What is the format of `*.ni.dll.aux` files?

Question

What is the format (data layout) of *.ni.dll.aux files found in C:\Windows\assembly\NativeImages_v4.0.30319_64? I understand that these are auxiliary files generated by ngen.exe. What data do they contain?

Answer 1

analysis shows it to be a fairly simple format (as Hans Passant pointed out). it has a type word followed by a length word at 3 levels: at the file level, record level, and datum level (these are arbitrary terms I am using for clarity).

this is an overview:

jcomeau@aspire:~/stackoverflow/17681514$ ./job.py System.Net.ni.dll.aux 
00000005 (00000204): 0b000000bc0000000d000000...00000000000000000000cccc
 0000000b (000000bc): 0d0000005000000053797374...00000000000000000000cccc
  0000000d: (00000050) 'System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\x00\xcc\xcc'
  00000007: (00000004) '\t\x11\x00\x00'
  00000002: (00000008) '\x00i,\x03c]\xcd\x01'
  00000008: (00000014) '\xf3\xd8#\x08\xf7\x08\x9a$1\x11\xb8\x18Rv\xf4@\xa1y\xb2.'
  0000000a: (00000024) '\x011.0.23-106002268\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
 00000004 (00000098): 010000004c0000006d73636f...00000000000000000000cccc
  00000001: (0000004c) 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00'
  00000003: (00000010) '\x9d\xa5\xbb3\xcd\x1c4\xb7\x85\x1c\x08\x8f\x0c\xf7I\xcc'
  0000000a: (00000024) '\x011.0.23-106002119\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'
 00000004 (00000098): 010000004c00000053797374...00000000000000000000cccc
  00000001: (0000004c) 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\x00\xcc\xcc'
  00000003: (00000010) '\xe30[\xdb\xd0>\xf9\x19\x05\x1a\xa7\xf2x:\xc3*'
  0000000a: (00000024) '\x011.0.23-106003331\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcc\xcc'

here is the script (developed incrementally) that dumps the above:

jcomeau@aspire:~/stackoverflow/17681514$ cat job.py
#!/usr/bin/python
import sys, os, struct
def dump(infile):
 data = read(infile)
 filelength = len(data)
 filetype, length, data = next(data)
 assert filelength == length + 8
 print '%08x (%08x): %s' % (filetype, length, snippet(data))
 lengthcheck = 8
 while data:
  recordtype, recordlength, data = next(data)
  lengthcheck += 8 + recordlength
  #debug('remaining data: %s' % snippet(data))
  record, data = data[:recordlength], data[recordlength:]
  print ' %08x (%08x): %s' % (recordtype, recordlength, snippet(record))
  recordcheck = 0  # not 8 because record header was already not counted
  while record:
   subrecordtype, subrecordlength, record = next(record)
   recordcheck += 8 + subrecordlength
   datum, record = record[:subrecordlength], record[subrecordlength:]
   print '  %08x: (%08x) %s' % (subrecordtype, subrecordlength, repr(datum))
  assert recordcheck == recordlength
 assert lengthcheck == filelength
def next(data):
 'each chunk is a type word followed by a length word'
 if not data:
  typeword, length = 0, 0
 elif len(data) > 16:
  typeword = struct.unpack('<I', data[:4])[0]
  length = struct.unpack('<I', data[4:8])[0]
 else:
  raise Exception('Invalid data length %d' % len(data))
 return typeword, length, data[8:]
def read(filename):
 input = open(filename, 'rb')
 data = input.read()
 input.close()
 return data
def snippet(data):
 snippet = data[:12].encode('hex')
 if len(data) > 12:
  snippet += '...'
 if len(data) > 24:
  snippet += data[-12:].encode('hex')
 return snippet
def debug(message):
 if __debug__:
  if message:
   print >>sys.stderr, message
  return True
if __name__ == '__main__':
 for infile in sys.argv[1:]:
  dump(infile)

each record has a subrecord type 0xa which appears to be a version number of sorts. subrecord type 0x3 might be a GUID, just judging by its length. types 0x1 and 0xd are descriptive. I have no clue what subrecord types 0x7 and 0x2 may be. perhaps 0x7 is a 32-bit offset into the matching .dll, but the 64-bit number in type 0x2 doesn't suggest anything in particular to me. type 0x8, 20 bytes long, could be some type of hash. perhaps others can fill in the blanks.

string values, as you can see, end in 0x0 plus 0xcccc. record type 0xa is mostly string data, but preceded by an 0x1 byte, and fixed length of 0x24, so it is padded with extra 0x0s. other record types, but not all, also end in 0xcccc.

the files were obtained by a google search for "index.of dll.aux", and found here: http://www.badelement.co.uk/Movies/Storage/Win-7-Pro_64/Windows/assembly/NativeImages_v4.0.30319_64/System.Net/d79a634a4d873717e2dab52d827ba985/