예제 #1
        /// <summary>
        /// Detects whether a trampoline (call [foo] where foo: jmp bar) jumps into the
        /// body of a procedure that was loaded with GetProcAddress or the like, by
        /// reading the 32-bit pointer stored at the thunk and looking it up in
        /// <c>program.InterceptedCalls</c>.
        /// </summary>
        /// <param name="addrImportThunk">
        /// Address of the import thunk slot whose contents are read as the
        /// destination pointer.
        /// </param>
        /// <returns>
        /// The <see cref="ExternalProcedure"/> recorded for the destination address;
        /// <c>null</c> when <paramref name="addrImportThunk"/> is not a valid address
        /// in the image or a 32-bit value cannot be read there. When the destination
        /// has no entry, the result is whatever <c>TryGetValue</c> leaves in its out
        /// argument (null for the standard dictionary types).
        /// </returns>
        public ExternalProcedure GetInterceptedCall(Address addrImportThunk)
        {
            ExternalProcedure intercepted = null;

            // The thunk address is derived from the binary under analysis, so it is
            // checked against the image before any read is attempted.
            if (image.IsValidAddress(addrImportThunk))
            {
                var  thunkReader = program.CreateImageReader(addrImportThunk);
                uint rawTarget;

                // TryReadUInt32 reports failure rather than throwing, so a thunk
                // that cannot supply a full 32-bit value yields null.
                // NOTE(review): the slot is always read as 32 bits and wrapped with
                // Address.Ptr32; confirm this is only reached for 32-bit images.
                if (thunkReader.TryReadUInt32(out rawTarget))
                {
                    // The pointer value comes from the image contents and is used
                    // only as a lookup key here; it is never dereferenced.
                    var addrTarget = Address.Ptr32(rawTarget);
                    program.InterceptedCalls.TryGetValue(addrTarget, out intercepted);
                }
            }
            return intercepted;
        }
예제 #2
 /// <summary>
 /// Reports whether <paramref name="addr"/> is a valid address for the
 /// underlying image, delegating the decision to <c>image.IsValidAddress</c>.
 /// </summary>
 /// <param name="addr">Address to check.</param>
 /// <returns>The result of <c>image.IsValidAddress(addr)</c>.</returns>
 public bool IsValidAddress(Address addr) => image.IsValidAddress(addr);