/// <summary>
/// Matches the imports described by <paramref name="ModuleImport"/> against the exports of the
/// module loaded from <paramref name="ModuleFilePath"/>.
/// </summary>
/// <param name="ModuleImport">Import descriptor handed through to the export-list overload.</param>
/// <param name="ModuleFilePath">Path of the module to inspect; may be null.</param>
/// <returns>
/// The list produced by the export-list overload of LookupImports, or an empty list when the
/// path is null or LoadPe returns null.
/// </returns>
/// <remarks>
/// NOTE(review): an unresolved module yields an empty list, so a caller cannot tell "module
/// missing" apart from "descriptor has no imports". A dependency audit that relies on this
/// result should treat an empty list as inconclusive.
/// </remarks>
public static List<Tuple<PeImport, bool>> LookupImports(PeImportDll ModuleImport, string ModuleFilePath)
{
    if (ModuleFilePath == null)
    {
        return new List<Tuple<PeImport, bool>>();
    }

    // A non-null answer from LookupApiSetLibrary replaces the path that is actually loaded.
    string ResolvedPath = LookupApiSetLibrary(ModuleFilePath) ?? ModuleFilePath;

    // NOTE(review): if ModuleFilePath originates from an untrusted binary's import table,
    // confirm that LoadPe tolerates malformed files — not visible from here.
    PE Module = LoadPe(ResolvedPath);
    if (Module == null)
    {
        return new List<Tuple<PeImport, bool>>();
    }

    return LookupImports(ModuleImport, Module.GetExports());
}
/// <summary>
/// Matches the imports described by <paramref name="ModuleImport"/> against the exports of the
/// module designated by <paramref name="ModuleFilePath"/>, resolving an API set name first.
/// </summary>
/// <param name="ModuleImport">Import descriptor; its ImportList is enumerated when no module is found.</param>
/// <param name="ModuleFilePath">Path or name of the module to inspect; may be null.</param>
/// <returns>
/// The list produced by the export-list overload of LookupImports, or one entry per import
/// flagged <c>false</c> when no module could be obtained.
/// </returns>
public static List<Tuple<PeImport, bool>> LookupImports(PeImportDll ModuleImport, string ModuleFilePath)
{
    PE Module = null;

    if (ModuleFilePath != null)
    {
        string ApiSetTarget = LookupApiSetLibrary(ModuleFilePath);
        if (string.IsNullOrEmpty(ApiSetTarget))
        {
            // No API set mapping: load the file directly.
            Module = LoadPe(ModuleFilePath);
        }
        else
        {
            // API set mapping found: let ResolveModule locate the host module.
            // NOTE(review): the result of ResolveModule is dereferenced unchecked; confirm it
            // never returns null.
            Module = ResolveModule(ApiSetTarget).Item2;
        }
    }

    if (Module != null)
    {
        return LookupImports(ModuleImport, Module.GetExports());
    }

    // Module not found: report every import explicitly as unresolved rather than returning
    // an empty list, so the caller can see which symbols are missing.
    var Unresolved = new List<Tuple<PeImport, bool>>();
    foreach (PeImport Import in ModuleImport.ImportList)
    {
        Unresolved.Add(new Tuple<PeImport, bool>(Import, false));
    }

    return Unresolved;
}
/// <summary>
/// Loads <paramref name="Filepath"/> as a PE and prints every named export and every
/// by-name import next to the result of <c>SymPrv.UndecorateName</c>.
/// </summary>
/// <param name="Filepath">Path of the file to load.</param>
/// <param name="SymPrv">Demangler used to undecorate each symbol name.</param>
/// <returns><c>false</c> when the file cannot be loaded as a PE, <c>true</c> otherwise.</returns>
/// <remarks>
/// NOTE(review): export, import and DLL names are read from the parsed file and written to
/// the console unmodified. If this is run against untrusted binaries, consider stripping
/// control characters from the names before printing them.
/// </remarks>
static bool TestFilepath(string Filepath, Demangler SymPrv)
{
    PE Pe = new PE(Filepath);

    bool Loaded = Pe.Load();
    if (!Loaded)
    {
        Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", Filepath);
        return false;
    }

    foreach (PeExport Export in Pe.GetExports())
    {
        // Exports without a name are skipped.
        if (Export.Name.Length <= 0)
        {
            continue;
        }

        // The raw name is flushed before undecoration starts, so it is already on screen
        // if UndecorateName fails.
        Console.Write("\t Export : {0:s} -> ", Export.Name);
        Console.Out.Flush();
        Console.WriteLine("{0:s}", SymPrv.UndecorateName(Export.Name));
    }

    foreach (PeImportDll DllImport in Pe.GetImports())
    {
        foreach (PeImport Import in DllImport.ImportList)
        {
            // Only imports made by name are printed.
            if (Import.ImportByOrdinal)
            {
                continue;
            }

            Console.Write("\t Import from {0:s} : {1:s} -> ", DllImport.Name, Import.Name);
            Console.Out.Flush();
            Console.WriteLine("{0:s}", SymPrv.UndecorateName(Import.Name));
        }
    }

    return true;
}
/// <summary>
/// Matches the imports described by <paramref name="ModuleImport"/> against the exports of the
/// module designated by <paramref name="ModuleFilePath"/>, resolving an API set name first.
/// </summary>
/// <param name="ModuleImport">Import descriptor handed through to the export-list overload.</param>
/// <param name="ModuleFilePath">Path or name of the module to inspect; may be null.</param>
/// <returns>
/// The list produced by the export-list overload of LookupImports, or an empty list when the
/// path is null or no module could be obtained.
/// </returns>
/// <remarks>
/// NOTE(review): an unresolved module yields an empty list, which a caller cannot tell apart
/// from a descriptor with no imports; treat an empty result as inconclusive.
/// </remarks>
public static List<Tuple<PeImport, bool>> LookupImports(PeImportDll ModuleImport, string ModuleFilePath)
{
    var Result = new List<Tuple<PeImport, bool>>();
    if (ModuleFilePath == null)
    {
        return Result;
    }

    PE Module;
    string ApiSetTarget = LookupApiSetLibrary(ModuleFilePath);
    if (string.IsNullOrEmpty(ApiSetTarget))
    {
        // No API set mapping: load the file directly.
        Module = LoadPe(ModuleFilePath);
    }
    else
    {
        // NOTE(review): the result of ResolveModule is dereferenced unchecked; confirm it
        // never returns null.
        Module = ResolveModule(ApiSetTarget).Item2;
    }

    if (Module != null)
    {
        return LookupImports(ModuleImport, Module.GetExports());
    }

    return Result;
}
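/// <summary>
/// Checks every import in <paramref name="ModuleImport"/> against the exports of the module
/// loaded from <paramref name="ModuleFilePath"/>.
/// </summary>
/// <param name="ModuleImport">Import descriptor whose ImportList is checked.</param>
/// <param name="ModuleFilePath">Path of the module to inspect; may be null.</param>
/// <returns>
/// One (import, found) pair per entry of the import list, or an empty list when the path is
/// null or LoadPe returns null.
/// </returns>
/// <remarks>
/// NOTE(review): an unresolved module yields an empty list, which a caller cannot tell apart
/// from a descriptor with no imports; treat an empty result as inconclusive.
/// </remarks>
public static List<Tuple<PeImport, bool>> LookupImports(PeImportDll ModuleImport, string ModuleFilePath)
{
    List<Tuple<PeImport, bool>> Result = new List<Tuple<PeImport, bool>>();
    if (ModuleFilePath == null)
    {
        return Result;
    }

    // A non-null answer from LookupApiSetLibrary replaces the path that is actually loaded.
    string ResolvedPath = LookupApiSetLibrary(ModuleFilePath) ?? ModuleFilePath;

    PE Module = LoadPe(ResolvedPath);
    if (Module == null)
    {
        return Result;
    }

    // Fetch the export list once; the original asked the module for it again on every import.
    var Exports = Module.GetExports();

    foreach (PeImport Import in ModuleImport.ImportList)
    {
        bool bFoundImport = false;

        foreach (var Export in Exports)
        {
            bool bMatches;
            if (Import.ImportByOrdinal)
            {
                // Ordinal imports only match exports that are themselves exported by ordinal.
                bMatches = (Export.Ordinal == Import.Ordinal) && Export.ExportByOrdinal;
            }
            else
            {
                // NOTE(review): a by-name import also matches on ForwardedName equality. If
                // ForwardedName is empty for non-forwarded exports, an import with an empty
                // Name would be reported as found — confirm this is intended.
                bMatches = (Export.ForwardedName == Import.Name) || (Export.Name == Import.Name);
            }

            if (bMatches)
            {
                bFoundImport = true;
                break;
            }
        }

        Result.Add(new Tuple<PeImport, bool>(Import, bFoundImport));
    }

    return Result;
}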
/// <summary>
/// Tells whether the module loaded from <paramref name="ModuleFilePath"/> exports the
/// requested symbol.
/// </summary>
/// <param name="ModuleFilePath">Path of the module to inspect; may be null.</param>
/// <param name="ImportName">Symbol name, compared when <paramref name="ImportByOrdinal"/> is false.</param>
/// <param name="ImportOrdinal">Symbol ordinal, compared when <paramref name="ImportByOrdinal"/> is true.</param>
/// <param name="ImportByOrdinal">Selects ordinal matching instead of name matching.</param>
/// <returns>
/// <c>true</c> when a matching export exists; <c>false</c> when none matches, the path is
/// null, or LoadPe returns null.
/// </returns>
/// <remarks>
/// NOTE(review): <c>false</c> covers both "symbol absent" and "module could not be loaded";
/// callers that need to distinguish the two cannot do so from this return value.
/// </remarks>
public static bool LookupImport(string ModuleFilePath, string ImportName, int ImportOrdinal, bool ImportByOrdinal)
{
    if (ModuleFilePath == null)
    {
        return false;
    }

    // A non-null answer from LookupApiSetLibrary replaces the path that is actually loaded.
    string ResolvedPath = LookupApiSetLibrary(ModuleFilePath) ?? ModuleFilePath;

    PE Module = LoadPe(ResolvedPath);
    if (Module == null)
    {
        return false;
    }

    foreach (var Export in Module.GetExports())
    {
        if (ImportByOrdinal)
        {
            // Ordinal lookups only match exports that are themselves exported by ordinal.
            if ((Export.Ordinal == ImportOrdinal) && Export.ExportByOrdinal)
            {
                return true;
            }

            continue;
        }

        // NOTE(review): name lookups also match on ForwardedName equality; if ForwardedName
        // is empty for non-forwarded exports, an empty ImportName would match — confirm.
        if (Export.ForwardedName == ImportName || Export.Name == ImportName)
        {
            return true;
        }
    }

    return false;
}
/// <summary>
/// Prints the ordinal, name, virtual address and (when non-empty) forwarded name of every
/// export of <paramref name="Pe"/> to the console.
/// </summary>
/// <param name="Pe">Loaded PE whose exports are listed.</param>
/// <remarks>
/// NOTE(review): Name and ForwardedName come from the parsed file and are printed unmodified;
/// if this is run against untrusted binaries, consider stripping control characters first.
/// </remarks>
public static void DumpExports(PE Pe)
{
    // The export list is read before the header line is written, as in the original order.
    List<PeExport> ExportList = Pe.GetExports();

    VerboseWriteLine("[-] Export listing for file : {0}", Pe.Filepath);

    foreach (PeExport Entry in ExportList)
    {
        Console.WriteLine("Export {0:d} :", Entry.Ordinal);
        Console.WriteLine("\t Name : {0:s}", Entry.Name);

        // NOTE(review): the cast to int would truncate if VirtualAddress is wider than
        // 32 bits — confirm its declared type.
        Console.WriteLine("\t VA : 0x{0:X}", (int)Entry.VirtualAddress);

        // Only forwarded exports carry a forwarder string worth printing.
        if (Entry.ForwardedName.Length <= 0)
        {
            continue;
        }

        Console.WriteLine("\t ForwardedName : {0:s}", Entry.ForwardedName);
    }

    VerboseWriteLine("[-] Export listing done");
}
/// <summary>
/// Stores the given PE and caches the export list it returns from GetExports.
/// </summary>
/// <param name="_Application">PE whose exports are captured at construction time.</param>
public PEExports(PE _Application)
{
    Application = _Application;

    // The list is fetched once here; nothing in this constructor refreshes it afterwards.
    // NOTE(review): a null argument fails on this call — confirm callers never pass null.
    Exports = Application.GetExports();
}