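/// <summary>
/// Returns the functions exported by the ntdll.dll module that is loaded in the current process.
/// </summary>
/// <returns>The list produced by <c>PortableExecutableParser.GetExportedFunctions</c> for that module's file.</returns>
/// <exception cref="System.InvalidOperationException">No module of the current process is named ntdll.dll.</exception>
private List<ExportedFunction> GetNtDllFunctions()
{
    string ntDllPath;

    // Process is disposable; release it as soon as the module path has been read.
    using (var currentProcess = Process.GetCurrentProcess())
    {
        // The path is taken from this process's own module list, so it names the copy that is
        // actually loaded rather than one found through a directory guess or the DLL search order.
        // Module names are compared without regard to case, as Windows file names are.
        ntDllPath = currentProcess.Modules
            .Cast<ProcessModule>()
            .First(module => string.Equals(module.ModuleName, "ntdll.dll", System.StringComparison.OrdinalIgnoreCase))
            .FileName;
    }

    // The parser is disposed once the export list has been produced.
    using (var peParser = new PortableExecutableParser(ntDllPath))
    {
        return peParser.GetExportedFunctions();
    }
}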
/// <summary>
/// Builds the wrapper from a target process name and the path of a DLL.
/// </summary>
/// <param name="targetProcessName">Name handed to the <c>ProcessInstance</c> constructor.</param>
/// <param name="dllPath">Path stored in <c>DllPath</c> and handed to the <c>PortableExecutableParser</c> constructor.</param>
internal PropertyWrapper(string targetProcessName, string dllPath)
{
    DllPath = dllPath;

    // A single SyscallManager is shared by the process instance and the memory manager.
    var syscalls = new SyscallManager();
    SyscallManager = syscalls;

    var process = new ProcessInstance(targetProcessName, syscalls);
    TargetProcess = process;

    MemoryManager = new MemoryManager(process.Handle, syscalls);

    // NOTE(review): the DLL is parsed last; if parsing throws, nothing created above is released
    // here. Confirm whether ProcessInstance owns a handle that needs disposing in that case.
    PeParser = new PortableExecutableParser(DllPath);
}
/// <summary>
/// Builds the wrapper from a target process id and the raw bytes of a DLL.
/// </summary>
/// <param name="targetProcessId">Id handed to the <c>ProcessInstance</c> constructor.</param>
/// <param name="dllBytes">Bytes stored in <c>DllBytes</c> and handed to the <c>PortableExecutableParser</c> constructor.</param>
internal PropertyWrapper(int targetProcessId, byte[] dllBytes)
{
    DllBytes = dllBytes;

    // A single SyscallManager is shared by the process instance and the memory manager.
    var syscalls = new SyscallManager();
    SyscallManager = syscalls;

    var process = new ProcessInstance(targetProcessId, syscalls);
    TargetProcess = process;

    MemoryManager = new MemoryManager(process.Handle, syscalls);

    // NOTE(review): the byte array is stored by reference, not copied, and parsed last; if parsing
    // throws, nothing created above is released here. Confirm whether ProcessInstance owns a
    // handle that needs disposing in that case.
    PeParser = new PortableExecutableParser(DllBytes);
}
/// <summary>
/// Loads a native file into memory and prepares it for CPU emulation. *EXPERIMENTAL*
/// </summary>
/// <param name="FilePath">Path of the file; it is handed to the PE parser, the instruction decoder and the PE reader.</param>
public AsmNet(string FilePath)
{
    // NOTE(review): FilePath is read by three separate components in this constructor (the parser
    // and decoder here, the PEReader at the end). If the file can change between those reads the
    // three views may disagree; confirm that is acceptable for the files this is used on.
    PeParser = new PortableExecutableParser(FilePath);
    Instructions = x86Data.PeToInstructions(FilePath);

    // One Module per imported DLL name.
    // NOTE(review): these names come from the import table of the file being analysed; confirm
    // how Module resolves a name before pointing this at untrusted files.
    Modules = new SortedList<string, Module>();
    foreach (string importedDll in PeParser.Imports.Keys)
    {
        Modules.Add(importedDll, new Module(importedDll));
    }

    // The DLL and function names are not resolved yet; both parts of the annotation are placeholders.
    const string unresolvedDll = "???";
    const string unresolvedFunc = "???";

    // Annotate every CALL and JMP whose target address appears among the imported addresses.
    foreach (Instruction instruction in Instructions)
    {
        // Exact type comparison: types derived from CALL or JMP are not annotated.
        var exactType = instruction.GetType();
        bool isCall = exactType == typeof(CALL);
        bool isJmp = !isCall && exactType == typeof(JMP);
        if (!isCall && !isJmp)
        {
            continue;
        }

        foreach (SortedList<string, IntPtr> importAddresses in PeParser.Imports.Values)
        {
            IntPtr target = isCall
                ? new IntPtr(((CALL)instruction).FuncAddress)
                : new IntPtr(((IJump)instruction).JumpAddress);

            if (importAddresses.Values.Contains(target))
            {
                instruction.ExtraInformation = unresolvedDll + "." + unresolvedFunc;
            }
        }
    }

    PeReader = new PEReader(FilePath);
}
/// <summary>
/// Reads the import table of the file at <paramref name="ClonePath"/> and returns it as a list.
/// </summary>
/// <param name="ClonePath">Path handed to the <c>PortableExecutableParser</c> constructor.</param>
/// <returns>
/// The parser's <c>Imports</c> sequence materialised with <c>ToList()</c>. Each tuple pairs a string
/// with a list of strings (presumably a DLL name and its imported function names; confirm against the parser).
/// </returns>
public List<Tuple<string, List<string>>> CloneImportTable(string ClonePath)
{
    // NOTE(review): the parser is not disposed here; confirm whether PortableExecutableParser
    // keeps the file open after construction.
    return new PortableExecutableParser(ClonePath).Imports.ToList();
}
/// <summary>
/// Reads the import table of the file at <paramref name="ClonePath"/> and returns it as a list.
/// </summary>
/// <param name="ClonePath">Path handed to the <c>PortableExecutableParser</c> constructor.</param>
/// <returns>
/// The parser's <c>Imports</c> sequence materialised with <c>ToList()</c>. Each tuple pairs a string
/// with a list of strings (presumably a DLL name and its imported function names; confirm against the parser).
/// </returns>
public List<Tuple<string, List<string>>> CloneImportTable(string ClonePath)
{
    // NOTE(review): the parser is not disposed here; confirm whether PortableExecutableParser
    // keeps the file open after construction.
    return new PortableExecutableParser(ClonePath).Imports.ToList();
}
/// <summary>
/// Creates a fresh <c>PortableExecutableParser</c> with its parameterless constructor and stores it
/// in <c>_parserUnderTest</c>.
/// </summary>
public PortableExecutableParserTests() => _parserUnderTest = new PortableExecutableParser();
/// <summary>
/// Parses the module at <paramref name="modulePath"/> and stores both the parser and the list of
/// functions it reports as exported.
/// </summary>
/// <param name="modulePath">Path handed to the <c>PortableExecutableParser</c> constructor.</param>
internal PeInstance(string modulePath)
{
    var parser = new PortableExecutableParser(modulePath);
    PeParser = parser;

    // The export list is read once, at construction time, and kept alongside the parser.
    ExportedFunctions = parser.GetExportedFunctions();
}