コード例 #1
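        /// <summary>
        /// Walk the managed (CLR) dependency graph of <paramref name="AnalyzedPe"/> once its native
        /// import of the system mscoree.dll has been seen, and add every module of every referenced
        /// assembly plus every P/Invoke'd native DLL to <paramref name="NewTreeContexts"/>.
        /// </summary>
        /// <param name="NewTreeContexts">Modules discovered so far, keyed by module file name. New entries are added; an existing key is never overwritten.</param>
        /// <param name="AnalyzedPe">The PE whose managed metadata is parsed with Mono.Cecil.</param>
        /// <param name="ImportModule">The native import currently being processed; anything other than the system mscoree.dll is ignored.</param>
        /// <remarks>
        /// Referenced assemblies are located by Cecil's resolver in <c>RootFolder</c> (plus Cecil's own
        /// default locations). Cecil only reads metadata, it never executes the analyzed files.
        /// NOTE(review): newer Cecil releases make <c>AssemblyDefinition</c> and the resolver disposable;
        /// the version in use is not visible here, so no <c>using</c> is added — confirm and dispose if so.
        /// </remarks>
        private void ProcessClrImports(Dictionary <string, ImportContext> NewTreeContexts, PE AnalyzedPe, ImportContext ImportModule)
        {
            List <PeImportDll> PeImports = AnalyzedPe.GetImports();

            // Only the system mscoree.dll (the CLR shim) triggers CLR parsing. Windows paths are
            // case-insensitive, so an ordinal, case-insensitive comparison is used instead of '!='
            // which would silently skip a path that only differs in case.
            string MscoreeFilepath = Path.Combine(FindPe.GetSystemPath(this.Pe), "mscoree.dll");

            if (!String.Equals(ImportModule.PeFilePath, MscoreeFilepath, StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            var resolver = new DefaultAssemblyResolver();

            resolver.AddSearchDirectory(RootFolder);

            // Parse the managed metadata via Cecil.
            AssemblyDefinition PeAssembly = null;

            try
            {
                PeAssembly = AssemblyDefinition.ReadAssembly(AnalyzedPe.Filepath);
            }
            catch (BadImageFormatException)
            {
                // NOTE(review): the input is an arbitrary on-disk binary; only BadImageFormatException
                // is handled, any other exception Cecil raises on corrupt metadata still propagates.
                MessageBox.Show(
                    String.Format("Cecil could not correctly parse {0:s}, which can happens on .NET Core executables. CLR imports will be not shown", AnalyzedPe.Filepath),
                    "CLR parsing fail"
                    );

                return;
            }

            foreach (var module in PeAssembly.Modules)
            {
                // Managed dependencies: every assembly named in the module's AssemblyRef table.
                foreach (var assembly in module.AssemblyReferences)
                {
                    AssemblyDefinition definition;
                    try
                    {
                        definition = resolver.Resolve(assembly);
                    }
                    catch (AssemblyResolutionException)
                    {
                        // Cecil could not locate the referenced assembly: record it as missing so
                        // the gap is visible in the tree.
                        ImportContext MissingAssembly = new ImportContext();
                        MissingAssembly.PeFilePath       = null;
                        MissingAssembly.PeProperties     = null;
                        MissingAssembly.ModuleName       = Path.GetFileName(assembly.Name);
                        MissingAssembly.ApiSetModuleName = null;
                        MissingAssembly.Flags            = ModuleFlag.ClrReference | ModuleFlag.NotFound;
                        MissingAssembly.ModuleLocation   = ModuleSearchStrategy.ClrAssembly;

                        if (!NewTreeContexts.ContainsKey(MissingAssembly.ModuleName))
                        {
                            NewTreeContexts.Add(MissingAssembly.ModuleName, MissingAssembly);
                        }

                        continue;
                    }

                    foreach (var AssemblyModule in definition.Modules)
                    {
                        Debug.WriteLine("Referenced Assembling loading " + AssemblyModule.Name + " : " + AssemblyModule.FileName);

                        // Defensive: a module without an on-disk file name would produce a null
                        // dictionary key below (Path.GetFileName(null) is null). Presumably every
                        // module handed back by the file-based resolver has one — TODO confirm.
                        if (String.IsNullOrEmpty(AssemblyModule.FileName))
                        {
                            continue;
                        }

                        string ModuleFileName = Path.GetFileName(AssemblyModule.FileName);

                        // Do not process twice a module that is already a native import
                        // (module names are case-insensitive on Windows).
                        if (null != PeImports.Find(mod => String.Equals(mod.Name, ModuleFileName, StringComparison.OrdinalIgnoreCase)))
                        {
                            continue;
                        }

                        ImportContext AssemblyImportModule = BuildClrReferenceContext(ModuleFileName, AssemblyModule.FileName);

                        if (!NewTreeContexts.ContainsKey(AssemblyImportModule.ModuleName))
                        {
                            NewTreeContexts.Add(AssemblyImportModule.ModuleName, AssemblyImportModule);
                        }
                    }
                }

                // Native dependencies: every DLL named by a DllImport (the module's ModuleRef table).
                foreach (var UnmanagedModule in module.ModuleReferences)
                {
                    // Some CLR DLLs carry a reference to an "empty" module; skip it.
                    if (String.IsNullOrEmpty(UnmanagedModule.Name))
                    {
                        continue;
                    }

                    Debug.WriteLine("Referenced module loading " + UnmanagedModule.Name);

                    // Do not process twice a module that is already a native import.
                    if (null != PeImports.Find(m => String.Equals(m.Name, UnmanagedModule.Name, StringComparison.OrdinalIgnoreCase)))
                    {
                        continue;
                    }

                    // A P/Invoke target that cannot be located is flagged NotFound, consistent with
                    // the managed branch above (previously it was silently left unflagged).
                    ImportContext NativeImportModule = BuildClrReferenceContext(UnmanagedModule.Name, UnmanagedModule.Name);

                    if (!NewTreeContexts.ContainsKey(NativeImportModule.ModuleName))
                    {
                        NewTreeContexts.Add(NativeImportModule.ModuleName, NativeImportModule);
                    }
                }
            }
        }

        /// <summary>
        /// Build the tree entry for one module reached through CLR metadata (a referenced assembly's
        /// module or a P/Invoke'd native DLL) and try to locate it with the regular module search.
        /// </summary>
        /// <param name="ModuleName">File name used as the entry's module name (and dictionary key).</param>
        /// <param name="LookupName">Name or path handed to <c>BinaryCache.ResolveModule</c>.</param>
        /// <returns>An <c>ImportContext</c> flagged <c>ClrReference</c>, with <c>NotFound</c> added when resolution fails.</returns>
        private ImportContext BuildClrReferenceContext(string ModuleName, string LookupName)
        {
            ImportContext Context = new ImportContext();
            Context.PeFilePath       = null;
            Context.PeProperties     = null;
            Context.ModuleName       = ModuleName;
            Context.ApiSetModuleName = null;
            Context.Flags            = ModuleFlag.ClrReference;
            Context.ModuleLocation   = ModuleSearchStrategy.ClrAssembly;

            Tuple <ModuleSearchStrategy, PE> Resolved = BinaryCache.ResolveModule(
                this.Pe,
                LookupName,
                this.SxsEntriesCache,
                this.CustomSearchFolders,
                this.WorkingDirectory
                );

            if (Resolved.Item1 != ModuleSearchStrategy.NOT_FOUND)
            {
                Context.PeProperties = Resolved.Item2;
                Context.PeFilePath   = Resolved.Item2.Filepath;
            }
            else
            {
                Context.Flags |= ModuleFlag.NotFound;
            }

            return Context;
        }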
コード例 #2
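        /// <summary>
        /// Add the AppInit_DLLs entries configured on this machine to the dependency tree once the
        /// system user32.dll import has been seen (Windows loads AppInit DLLs during user32's
        /// initialization, hence the gate).
        /// </summary>
        /// <param name="NewTreeContexts">Modules discovered so far, keyed by module name. New entries are added; an existing key is never overwritten.</param>
        /// <param name="AnalyzedPe">The PE whose native imports are consulted to avoid duplicate entries.</param>
        /// <param name="ImportModule">The native import currently being processed; anything other than the system user32.dll is ignored.</param>
        /// <remarks>
        /// The list is read from HKLM on the machine running the analysis (64-bit registry view, with
        /// the key path redirected to WowAA32Node / Wow6432Node for ARM32 / WoW64 targets), so it
        /// describes this host, not necessarily the one the binary will run on.
        /// NOTE(review): Windows additionally gates AppInit loading on code-signing policy
        /// (RequireSignedAppInit_DLLs) and disables it under Secure Boot; neither is checked here,
        /// so a listed DLL is not guaranteed to actually load.
        /// </remarks>
        private void ProcessAppInitDlls(Dictionary <string, ImportContext> NewTreeContexts, PE AnalyzedPe, ImportContext ImportModule)
        {
            List <PeImportDll> PeImports = AnalyzedPe.GetImports();

            // Only the system user32.dll triggers AppInit processing. Windows paths are
            // case-insensitive, so an ordinal, case-insensitive comparison is used instead of '!='.
            string User32Filepath = Path.Combine(FindPe.GetSystemPath(this.Pe), "user32.dll");

            if (!String.Equals(ImportModule.PeFilePath, User32Filepath, StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            string AppInitRegistryKey =
                (this.Pe.IsArm32Dll()) ?
                "SOFTWARE\\WowAA32Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows" :
                (this.Pe.IsWow64Dll()) ?
                "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows" :
                "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";

            int    LoadAppInitDlls;
            string AppInitDlls;

            // Registry keys wrap OS handles: dispose them. OpenSubKey returns null when the key does
            // not exist (e.g. a redirected hive that is absent), which must not be dereferenced.
            using (RegistryKey localKey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64))
            using (RegistryKey windowsKey = localKey.OpenSubKey(AppInitRegistryKey))
            {
                if (windowsKey == null)
                {
                    return;
                }

                // LoadAppInit_DLLs is expected as REG_DWORD and AppInit_DLLs as a string value; a
                // value of another type is treated as "disabled" / "empty" instead of throwing an
                // InvalidCastException. NOTE(review): confirm against the loader's own handling.
                LoadAppInitDlls = (windowsKey.GetValue("LoadAppInit_DLLs", 0) as int?) ?? 0;
                AppInitDlls     = (windowsKey.GetValue("AppInit_DLLs", "") as string) ?? "";
            }

            if (LoadAppInitDlls == 0 || String.IsNullOrEmpty(AppInitDlls))
            {
                return;
            }

            // Crude parser: the value is a space- or comma-separated list of DLL names/paths. Empty
            // entries (double separators) are dropped so they never become an empty module name.
            // TODO : Add support for quotes wrapped paths with spaces
            foreach (var AppInitDll in AppInitDlls.Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries))
            {
                Debug.WriteLine("AppInit loading " + AppInitDll);

                // Do not process twice a module that is already a native import
                // (module names are case-insensitive on Windows).
                if (null != PeImports.Find(module => String.Equals(module.Name, AppInitDll, StringComparison.OrdinalIgnoreCase)))
                {
                    continue;
                }

                if (NewTreeContexts.ContainsKey(AppInitDll))
                {
                    continue;
                }

                ImportContext AppInitImportModule = new ImportContext();
                AppInitImportModule.PeFilePath       = null;
                AppInitImportModule.PeProperties     = null;
                AppInitImportModule.ModuleName       = AppInitDll;
                AppInitImportModule.ApiSetModuleName = null;
                AppInitImportModule.Flags            = 0;
                AppInitImportModule.ModuleLocation   = ModuleSearchStrategy.AppInitDLL;

                // Locate the DLL with the regular module search; flag it NotFound otherwise.
                Tuple <ModuleSearchStrategy, PE> ResolvedAppInitModule = BinaryCache.ResolveModule(
                    this.Pe,
                    AppInitDll,
                    this.SxsEntriesCache,
                    this.CustomSearchFolders,
                    this.WorkingDirectory
                    );
                if (ResolvedAppInitModule.Item1 != ModuleSearchStrategy.NOT_FOUND)
                {
                    AppInitImportModule.PeProperties = ResolvedAppInitModule.Item2;
                    AppInitImportModule.PeFilePath   = ResolvedAppInitModule.Item2.Filepath;
                }
                else
                {
                    AppInitImportModule.Flags |= ModuleFlag.NotFound;
                }

                NewTreeContexts.Add(AppInitDll, AppInitImportModule);
            }
        }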