private string FormatFunctionName(ImportFunction impFunc)
{
var tmp = "";
if (impFunc.Name == null) // Import by ordinal
{
if (impFunc.DLL.ToLower() == "oleaut32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.oleaut32, impFunc.Hint);
}
else if (impFunc.DLL.ToLower() == "ws2_32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.ws2_32, impFunc.Hint);
}
else if (impFunc.DLL.ToLower() == "wsock32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.wsock32, impFunc.Hint);
}
else // cannot resolve ordinal to a function name
{
tmp += "ord";
tmp += impFunc.Hint.ToString();
}
}
else // Import by name
{
tmp += impFunc.Name;
}
return(tmp.ToLower());
}
private string ComputeImpHash(ICollection <ImportFunction> importedFunctions)
{
if (importedFunctions == null || importedFunctions.Count == 0)
{
return(null);
}
var list = new List <string>();
foreach (var impFunc in importedFunctions)
{
var tmp = impFunc.DLL.Split('.')[0];
tmp += ".";
if (impFunc.Name == null) // Import by ordinal
{
if (impFunc.DLL == "oleaut32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.oleaut32, impFunc.Hint);
}
else if (impFunc.DLL == "ws2_32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.ws2_32, impFunc.Hint);
}
else if (impFunc.DLL == "wsock32.dll")
{
tmp += OrdinalSymbolMapping.Lookup(OrdinalSymbolMapping.Modul.wsock32, impFunc.Hint);
}
else // cannot resolve ordinal to a function name
{
tmp += "ord";
tmp += impFunc.Hint.ToString();
}
}
else // Import by name
{
tmp += impFunc.Name;
}
list.Add(tmp.ToLower());
}
// Concatenate all imports to one string separated by ','.
var imports = string.Join(",", list);
var md5 = MD5.Create();
var inputBytes = Encoding.ASCII.GetBytes(imports);
var hash = md5.ComputeHash(inputBytes);
var sb = new StringBuilder();
foreach (var t in hash)
{
sb.Append(t.ToString("x2"));
}
return(sb.ToString());
}