public DisplayModuleInfo(string ModuleName, PE Pe, ModuleSearchStrategy Location, ModuleFlag Flags = 0)
        {
            _Name     = ModuleName;
            _Filepath = Pe.Filepath;
            _Flags    = Flags;


            // Do not set this variables in order to
            // lessen memory allocations
            _Imports  = null;
            _Exports  = null;
            _Location = Location;

            _Info = new ModuleInfo()
            {
                Machine  = Pe.Properties.Machine,
                Magic    = Pe.Properties.Magic,
                Filesize = Pe.Properties.FileSize,

                ImageBase   = (UInt64)Pe.Properties.ImageBase,
                SizeOfImage = Pe.Properties.SizeOfImage,
                EntryPoint  = (UInt64)Pe.Properties.EntryPoint,

                Checksum        = Pe.Properties.Checksum,
                CorrectChecksum = Pe.Properties.CorrectChecksum,

                Subsystem        = Pe.Properties.Subsystem,
                SubsystemVersion = Pe.Properties.SubsystemVersion,

                Characteristics    = Pe.Properties.Characteristics,
                DllCharacteristics = Pe.Properties.DllCharacteristics,
            };

            AddNewEventHandler("FullPath", "FullPath", "ModuleName", this.GetPathDisplayName);
        }
Example #2
0
        public static Tuple <ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache)
        {
            Tuple <ModuleSearchStrategy, string> ResolvedFilepath;

            string ApiSetName = LookupApiSetLibrary(ModuleName);

            if (ApiSetName != null)
            {
                ModuleName = ApiSetName;
            }

            ResolvedFilepath = FindPe.FindPeFromDefault(RootPe, ModuleName, SxsCache);

            // ApiSet override the underneath search location if found
            ModuleSearchStrategy ModuleLocation = ResolvedFilepath.Item1;

            if ((ApiSetName != null) && (ResolvedFilepath.Item2 != null))
            {
                ModuleLocation = ModuleSearchStrategy.ApiSetSchema;
            }

            //
            PE ResolvedModule = null;

            if (ResolvedFilepath.Item2 != null)
            {
                ResolvedModule = LoadPe(ResolvedFilepath.Item2);
            }


            return(new Tuple <ModuleSearchStrategy, PE>(ModuleLocation, ResolvedModule));
        }
Example #3
0
        /// <summary>
        /// Search the missing DLL
        /// </summary>
        /// <param name="ignoreapppath">If true, the current dir will be ignored</param>
        /// <returns>The names of missing DLL</returns>
        public List <string> FindMissingDll(bool ignoreapppath = false)
        {
            if (localPE == null)
            {
                throw new InvalidOperationException();
            }
            List <string>      result    = new List <string>();
            List <PeImportDll> peImports = GetImportDllList();

            Environment.SpecialFolder WindowsSystemFolder = (localPE.IsWow64Dll()) ?
                                                            Environment.SpecialFolder.SystemX86 :
                                                            Environment.SpecialFolder.System;
            string User32Filepath = Path.Combine(Environment.GetFolderPath(WindowsSystemFolder), "user32.dll");

            foreach (PeImportDll dllImp in peImports)
            {
                Tuple <ModuleSearchStrategy, PE> ResolvedModule = BinaryCache.ResolveModule(localPE, dllImp.Name, SxsEntriesCache);
                ModuleSearchStrategy             strategy       = ResolvedModule.Item1;
                if (strategy == ModuleSearchStrategy.NOT_FOUND)
                {
                    result.Add(dllImp.Name);
                }
                if (ignoreapppath && (strategy == ModuleSearchStrategy.ApplicationDirectory))
                {
                    result.Add(dllImp.Name);
                }
            }
            return(result);
        }
Example #4
0
        public PeDependencyItem(PeDependencies _Root, string _ModuleName, string ModuleFilepath, ModuleSearchStrategy Strategy, int Level)
        {
            Root       = _Root;
            ModuleName = _ModuleName;


            Imports        = new List <PeImportDll>();
            Filepath       = ModuleFilepath;
            SearchStrategy = Strategy;
            RecursionLevel = Level;

            DependenciesResolved = false;
            Dependencies         = new List <PeDependencyItem>();
            ResolvedImports      = new List <PeDependencyItem>();
        }
Example #5
0
        public PeDependencyItem(PeDependencies _Root, string _ModuleName, string ModuleFilepath, ModuleSearchStrategy Strategy, int Level)
        {
            Root       = _Root;
            ModuleName = _ModuleName;

            if (ModuleFilepath != null)
            {
                PE Module = BinaryCache.LoadPe(ModuleFilepath);
                Imports = Module.GetImports();
            }
            else
            {
                //Module = null;
                Imports = new List <PeImportDll>();
            }

            Filepath       = ModuleFilepath;
            SearchStrategy = Strategy;
            RecursionLevel = Level;

            DependenciesResolved = false;
        }
Example #6
0
        public PeDependencyItem(PeDependencies _Root, string _ModuleName, string ModuleFilepath, ModuleSearchStrategy Strategy, int Level)
        {
            Action action = () =>
            {
                Root       = _Root;
                ModuleName = _ModuleName;


                Imports        = new List <ImportDll>();
                Filepath       = ModuleFilepath;
                SearchStrategy = Strategy;
                RecursionLevel = Level;

                DependenciesResolved = false;
                FullDependencies     = new List <PeDependencyItem>();
                ResolvedImports      = new List <PeDependencyItem>();
                ModuleReferences     = new List <ImportDll>();
                AssemblyReferences   = new List <AssemblyNameReference>();
            };

            SafeExecutor(action);
        }
Example #7
0
        public static Tuple <ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache)
        {
            Tuple <ModuleSearchStrategy, string> ResolvedFilepath;

            // if no extension is used, assume a .dll
            if (Path.GetExtension(ModuleName) == String.Empty)
            {
                ModuleName = String.Format("{0:s}.dll", ModuleName);
            }

            string ApiSetName = LookupApiSetLibrary(ModuleName);

            if (ApiSetName != null)
            {
                ModuleName = ApiSetName;
            }

            ResolvedFilepath = FindPe.FindPeFromDefault(RootPe, ModuleName, SxsCache);

            // ApiSet override the underneath search location if found
            ModuleSearchStrategy ModuleLocation = ResolvedFilepath.Item1;

            if ((ApiSetName != null) && (ResolvedFilepath.Item2 != null))
            {
                ModuleLocation = ModuleSearchStrategy.ApiSetSchema;
            }

            //
            PE ResolvedModule = null;

            if (ResolvedFilepath.Item2 != null)
            {
                ResolvedModule = LoadPe(ResolvedFilepath.Item2);
            }


            return(new Tuple <ModuleSearchStrategy, PE>(ModuleLocation, ResolvedModule));
        }
Example #8
0
        public PeDependencyItem GetModuleItem(string ModuleName, string ModuleFilepath, ModuleSearchStrategy SearchStrategy, int RecursionLevel)
        {
            // Do not process twice the same item
            ModuleCacheKey ModuleKey = new ModuleCacheKey(ModuleName, ModuleFilepath);

            if (!ModulesCache.ContainsKey(ModuleKey))
            {
                ModulesCache[ModuleKey] = new PeDependencyItem(this, ModuleName, ModuleFilepath, SearchStrategy, RecursionLevel);
            }

            return(ModulesCache[ModuleKey]);
        }