Exemple #1
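        /// <summary>
        /// Reads the export table of the ntdll.dll image that is loaded in the current process.
        /// </summary>
        /// <remarks>
        /// The path is taken from the current process's module list, not from a search path or a
        /// hard-coded location. The module name is compared case-insensitively because Windows file
        /// names are not case-sensitive.
        /// </remarks>
        /// <returns>The exported functions reported by <see cref="PortableExecutableParser"/>.</returns>
        /// <exception cref="System.InvalidOperationException">No loaded module is named ntdll.dll.</exception>
        private List<ExportedFunction> GetNtDllFunctions()
        {
            string ntDllPath;

            // Process is IDisposable; release it as soon as the path string has been copied out.
            using (var currentProcess = Process.GetCurrentProcess())
            {
                ntDllPath = currentProcess.Modules
                    .Cast<ProcessModule>()
                    .First(module => string.Equals(module.ModuleName, "ntdll.dll", System.StringComparison.OrdinalIgnoreCase))
                    .FileName;
            }

            using (var peParser = new PortableExecutableParser(ntDllPath))
            {
                return peParser.GetExportedFunctions();
            }
        }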
Exemple #2
        /// <summary>
        /// Collects the objects used to work with a target process, selected by name, and a DLL on disk.
        /// </summary>
        /// <param name="targetProcessName">Name handed to <see cref="ProcessInstance"/> to select the target process.</param>
        /// <param name="dllPath">Path of the DLL; stored in <c>DllPath</c> and handed to <see cref="PortableExecutableParser"/>.</param>
        /// <remarks>
        /// NOTE(review): neither argument is validated in this constructor, so any checking has to live in
        /// the callers or in the constructors invoked below. How <see cref="ProcessInstance"/> resolves a
        /// name shared by several processes is not visible here — confirm.
        /// </remarks>
        internal PropertyWrapper(string targetProcessName, string dllPath)
        {
            DllPath = dllPath;

            // One syscall manager is shared by the process wrapper and the memory manager.
            var syscalls = new SyscallManager();
            SyscallManager = syscalls;

            var target = new ProcessInstance(targetProcessName, syscalls);
            TargetProcess = target;

            // The memory manager works through the handle exposed by the process wrapper.
            MemoryManager = new MemoryManager(target.Handle, syscalls);

            // Parsed last, after the process has been resolved.
            PeParser = new PortableExecutableParser(dllPath);
        }
Exemple #3
        /// <summary>
        /// Collects the objects used to work with a target process, selected by process id, and a DLL
        /// supplied as an in-memory byte array.
        /// </summary>
        /// <param name="targetProcessId">Process id handed to <see cref="ProcessInstance"/>.</param>
        /// <param name="dllBytes">Raw DLL image; stored in <c>DllBytes</c> and handed to <see cref="PortableExecutableParser"/>.</param>
        /// <remarks>
        /// NOTE(review): the array is stored by reference and is not length- or null-checked here, so a
        /// caller that later mutates it also changes what <c>DllBytes</c> holds. Whether the parser copies
        /// the bytes is not visible here — confirm.
        /// </remarks>
        internal PropertyWrapper(int targetProcessId, byte[] dllBytes)
        {
            DllBytes = dllBytes;

            // One syscall manager is shared by the process wrapper and the memory manager.
            var syscalls = new SyscallManager();
            SyscallManager = syscalls;

            var target = new ProcessInstance(targetProcessId, syscalls);
            TargetProcess = target;

            // The memory manager works through the handle exposed by the process wrapper.
            MemoryManager = new MemoryManager(target.Handle, syscalls);

            // Parsed last, after the process has been resolved.
            PeParser = new PortableExecutableParser(dllBytes);
        }
Exemple #4
        /// <summary> Load a native file into memory and emulate the CPU *EXPERIMENTAL* </summary>
        /// <param name="FilePath">Path of the native executable to parse and decode.</param>
        /// <remarks>
        /// The same path is handed to three separate readers (<c>PortableExecutableParser</c>,
        /// <c>x86Data.PeToInstructions</c> and <c>PEReader</c>).
        /// NOTE(review): if each of them opens the file independently, the views can disagree when the
        /// file changes in between — confirm.
        /// NOTE(review): a <c>Module</c> is created for every DLL name in the file's import table. If that
        /// constructor loads the named DLL into this process, the import names of an untrusted input
        /// decide what gets loaded — confirm before using this on files you do not trust.
        /// </remarks>
        public AsmNet(string FilePath)
        {
            PeParser     = new PortableExecutableParser(FilePath);
            Instructions = x86Data.PeToInstructions(FilePath);

            // One Module per imported DLL, keyed by the DLL name as it appears in the import table.
            Modules = new SortedList<string, Module>();
            foreach (string importedDll in PeParser.Imports.Keys)
            {
                Modules.Add(importedDll, new Module(importedDll));
            }

            // Annotate CALL and JMP instructions whose target is one of the imported addresses.
            foreach (Instruction instruction in Instructions)
            {
                // Exact type comparison: types derived from CALL or JMP are deliberately not matched.
                Type kind = instruction.GetType();
                bool isCall = kind == typeof(CALL);
                if (!isCall && kind != typeof(JMP))
                {
                    continue;
                }

                foreach (SortedList<string, IntPtr> importTable in PeParser.Imports.Values)
                {
                    IntPtr target = isCall
                        ? new IntPtr(((CALL)instruction).FuncAddress)
                        : new IntPtr(((IJump)instruction).JumpAddress);

                    if (!importTable.Values.Contains(target))
                    {
                        continue;
                    }

                    // The DLL and function names are not resolved yet; both stay as placeholders.
                    string DLL  = "???";
                    string Func = "???";

                    instruction.ExtraInformation = DLL + "." + Func;
                }
            }

            //PeLoader = new PELoader(File.Open(FilePath, FileMode.Open));
            //int EntryPoint = PeLoader.getEntryPoint();
            PeReader = new PEReader(FilePath);
        }
 /// <summary>
 /// Parses the executable at <paramref name="ClonePath"/> and returns a copy of its import table.
 /// </summary>
 /// <param name="ClonePath">Path of the executable whose imports are read; passed to the parser unchecked.</param>
 /// <returns>A new list built from the parser's <c>Imports</c> sequence.</returns>
 public List<Tuple<string, List<string>>> CloneImportTable(string ClonePath)
 {
     // ToList() materialises a fresh list, so callers do not hold the parser's own collection.
     return new PortableExecutableParser(ClonePath).Imports.ToList();
 }
Exemple #6
        /// <summary>
        /// Parses the executable at <paramref name="ClonePath"/> and returns a copy of its import table.
        /// </summary>
        /// <param name="ClonePath">Path of the executable whose imports are read; passed to the parser unchecked.</param>
        /// <returns>A new list built from the parser's <c>Imports</c> sequence.</returns>
        public List<Tuple<string, List<string>>> CloneImportTable(string ClonePath)
        {
            var sourceImage = new PortableExecutableParser(ClonePath);

            // ToList() materialises a fresh list, so callers do not hold the parser's own collection.
            List<Tuple<string, List<string>>> importTable = sourceImage.Imports.ToList();
            return importTable;
        }
 /// <summary>
 /// Creates the parser instance exercised by the tests in this class.
 /// </summary>
 public PortableExecutableParserTests() => _parserUnderTest = new PortableExecutableParser();
Exemple #8
        /// <summary>
        /// Parses the module at <paramref name="modulePath"/> and stores its exported functions.
        /// </summary>
        /// <param name="modulePath">Path of the module file; passed to <see cref="PortableExecutableParser"/> unchecked.</param>
        internal PeInstance(string modulePath)
        {
            var parser = new PortableExecutableParser(modulePath);
            PeParser = parser;

            // The export list is read once, at construction, and kept in ExportedFunctions.
            ExportedFunctions = parser.GetExportedFunctions();
        }