private void loadImportTable(Process process, uint importTableAddress, uint length, uint baseAddress)
{
// Read in the first import descriptor structure
byte[] image_import_descriptor_rawData = oMemoryFunctions.readMemory(process, importTableAddress, (uint)Marshal.SizeOf(typeof(image_import_descriptor)));
image_import_descriptor descriptor = (image_import_descriptor)oMemoryFunctions.RawDataToObject(ref image_import_descriptor_rawData, typeof(image_import_descriptor));
List<image_import_by_name> imports = new List<image_import_by_name>(0);
while (descriptor.FirstThunk != 0 || descriptor.OriginalFirstThunk != 0 || descriptor.Name != 0)
{
// Process this descriptor
imports.Add(new image_import_by_name(process, descriptor, (int)baseAddress));
// Read next descriptor
image_import_descriptor_rawData = oMemoryFunctions.readMemory(process, oMemoryFunctions.addressAdd(importTableAddress, (ulong)(imports.Count * Marshal.SizeOf(typeof(image_import_descriptor)))), (uint)Marshal.SizeOf(typeof(image_import_descriptor)));
descriptor = (image_import_descriptor)oMemoryFunctions.RawDataToObject(ref image_import_descriptor_rawData, typeof(image_import_descriptor));
}
// Now lets process the array of descriptors
foreach (image_import_by_name dllDescriptor in imports)
{
for (int i = 0; i < dllDescriptor.ImportTableAddresses.Count; i++)
{
// Process this function import
try
{
IMPORT_FUNCTION newImport = new IMPORT_FUNCTION();
newImport.name = dllDescriptor.Names[i];
newImport.memoryAddress = (uint) dllDescriptor.ImportTableAddresses[i];
newImport.targetAddress = oMemoryFunctions.readMemoryDword(process,
(ulong) newImport.memoryAddress);
importTable.Add(newImport);
}catch
{
// Not a critical error
}
}
}
}
public image_import_by_name(Process process, image_import_descriptor descriptor, int baseAddress)
{
AddressOfData = new List<uint>(0);
ImportTableAddresses = new List<int>(0);
Names = new List<string>(0);
// Read the AddressOfData array in
if (descriptor.OriginalFirstThunk != 0 && descriptor.FirstThunk != 0)
{
// Read in the descriptor table with names
int i = 0;
uint newAddress = oMemoryFunctions.readMemoryDword(process,
((ulong) descriptor.OriginalFirstThunk +
(ulong) baseAddress + (ulong) i*4) & 0x7fffffff);
while (newAddress != 0)
{
// Add this new address
AddressOfData.Add(newAddress & 0x7fffffff);
// Add the string corresponding to this new function
if ((newAddress & 0x80000000) > 0)
{
// Export by ordinal
newAddress = newAddress & 0x7fffffff;
Names.Add("ordinal 0x" +
oMemoryFunctions.readMemoryUShort(process, (ulong)(newAddress + baseAddress) & 0x7fffffff).
ToString("X"));
}
else if (newAddress > 0)
{
// Export by name
Names.Add(oMemoryFunctions.readMemoryString(process, (ulong)(newAddress + baseAddress + 2) & 0x7fffffff, 256));
}
else
{
// There is no name or ordinal given, probably obfuscated?
Names.Add("obfuscated?");
}
// Add the pe table address corresponding to this function
ImportTableAddresses.Add((descriptor.FirstThunk + baseAddress + i*4) & 0x7fffffff);
// Read in the next value
i++;
newAddress = oMemoryFunctions.readMemoryDword(process,
((ulong) descriptor.OriginalFirstThunk +
(ulong) baseAddress + (ulong) i*4) & 0x7fffffff);
}
}else
{
// Read in the descriptor table without names
int i = 0;
ulong addressThunk = (ulong) (descriptor.OriginalFirstThunk != 0
? descriptor.OriginalFirstThunk
: descriptor.FirstThunk);
if( addressThunk == 0 )
return; // We have no imports that we can read in.
uint newAddress = oMemoryFunctions.readMemoryDword(process,
(addressThunk +
(ulong)baseAddress + (ulong)i * 4) & 0x7fffffff);
while (newAddress != 0)
{
// Add this new address
AddressOfData.Add(newAddress & 0x7fffffff);
Names.Add("");
ImportTableAddresses.Add( ( (int)addressThunk + baseAddress + i * 4 ) & 0x7fffffff);
// Read in the next value
i++;
newAddress = oMemoryFunctions.readMemoryDword(process,
(addressThunk +
(ulong)baseAddress + (ulong)i * 4) & 0x7fffffff);
}
}
}
