Beispiel #1
0
 public ExportDirTable(BinaryReader reader, MModule mod)
 {
     _ExportFlags           = reader.ReadUInt32();
     _TimeStamp             = reader.ReadUInt32();
     _MajorVersion          = reader.ReadUInt16();
     _MinorVersion          = reader.ReadUInt16();
     _Name                  = mod.StringFromRVA(reader, reader.ReadUInt32());
     _OrdinalBase           = reader.ReadUInt32();
     _AddressTableEntries   = reader.ReadUInt32();
     _NamePointerCount      = reader.ReadUInt32();
     _ExportAddressTableRVA = reader.ReadUInt32();
     _NamePointerRVA        = reader.ReadUInt32();
     _OrdinalRVA            = reader.ReadUInt32();
 }
Beispiel #2
0
        public ImpExports(BinaryReader reader, MModule mod)
        {
            ArrayList            ides = new ArrayList();
            ImportDirectoryEntry ide  = null;

            _exports = new ExportRecord[0];
            _ith     = new ImportDirectoryEntry[0];

            //imports

            if (mod.ModHeaders.OSHeaders.PEHeader.DataDirs[1].Rva != 0)
            {
                uint start, end;
                start = mod.ModHeaders.Rva2Offset(mod.ModHeaders.OSHeaders.PEHeader.DataDirs[1].Rva);
                end   = mod.ModHeaders.OSHeaders.PEHeader.DataDirs[1].Size + start;

                reader.BaseStream.Position = start;

                while (reader.BaseStream.Position < end)
                {
                    ide = new ImportDirectoryEntry(reader, mod);

                    //in older PEs it seems there is no null terminating entry, but in .NET ones there is.
                    if (ide.Name == null)
                    {
                        break;
                    }
                    else
                    {
                        ides.Add(ide);
                    }
                }

                _ith = (ImportDirectoryEntry[])ides.ToArray(typeof(ImportDirectoryEntry));
            }

            //exports

            if (mod.ModHeaders.OSHeaders.PEHeader.DataDirs[0].Rva != 0)
            {
                reader.BaseStream.Position = mod.ModHeaders.Rva2Offset(mod.ModHeaders.OSHeaders.PEHeader.DataDirs[0].Rva);
                _extab = new ExportDirTable(reader, mod);

                _expAddrTab = new uint[_extab.AddressTableEntries];
                _expNameTab = new string[_extab.NamePointerCount];
                _expOrdTab  = new uint[_extab.NamePointerCount];

                reader.BaseStream.Position = mod.ModHeaders.Rva2Offset(_extab.ExportAddressTableRVA);

                for (int i = 0; i < _extab.AddressTableEntries; ++i)
                {
                    _expAddrTab[i] = reader.ReadUInt32();
                }

                reader.BaseStream.Position = mod.ModHeaders.Rva2Offset(_extab.OrdinalRVA);

                for (int i = 0; i < _extab.NamePointerCount; ++i)
                {
                    _expOrdTab[i] = reader.ReadUInt16();
                }

                reader.BaseStream.Position = mod.ModHeaders.Rva2Offset(_extab.NamePointerRVA);

                for (int i = 0; i < _extab.NamePointerCount; ++i)
                {
                    _expNameTab[i] = mod.StringFromRVA(reader, reader.ReadUInt32());
                }

                //assemble array of exportrecords
                uint len = _extab.AddressTableEntries;
                if (len > _extab.NamePointerCount)
                {
                    len = _extab.NamePointerCount;
                }
                _exports = new ExportRecord[len];
                for (int i = 0; i < len; ++i)
                {
                    _exports[i] = new ExportRecord(_expOrdTab[i], _expAddrTab[i], _expNameTab[i]);
                }
            }
        }
Beispiel #3
0
        public ImportDirectoryEntry(BinaryReader reader, MModule mod)
        {
            Start = reader.BaseStream.Position;

            uint iltRVA = reader.ReadUInt32();

            _DateTimeStamp  = reader.ReadUInt32();
            _ForwarderChain = reader.ReadUInt32();
            uint nameRVA = reader.ReadUInt32();

            _Name = mod.StringFromRVA(reader, nameRVA);
            uint iatRVA = reader.ReadUInt32();             //can also get this from the PEHeader's data dirs

            Length = reader.BaseStream.Position - Start;

            long offs = reader.BaseStream.Position;             // remember our position at the end of the imp dir entry record

            if (nameRVA == 0)
            {
                //indicate that this is not valid, because we reached the null terminating record
                //or because we are hopelessly lost
                _Name = null;
                return;
            }

            try
            {
                //get imp look table from RVA
                ArrayList arr;
                uint      tableOffs, field;

                if (iltRVA != 0)
                {
                    arr       = new ArrayList();
                    tableOffs = mod.ModHeaders.Rva2Offset(iltRVA);
                    reader.BaseStream.Position = tableOffs;
                    field = reader.ReadUInt32();
                    while (field != 0)
                    {
                        arr.Add(new ImportAddress(field, reader, mod));
                        field = reader.ReadUInt32();
                    }

                    _ImportLookupTable = (ImportAddress[])arr.ToArray(typeof(ImportAddress));
                }


                //get imp Addr table from RVA
                if (iatRVA != 0)
                {
                    arr       = new ArrayList();
                    tableOffs = mod.ModHeaders.Rva2Offset(iatRVA);
                    reader.BaseStream.Position = tableOffs;
                    field = reader.ReadUInt32();
                    while (field != 0)
                    {
                        arr.Add(field);
                        field = reader.ReadUInt32();
                    }

                    _ImportAddressTable = (uint[])arr.ToArray(typeof(uint));
                }
            }
            catch            //(Exception e)
            {
            }
            finally
            {
                //restore stream pos
                reader.BaseStream.Position = offs;
            }
        }