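/// <summary>
/// Warms up the binary cache: loads every file already present in the on-disk
/// cache folder, then preloads the 64-bit and 32-bit KnownDlls from the system
/// folders they are really loaded from, so later lookups hit the cache.
/// </summary>
public void Load()
{
    // "warm up" the cache with whatever is already persisted on disk
    foreach (string cachedBinaryPath in Directory.EnumerateFiles(BinaryCacheFolderPath))
    {
        GetBinary(cachedBinaryPath);
    }

    string system32Folder = Environment.GetFolderPath(Environment.SpecialFolder.System);
    string sysWow64Folder = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

    // wow64.dll, wow64cpu.dll and wow64win.dll are listed as wow64 known dlls,
    // but they are actually x64 binaries living in System32, not SysWOW64.
    // Dll names are case-insensitive on Windows, hence the ignore-case match.
    string[] wow64Dlls = { "wow64.dll", "wow64cpu.dll", "wow64win.dll" };

    // preload all well-known dlls
    foreach (string knownDll in Phlib.GetKnownDlls(false))
    {
        GetBinary(Path.Combine(system32Folder, knownDll));
    }

    foreach (string knownDll in Phlib.GetKnownDlls(true))
    {
        bool livesInSystem32 = Array.Exists(
            wow64Dlls,
            d => string.Equals(d, knownDll, StringComparison.OrdinalIgnoreCase));

        string folder = livesInSystem32 ? system32Folder : sysWow64Folder;
        GetBinary(Path.Combine(folder, knownDll));
    }
}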
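/// <summary>
/// Prints the 64-bit and 32-bit KnownDlls lists to the console, each entry
/// prefixed with the system folder it resolves to (System32 for 64-bit,
/// SysWOW64 for 32-bit). Section headers go through <c>VerboseWriteLine</c>.
/// </summary>
public static void DumpKnownDlls()
{
    // The system folders do not change while we iterate: resolve them once
    // instead of once per KnownDll entry.
    string system32Folder = Environment.GetFolderPath(Environment.SpecialFolder.System);
    string sysWow64Folder = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

    VerboseWriteLine("[-] 64-bit KnownDlls : ");
    foreach (string knownDll in Phlib.GetKnownDlls(false))
    {
        Console.WriteLine(" {0:s}\\{1:s}", system32Folder, knownDll);
    }
    VerboseWriteLine("");

    VerboseWriteLine("[-] 32-bit KnownDlls : ");
    foreach (string knownDll in Phlib.GetKnownDlls(true))
    {
        Console.WriteLine(" {0:s}\\{1:s}", sysWow64Folder, knownDll);
    }
    VerboseWriteLine("");
}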
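/// <summary>
/// Warms up the binary cache: kicks off a load of every file already present in
/// the on-disk cache folder, then of the 64-bit and 32-bit KnownDlls from the
/// system folders they are really loaded from, so later lookups hit the cache.
/// </summary>
public void Load()
{
    // "warm up" the cache with whatever is already persisted on disk.
    // NOTE(review): the value returned by GetBinaryAsync is never awaited in
    // this method; assumed to be a deliberate fire-and-forget warm-up — confirm.
    foreach (string cachedBinaryPath in Directory.EnumerateFiles(BinaryCacheFolderPath))
    {
        GetBinaryAsync(cachedBinaryPath);
    }

    string system32Folder = Environment.GetFolderPath(Environment.SpecialFolder.System);
    string sysWow64Folder = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

    // wow64.dll, wow64cpu.dll and wow64win.dll are listed as wow64 known dlls,
    // but they are actually x64 binaries living in System32.
    // Dll names are case-insensitive on Windows, so match ignoring case rather
    // than with List.Contains, which is ordinal and case-sensitive.
    HashSet<string> wow64Dlls = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "wow64.dll", "wow64cpu.dll", "wow64win.dll"
    };

    // preload all well-known dlls
    foreach (string knownDll in Phlib.GetKnownDlls(false))
    {
        GetBinaryAsync(Path.Combine(system32Folder, knownDll));
    }

    foreach (string knownDll in Phlib.GetKnownDlls(true))
    {
        string folder = wow64Dlls.Contains(knownDll) ? system32Folder : sysWow64Folder;
        GetBinaryAsync(Path.Combine(folder, knownDll));
    }
}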
/// <summary>
/// Snapshots both KnownDlls lists at construction time.
/// </summary>
public NtKnownDlls()
{
    // Phlib.GetKnownDlls(false) is the 64-bit list, GetKnownDlls(true) the
    // wow64 (32-bit) list; both are read once and kept for the object's lifetime.
    this.x64 = Phlib.GetKnownDlls(false);
    this.x86 = Phlib.GetKnownDlls(true);
}
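// default search order :
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
//
// if (SafeDllSearchMode) {
//   -1. Sxs manifests
//    0. KnownDlls list
//    1. Loaded PE folder
//    2. C:\Windows\(System32 | SysWow64 )
//    3. 16-bit system directory <-- ignored
//    4. C:\Windows
//    5. %pwd%
//    6. AppDatas
// }
/// <summary>
/// Emulates the default (SafeDllSearchMode) loader search order to resolve
/// <paramref name="ModuleName"/> as imported by <paramref name="RootPe"/>.
/// </summary>
/// <param name="RootPe">The importing binary; its bitness selects System32 vs SysWOW64 and its folder is searched at step 1.</param>
/// <param name="ModuleName">The imported dll name as it appears in the import table.</param>
/// <param name="SxsCache">Side-by-side manifest entries already resolved for <paramref name="RootPe"/>.</param>
/// <returns>The strategy that matched and the resolved path, or <c>NOT_FOUND</c> with a null path.</returns>
public static Tuple<ModuleSearchStrategy, string> FindPeFromDefault(PE RootPe, string ModuleName, SxsEntries SxsCache)
{
    bool Wow64Dll = RootPe.IsWow64Dll();
    string RootPeFolder = Path.GetDirectoryName(RootPe.Filepath);
    string FoundPePath = null;

    // A 32-bit importer is redirected to SysWOW64 by the loader.
    Environment.SpecialFolder WindowsSystemFolder = Wow64Dll
        ? Environment.SpecialFolder.SystemX86
        : Environment.SpecialFolder.System;
    string WindowsSystemFolderPath = Environment.GetFolderPath(WindowsSystemFolder);

    // -1. Look in Sxs manifest (copious reversing needed)
    // TODO : find dll search order
    if (SxsCache.Count != 0)
    {
        SxsEntry Entry = SxsCache.Find(SxsItem => string.Equals(SxsItem.Name, ModuleName, StringComparison.OrdinalIgnoreCase));
        if (Entry != null)
        {
            return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.SxS, Entry.Path);
        }
    }

    // 0. Look in well-known dlls list
    // HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
    // https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/
    string KnownDll = Phlib.GetKnownDlls(Wow64Dll).Find(x => string.Equals(x, ModuleName, StringComparison.OrdinalIgnoreCase));
    if (KnownDll != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(
            ModuleSearchStrategy.WellKnownDlls,
            Path.Combine(WindowsSystemFolderPath, KnownDll));
    }

    // 1. Look in application folder
    FoundPePath = FindPeFromPath(ModuleName, new List<string> { RootPeFolder }, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.ApplicationDirectory, FoundPePath);
    }

    // {2-3-4}. Look in system folders
    List<string> SystemFolders = new List<string>
    {
        WindowsSystemFolderPath,
        Environment.GetFolderPath(Environment.SpecialFolder.Windows)
    };
    FoundPePath = FindPeFromPath(ModuleName, SystemFolders, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.WindowsFolder, FoundPePath);
    }

    // 5. Look in current directory
    // Ignored for the time being since we can't know from
    // where the exe is run
    // TODO : Add a user supplied path emulating %cwd%

    // 6. Look in local app data (check for python for exemple)

    // 7. Find in PATH
    // PATH may be absent from the analysing process (Split on null would throw),
    // and an empty entry ("a;;b" or a trailing ';') resolves to the current working
    // directory, which this emulation deliberately does not model (see step 5).
    // Both cases are dropped here.
    string PATH = Environment.GetEnvironmentVariable("PATH") ?? string.Empty;
    List<string> PATHFolders = new List<string>(PATH.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries));
    FoundPePath = FindPeFromPath(ModuleName, PATHFolders, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.Environment, FoundPePath);
    }

    return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.NOT_FOUND, null);
}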
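// default search order :
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
//
// if (SafeDllSearchMode) {
//   -1. Sxs manifests
//    0. KnownDlls list
//    1. Loaded PE folder
//    2. C:\Windows\(System32 | SysWow64 )
//    3. 16-bit system directory <-- ignored
//    4. C:\Windows
//    5. %pwd%
//    6. AppDatas
// }
/// <summary>
/// Emulates the default (SafeDllSearchMode) loader search order to resolve
/// <paramref name="ModuleName"/> as imported by <paramref name="RootPe"/>,
/// then falls back to absolute imports and user-supplied folders.
/// </summary>
/// <param name="RootPe">The importing binary; its bitness selects System32 vs SysWOW64 and its folder is searched at step 1.</param>
/// <param name="ModuleName">The imported dll name as it appears in the import table.</param>
/// <param name="SxsCache">Side-by-side manifest entries already resolved for <paramref name="RootPe"/>.</param>
/// <param name="CustomSearchFolders">Extra folders supplied by the user, tried last; may be null or empty.</param>
/// <param name="WorkingDirectory">Folder standing in for the process %cwd% at step 5; skipped when null or empty.</param>
/// <returns>The strategy that matched and the resolved path, or <c>NOT_FOUND</c> with a null path.</returns>
public static Tuple<ModuleSearchStrategy, string> FindPeFromDefault(PE RootPe, string ModuleName, SxsEntries SxsCache, List<string> CustomSearchFolders, string WorkingDirectory)
{
    bool Wow64Dll = RootPe.IsWow64Dll();
    string RootPeFolder = Path.GetDirectoryName(RootPe.Filepath);
    string FoundPePath = null;

    // A 32-bit importer is redirected to SysWOW64 by the loader.
    Environment.SpecialFolder WindowsSystemFolder = Wow64Dll
        ? Environment.SpecialFolder.SystemX86
        : Environment.SpecialFolder.System;
    string WindowsSystemFolderPath = Environment.GetFolderPath(WindowsSystemFolder);

    // -1. Look in Sxs manifest (copious reversing needed)
    // TODO : find dll search order
    if (SxsCache.Count != 0)
    {
        SxsEntry Entry = SxsCache.Find(SxsItem => string.Equals(SxsItem.Name, ModuleName, StringComparison.OrdinalIgnoreCase));
        if (Entry != null)
        {
            return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.SxS, Entry.Path);
        }
    }

    // 0. Look in well-known dlls list
    // HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
    // https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/
    string KnownDll = Phlib.GetKnownDlls(Wow64Dll).Find(x => string.Equals(x, ModuleName, StringComparison.OrdinalIgnoreCase));
    if (KnownDll != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(
            ModuleSearchStrategy.WellKnownDlls,
            Path.Combine(WindowsSystemFolderPath, KnownDll));
    }

    // 1. Look in application folder
    FoundPePath = FindPeFromPath(ModuleName, new List<string> { RootPeFolder }, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.ApplicationDirectory, FoundPePath);
    }

    // {2-3-4}. Look in system folders
    List<string> SystemFolders = new List<string>
    {
        WindowsSystemFolderPath,
        Environment.GetFolderPath(Environment.SpecialFolder.Windows)
    };
    FoundPePath = FindPeFromPath(ModuleName, SystemFolders, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.WindowsFolder, FoundPePath);
    }

    // 5. Look in current directory
    // We can't know from where the analysed exe will be run, so the caller
    // supplies a folder emulating %cwd%. An empty folder would make the lookup
    // relative to *this* tool's working directory (same issue as the empty PATH
    // entries below), so only a real folder is searched.
    if (!string.IsNullOrEmpty(WorkingDirectory))
    {
        FoundPePath = FindPeFromPath(ModuleName, new List<string> { WorkingDirectory }, Wow64Dll);
        if (FoundPePath != null)
        {
            return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.WorkingDirectory, FoundPePath);
        }
    }

    // 6. Look in local app data (check for python for exemple)

    // 7. Find in PATH
    // PATH may be absent from the analysing process (Split on null would throw).
    // Filter out empty paths, since they resolve to the current working directory
    // fix https://github.com/lucasg/Dependencies/issues/51
    string PATH = Environment.GetEnvironmentVariable("PATH") ?? string.Empty;
    List<string> PATHFolders = new List<string>(PATH.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries));
    FoundPePath = FindPeFromPath(ModuleName, PATHFolders, Wow64Dll);
    if (FoundPePath != null)
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.Environment, FoundPePath);
    }

    // 8. Check if it's an absolute import
    if (IsExistingAbsoluteImport(ModuleName))
    {
        return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.Fullpath, ModuleName);
    }

    // 0xff. Allow the user to supply custom search folders, to take into account
    // specific cases. Nothing to do when the user supplied none.
    if (CustomSearchFolders != null && CustomSearchFolders.Count != 0)
    {
        FoundPePath = FindPeFromPath(ModuleName, CustomSearchFolders, Wow64Dll);
        if (FoundPePath != null)
        {
            return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.UserDefined, FoundPePath);
        }
    }

    return new Tuple<ModuleSearchStrategy, string>(ModuleSearchStrategy.NOT_FOUND, null);
}

// Returns true when ModuleName already is a normalized absolute path to an existing file.
// Import names come straight from the analysed binary: a malformed name (invalid
// path characters, odd drive syntax, overlong path) makes Path.GetFullPath throw,
// and must be treated as "not an absolute import" instead of aborting the whole
// resolution of that binary.
private static bool IsExistingAbsoluteImport(string ModuleName)
{
    if (string.IsNullOrEmpty(ModuleName))
    {
        return false;
    }

    try
    {
        return (Path.GetFullPath(ModuleName) == ModuleName) && File.Exists(ModuleName);
    }
    catch (ArgumentException)
    {
        return false;
    }
    catch (NotSupportedException)
    {
        return false;
    }
    catch (PathTooLongException)
    {
        return false;
    }
}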