public SOURCE_DEST_PAIR(uint source, uint dest, oFunction.CALL_TYPE type, SOURCE_DEST_PAIR joinedPair, string name)
{
this.dest = dest;
this.source = source;
this.type = type;
this.joinedPair = joinedPair;
this.name = name;
}
public static void addCall(uint source, uint destination, oFunction.CALL_TYPE type)
{
addCall(source, destination, type, ""); // add a call with no known name
}
public static void addCall(uint source, uint destination, oFunction.CALL_TYPE type, string name)
{
if (functions == null)
{
// Initialize
functions = new List <oFunction>(10000);
destinationToFunction = new Hashtable(20000);
}
// The source or destination cannot be in the kernel address space.
if (destination > 0x80000000 || source > 0x80000000)
{
return;
}
// Check if this function destination is a jump table call
if (type == oFunction.CALL_TYPE.FIXED_OFFSET || type == oFunction.CALL_TYPE.JUMP_TABLE_PE || type == oFunction.CALL_TYPE.CALLBACK_TABLE)
{
byte[] data = oMemoryFunctions.ReadMemory(oProcess.activeProcess, destination, 2);
// Codes: E9 jump, EB short jump, FF 25 jump off fixed offset
if (data.Length == 2 && (data[0] == 0xE9 || (data[0] == 0xFF && data[1] == 0x25)))
{
// This is a jump table call, we need to extract the actual call destination
if (data[0] == 0xE9)
{
// Far jump
uint offset = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, destination + 1);
destination = destination + offset + 5;
}
else if (data[0] == 0xEB)
{
// Short jump
uint offset = (uint)oMemoryFunctions.ReadMemoryByte(oProcess.activeProcess, destination + 1);
destination = destination + offset + 2;
}
else if (data[0] == 0xFF && data[1] == 0x25)
{
// Read the address
uint address = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, destination + 2);
uint destinationNew = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, address);
if (destinationNew == 0)
{
return;
}
// This is a PE call jump table call, but the linked address has not been loaded yet.
// Standard PE jump table format
type = oFunction.CALL_TYPE.JUMP_TABLE_PE;
destination = destinationNew;
}
// Recurse this add call, incase we have a jump chain.
addCall(source, destination, type, name);
return;
}
}
// Add the call to the system
if (destinationToFunction.ContainsKey(destination))
{
// Function already exists, add this call source.
((oFunction)destinationToFunction[destination]).addCaller(source, type, name);
numCalls++;
}
else
{
// Function does not exist, create it
numCalls++;
numFunctions++;
// Add the call to the function list
functions.Add(new oFunction(source, destination, type, name));
// Add the function to the hash table
destinationToFunction.Add(destination, functions[functions.Count - 1]);
}
}
