Executable Format Analysis under SSCLI (1)
SSCLI Executable Format Analysis (Draft)
I remember a classic MSDN article on Windows PE format opening with: “A system’s executable format is a mirror of the system itself in many ways. Though studying it isn’t usually a programmer’s top priority, you can learn a great deal.” I’ve been studying SSCLI source code and felt somewhat lost, so I decided to start with the easiest part — .NET executable files — then work my way up to the Class Loader, in-memory Object Layout, JIT, Garbage Collection…
References: Google, Shared Source CLI Essentials, Inside Microsoft .NET IL Assembler, SSCLI source code. Tools: Windbg, Source Insight, UltraEdit, Windows Calculator, Notepad, Word, Visual Studio .NET 2003, and a cup for drinking water.
First, write a simple C# program, Hello.cs:
public class Echo
{
private string toEcho = null;
public string EchoString
{
get { return toEcho; }
set { toEcho = value; }
}
public string DoEcho()
{
if (this.toEcho == null)
{
throw new System.Exception("Echo empty");
}
return toEcho;
}
}
public class Hello
{
public static void Main(string[] args)
{
Echo e = new Echo();
e.EchoString = "Hello world";
System.Console.WriteLine("Echo: {0}", e.DoEcho());
}
}
Compile: csc Hello.cs /debug+
The resulting Hello.exe is our subject. I wrote a C program to dump the binary as hex. The complete annotated hex dump follows, showing IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_DATA_DIRECTORY, IMAGE_SECTION_HEADER, IMAGE_COR20_HEADER, and the metadata (STORAGESIGNATURE, STORAGEHEADER, streams #Strings, #US, #GUID, #Blob, #~), and finally the IL code and import section.