I would like to open a PE file (which i know is a .Net assembly) and find where the .Net bytecode is (ideally starting at the entrypoint). I know that the PE header data (entrypoint RVA) take me just to a stub which calls CorExeMain from mscoree.dll.
This is not what i'm looking for though. I would like to find the bytecode that gets run by mscorlib. How can i do that using C++ and no external tools like ildasm, dumpbin etc. ? I can already parse the PE header and know what image base/RVA means. I just cannot figure out where to find sufficient info about the location of the IL bytecode.
Have a look at ECMA-335 - the details of the file format are in there, in partition II section 22-25. I seem to remember finding a few bugs in it when I tried to write a parser a while ago, but with a bit of perseverance it's all doable.