/// <summary>
/// Reads the Export Address Table (EAT) of this module from live memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <returns></returns>
public Tuple <string, int>[] ReadExportedFunctions(MemUtils memUtils, IntPtr imageBase, _IMAGE_EXPORT_DIRECTORY ied)
{
List <Tuple <string, int> > functions = new List <Tuple <string, int> >();
IntPtr lpFunctions = (IntPtr)(imageBase.ToInt64() + ied.AddressOfFunctions);
IntPtr lpNames = (IntPtr)(imageBase.ToInt64() + ied.AddressOfNames);
for (int i = 0; i < ied.NumberOfFunctions; i++)
{
int address = memUtils.Read <int>((IntPtr)(lpFunctions.ToInt64() + i * 4));
string name = "?";
if (lpFunctions != lpNames)
{
int nameAddress = memUtils.Read <int>((IntPtr)(lpNames.ToInt64() + i * 4));
name = memUtils.ReadString((IntPtr)(imageBase.ToInt64() + nameAddress), 64, Encoding.ASCII);
}
functions.Add(new Tuple <string, int>(name, address));
}
return(functions.ToArray());
}
/// <summary>
/// Reads the name of this module from live-memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <returns></returns>
public string ReadName(MemUtils memUtils, _IMAGE_EXPORT_DIRECTORY ied, IntPtr imageBase)
{
return memUtils.ReadString((IntPtr)(imageBase.ToInt64() + ied.Name), 32, Encoding.ASCII);
}
/// <summary>
/// Reads the name of this module from live-memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <returns></returns>
public string ReadName(MemUtils memUtils, _IMAGE_EXPORT_DIRECTORY ied, IntPtr imageBase)
{
return(memUtils.ReadString((IntPtr)(imageBase.ToInt64() + ied.Name), 32, Encoding.ASCII));
}
/// <summary>
/// Reads the Export Address Table (EAT) of this module from live memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <returns></returns>
public Tuple<string, int>[] ReadExportedFunctions(MemUtils memUtils, IntPtr imageBase, _IMAGE_EXPORT_DIRECTORY ied)
{
List<Tuple<string, int>> functions = new List<Tuple<string, int>>();
IntPtr lpFunctions = (IntPtr)(imageBase.ToInt64() + ied.AddressOfFunctions);
IntPtr lpNames = (IntPtr)(imageBase.ToInt64() + ied.AddressOfNames);
for (int i = 0; i < ied.NumberOfFunctions; i++)
{
int address = memUtils.Read<int>((IntPtr)(lpFunctions.ToInt64() + i * 4));
string name = "?";
if (lpFunctions != lpNames)
{
int nameAddress = memUtils.Read<int>((IntPtr)(lpNames.ToInt64() + i * 4));
name = memUtils.ReadString((IntPtr)(imageBase.ToInt64() + nameAddress), 64, Encoding.ASCII);
}
functions.Add(new Tuple<string, int>(name, address));
}
return functions.ToArray();
}