I'm back working on my disassembler and have found that I'm quite rusty on some of the details on disassembling .Net files ... so I'm going to write up notes while I'm finishing up Debris and post them here ... I really doubt too many people will be interested in these details - though I will try and add a post or two to give some context to them. These notes are mostly for my purposes only and the few out there that need this stuff but don't want to pull out the Ecma spec to find it.
In one of my Code Camp talks I walked through how to use ILDasm to more or less locate and read (or at least make some sense of) a .Net assembly in a Hex editor ... have to admit I thought it was pretty cool but right now I've got a bit of brushing up to do to get back to that point :)
What are Signatures?
(from Serge Lidin's book, page 158):
A signature is a byte array containing one or more encoded types and resides in the #Blob stream of metadata. The following metadata tables refer to the signatures:
- Field table: Field declaration signature
- Method table: Method declaration signature
- Property table: Property declaration signature
- MemberRef table: Field or method referencing signature
- StandAloneSig table: Local variables or indirect call signature
- TypeSpec table: Type specification signature
References for Signature details I'm currently using:
Chapter 8 in Expert .Net 2.0 IL Assembler, by Serge Lidin
Ecma 335, Partition II pages 151 to 167. Page numbers from the 3rd Edition, the 4th Edition page numbers are off by one (page number--)
Starting with the easiest first: Field Signatures
Taken from the Ecma 335, Partition II spec on page 158
The field can be a static or instance field in a class or it can be a global variable. The syntax diagram for a FieldSig looks like this :
NOTE: A field signature encodes the field's type only.
The Flags column on the metadata table encodes the following
[Flags()]
public enum FieldAttributes : ushort
{
FieldAccessMask = 0x0007,
CompilerControlled = 0x0000,
Private = 0x0001,
FamANDAssem = 0x0002,
Assembly = 0x0003,
Family = 0x0004,
FamORAssem = 0x0005,
Public = 0x0006,
Static = 0x0010,
InitOnly = 0x0020,
Literal = 0x0040,
NotSerialized = 0x0080,
SpecialName = 0x0200,
PInvokeImpl = 0x2000,
RTSpecialName = 0x0400,
HasFieldMarshal = 0x1000,
HasDefault = 0x8000,
HasFieldRva = 0x0100
}
Example 1: Private field of a value type declared in same assembly
This is one of the absolutely easiest signatures to figure out, so I'm starting with it then I'll add on some other easy examples and then gradually work my way to the more complex ones (ie. generic types and arrays).
C# code for field declaration:
private EnumType et = EnumType.one;
The field's information from ILDasm:
0x06 is calling convention for a Field (IMAGE_CEE_CS_CALLCONV_FIELD)
0x11 is ELEMENT_TYPE_VALUETYPE
0x0c in this case, is a compressed TypeDefOrRef [signature] token. A token is both a table and its index encoded into an integer.
The table type is encoded in the least 2 significant bits, where:
|
Table |
Bit values |
| TypeDef |
00 |
| TypeRef |
01 |
| TypeSpec |
10 |
0x0c, is a compressed integer of 12 (0x0c)
NOTE: Since 0x0c is under 128, the compressed value is the same as the uncompressed value and only takes 1 byte to represent it. (will create notes on the compression algorithm later).
Determine the table the type is in:
If you AND the uncompressed value with 0x03 you can determine which of the least 2 bits are on or off, in this case it will be 00 = TypeDef.
Get the index of the record in the table:
Bit shift 12 to the right 2 bits and you get 3 (0x03) (which is the index in the TypeDef table for the SignatureUtility.EnumType record)
Things to provide in future notes:
- Compression Algorithm
- Full listing of calling conventions
- Full listing of element types
... and where they can be located.