How to programatically find the bytecode (CIL) in a .Net executable/dll?

Question

I would like to open a PE file (which i know is a .Net assembly) and find where the .Net bytecode is (ideally starting at the entrypoint). I know that the PE header data (entrypoint RVA) take me just to a stub which calls CorExeMain from mscoree.dll.

This is not what i'm looking for though. I would like to find the bytecode that gets run by mscorlib. How can i do that using C++ and no external tools like ildasm, dumpbin etc. ? I can already parse the PE header and know what image base/RVA means. I just cannot figure out where to find sufficient info about the location of the IL bytecode.

Thanks!

Answer 1

Have a look at ECMA-335 - the details of the file format are in there, in partition II section 22-25. I seem to remember finding a few bugs in it when I tried to write a parser a while ago, but with a bit of perseverance it's all doable.

Answer 2

I would probably grab the code from mono (cil_coff.h, pedump.c) rather than writing one from scratch.