Executable Format Analysis under SSCLI (1)

SSCLI Executable Format Analysis (Draft)

I remember a classic MSDN article on Windows PE format opening with: “A system’s executable format is a mirror of the system itself in many ways. Though studying it isn’t usually a programmer’s top priority, you can learn a great deal.” I’ve been studying SSCLI source code and felt somewhat lost, so I decided to start with the easiest part — .NET executable files — then work my way up to the Class Loader, in-memory Object Layout, JIT, Garbage Collection…

References: Google, Shared Source CLI Essentials, Inside Microsoft .NET IL Assembler, SSCLI source code. Tools: Windbg, Source Insight, UltraEdit, Windows Calculator, Notepad, Word, Visual Studio .NET 2003, and a cup for drinking water.

First, write a simple C# program, Hello.cs:

    public class Echo
    {
        private string toEcho = null;

        public string EchoString
        {
            get { return toEcho; }
            set { toEcho = value; }
        }

        public string DoEcho()
        {
            if (this.toEcho == null)
            {
                throw new System.Exception("Echo empty");
            }
            return toEcho;
        }
    }

    public class Hello
    {
        public static void Main(string[] args)
        {
            Echo e = new Echo();
            e.EchoString = "Hello world";
            System.Console.WriteLine("Echo: {0}", e.DoEcho());
        }
    }

Compile: csc Hello.cs /debug+

The resulting Hello.exe is our subject. I wrote a C program to dump the binary as hex. The complete annotated hex dump follows, showing IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_DATA_DIRECTORY, IMAGE_SECTION_HEADER, IMAGE_COR20_HEADER, and the metadata (STORAGESIGNATURE, STORAGEHEADER, streams #Strings, #US, #GUID, #Blob, #~), and finally the IL code and import section.
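The metadata part of that layout (STORAGESIGNATURE, STORAGEHEADER and the per-stream headers for #~, #Strings, #US, #GUID and #Blob) can be walked as follows. This Python code is an added example, not the author's C dump program and not SSCLI code; the function names `parse_metadata_root` and `build_sample` are hypothetical, and the sample bytes, including the version string, are constructed rather than taken from Hello.exe.

```python
import struct

def parse_metadata_root(md):
    """md: the bytes IMAGE_COR20_HEADER.MetaData points at.
    Returns (version, [(stream name, offset, size), ...])."""
    if len(md) < 20:
        raise ValueError("metadata root truncated")
    # STORAGESIGNATURE: signature, major, minor, extra data, version length
    sig, _major, _minor, _extra, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:                            # the bytes "BSJB"
        raise ValueError("bad STORAGESIGNATURE")
    if vlen > len(md) - 20:
        raise ValueError("version string overruns metadata")
    version = md[16:16 + vlen].split(b"\0", 1)[0].decode("ascii")
    # STORAGEHEADER: flags, pad, number of streams
    _flags, _pad, nstreams = struct.unpack_from("<BBH", md, 16 + vlen)
    pos, streams = 16 + vlen + 4, []
    for _ in range(nstreams):
        if pos + 8 > len(md):
            raise ValueError("stream header truncated")
        off, size = struct.unpack_from("<II", md, pos)
        end = md.find(b"\0", pos + 8, pos + 8 + 32)  # name: at most 32 bytes
        if end < 0:
            raise ValueError("unterminated stream name")
        if off + size > len(md):
            raise ValueError("stream overruns metadata")
        streams.append((md[pos + 8:end].decode("ascii"), off, size))
        pos += 8 + ((end - pos - 8 + 4) & ~3)        # name + NUL, padded to 4
    return version, streams

def build_sample():
    """Constructed metadata root, not bytes taken from the post's Hello.exe."""
    names = [b"#~", b"#Strings", b"#US", b"#GUID", b"#Blob"]
    ver = b"v1.1.4322".ljust(12, b"\0")              # assumed version string
    padded = [n.ljust((len(n) + 4) & ~3, b"\0") for n in names]
    data_start = 16 + len(ver) + 4 + sum(8 + len(p) for p in padded)
    out = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(ver)) + ver
    out += struct.pack("<BBH", 0, 0, len(names))
    for i, p in enumerate(padded):                   # 16 zero bytes per stream
        out += struct.pack("<II", data_start + 16 * i, 16) + p
    return out + bytes(16 * len(names))

if __name__ == "__main__":
    version, streams = parse_metadata_root(build_sample())
    print(version)
    for name, off, size in streams:
        print("%-9s offset=%d size=%d" % (name, off, size))
```

Stream offsets are relative to the start of the metadata root, so the bounds checks compare against the length of the metadata blob, not the file.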

This post is licensed under CC BY 4.0 by the author.