コード例 #1
ファイル: BinaryCache.cs プロジェクト: msatyan/Dependencies
        /// <summary>
        /// Pre-populates the binary cache: first with every file already present in the
        /// cache folder, then with every KnownDll of both bitnesses.
        /// </summary>
        /// <remarks>
        /// NOTE(review): every file found in the cache folder is handed to GetBinary as-is;
        /// whether GetBinary validates what it loads is not visible from this method.
        /// </remarks>
        public void Load()
        {
            // "Warm up" the cache with whatever is stored in the cache folder.
            foreach (string cachedFilePath in Directory.EnumerateFiles(BinaryCacheFolderPath))
            {
                GetBinary(cachedFilePath);
            }

            // KnownDlls are combined with the system directory that matches their bitness.
            string nativeSystemDir = Environment.GetFolderPath(Environment.SpecialFolder.System);
            string wow64SystemDir  = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

            // Preload all well-known dlls: GetKnownDlls(false) entries go under System32 ...
            foreach (string nativeDllName in Phlib.GetKnownDlls(false))
            {
                string nativeDllPath = Path.Combine(nativeSystemDir, nativeDllName);
                GetBinary(nativeDllPath);
            }

            // ... and GetKnownDlls(true) entries under SysWow64.
            foreach (string wow64DllName in Phlib.GetKnownDlls(true))
            {
                string wow64DllPath = Path.Combine(wow64SystemDir, wow64DllName);
                GetBinary(wow64DllPath);
            }
        }
コード例 #2
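        /// <summary>
        /// Prints the full path of every KnownDll: the GetKnownDlls(false) list under the
        /// System folder first, then the GetKnownDlls(true) list under the SystemX86 folder.
        /// </summary>
        /// <remarks>
        /// Section headers go through VerboseWriteLine, while the entries themselves are
        /// always written with Console.WriteLine.
        /// </remarks>
        public static void DumpKnownDlls()
        {
            // The system folders do not change between entries, so resolve each one once
            // instead of once per listed dll.
            string System32Folder = Environment.GetFolderPath(Environment.SpecialFolder.System);
            string SysWow64Folder = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

            VerboseWriteLine("[-] 64-bit KnownDlls : ");

            foreach (String KnownDll in Phlib.GetKnownDlls(false))
            {
                Console.WriteLine("  {0:s}\\{1:s}", System32Folder, KnownDll);
            }

            VerboseWriteLine("");

            VerboseWriteLine("[-] 32-bit KnownDlls : ");

            // NOTE(review): every 32-bit entry is printed under SysWow64; confirm whether the
            // list can contain names that actually live in System32.
            foreach (String KnownDll in Phlib.GetKnownDlls(true))
            {
                Console.WriteLine("  {0:s}\\{1:s}", SysWow64Folder, KnownDll);
            }

            VerboseWriteLine("");
        }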
コード例 #3
ファイル: BinaryCache.cs プロジェクト: tamutamu/Dependencies
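        /// <summary>
        /// Pre-populates the binary cache: first with every file already present in the
        /// cache folder, then with every KnownDll of both bitnesses.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the value returned by GetBinaryAsync is not observed here; if it is a
        /// task, a failed load is not surfaced by Load() - confirm this is intended.
        /// </remarks>
        public void Load()
        {
            // "Warm up" the cache with whatever is stored in the cache folder.
            foreach (var CachedBinary in Directory.EnumerateFiles(BinaryCacheFolderPath))
            {
                GetBinaryAsync(CachedBinary);
            }

            string System32Folder = Environment.GetFolderPath(Environment.SpecialFolder.System);
            string SysWow64Folder = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86);

            // wow64.dll, wow64cpu.dll and wow64win.dll are listed as wow64 known dlls,
            // but they are actually x64 binaries.
            List <String> Wow64Dlls = new List <string>(new string[] {
                "wow64.dll",
                "wow64cpu.dll",
                "wow64win.dll"
            });

            // Preload all well-known dlls.
            foreach (String KnownDll in Phlib.GetKnownDlls(false))
            {
                GetBinaryAsync(Path.Combine(System32Folder, KnownDll));
            }

            foreach (String KnownDll in Phlib.GetKnownDlls(true))
            {
                // Windows file names are case-insensitive, so the exception list is matched
                // without regard to case; a case-sensitive Contains() would send a differently
                // cased "WOW64.DLL" to the SysWow64 folder.
                bool IsNativeWow64Dll = Wow64Dlls.Exists(
                    Name => string.Equals(Name, KnownDll, StringComparison.OrdinalIgnoreCase)
                    );

                string TargetFolder = IsNativeWow64Dll ? System32Folder : SysWow64Folder;
                GetBinaryAsync(Path.Combine(TargetFolder, KnownDll));
            }
        }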
コード例 #4
 /// <summary>
 /// Captures both KnownDlls lists at construction time: x64 receives
 /// Phlib.GetKnownDlls(false) and x86 receives Phlib.GetKnownDlls(true).
 /// </summary>
 public NtKnownDlls()
 {
     // Query in the same order as before (non-wow64 list first), then publish both.
     var nativeList = Phlib.GetKnownDlls(false);
     var wow64List  = Phlib.GetKnownDlls(true);

     x64 = nativeList;
     x86 = wow64List;
 }
コード例 #5
        // default search order :
        // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
        //
        // if (SafeDllSearchMode) {
        //      -1. Sxs manifests
        //      0. KnownDlls list
        //      1. Loaded PE folder
        //      2. C:\Windows\(System32 | SysWow64 )
        //      3. 16-bit system directory   <-- ignored
        //      4. C:\Windows
        //      5. %pwd%
        //      6. AppDatas
        //      }
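        /// <summary>
        /// Locates <paramref name="ModuleName"/> by walking an emulation of the default DLL
        /// search order for <paramref name="RootPe"/>, and reports which step matched.
        /// </summary>
        /// <param name="RootPe">Binary the module is resolved for; its folder and its wow64 flag drive the search.</param>
        /// <param name="ModuleName">Name of the module to locate.</param>
        /// <param name="SxsCache">Side-by-side entries, consulted before any folder is probed.</param>
        /// <returns>
        /// The strategy that matched together with the resolved path, or
        /// (ModuleSearchStrategy.NOT_FOUND, null) when no step found the module.
        /// </returns>
        /// <remarks>
        /// The first matching step wins: a module that is not in the SxS or KnownDlls lists is
        /// taken from the root binary's own folder before the system folders are looked at,
        /// which is why the matching strategy is returned alongside the path.
        /// </remarks>
        public static Tuple <ModuleSearchStrategy, string> FindPeFromDefault(PE RootPe, string ModuleName, SxsEntries SxsCache)
        {
            bool   Wow64Dll     = RootPe.IsWow64Dll();
            string RootPeFolder = Path.GetDirectoryName(RootPe.Filepath);
            string FoundPePath  = null;

            // The system folder follows the bitness of the root binary.
            Environment.SpecialFolder WindowsSystemFolder = (Wow64Dll) ?
                                                            Environment.SpecialFolder.SystemX86 :
                                                            Environment.SpecialFolder.System;
            String WindowsSystemFolderPath = Environment.GetFolderPath(WindowsSystemFolder);


            // -1. Look in Sxs manifest (copious reversing needed)
            // TODO : find dll search order
            if (SxsCache.Count != 0)
            {
                SxsEntry Entry = SxsCache.Find(SxsItem =>
                                               string.Equals(SxsItem.Name, ModuleName, StringComparison.OrdinalIgnoreCase)
                                               );

                if (Entry != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(ModuleSearchStrategy.SxS, Entry.Path));
                }
            }


            // 0. Look in well-known dlls list
            // HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
            // https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/
            String KnownDll = Phlib.GetKnownDlls(Wow64Dll).Find(x => string.Equals(x, ModuleName, StringComparison.OrdinalIgnoreCase));

            if (KnownDll != null)
            {
                // The path is built from the list entry, not from the caller's spelling.
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.WellKnownDlls,
                           Path.Combine(WindowsSystemFolderPath, KnownDll)
                           ));
            }


            // 1. Look in application folder
            FoundPePath = FindPeFromPath(ModuleName, new List <string>(new string[] { RootPeFolder }), Wow64Dll);
            if (FoundPePath != null)
            {
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.ApplicationDirectory,
                           FoundPePath
                           ));
            }

            // {2-3-4}. Look in system folders
            List <String> SystemFolders = new List <string>(new string[] {
                WindowsSystemFolderPath,
                Environment.GetFolderPath(Environment.SpecialFolder.Windows)
            }
                                                            );

            FoundPePath = FindPeFromPath(ModuleName, SystemFolders, Wow64Dll);
            if (FoundPePath != null)
            {
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.WindowsFolder,
                           FoundPePath
                           ));
            }

            // 5. Look in current directory
            // Ignored for the time being since we can't know from
            // where the exe is run
            // TODO : Add a user supplied path emulating %cwd%


            // 6. Look in local app data (check for python for example)
            // Not implemented.


            // 7. Find in PATH
            // PATH may be unset, and may contain empty segments ("a;;b" or a trailing ';').
            // An empty segment resolves to the current working directory, which step 5
            // deliberately does not search, so empty segments are dropped.
            string PATH = Environment.GetEnvironmentVariable("PATH");

            if (!string.IsNullOrEmpty(PATH))
            {
                List <String> PATHFolders = new List <string>(
                    PATH.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                    );

                FoundPePath = FindPeFromPath(ModuleName, PATHFolders, Wow64Dll);
                if (FoundPePath != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(
                               ModuleSearchStrategy.Environment,
                               FoundPePath
                               ));
                }
            }


            return(new Tuple <ModuleSearchStrategy, string>(
                       ModuleSearchStrategy.NOT_FOUND,
                       null
                       ));
        }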
コード例 #6
ファイル: FindPeModule.cs プロジェクト: wanfl/Dependencies
        // default search order :
        // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
        //
        // if (SafeDllSearchMode) {
        //      -1. Sxs manifests
        //      0. KnownDlls list
        //      1. Loaded PE folder
        //      2. C:\Windows\(System32 | SysWow64 )
        //      3. 16-bit system directory   <-- ignored
        //      4. C:\Windows
        //      5. %pwd%
        //      6. AppDatas
        //      }
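        /// <summary>
        /// Locates <paramref name="ModuleName"/> by walking an emulation of the default DLL
        /// search order for <paramref name="RootPe"/>, and reports which step matched.
        /// </summary>
        /// <param name="RootPe">Binary the module is resolved for; its folder and its wow64 flag drive the search.</param>
        /// <param name="ModuleName">Name of the module to locate.</param>
        /// <param name="SxsCache">Side-by-side entries, consulted before any folder is probed.</param>
        /// <param name="CustomSearchFolders">Extra folders probed last; skipped when null.</param>
        /// <param name="WorkingDirectory">Folder standing in for the analysed program's current directory; skipped when null or empty.</param>
        /// <returns>
        /// The strategy that matched together with the resolved path, or
        /// (ModuleSearchStrategy.NOT_FOUND, null) when no step found the module.
        /// </returns>
        /// <remarks>
        /// The first matching step wins: a module that is not in the SxS or KnownDlls lists is
        /// taken from the root binary's own folder before the system folders are looked at,
        /// which is why the matching strategy is returned alongside the path.
        /// </remarks>
        public static Tuple <ModuleSearchStrategy, string> FindPeFromDefault(PE RootPe, string ModuleName, SxsEntries SxsCache, List <string> CustomSearchFolders, string WorkingDirectory)
        {
            bool   Wow64Dll     = RootPe.IsWow64Dll();
            string RootPeFolder = Path.GetDirectoryName(RootPe.Filepath);
            string FoundPePath  = null;

            // The system folder follows the bitness of the root binary.
            Environment.SpecialFolder WindowsSystemFolder = (Wow64Dll) ?
                                                            Environment.SpecialFolder.SystemX86 :
                                                            Environment.SpecialFolder.System;
            String WindowsSystemFolderPath = Environment.GetFolderPath(WindowsSystemFolder);


            // -1. Look in Sxs manifest (copious reversing needed)
            // TODO : find dll search order
            if (SxsCache.Count != 0)
            {
                SxsEntry Entry = SxsCache.Find(SxsItem =>
                                               string.Equals(SxsItem.Name, ModuleName, StringComparison.OrdinalIgnoreCase)
                                               );

                if (Entry != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(ModuleSearchStrategy.SxS, Entry.Path));
                }
            }


            // 0. Look in well-known dlls list
            // HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
            // https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/
            String KnownDll = Phlib.GetKnownDlls(Wow64Dll).Find(x => string.Equals(x, ModuleName, StringComparison.OrdinalIgnoreCase));

            if (KnownDll != null)
            {
                // The path is built from the list entry, not from the caller's spelling.
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.WellKnownDlls,
                           Path.Combine(WindowsSystemFolderPath, KnownDll)
                           ));
            }


            // 1. Look in application folder
            FoundPePath = FindPeFromPath(ModuleName, new List <string>(new string[] { RootPeFolder }), Wow64Dll);
            if (FoundPePath != null)
            {
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.ApplicationDirectory,
                           FoundPePath
                           ));
            }

            // {2-3-4}. Look in system folders
            List <String> SystemFolders = new List <string>(new string[] {
                WindowsSystemFolderPath,
                Environment.GetFolderPath(Environment.SpecialFolder.Windows)
            }
                                                            );

            FoundPePath = FindPeFromPath(ModuleName, SystemFolders, Wow64Dll);
            if (FoundPePath != null)
            {
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.WindowsFolder,
                           FoundPePath
                           ));
            }

            // 5. Look in current directory
            // The real current directory of the analysed program cannot be known here, so the
            // caller supplies one. A null or empty value is skipped: an empty folder would
            // resolve against this process's own working directory instead.
            if (!string.IsNullOrEmpty(WorkingDirectory))
            {
                FoundPePath = FindPeFromPath(ModuleName, new List <string>(new string[] { WorkingDirectory }), Wow64Dll);
                if (FoundPePath != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(
                               ModuleSearchStrategy.WorkingDirectory,
                               FoundPePath
                               ));
                }
            }

            // 6. Look in local app data (check for python for example)
            // Not implemented.


            // 7. Find in PATH
            // PATH may be unset, in which case this step is skipped.
            string PATH = Environment.GetEnvironmentVariable("PATH");

            if (!string.IsNullOrEmpty(PATH))
            {
                // Filter out empty paths, since they resolve to the current working directory
                // fix https://github.com/lucasg/Dependencies/issues/51
                List <String> PATHFolders = new List <string>(
                    PATH.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                    );

                FoundPePath = FindPeFromPath(ModuleName, PATHFolders, Wow64Dll);
                if (FoundPePath != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(
                               ModuleSearchStrategy.Environment,
                               FoundPePath
                               ));
                }
            }


            // 8. Check if it's an absolute import
            // GetFullPath(ModuleName) == ModuleName only holds when the name is already a
            // fully qualified path in normalised form.
            // NOTE(review): this check runs after the folder probes; how FindPeFromPath treats
            // a rooted ModuleName is not visible here - confirm a rooted name cannot be
            // reported under one of the earlier strategies.
            if ((Path.GetFullPath(ModuleName) == ModuleName) && File.Exists(ModuleName))
            {
                return(new Tuple <ModuleSearchStrategy, string>(
                           ModuleSearchStrategy.Fullpath,
                           ModuleName
                           ));
            }


            // 0xff. Allow the user to supply custom search folders, to take into account
            // specific cases. Skipped when the caller passes no list.
            if (CustomSearchFolders != null)
            {
                FoundPePath = FindPeFromPath(ModuleName, CustomSearchFolders, Wow64Dll);
                if (FoundPePath != null)
                {
                    return(new Tuple <ModuleSearchStrategy, string>(
                               ModuleSearchStrategy.UserDefined,
                               FoundPePath
                               ));
                }
            }

            return(new Tuple <ModuleSearchStrategy, string>(
                       ModuleSearchStrategy.NOT_FOUND,
                       null
                       ));
        }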