I want to analyse the IL code of a simple c# method:
public static string test()
{
return "hello";
}
When I call GetILAsByteArray I'm getting the following bytes:
[0] 0x00 byte
[1] 0x72 byte
[2] 0x01 byte
[3] 0x00 byte
[4] 0x00 byte
[5] 0x70 byte
[6] 0x0a byte
[7] 0x2b byte
[8] 0x00 byte
[9] 0x06 byte
[10]0x2a byte
The second opcode is ldstr.
How I understood ldstr loads a string from metadata and pushes it on the stack.
(Description of ldstr from microsoft)
But how do I know which data is loaded from metadata? Tells me the following 0x01 that I have to take the data on index 1 from metadata or not? Or is ldstr followed by an int32? How should I interpret this bytes?
When you type hello string in your code, compiler writes this string into #US stream of PE (exe/dll) file.
#US stream (user strings) - holds array of 16 bit Unicode strings and these strings are referenced directly by ldstr.
Let's take your example 72 01 00 00 70, so in this case your string is located in offset 0x01 in #US stream.
The #US stream starts with a null byte and each following entry begins with a 7 bit encoded integer (represents the size in bytes of following entry).
More information can be found in Ecma-355 (I I.24.2.4 #US and #Blob heaps section)