Module 12 - .NET Assembly

Common Language Runtime Header

CLR Header of Executable Image
    Holds, for instance, the header size (cb) and the location of the metadata.

How To
Dump CLR Header

1) RUN@ cdb.exe -o C:\Windows\System32\mmc.exe C:\Windows\System32\eventvwr.msc
   Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
   ...
   ntdll!LdrpDoDebuggerBreak+0x30:
   ...
2) CDB@ sxe ld clrjit
3) CDB@ g
   ...
   ... clrjit.dll
   ntdll!NtMapViewOfSection+0x14:
   ...
4) CDB@ .reload
   Reloading current modules
   ...
5) CDB@ lm m MMCEx*
   Browse full module list
   start             end                 module name
   00007ffa`34330000 00007ffa`34549000   MMCEx_ni   (deferred)
6) CDB@ dt 00007ffa`34330000 ntdll!_IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d
   ...
   +0x03c e_lfanew         : 0n128
   ...
7) CDB@ db /c4 00007ffa`34330000+0x03c L4
   00007ffa`3433003c  80 00 00 00  ....
8) CDB@ dt 00007ffa`34330000+0x80 ntdll!_IMAGE_NT_HEADERS64
   +0x000 Signature        : 0x4550
   ...
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER64
   ...
9) CDB@ dt 00007ffa`34330000+0x80+0x018 ntdll!_IMAGE_OPTIONAL_HEADER64
   +0x000 Magic            : 0x20b
   ...
   +0x070 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
   ...
10) CDB@ dt -a16 00007ffa`34330000+0x80+0x018+0x070 ntdll!_IMAGE_DATA_DIRECTORY
   [0] @ 00007ffa`34330108
   ---------------------------------------------
   +0x000 VirtualAddress   : 0
   +0x004 Size             : 0
   ...
   [14] @ 00007ffa`34330178
   ---------------------------------------------
   +0x000 VirtualAddress   : 0x90460
   +0x004 Size             : 0x48
   ...
11) CDB@ dt 00007ffa`34330000+0x90460 wintypes!IMAGE_COR20_HEADER
   +0x000 cb               : 0x48
   ...
   +0x008 MetaData         : _IMAGE_DATA_DIRECTORY
   ...
12) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger
-o : Switch, Specifies Target Application
C:\Windows\System32\mmc.exe : Parameter, MMC Application
C:\Windows\System32\eventvwr.msc : Argument, Event Viewer Snap-In
sxe ld : Standard Command, To Break on Module Load
g : Standard Command, To Go (Resume Execution)
.reload : Meta Command, To Reload Module Symbols
lm : Standard Command, To List Modules
m : Option, Specifies Pattern
MMCEx : Parameter, Module Name
* : Parameter, Wildcard
00007ffa`34330000 : Output, Module Start Address
dt : Standard Command, To Display Type
ntdll : Parameter, Type Module Name
_IMAGE_DOS_HEADER : Parameter, Type Name
db : Standard Command, To Display Memory Content (Bytes)
/c4 : Option, Specifies 4 Column Width
0x03c : Output, e_lfanew (LFA New) Field Offset
L4 : Range, 4-Byte Address Range
80 00 00 00 : Output, PE Header Offset (Little-Endian)
.... : Output, ASCII Characters
_IMAGE_NT_HEADERS64 : Parameter, Type Name
0x018 : Output, Optional Header Offset
_IMAGE_OPTIONAL_HEADER64 : Parameter, Type Name
0x070 : Output, Data Directory Offset (Entry [14], the 15th, Is the CLR Header)
_IMAGE_DATA_DIRECTORY : Parameter, Type Name
0x90460 : Output, CLR Header Offset (RVA)
wintypes : Parameter, Type Module Name
IMAGE_COR20_HEADER : Parameter, Type Name
0x48 : Output, CLR Header Size
0x008 : Output, Metadata Directory Offset
qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\mmc.exe C:\Windows\System32\eventvwr.msc → View → Command (Alt+1), then:
    sxe ld clrjit; g; .reload; lm m MMCEx*;
    dt {Module Start Address} ntdll!_IMAGE_DOS_HEADER;
    db /c4 {Module Start Address}+{PE Header Offset} L4;
    dt {Module Start Address}+{PE Header Offset} ntdll!_IMAGE_NT_HEADERS64;
    dt -a16 {Module Start Address}+{PE Header Offset}+{Optional Header Offset}+{Data Directory Offset} ntdll!_IMAGE_DATA_DIRECTORY;
    dt {Module Start Address}+{CLR Header Offset} wintypes!IMAGE_COR20_HEADER;
    qd
Metadata Signature

Metadata Signature of Executable Image
    Starts with BSJB

How To
Dump Metadata Signature

1) RUN@ cdb.exe -o C:\Windows\System32\mmc.exe C:\Windows\System32\eventvwr.msc
   Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
   ...
   ntdll!LdrpDoDebuggerBreak+0x30:
   ...
2) CDB@ sxe ld clrjit
3) CDB@ g
   ...
   ... clrjit.dll
   ntdll!NtMapViewOfSection+0x14:
   ...
4) CDB@ .reload
   Reloading current modules
   ...
5) CDB@ lm m MMCEx*
   Browse full module list
   start             end                 module name
   00007ffa`34330000 00007ffa`34549000   MMCEx_ni   (deferred)
6) CDB@ dt 00007ffa`34330000 ntdll!_IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d
   ...
   +0x03c e_lfanew         : 0n128
   ...
7) CDB@ db /c4 00007ffa`34330000+0x03c L4
   00007ffa`3433003c  80 00 00 00  ....
8) CDB@ dt 00007ffa`34330000+0x80 ntdll!_IMAGE_NT_HEADERS64
   +0x000 Signature        : 0x4550
   ...
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER64
   ...
9) CDB@ dt 00007ffa`34330000+0x80+0x018 ntdll!_IMAGE_OPTIONAL_HEADER64
   +0x000 Magic            : 0x20b
   ...
   +0x070 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
   ...
10) CDB@ dt -a16 00007ffa`34330000+0x80+0x018+0x070 ntdll!_IMAGE_DATA_DIRECTORY
   [0] @ 00007ffa`34330108
   ---------------------------------------------
   +0x000 VirtualAddress   : 0
   +0x004 Size             : 0
   ...
   [14] @ 00007ffa`34330178
   ---------------------------------------------
   +0x000 VirtualAddress   : 0x90460
   +0x004 Size             : 0x48
   ...
11) CDB@ dt 00007ffa`34330000+0x90460 wintypes!IMAGE_COR20_HEADER
   +0x000 cb               : 0x48
   ...
   +0x008 MetaData         : _IMAGE_DATA_DIRECTORY
   ...
12) CDB@ db /c4 00007ffa`34330000+0x90460+0x008 L4
   00007ffa`343c0468  c0 9b 0c 00  ....
   ...
13) CDB@ db /c4 00007ffa`34330000+0x0c9bc0 L4
   00007ffa`343f9bc0  42 53 4a 42  BSJB
14) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger
-o : Switch, Specifies Target Application
C:\Windows\System32\mmc.exe : Parameter, MMC Application
C:\Windows\System32\eventvwr.msc : Argument, Event Viewer Snap-In
sxe ld : Standard Command, To Break on Module Load
g : Standard Command, To Go (Resume Execution)
.reload : Meta Command, To Reload Module Symbols
lm : Standard Command, To List Modules
m : Option, Specifies Pattern
MMCEx : Parameter, Module Name
* : Parameter, Wildcard
00007ffa`34330000 : Output, Module Start Address
dt : Standard Command, To Display Type
ntdll : Parameter, Type Module Name
_IMAGE_DOS_HEADER : Parameter, Type Name
db : Standard Command, To Display Memory Content (Bytes)
/c4 : Option, Specifies 4 Column Width
0x03c : Output, e_lfanew (LFA New) Field Offset
L4 : Range, 4-Byte Address Range
80 00 00 00 : Output, PE Header Offset (Little-Endian)
.... : Output, ASCII Characters
_IMAGE_NT_HEADERS64 : Parameter, Type Name
0x018 : Output, Optional Header Offset
_IMAGE_OPTIONAL_HEADER64 : Parameter, Type Name
0x070 : Output, Data Directory Offset (Entry [14], the 15th, Is the CLR Header)
_IMAGE_DATA_DIRECTORY : Parameter, Type Name
0x90460 : Output, CLR Header Offset (RVA)
wintypes : Parameter, Type Module Name
IMAGE_COR20_HEADER : Parameter, Type Name
0x48 : Output, CLR Header Size
0x008 : Output, Metadata Directory Offset
c0 9b 0c 00 : Output, Metadata Header Offset (RVA 0x0c9bc0, Little-Endian)
.... : Output, ASCII Characters
42 53 4a 42 : Output, Metadata Signature
BSJB : Output, ASCII Characters
qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\mmc.exe C:\Windows\System32\eventvwr.msc → View → Command (Alt+1), then:
    sxe ld clrjit; g; .reload; lm m MMCEx*;
    dt {Module Start Address} ntdll!_IMAGE_DOS_HEADER;
    db /c4 {Module Start Address}+{PE Header Offset} L4;
    dt {Module Start Address}+{PE Header Offset} ntdll!_IMAGE_NT_HEADERS64;
    dt -a16 {Module Start Address}+{PE Header Offset}+{Optional Header Offset}+{Data Directory Offset} ntdll!_IMAGE_DATA_DIRECTORY;
    dt {Module Start Address}+{CLR Header Offset} wintypes!IMAGE_COR20_HEADER;
    db /c4 {Module Start Address}+{CLR Header Offset}+{Metadata Offset} L4;
    db /c4 {Module Start Address}+{Metadata Header Offset} L4;
    qd
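As an added example (not part of this module's material), the same header walk from both sections above performed offline in Python against a constructed in-memory PE32+ image, where RVAs equal offsets just as the debugger sees the mapped module: e_lfanew, NT headers, optional header, DataDirectory[14], IMAGE_COR20_HEADER, then the MetaData directory and its BSJB signature. It also rejects native images (empty entry [14]) and a CLR header whose cb disagrees with the directory size. The sample image builder, its field values and the function names are assumptions.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # DataDirectory[] slot that points to the CLR header
METADATA_SIGNATURE = b"BSJB"                # magic at the start of the metadata root

def find_clr_header(image: bytes) -> dict:
    """Walk a loaded (RVA == offset) PE32+ image to its CLR header and metadata root:
    e_lfanew -> NT headers -> optional header -> DataDirectory[14] -> COR20 -> BSJB."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    opt = e_lfanew + 0x18                                   # IMAGE_NT_HEADERS64.OptionalHeader
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (Magic 0x20b) is handled")
    num_dirs = struct.unpack_from("<I", image, opt + 0x6C)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        raise ValueError("no COM descriptor directory: not a managed image")
    dir_off = opt + 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    clr_rva, clr_size = struct.unpack_from("<II", image, dir_off)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("empty COM descriptor directory: native (unmanaged) image")
    cb, major, minor, md_rva, md_size = struct.unpack_from("<IHHII", image, clr_rva)
    if cb != clr_size:                                      # cb must agree with the directory
        raise ValueError(f"IMAGE_COR20_HEADER.cb {cb:#x} != directory Size {clr_size:#x}")
    sig = image[md_rva:md_rva + 4]
    if sig != METADATA_SIGNATURE:
        raise ValueError(f"metadata root signature {sig!r} is not BSJB")
    return {"clr_rva": clr_rva, "clr_size": clr_size, "runtime": (major, minor),
            "metadata_rva": md_rva, "metadata_size": md_size, "signature": sig.decode()}

def build_sample_image() -> bytes:
    """Constructed minimal PE32+ image carrying a CLR header; not a real binary."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                         # e_lfanew = 0n128
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 1)                    # Machine AMD64, 1 section
    struct.pack_into("<H", img, 0x94, 0xF0)                          # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                          # Magic: PE32+
    struct.pack_into("<I", img, opt + 0x6C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x70 + 8 * 14, 0x400, 0x48)   # DataDirectory[14]
    struct.pack_into("<IHHII", img, 0x400, 0x48, 2, 5, 0x500, 0x6C)  # IMAGE_COR20_HEADER
    img[0x500:0x504] = METADATA_SIGNATURE                            # metadata root
    struct.pack_into("<HHII", img, 0x504, 1, 1, 0, 12)               # Major, Minor, Reserved, Length
    return bytes(img)
```

Entry [14] lands at offset 0x178 of the constructed image, the same offset the debugger printed for the real module, because the DOS stub, NT header and optional header layout is fixed.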