HEADER to be exact - you can look at the pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER]; like this:

    IMAGE_DATA_DIRECTORY const* entry = NULL;
        entry = &pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER];

        if (entry->VirtualAddress == 0 || entry->Size == 0    || entry->Size < sizeof(IMAGE_COR20_HEADER)) {
            return E_FAIL;
        }   
         _pClrHeader = reinterpret_cast<IMAGE_COR20_HEADER*>(RtlImageRvaToVa32(_pNTHeader, _pFileBase, entry->VirtualAddress, 0));
     
    the IMAGE_COR20_HEADER is there for all CLI PEs, so you can check for its existance to determine if the PE is a CLI PE. If there's no IMAGE_OPTIONAL_HEADER  or not IMAGE_COR20_HEADER in OptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COMHEADER], it's not a CLI PE.

    There might be a helper method somewhere in the WinAPI that I'm not aware of...

    Ben | bschwehn.de
    • Marked as answer by Zhi-Xin Ye Monday, August 11, 2008 10:59 AM
    Tuesday, August 5, 2008 2:45 PM
  • Nvinkaus,

    have a look at the SSCLI implementation (or mono), and you'll find source code for both ildasm and ilasm.

    I once started doing a mixed mode assembler tool that takes an existing dll, dissassembles it and is able to reassemble it. It's been a long time ago, some info is on my page here: http://bschwehn.de/ICeeFileGenPart1.html which might or might not be useful. I never finished it, iirc i stopped the project before reassembling/copying the native code worked, I think it was quite painfull todo, because you had to translate new fileoffsets, RVAs and whatnot.

    I don't think there's to be a simple way.

    Good luck :)

    Ben | bschwehn.de
    Tuesday, August 5, 2008 2:53 PM
  • Thanks Ben, It's going to be a great help for me, once I am able to do it for mixed mode application, I will share it with you :)


    Best Regards,
    Navin
    Tuesday, August 5, 2008 3:02 PM
  • If you get it to work, I'd certainly be interested in your findings!
    Cheers,
    Ben


    Ben | bschwehn.de
    Tuesday, August 5, 2008 7:35 PM