`* .ni.dll.aux`文件的格式是什么?

时间:2013-07-16 16:02:00

标签: .net format clr .net-assembly ngen

*.ni.dll.aux中找到的C:\Windows\assembly\NativeImages_v4.0.30319_64个文件的格式(数据布局)是什么?我知道这些是ngen.exe生成的辅助文件。它们包含哪些数据?

1 个答案:

答案 0 :(得分:2)

分析显示它是一种相当简单的格式(正如Hans Passant指出的那样)。它有一个类型字,后面是3个级别的长度字:在文件级别,记录级别和基准级别(这些是我为清晰起见而使用的任意术语)。

这是一个概述:

jcomeau@aspire:~/stackoverflow/17681514$ ./job.py System.Net.ni.dll.aux 
00000005 (00000204): 0b000000bc0000000d000000...00000000000000000000cccc
 0000000b (000000bc): 0d0000005000000053797374...00000000000000000000cccc
  0000000d: (00000050) 'System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\x00\xcc\xcc'
  00000007: (00000004) '\t\x11\x00\x00'
  00000002: (00000008) '\x00i,\x03c]\xcd\x01'
  00000008: (00000014) '\xf3\xd8#\x08\xf7\x08\x9a$1\x11\xb8\x18Rv\xf4@\xa1y\xb2.'
  0000000a: (00000024) '\x011.0.23-106002268\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
 00000004 (00000098): 010000004c0000006d73636f...00000000000000000000cccc
  00000001: (0000004c) 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00'
  00000003: (00000010) '\x9d\xa5\xbb3\xcd\x1c4\xb7\x85\x1c\x08\x8f\x0c\xf7I\xcc'
  0000000a: (00000024) '\x011.0.23-106002119\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
 00000004 (00000098): 010000004c00000053797374...00000000000000000000cccc
  00000001: (0000004c) 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00\xcc\xcc'
  00000003: (00000010) '\xe30[\xdb\xd0>\xf9\x19\x05\x1a\xa7\xf2x:\xc3*'
  0000000a: (00000024) '\x011.0.23-106003331\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'

这是转储上述内容的脚本(逐步开发):

jcomeau@aspire:~/stackoverflow/17681514$ cat job.py
#!/usr/bin/python
import sys, os, struct
def dump(infile):
 data = read(infile)
 filelength = len(data)
 filetype, length, data = next(data)
 assert filelength == length + 8
 print '%08x (%08x): %s' % (filetype, length, snippet(data))
 lengthcheck = 8
 while data:
  recordtype, recordlength, data = next(data)
  lengthcheck += 8 + recordlength
  #debug('remaining data: %s' % snippet(data))
  record, data = data[:recordlength], data[recordlength:]
  print ' %08x (%08x): %s' % (recordtype, recordlength, snippet(record))
  recordcheck = 0  # not 8 because record header was already not counted
  while record:
   subrecordtype, subrecordlength, record = next(record)
   recordcheck += 8 + subrecordlength
   datum, record = record[:subrecordlength], record[subrecordlength:]
   print '  %08x: (%08x) %s' % (subrecordtype, subrecordlength, repr(datum))
  assert recordcheck == recordlength
 assert lengthcheck == filelength
def next(data):
 'each chunk is a type word followed by a length word'
 if not data:
  typeword, length = 0, 0
 elif len(data) > 16:
  typeword = struct.unpack('<I', data[:4])[0]
  length = struct.unpack('<I', data[4:8])[0]
 else:
  raise Exception('Invalid data length %d' % len(data))
 return typeword, length, data[8:]
def read(filename):
 input = open(filename, 'rb')
 data = input.read()
 input.close()
 return data
def snippet(data):
 snippet = data[:12].encode('hex')
 if len(data) > 12:
  snippet += '...'
 if len(data) > 24:
  snippet += data[-12:].encode('hex')
 return snippet
def debug(message):
 if __debug__:
  if message:
   print >>sys.stderr, message
  return True
if __name__ == '__main__':
 for infile in sys.argv[1:]:
  dump(infile)

每条记录都有一个子记录类型0xa,它似乎是各种类型的版本号。子记录类型0x3可能是一个GUID,只是根据它的长度来判断。类型0x1和0xd是描述性的。我不知道子记录类型0x7和0x2可能是什么。或许0x7是匹配的.dll的32位偏移量,但是类型0x2中的64位数字并不特别对我提出任何建议。类型0x8,长度为20个字节,可能是某种类型的散列。也许其他人可以填补空白。

正如您所见,

字符串值以0x0加0xcccc结尾。记录类型0xa主要是字符串数据,但前面是0x1字节,固定长度为0x24,所以用额外的0x0填充。其他记录类型,但不是全部,也以0xcccc结尾。

这些文件是通过谷歌搜索“index.of dll.aux”获得的,在此处找到:http://www.badelement.co.uk/Movies/Storage/Win-7-Pro_64/Windows/assembly/NativeImages_v4.0.30319_64/System.Net/d79a634a4d873717e2dab52d827ba985/