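/// <summary>
/// Resolves an api set contract name (e.g. "api-ms-win-core-file-l1-2-0.dll") to the first
/// host module recorded for it in <c>ApiSetmapCache</c>.
/// </summary>
/// <param name="ImportDllName">
/// Import name as read from a PE import table. Only names starting with "api-" or "ext-" are
/// treated as api set contracts; any other name (including null/empty) yields <c>null</c>.
/// </param>
/// <returns>
/// The first target module of the contract, or <c>null</c> when the name is not an api set,
/// is malformed, or has no entry (or no target) in the cache.
/// </returns>
public static string LookupApiSetLibrary(string ImportDllName)
{
    //ApiSetSchema ApiSetmapCache = Phlib.GetApiSetSchema();

    // Import names come straight out of the analyzed (untrusted) binary: a missing name is
    // "not an api set", not a NullReferenceException.
    if (string.IsNullOrEmpty(ImportDllName))
    {
        return null;
    }

    // Look for api set target. Ordinal comparison: contract names are identifiers, not
    // culture-sensitive text.
    if (!ImportDllName.StartsWith("api-", StringComparison.Ordinal)
        && !ImportDllName.StartsWith("ext-", StringComparison.Ordinal))
    {
        return null;
    }

    // Strip the .dll extension and the last number (which is probably a build counter):
    // the cache is keyed on "api-ms-win-core-file-l1-2", not "api-ms-win-core-file-l1-2-0".
    string ImportDllNameWithoutExtension;
    try
    {
        ImportDllNameWithoutExtension = Path.GetFileNameWithoutExtension(ImportDllName);
    }
    catch (ArgumentException)
    {
        // On .NET Framework this throws for names containing invalid path characters, which a
        // crafted import table can carry; treat such a name as "not an api set" instead of
        // aborting the whole analysis.
        return null;
    }

    // A crafted name such as "api-\foo.dll" loses its "api-" prefix to GetFileNameWithoutExtension
    // (it keeps only the last path segment) and may then contain no dash at all;
    // Substring(0, -1) would throw ArgumentOutOfRangeException.
    int LastDash = ImportDllNameWithoutExtension.LastIndexOf('-');
    if (LastDash < 0)
    {
        return null;
    }
    string ImportDllHashKey = ImportDllNameWithoutExtension.Substring(0, LastDash);

    // Single lookup instead of ContainsKey + indexer.
    ApiSetTarget Targets;
    if (ApiSetmapCache.TryGetValue(ImportDllHashKey, out Targets) && Targets.Count > 0)
    {
        return Targets[0];
    }

    return null;
}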
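/// <summary>
/// Background processing of a single PE file: resolves every import DLL (api set contracts
/// included) to a module on disk and appends one <see cref="ImportContext"/> per import to
/// <paramref name="NewTreeContexts"/>.
/// It can be lengthy since there are disk access (and misses).
/// </summary>
/// <param name="NewTreeContexts"> Result list, passed by reference because this function runs on a separate thread; one entry is appended per import, whether or not the module was found. </param>
/// <param name="newPe"> Current PE file analyzed </param>
private void ProcessPe(List <ImportContext> NewTreeContexts, PE newPe)
{
    List <PeImportDll> PeImports = newPe.GetImports();
    foreach (PeImportDll DllImport in PeImports)
    {
        bool FoundApiSet = false;
        string ImportDllName = DllImport.Name;

        // Look for api set target. Import names come from the analyzed (untrusted) binary,
        // so comparisons are ordinal and a malformed name must not abort the whole walk.
        if (ImportDllName.StartsWith("api-", StringComparison.Ordinal)
            || ImportDllName.StartsWith("ext-", StringComparison.Ordinal))
        {
            // Strip the .dll extension and the last number (which is probably a build counter)
            string ImportDllNameWithoutExtension = null;
            try
            {
                ImportDllNameWithoutExtension = Path.GetFileNameWithoutExtension(ImportDllName);
            }
            catch (ArgumentException)
            {
                // On .NET Framework this throws for names with invalid path characters; fall
                // through and resolve the raw name like any non-api-set import.
            }

            // A crafted name such as "api-\foo.dll" loses its "api-" prefix to
            // GetFileNameWithoutExtension and may then contain no dash: Substring(0, -1)
            // would throw, so only look the key up when a dash is present.
            int LastDash = (ImportDllNameWithoutExtension != null) ? ImportDllNameWithoutExtension.LastIndexOf('-') : -1;
            if (LastDash >= 0)
            {
                string ImportDllHashKey = ImportDllNameWithoutExtension.Substring(0, LastDash);

                // Single lookup instead of ContainsKey + indexer.
                ApiSetTarget Targets;
                if (this.ApiSetmapCache.TryGetValue(ImportDllHashKey, out Targets) && Targets.Count > 0)
                {
                    FoundApiSet = true;
                    ImportDllName = Targets[0];
                }
            }
        }

        ImportContext ImportModule = new ImportContext();
        ImportModule.PeFilePath = null;
        ImportModule.PeProperties = null;
        ImportModule.ModuleName = DllImport.Name;          // name as written in the import table
        ImportModule.IsApiSet = FoundApiSet;
        ImportModule.ApiSetModuleName = ImportDllName;     // resolved host module, or the raw name
        ImportModule.IsDelayLoadImport = (DllImport.Flags & 0x01) == 0x01; // TODO : Use proper macros

        // Find Dll in "paths"
        Tuple <ModuleSearchStrategy, String> FoundPe = FindPe.FindPeFromDefault(this.Pe, ImportDllName, this.SxsEntriesCache);
        ImportModule.ModuleLocation = FoundPe.Item1;
        if (ImportModule.ModuleLocation != ModuleSearchStrategy.NOT_FOUND)
        {
            // Only parse the file when the search actually located one.
            ImportModule.PeFilePath = FoundPe.Item2;
            ImportModule.PeProperties = BinaryCache.LoadPe(ImportModule.PeFilePath);
        }

        NewTreeContexts.Add(ImportModule);
    }
}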
/// <summary>
/// Prints every api set contract held by <c>this.Schema</c> to the console, one per line as
/// "name -> [ host1,host2 ]" (empty brackets when the contract has no host), preceded by a
/// "[-] Api Sets Map : " header and followed by a blank line.
/// </summary>
public void PrettyPrint()
{
    Console.WriteLine("[-] Api Sets Map : ");

    foreach (var Entry in this.Schema.GetAll())
    {
        string ContractName = Entry.Key;
        ApiSetTarget Hosts = Entry.Value;

        string HostList = "";
        if (Hosts.Count > 0)
        {
            HostList = String.Join(",", Hosts.ToArray());
        }

        Console.WriteLine("{0:s} -> [ {1:s} ]", ContractName, HostList);
    }

    Console.WriteLine("");
}
/// <summary>
/// Dumps the api set schema returned by <c>Phlib.GetApiSetSchema()</c> to the console, one
/// contract per line as "name -> [ host1,host2 ]" (empty brackets when there is no host).
/// The header and trailing blank line go through <c>VerboseWriteLine</c> (presumably gated on
/// a verbose flag) while the contract lines always go to <c>Console.WriteLine</c>.
/// </summary>
public static void DumpApiSets()
{
    VerboseWriteLine("[-] Api Sets Map : ");

    foreach (var Entry in Phlib.GetApiSetSchema())
    {
        string ContractName = Entry.Key;
        ApiSetTarget Hosts = Entry.Value;

        string HostList = "";
        if (Hosts.Count > 0)
        {
            HostList = String.Join(",", Hosts.ToArray());
        }

        Console.WriteLine("{0:s} -> [ {1:s} ]", ContractName, HostList);
    }

    VerboseWriteLine("");
}