private unsafe static void dumpImportTable(Log log, RemotePtr <byte> mbase, IMAGE.DATA_DIRECTORY dir) { if (dir.VirtualAddress == 0) { return; } log.WriteLine("============================================================"); log.WriteLine(" IMPORT TABLE "); log.WriteLine("============================================================"); RemotePtr <IMAGE.IMPORT_DESCRIPTOR> pDesc = (mbase + dir.VirtualAddress).Reinterpret <IMAGE.IMPORT_DESCRIPTOR>(); RemotePtr <IMAGE.IMPORT_DESCRIPTOR> pDescM = pDesc.Advance((System.IntPtr)dir.Size); while (pDesc < pDescM) { IMAGE.IMPORT_DESCRIPTOR desc = (pDesc++)[0]; log.WriteVar("Importing from", (mbase + (int)desc.pstrName).ReadAnsiString()); log.WriteVar("ForwarderChain", desc.ForwarderChain); log.WriteVar("TimeDateStamp", desc.TimeDateStamp); log.WriteVar("FirstThunk", "0x" + desc.FirstThunk.ToString("X8")); log.WriteVar("OriginalFirstThunk", "0x" + desc.OriginalFirstThunk.ToString("X8")); if (desc.FirstThunk == 0) { continue; } RemotePtr <IMAGE.THUNK_DATA32> pIAT = (mbase + (int)desc.FirstThunk).Reinterpret <IMAGE.THUNK_DATA32>(); RemotePtr <IMAGE.THUNK_DATA32> pINT = (mbase + (int)desc.OriginalFirstThunk).Reinterpret <IMAGE.THUNK_DATA32>(); while (true) { IMAGE.THUNK_DATA32 iat_item = pIAT++.Value; IMAGE.THUNK_DATA32 int_item = pINT++.Value; if (iat_item.Function == 0) { break; } string name; if (int_item.IsSnapByOrdinal) { name = "#" + int_item.OrdinalValue.ToString(); } else { const int OffsetName = 2; // IMAGE_IMPORT_BY_NAME.Name メンバのオフセット name = (mbase + int_item.AddressOfData + OffsetName).ReadAnsiString(); if (name[0] == '?') { name = DbgHelp.UnDecorateSymbolName(name, DbgHelp.UNDNAME.COMPLETE); } } log.WriteLine("dllimport {0} \t@ 0x{1:X8}", name, iat_item.Function); } log.WriteLine("------------------------------------------------------------"); } }
public static string Demangle(string Symbol) { //IntPtr CurProc = Process.GetCurrentProcess().Handle; StringBuilder SB = new StringBuilder(4069); //DbgHelp.SymInitialize(CurProc, null, false); DbgHelp.UnDecorateSymbolName(Symbol, SB, SB.Capacity, UndnameFlags.UNDNAME_COMPLETE); //DbgHelp.SymCleanup(CurProc); return(SB.ToString().Trim()); }
public ImportFunction this[int index] { get{ if (index < 0 || funccount <= index) { throw new System.ArgumentOutOfRangeException("index"); } const int OffsetName = 2; // IMAGE_IMPORT_BY_NAME.Name メンバのオフセット RemotePtr <FPtr> ppfn; string name; if (!pIAT32.IsNull) { // 対象が PE32 の場合 ppfn = (pIAT32 + index).Reinterpret <FPtr>(); // ■↑■ 64bit から 32bit の中の FPtr を触ると× IMAGE.THUNK_DATA32 int32 = pINT32[index]; if (int32.IsSnapByOrdinal) { return(new ImportFunction(int32.OrdinalValue, ppfn)); } else { name = (module.mbase + int32.AddressOfData + OffsetName).ReadAnsiString(); } } else { // 対象が PE32+ の場合 ppfn = (pIAT64 + index).Reinterpret <FPtr>(); IMAGE.THUNK_DATA64 int64 = pINT64[index]; if (int64.IsSnapByOrdinal) { return(new ImportFunction(int64.OrdinalValue, ppfn)); } else { name = (module.mbase + int64.AddressOfData + OffsetName).ReadAnsiString(); } } // 名前によるインポートの場合 if (name == null) { name = "<FAILED TO GET NAME>"; } else if (name.Length > 1 && name[0] == '?') { name = DbgHelp.UnDecorateSymbolName(name, DbgHelp.UNDNAME.COMPLETE); } return(new ImportFunction(name, ppfn)); } }