public computeImports(string path, DataTable table)
{
uint hLib = LoadLibraryEx(path, 0, 0);
uint size = 0;
IMAGE_IMPORT_DESCRIPTOR *pIID = (IMAGE_IMPORT_DESCRIPTOR *)ImageDirectoryEntryToData((void *)hLib, true, 1, out size);
if (hLib != 0 && pIID != null)
{
table.Columns.Add("import function", typeof(string));
table.Columns.Add("address", typeof(string));
table.Columns.Add("dll", typeof(string));
table.Columns.Add("ordinal", typeof(string));
while (pIID->OriginalFirstThunk != 0)
{
char * szName = (char *)(hLib + pIID->Name);
string name = Marshal.PtrToStringAnsi((IntPtr)szName);
THUNK_DATA *pThunkOrg = (THUNK_DATA *)(hLib + pIID->OriginalFirstThunk);
while (pThunkOrg->AddressOfData != 0)
{
char *szImportName;
uint Ord;
if ((pThunkOrg->Ordinal & 0x80000000) > 0)
{
Ord = pThunkOrg->Ordinal & 0xffff;
table.Rows.Add("", pThunkOrg->Function.ToString("X8"), name, Ord.ToString());
}
else
{
IMAGE_IMPORT_BY_NAME *pIBN = (IMAGE_IMPORT_BY_NAME *)(hLib + pThunkOrg->AddressOfData);
if (!IsBadReadPtr((void *)pIBN, (uint)sizeof(IMAGE_IMPORT_BY_NAME)))
{
Ord = pIBN->Hint;
szImportName = (char *)pIBN->Name;
string sImportName = Marshal.PtrToStringAnsi((IntPtr)szImportName);
table.Rows.Add(sImportName, pThunkOrg->Function.ToString("X8"), name, Ord.ToString());
}
else
{
break;
}
}
pThunkOrg++;
}
pIID++;
}
table.DefaultView.Sort = "import function";
}
}
// using mscoree.dll as an example as it doesnt export any thing
// so nothing shows up if you use your own module.
// and the only none delayload in mscoree.dll is the Kernel32.dll
private static void TestImports(uint hLib, bool mappedAsImage)
{
unsafe
{
//fixed (char* pszModule = "mscoree.dll")
{
//void* hMod = Interop.GetModuleHandleW(pszModule);
void *hMod = (void *)hLib;
uint size = 0;
uint BaseAddress = (uint)hMod;
if (hMod != null)
{
Console.WriteLine("Got handle");
IMAGE_IMPORT_DESCRIPTOR *pIID = (IMAGE_IMPORT_DESCRIPTOR *)Interop.ImageDirectoryEntryToData((void *)hMod, mappedAsImage, Interop.IMAGE_DIRECTORY_ENTRY_IMPORT, out size);
if (pIID != null)
{
Console.WriteLine("Got Image Import Descriptor");
while (pIID->OriginalFirstThunk != 0)
{
try
{
char * szName = (char *)(BaseAddress + pIID->Name);
string name = Marshal.PtrToStringAnsi((IntPtr)szName);
Console.WriteLine("pIID->Name = {0} BaseAddress - {1}", name, (uint)BaseAddress);
THUNK_DATA *pThunkOrg = (THUNK_DATA *)(BaseAddress + pIID->OriginalFirstThunk);
while (pThunkOrg->AddressOfData != 0)
{
char *szImportName;
uint Ord;
if ((pThunkOrg->Ordinal & 0x80000000) > 0)
{
Ord = pThunkOrg->Ordinal & 0xffff;
Console.WriteLine("imports ({0}).Ordinal{1} - Address: {2}", name, Ord, pThunkOrg->Function);
}
else
{
IMAGE_IMPORT_BY_NAME *pIBN = (IMAGE_IMPORT_BY_NAME *)(BaseAddress + pThunkOrg->AddressOfData);
if (!Interop.IsBadReadPtr((void *)pIBN, (uint)sizeof(IMAGE_IMPORT_BY_NAME)))
{
Ord = pIBN->Hint;
szImportName = (char *)pIBN->Name;
string sImportName = Marshal.PtrToStringAnsi((IntPtr)szImportName); // yes i know i am a lazy ass
Console.WriteLine("imports ({0}).{1}@{2} - Address: {3}", name, sImportName, Ord, pThunkOrg->Function);
}
else
{
Console.WriteLine("Bad ReadPtr Detected or EOF on Imports");
break;
}
}
pThunkOrg++;
}
}
catch (AccessViolationException e)
{
Console.WriteLine("An Access violation occured\n" +
"this seems to suggest the end of the imports section\n");
Console.WriteLine(e);
}
pIID++;
}
}
}
}
}
Console.WriteLine("Press Any Key To Continue......");
Console.ReadKey();
}
// using mscoree.dll as an example as it doesnt export any thing
// so nothing shows up when use the own module.
// and the only none delayload in mscoree.dll is the Kernel32.dll
private static void LoadImports(uint hLib, bool mappedAsImage)
{
unsafe
{
{
void *hMod = (void *)hLib;
uint size = 0;
uint BaseAddress = (uint)hMod;
if (hMod != null)
{
IMAGE_IMPORT_DESCRIPTOR *pIID = (IMAGE_IMPORT_DESCRIPTOR *)Interop.ImageDirectoryEntryToData((void *)hMod, mappedAsImage, Interop.IMAGE_DIRECTORY_ENTRY_IMPORT, out size);
if (pIID != null)
{
Console.WriteLine("Got Image Import Descriptor");
//walk the array until find the end of the array
while (pIID->OriginalFirstThunk != 0)
{
try
{
//Name contains the RVA to the name of the dll.
//Thus convert it to a virtual address first
char * szName = (char *)(BaseAddress + pIID->Name);
string name = Marshal.PtrToStringAnsi((IntPtr)szName);
Console.WriteLine("pIID->Name = {0} BaseAddress - {1}", name, (uint)BaseAddress);
// value in OriginalFirstThunk is an RVA.
// convert it to virtual address.
THUNK_DATA *pThunkOrg = (THUNK_DATA *)(BaseAddress + pIID->OriginalFirstThunk);
while (pThunkOrg->AddressOfData != 0)
{
char *szImportName;
uint Ord;
if ((pThunkOrg->Ordinal & 0x80000000) > 0)
{
Ord = pThunkOrg->Ordinal & 0xffff;
Console.WriteLine("imports ({0}).Ordinal{1} - Address: {2}", name, Ord, pThunkOrg->Function);
}
else
{
IMAGE_IMPORT_BY_NAME *pIBN = (IMAGE_IMPORT_BY_NAME *)(BaseAddress + pThunkOrg->AddressOfData);
if (!Interop.IsBadReadPtr((void *)pIBN, (uint)sizeof(IMAGE_IMPORT_BY_NAME)))
{
Ord = pIBN->Hint;
szImportName = (char *)pIBN->Name;
string sImportName = Marshal.PtrToStringAnsi((IntPtr)szImportName); // yes i know i am a lazy ass
Console.WriteLine("imports ({0}).{1}@{2} - Address: {3}", name, sImportName, Ord, pThunkOrg->Function);
}
else
{
Console.WriteLine("Bad ReadPtr Detected or EOF on Imports");
break;
}
}
pThunkOrg++;
}
}
catch (AccessViolationException e)
{
Console.WriteLine("An Access violation occured\n" +
"this seems to suggest the end of the imports section\n");
Console.WriteLine(e);
}
pIID++;
}
}
}
}
}
}
// using mscoree.dll as an example as it doesnt export any thing
// so nothing shows up when use the own module.
// and the only none delayload in mscoree.dll is the Kernel32.dll
/// <summary>
/// return the imported dlls and functions from them
/// </summary>
/// <param name="filePath"></param>
/// <param name="mappedAsImage"></param>
/// <returns></returns>
private void LoadImports(string filePath, bool mappedAsImage, List <ImportFunctionObject> ImportFunctions, List <String> ImportNames)
{
var hLib = LoadLibrary(filePath);
if (hLib == null)
{
var errorCode = GetLastError();
}
//var hLib = LoadLibraryEx(filePath, 0,
// DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL);
unsafe
{
{
void *hMod = (void *)hLib;
uint size = 0;
uint BaseAddress = (uint)hMod;
if (hMod != null)
{
IMAGE_IMPORT_DESCRIPTOR *pIID = (IMAGE_IMPORT_DESCRIPTOR *)Interop.ImageDirectoryEntryToData((void *)hMod, mappedAsImage, Interop.IMAGE_DIRECTORY_ENTRY_IMPORT, out size);
if (pIID != null)
{
//walk the array until find the end of the array
while (pIID->OriginalFirstThunk != 0)
{
try
{
//Name contains the RVA to the name of the dll.
//Thus convert it to a virtual address first.
char * szName = (char *)(BaseAddress + pIID->Name);
string name = Marshal.PtrToStringAnsi((IntPtr)szName);
if (!name.Contains("api-ms-win"))
{
ImportNames.Add(name);
// value in OriginalFirstThunk is an RVA.
// convert it to virtual address.
THUNK_DATA *pThunkOrg = (THUNK_DATA *)(BaseAddress + pIID->OriginalFirstThunk);
while (pThunkOrg->AddressOfData != 0)
{
char *szImportName;
uint Ord;
if ((pThunkOrg->Ordinal & 0x80000000) > 0)
{
Ord = pThunkOrg->Ordinal & 0xffff;
}
else
{
IMAGE_IMPORT_BY_NAME *pIBN = (IMAGE_IMPORT_BY_NAME *)(BaseAddress + pThunkOrg->AddressOfData);
if (!Interop.IsBadReadPtr((void *)pIBN, (uint)sizeof(IMAGE_IMPORT_BY_NAME)))
{
Ord = pIBN->Hint;
szImportName = (char *)pIBN->Name;
string sImportName = Marshal.PtrToStringAnsi((IntPtr)szImportName);
UInt32 Address = pThunkOrg->Function;
ImportFunctions.Add(new ImportFunctionObject(sImportName, Address, name));
}
else
{
break;
}
}
pThunkOrg++;
}
}
//else
//{
// smartSuggestionEngine.readErrorCode(name, 7);
//}
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine("An Access violation occured\n" +
"this seems to suggest the end of the imports section\n");
System.Diagnostics.Debug.WriteLine(e);
}
pIID++;
}
}
}
}
}
return;
}
