bool IBinaryAppender <ImportFunctionModule.ImageBoundImportDescription, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageBoundImportDescription s, uint size, ReaderWithOffsetArgs arg)
{
if (s.TimeDateStamp == 0)
{
return(false);
}
ImportFunctionSection ifs = arg.Tag as ImportFunctionSection;
if (ifs == null)
{
return(false);
}
string name = arg.Source.ReadStringAnsiAt(arg.Offset + s.OffsetModuleName);
ImportFunctionModule ifm = ifs[name];
// if there is a module to update:
if (ifm != null)
{
ReaderWithOffsetArgs mArg = new ReaderWithOffsetArgs(arg.Source, arg.Offset, 0, null);
ifm.BoundDate = new DateTime(1970, 1, 1).AddSeconds(s.TimeDateStamp);
// append given number of forwarders, having the same size as the current structure
// and lying just after:
for (ushort i = 0; i < s.NumberOfModuleForwarderRefs; i++)
{
Append
<ImportFunctionModule.ImageBoundImportForwarderRef, ImportFunctionModule, ReaderWithOffsetArgs>(
arg.Source, ifm, mArg);
}
}
return(true);
}
private void AppendRelocationSection(UnmanagedDataReader s, DataSectionDescription relocationSection)
{
uint delta;
uint offset = GetVirtualRelativeAddress(relocationSection.VirtualAddress, out delta);
ReaderWithOffsetArgs arg;
RelocationSection section;
if (offset == 0)
{
return;
}
// read the info:
s.Jump(offset);
// add all sections:
section = new RelocationSection();
arg = new ReaderWithOffsetArgs(s, offset, delta, section);
while (Append <RelocationSection.ImageBaseRelocation, WindowsPortableExecutable, ReaderWithOffsetArgs>
(s, this, arg))
{
}
// append relocation section when any data was read from file:
if (section.Count > 0)
{
section.UpdateFileInfo(RelocationSection.DefaultName, offset, s.CurrentOffset - offset);
section.UpdateVirtualInfo(offset, s.CurrentOffset - offset);
Add(section);
}
}
/// <summary>
/// Extracts info about Import section.
/// </summary>
private void AppendImportSection(UnmanagedDataReader s, DataSectionDescription importSection, DataSectionDescription importBoundSection, NtHeaderSection ntSection)
{
ImportFunctionSection ifs = new ImportFunctionSection();
uint delta;
uint offset = GetVirtualRelativeAddress(importSection.VirtualAddress, out delta);
if (offset == 0 || ntSection == null)
{
return;
}
// analize data inside given section:
ReaderWithOffsetArgs arg = new ReaderWithOffsetArgs(s, offset, delta, ifs);
// read the info:
s.Jump(offset);
while (Append <ImportFunctionModule.ImageImportDescriptor, WindowsPortableExecutable, ReaderWithOffsetArgs>
(s, this, arg))
{
// store the current location:
offset = s.CurrentOffset;
// read functions assigned to given module:
if (ntSection.MachineType == MachineType.Intel_x86)
{
ReadImportData <ImportFunctionModule.ImageImportData32, WindowsPortableExecutable>(s, arg.Tag as ImportFunctionModule);
}
else
if (ntSection.MachineType == MachineType.Intel_x64)
{
ReadImportData <ImportFunctionModule.ImageImportData64, WindowsPortableExecutable>(s, arg.Tag as ImportFunctionModule);
}
// restore the offset:
s.Jump(offset);
arg.Tag = ifs;
}
// check if there is additional bound-import infor available and read it:
if (importBoundSection != null)
{
ReaderWithOffsetArgs iArg = new ReaderWithOffsetArgs(s, importBoundSection.VirtualAddress, 0, ifs);
s.Jump(importBoundSection.VirtualAddress);
while (Append <ImportFunctionModule.ImageBoundImportDescription, WindowsPortableExecutable, ReaderWithOffsetArgs>(s, this, iArg))
{
}
}
// if import section was correctly filled by at least one element then store it:
if (ifs.Count > 0)
{
ifs.UpdateFileInfo(ImportFunctionSection.DefaultName, offset, s.LastReadSize * (uint)ifs.Count);
ifs.UpdateVirtualInfo(importSection.VirtualAddress, importSection.Size);
Add(ifs);
}
}
internal bool Read(ReaderWithOffsetArgs e)
{
const uint sizeOfUInt32 = 4;
const uint sizeOfUInt16 = 2;
string forwardedName;
List <ExportFunctionDescription> r = new List <ExportFunctionDescription>();
// update the pointers with offset:
NameAddress -= e.Delta;
FunctionAddress -= e.Delta;
OrdinalAddress -= e.Delta;
ModuleNameAddress -= e.Delta;
// read the module name:
ModuleName = e.Source.ReadStringAnsiAt(ModuleNameAddress);
// read functions:
for (uint i = 0; i < Count; i++)
{
uint entryPointRVA = e.Source.ReadUInt32At(FunctionAddress + sizeOfUInt32 * i);
uint ordinal = i + OrdinalBase;
uint nameAddress;
if (entryPointRVA != 0)
{
// check if this function has an associated name exported:
for (uint j = 0; j < Count; j++)
{
if (e.Source.ReadUInt16At(OrdinalAddress + sizeOfUInt16 * j) == i)
{
nameAddress = e.Source.ReadUInt32At(NameAddress + sizeOfUInt32 * j) - e.Delta;
forwardedName = ContainsVirtual(entryPointRVA)
? e.Source.ReadStringAnsiAt(entryPointRVA - e.Delta)
: null;
r.Add(new ExportFunctionDescription(e.Source.ReadStringAnsiAt(nameAddress),
forwardedName, ordinal, entryPointRVA, j));
}
}
}
}
Functions = r;
// calculate the function dictionary by names:
HashFunctions = new Dictionary <string, ExportFunctionDescription>();
foreach (ExportFunctionDescription f in r)
{
if (!HashFunctions.ContainsKey(f.Name))
{
HashFunctions.Add(f.Name, f);
}
}
return(true);
}
bool IBinaryAppender <RelocationSection.ImageBaseRelocation, ReaderWithOffsetArgs> .Attach(ref RelocationSection.ImageBaseRelocation s, uint size, ReaderWithOffsetArgs arg)
{
UnmanagedDataReader r = arg.Source;
RelocationSection section = arg.Tag as RelocationSection;
RelocationDescription desc;
ushort data = 0;
RelocationType type;
uint count;
uint offset;
// validate input data:
if (s.SizeOfBlock == 0 || s.VirtualAddress == 0 || section == null)
{
return(false);
}
// append data to section:
count = (s.SizeOfBlock - (uint)Marshal.SizeOf(typeof(RelocationSection.ImageBaseRelocation))) /
(uint)Marshal.SizeOf(typeof(ushort));
if (count > 0)
{
desc = new RelocationDescription(s.VirtualAddress, s.SizeOfBlock);
for (uint i = 0; i < count; i++)
{
if (r.Read(ref data))
{
type = (RelocationType)((data & 0xF000) >> 12);
offset = (uint)(data & 0x0FFF);
if (type == RelocationType.BasedHighAdjust)
{
if (r.Read(ref data))
{
offset += ((uint)data) << 12;
count--;
}
}
desc.Add(new RelocationItem(type, offset));
}
else
{
break;
}
}
// if data is defined inside the given description:
if (desc.Count > 0)
{
section.Add(desc);
}
}
return(true);
}
bool IBinaryAppender <ImportFunctionModule.ImageImportData64, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageImportData64 s, uint size, ReaderWithOffsetArgs arg)
{
return(AttachImportData(ref s, arg.Source, arg.Delta, arg.Tag as ImportFunctionModule));
}
bool IBinaryAppender <ImportFunctionModule.ImageImportDescriptor, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageImportDescriptor s, uint size, ReaderWithOffsetArgs arg)
{
ImportFunctionSection imports = arg.Tag as ImportFunctionSection;
IBinaryAppender <ImportFunctionModule.ImageImportDescriptor, ReaderWithOffsetArgs> t = new ImportFunctionModule();
// read the next import module description:
if (t.Attach(ref s, size, arg))
{
if (imports != null)
{
imports.Add(t as ImportFunctionModule);
arg.Tag = t;
return(true);
}
}
return(false);
}
/// <summary>
/// Setup internal data based on given input read from native image.
/// </summary>
bool IBinaryAppender <ExportFunctionSection.ImageExportDirectory, ReaderWithOffsetArgs> .Attach(ref ExportFunctionSection.ImageExportDirectory s, uint size, ReaderWithOffsetArgs arg)
{
ExportFunctionSection x = new ExportFunctionSection();
IBinaryConverter <ExportFunctionSection.ImageExportDirectory> c = x;
DataSectionDescription e = arg.Tag as DataSectionDescription;
if (!c.Convert(ref s, arg.Offset, size))
{
return(false);
}
if (e != null)
{
x.UpdateVirtualInfo(e.VirtualAddress, e.Size);
}
if (x.Read(arg))
{
Add(x);
return(true);
}
return(false);
}
