# Cor20

This header contains runtime-specific and various other information.

# Entry point existence

Cor20Header.entry_point_exists() -> bool

The Cor20 header has a field named EntryPointToken. This field contains the token of the managed entry point if not 0. The token encodes information in which row of the MethodDef table the entry point is located.

.NET executables always have an entry point defined in EntryPointToken, while it is optional for .NET DLLs in contrast to native PE DLLs.

Parameters:

Return value:

True or False

Example:

# Import class DotNetPE from module dotnetfile
from dotnetfile import DotNetPE

# Create an instance of DotNetPE with the file path as a parameter
dotnet_file = DotNetPE('/Users/<username>/my_dotnet_assembly.exe')

# Print out if .NET assembly has a managed entry point
print(f'Has managed entry point: {dotnet_file.Cor20Header.entry_point_exists()}')

# Get entry point information

Cor20Header.get_header_entry_point() -> Optional[Union[Struct.NativeEntryPoint, Struct.ManagedEntryPoint]]

Gets information about the native or managed entry point. It checks if the .NET assembly has a native or managed entry point. In the latter case, it decodes the EntryPointToken and gets all the information of the method from the MethodDef and cross-referenced tables. This includes the method name along with the type, namespace and possible parameter(s).

When a .NET assembly has a native entry point, it is a mixed assembly. Then, the RVA in the EntryPointToken points to the DllEntryPoint function that initializes the native part in case of a DLL.

Parameters:

Return value:

The result can be one of the following dataclass objects or None:

Class NativeEntryPoint:

EntryPointType str Type of entry point
Address str RVA of the entry point

Class ManagedEntryPoint:

EntryPointType str Type of entry point
Method str Method name
Type [Optional] str Type name
Namespace [Optional] str Namespace name
Signature [Optional] Dict Method information:
- hasthis bool Method has a "this" pointer
- return str Return value
- parameter Tuple[str] Parameter(s)

Example:

# Import class DotNetPE from module dotnetfile
from dotnetfile import DotNetPE

# Create an instance of DotNetPE with the file path as a parameter
dotnet_file = DotNetPE('/Users/<username>/my_dotnet_assembly.exe')

# Get information about the entry point
defined_entry_point = dotnet_file.Cor20Header.get_header_entry_point()

# Check if an entry point exists and print out detailed information
if defined_entry_point:
    print(f'Entry point type: {defined_entry_point.EntryPointType}')
    if defined_entry_point.EntryPointType == 'Managed':
        print(f'Method: {defined_entry_point.Method}')
        print(f'Type: {defined_entry_point.Type}')
        print(f'Namespace: {defined_entry_point.Namespace}')
        if defined_entry_point.Signature:
            print('Signature:')
            print(f'\tParameter: {defined_entry_point.Signature["parameter"]}')
            print(f'\tReturn value: {defined_entry_point.Signature["return"]}')
            print(f'\tHas this pointer: {defined_entry_point.Signature["hasthis"]}')
    elif defined_entry_point.EntryPointType == 'Native':
        print(f'Address: {defined_entry_point.Address}')