Abstract: This is a beginner’s tutorial on PE format applied to .NET assemblies. We tried to focus on the big picture. We tried to give light illustrated text.
1 Continuation of another article
This article is a continuation of another article:
1.1 Tools used – Hex Editor ImHex
I am using Hex Editor ImHex (freeware), which enables me to color sections of files ([1]).
1.2 Tools used – PE Viewer “PE-bear”
PE-bear (freeware) is a very useful tool for analyzing PE files visually. Based on the documentation, it does not cover all variants and flavors of PE files, but it is a great viewer/parser/analyzer for simpler ones. I think it is always easier to study topics using visual tools. ([2])
1.3 Tools used – Assembly viewer
An excellent “A .NET assembly viewer” (freeware) is being provided in the project [3].
1.4 Tools used – CFF Explorer
Another PE file explorer “CFF Explorer” freeware) can be found at [4].
2 .NET Header (aka “COR20 Header”, “CLI Header”)
As we saw in the previous article [11], “NT Headers - Optional Header – Data Dictionary” presented by the PE-bear tool looks like this:
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
If you look at file offset 0x168 for .NET Header, it says at address 0x2008(RVA). Again, 0x2008-0x2000+0x200= 0x208(raw file). Size is 0x48
Here is how it looks in Hex editor:
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
And here is an interpretation by PE-bear:
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
And here is an interpretation by Assembly Viewer
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
3 Resources (aka “Managed resources”)
It says ResourceDir is 0x2AFC(RVA), with size 0xD8. Again, 0x2AFC-0x2000+0x200= 0xCFC(raw file). End is 0xCFC+0xD8= 0xDD4(raw file)
Here it is Hex editor:
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
As you can see, we mapped the string “HW” to the “Hello World!” string in our C# code resources.
4 Metadata
4.1 Short theoretical background
Metadata inside the .NET assembly is organized in 5 streams. The name of each stream starts with #. The streams are:
- #~ stream – This is the “metadata stream” and contains information on the types, methods, fields, properties, and events in the assembly.
- #Strings stream – Contains names of namespaces, types, and members.
- #US stream – This is the “user string heap” and contains all the strings used in the code.
- #GUID stream – Stores GUIDs used in the assembly.
- #Blob stream – Contains pure binary data.
4.2 File content
As seen above, at file offset 0x210, for MetaData, it says the address is 0x211C(RVA). Again, 0x211C-0x2000+0x200= 0x31C(raw file). That is the location of the Metadata Header. It can be seen in the Hex editor.
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
And here is an interpretation by Assembly Viewer
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
So, we see that we have metadata in 5 streams. Offsets here are given “relative to start of metadata header (0x31C)”. We need to do some calculations:
- Stream #Strings starts at 0x31C+0x3D0= 0x6EC(raw file). It ends at 0x6EC+0x410= 0xAFC(raw file).
- Stream #Blob starts at 0x31C+8280x= 0xB44(raw file). It ends at 0xB44+0x1B8= 0xCFC(raw file).
- Stream #GUID starts at 0x31C+0x818= 0xB34(raw file). It ends at 0xB34+0x10= 0xB44(raw file).
- Stream #US starts at 0x31C+0x7E0= 0xAFC(raw file). It ends at 0xAFC+0x38= 0xB34(raw file).
- Stream #~ starts at 0x31C+0x6C= 0x388(raw file). It ends at 0x388+0x364= 0x6EC(raw file).
We will not be going into the interpretation of what each stream contains, just let us see the interpretation by Assembly Viewer
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
Stream #~ is special, so it is presented differently:
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
5 Method bodies
So, that was Metadata. Where are our method bodies, that is IL?
For that, we need to interpret Metadata. We will not do it manually but instead use tools to see that interpretation.
Let us see the interpretation by CFF Explorer.
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
So, we can see that Metadata stream #~ contains a folder with Methods, and for method Main, we see offset 0x2069(RVA), a starting point of our method code. Again 0x2069-0x2000+0x200= 0x269(raw file) location in section .text.
So, Method bodies are stored between .NET Header and Metadata Headers. In our file, that is area 0x250(raw file)-0x31B(raw file).
6 Section .text overview
So, here is the big picture, an overview of our .NET assembly packaged into the section .text of our file.
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
![AWS Systems Manager (SSM) Parameter store in .NET 3.1 Web API]()
7 Conclusion
This article is a continuation of the article [11]. We here outlined how .NET assembly is packaged into PE file format. We tried to give light illustrated text and didn’t go into all the fine details of how bytes are packaged but relied on tools to parse and interpret data.
An interested reader can find more details in articles [6]-[9].
8 References
- https://github.com/WerWolv/ImHex/releases/tag/v1.27.0
- https://hshrzd.wordpress.com/pe-bear/
- https://www.codeproject.com/Articles/3262/A-NET-assembly-viewer
- https://ntcore.com/?page_id=388
- https://learn.microsoft.com/en-us/windows/win32/debug/pe-format?redirectedfrom=MSDN
- https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-pe-headers/
- https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-clr-metadata-1/
- https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-clr-metadata-2/
- https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-clr-metadata-3/
- https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-methods/
- https://www.codeproject.com/Articles/5356568/PE-Format-Illustrated-Part-1