*.ni.dll.aux
中找到的C:\Windows\assembly\NativeImages_v4.0.30319_64
个文件的格式(数据布局)是什么?我知道这些是ngen.exe
生成的辅助文件。它们包含哪些数据?
答案 0 :(得分:2)
分析显示它是一种相当简单的格式(正如Hans Passant指出的那样)。它有一个类型字,后面是3个级别的长度字:在文件级别,记录级别和基准级别(这些是我为清晰起见而使用的任意术语)。
这是一个概述:
jcomeau@aspire:~/stackoverflow/17681514$ ./job.py System.Net.ni.dll.aux
00000005 (00000204): 0b000000bc0000000d000000...00000000000000000000cccc
0000000b (000000bc): 0d0000005000000053797374...00000000000000000000cccc
0000000d: (00000050) 'System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\x00\xcc\xcc'
00000007: (00000004) '\t\x11\x00\x00'
00000002: (00000008) '\x00i,\x03c]\xcd\x01'
00000008: (00000014) '\xf3\xd8#\x08\xf7\x08\x9a$1\x11\xb8\x18Rv\xf4@\xa1y\xb2.'
0000000a: (00000024) '\x011.0.23-106002268\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
00000004 (00000098): 010000004c0000006d73636f...00000000000000000000cccc
00000001: (0000004c) 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00'
00000003: (00000010) '\x9d\xa5\xbb3\xcd\x1c4\xb7\x85\x1c\x08\x8f\x0c\xf7I\xcc'
0000000a: (00000024) '\x011.0.23-106002119\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
00000004 (00000098): 010000004c00000053797374...00000000000000000000cccc
00000001: (0000004c) 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00\xcc\xcc'
00000003: (00000010) '\xe30[\xdb\xd0>\xf9\x19\x05\x1a\xa7\xf2x:\xc3*'
0000000a: (00000024) '\x011.0.23-106003331\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
这是转储上述内容的脚本(逐步开发):
jcomeau@aspire:~/stackoverflow/17681514$ cat job.py
#!/usr/bin/python
import sys, os, struct
def dump(infile):
data = read(infile)
filelength = len(data)
filetype, length, data = next(data)
assert filelength == length + 8
print '%08x (%08x): %s' % (filetype, length, snippet(data))
lengthcheck = 8
while data:
recordtype, recordlength, data = next(data)
lengthcheck += 8 + recordlength
#debug('remaining data: %s' % snippet(data))
record, data = data[:recordlength], data[recordlength:]
print ' %08x (%08x): %s' % (recordtype, recordlength, snippet(record))
recordcheck = 0 # not 8 because record header was already not counted
while record:
subrecordtype, subrecordlength, record = next(record)
recordcheck += 8 + subrecordlength
datum, record = record[:subrecordlength], record[subrecordlength:]
print ' %08x: (%08x) %s' % (subrecordtype, subrecordlength, repr(datum))
assert recordcheck == recordlength
assert lengthcheck == filelength
def next(data):
'each chunk is a type word followed by a length word'
if not data:
typeword, length = 0, 0
elif len(data) > 16:
typeword = struct.unpack('<I', data[:4])[0]
length = struct.unpack('<I', data[4:8])[0]
else:
raise Exception('Invalid data length %d' % len(data))
return typeword, length, data[8:]
def read(filename):
input = open(filename, 'rb')
data = input.read()
input.close()
return data
def snippet(data):
snippet = data[:12].encode('hex')
if len(data) > 12:
snippet += '...'
if len(data) > 24:
snippet += data[-12:].encode('hex')
return snippet
def debug(message):
if __debug__:
if message:
print >>sys.stderr, message
return True
if __name__ == '__main__':
for infile in sys.argv[1:]:
dump(infile)
每条记录都有一个子记录类型0xa,它似乎是各种类型的版本号。子记录类型0x3可能是一个GUID,只是根据它的长度来判断。类型0x1和0xd是描述性的。我不知道子记录类型0x7和0x2可能是什么。或许0x7是匹配的.dll的32位偏移量,但是类型0x2中的64位数字并不特别对我提出任何建议。类型0x8,长度为20个字节,可能是某种类型的散列。也许其他人可以填补空白。
正如您所见,字符串值以0x0加0xcccc结尾。记录类型0xa主要是字符串数据,但前面是0x1字节,固定长度为0x24,所以用额外的0x0填充。其他记录类型,但不是全部,也以0xcccc结尾。
这些文件是通过谷歌搜索“index.of dll.aux”获得的,在此处找到:http://www.badelement.co.uk/Movies/Storage/Win-7-Pro_64/Windows/assembly/NativeImages_v4.0.30319_64/System.Net/d79a634a4d873717e2dab52d827ba985/