First, a brief introduction to the NumberOfRvaAndSizes field of the Optional Header structure under the NT headers of a PE file (Windows executables (EXE) and dynamic link libraries (DLL) both use the Portable Executable file format):
MSDN description: The number of directory entries in the remainder of the optional header. Each entry describes a location and size.
NumberOfRvaAndSizes stores the number of data directory entries. Generally, the value is 00 00 10 (16). It tells the system how many data directories of an EXE or DLL can be accessed. Before reading a data directory, the system must first determine how many data directories there are. If the value is set to 0, 1 or 2, the program or DLL can no longer run or be loaded: 0 indicates that there is no data directory, 1 indicates that there is an export table, and 2 indicates that there is an export table and an import table. Without the correct number of data directories, the system cannot locate some of the important runtime data and imported functions (.idata and .edata) of the original program.
The following is the definition of _IMAGE_OPTIONAL_HEADER corresponding to the Optional Header (in winnt.h):
    typedef struct _IMAGE_OPTIONAL_HEADER {
        WORD  Magic;
        BYTE  MajorLinkerVersion;
        BYTE  MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        DWORD ImageBase;
        DWORD SectionAlignment;
        DWORD FileAlignment;
        WORD  MajorOperatingSystemVersion;
        WORD  MinorOperatingSystemVersion;
        WORD  MajorImageVersion;
        WORD  MinorImageVersion;
        WORD  MajorSubsystemVersion;
        WORD  MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD  Subsystem;
        WORD  DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        DWORD NumberOfRvaAndSizes;  /* number of entries in DataDirectory */
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
For more information about the fields of the _IMAGE_OPTIONAL_HEADER structure, see MSDN: http://msdn.microsoft.com/en-us/library/ms680339(vs.85).aspx
Reflector can decompile and display program code that has not been encrypted or obfuscated. However, you can counter this through the Optional Header structure in the PE's NT headers (provided that the other party is not familiar with decompilation and unpacking techniques): change the NumberOfRvaAndSizes value mentioned above so that it is small enough, but not less than 2.
First, find a DLL and open it with Reflector. You can view the source code.
Figure 1: Reflector viewing cliapi.dll
Use a PE tool (such as CFF Explorer or WinHex) to find the Optional Header, modify NumberOfRvaAndSizes, and save cliapi.dll again.
Figure 2: Modifying NumberOfRvaAndSizes of the Optional Header in CFF Explorer
Open cliapi.dll in Reflector again. It reports "Invalid Number of Data Directories In NT Header" and the code cannot be viewed.
Figure 3: Reflector viewing the modified cliapi.dll
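A triage check for the modification described above, as an added example that is not part of the original article: it reads NumberOfRvaAndSizes from a PE header and compares it with the number of 8-byte directory slots that SizeOfOptionalHeader leaves room for. It assumes the edit changed only NumberOfRvaAndSizes and left SizeOfOptionalHeader untouched; the function names and the header stub built by `build_sample` are constructed for the example.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B
# Offset of NumberOfRvaAndSizes within the optional header, per format.
COUNT_OFFSET = {PE32: 92, PE32_PLUS: 108}

def check_data_directory_count(data: bytes) -> dict:
    """Compare NumberOfRvaAndSizes with the slots SizeOfOptionalHeader has room for."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature;
    # SizeOfOptionalHeader is the WORD at offset 16 inside it.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in COUNT_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count_off = COUNT_OFFSET[magic]
    (declared,) = struct.unpack_from("<I", data, opt + count_off)
    # Each IMAGE_DATA_DIRECTORY is 8 bytes (RVA + size).
    slots = max(0, (opt_size - (count_off + 4)) // 8)
    return {"declared": declared, "slots": slots, "suspicious": declared != slots}

def build_sample(count: int) -> bytes:
    """Constructed PE32 header stub: only the fields read above are set."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)      # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (224 = 96 + 16 * 8), Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 92, count)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    for n in (16, 2):   # untouched header vs. the edit described above
        print(n, check_data_directory_count(build_sample(n)))
```

A header whose declared count is smaller than its slot count was most likely edited after linking; restoring the field to the slot count is the corresponding repair.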