bool IBinaryAppender <ImportFunctionModule.ImageBoundImportDescription, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageBoundImportDescription s, uint size, ReaderWithOffsetArgs arg) { if (s.TimeDateStamp == 0) { return(false); } ImportFunctionSection ifs = arg.Tag as ImportFunctionSection; if (ifs == null) { return(false); } string name = arg.Source.ReadStringAnsiAt(arg.Offset + s.OffsetModuleName); ImportFunctionModule ifm = ifs[name]; // if there is a module to update: if (ifm != null) { ReaderWithOffsetArgs mArg = new ReaderWithOffsetArgs(arg.Source, arg.Offset, 0, null); ifm.BoundDate = new DateTime(1970, 1, 1).AddSeconds(s.TimeDateStamp); // append given number of forwarders, having the same size as the current structure // and lying just after: for (ushort i = 0; i < s.NumberOfModuleForwarderRefs; i++) { Append <ImportFunctionModule.ImageBoundImportForwarderRef, ImportFunctionModule, ReaderWithOffsetArgs>( arg.Source, ifm, mArg); } } return(true); }
private void AppendRelocationSection(UnmanagedDataReader s, DataSectionDescription relocationSection) { uint delta; uint offset = GetVirtualRelativeAddress(relocationSection.VirtualAddress, out delta); ReaderWithOffsetArgs arg; RelocationSection section; if (offset == 0) { return; } // read the info: s.Jump(offset); // add all sections: section = new RelocationSection(); arg = new ReaderWithOffsetArgs(s, offset, delta, section); while (Append <RelocationSection.ImageBaseRelocation, WindowsPortableExecutable, ReaderWithOffsetArgs> (s, this, arg)) { } // append relocation section when any data was read from file: if (section.Count > 0) { section.UpdateFileInfo(RelocationSection.DefaultName, offset, s.CurrentOffset - offset); section.UpdateVirtualInfo(offset, s.CurrentOffset - offset); Add(section); } }
/// <summary> /// Extracts info about Import section. /// </summary> private void AppendImportSection(UnmanagedDataReader s, DataSectionDescription importSection, DataSectionDescription importBoundSection, NtHeaderSection ntSection) { ImportFunctionSection ifs = new ImportFunctionSection(); uint delta; uint offset = GetVirtualRelativeAddress(importSection.VirtualAddress, out delta); if (offset == 0 || ntSection == null) { return; } // analize data inside given section: ReaderWithOffsetArgs arg = new ReaderWithOffsetArgs(s, offset, delta, ifs); // read the info: s.Jump(offset); while (Append <ImportFunctionModule.ImageImportDescriptor, WindowsPortableExecutable, ReaderWithOffsetArgs> (s, this, arg)) { // store the current location: offset = s.CurrentOffset; // read functions assigned to given module: if (ntSection.MachineType == MachineType.Intel_x86) { ReadImportData <ImportFunctionModule.ImageImportData32, WindowsPortableExecutable>(s, arg.Tag as ImportFunctionModule); } else if (ntSection.MachineType == MachineType.Intel_x64) { ReadImportData <ImportFunctionModule.ImageImportData64, WindowsPortableExecutable>(s, arg.Tag as ImportFunctionModule); } // restore the offset: s.Jump(offset); arg.Tag = ifs; } // check if there is additional bound-import infor available and read it: if (importBoundSection != null) { ReaderWithOffsetArgs iArg = new ReaderWithOffsetArgs(s, importBoundSection.VirtualAddress, 0, ifs); s.Jump(importBoundSection.VirtualAddress); while (Append <ImportFunctionModule.ImageBoundImportDescription, WindowsPortableExecutable, ReaderWithOffsetArgs>(s, this, iArg)) { } } // if import section was correctly filled by at least one element then store it: if (ifs.Count > 0) { ifs.UpdateFileInfo(ImportFunctionSection.DefaultName, offset, s.LastReadSize * (uint)ifs.Count); ifs.UpdateVirtualInfo(importSection.VirtualAddress, importSection.Size); Add(ifs); } }
internal bool Read(ReaderWithOffsetArgs e) { const uint sizeOfUInt32 = 4; const uint sizeOfUInt16 = 2; string forwardedName; List <ExportFunctionDescription> r = new List <ExportFunctionDescription>(); // update the pointers with offset: NameAddress -= e.Delta; FunctionAddress -= e.Delta; OrdinalAddress -= e.Delta; ModuleNameAddress -= e.Delta; // read the module name: ModuleName = e.Source.ReadStringAnsiAt(ModuleNameAddress); // read functions: for (uint i = 0; i < Count; i++) { uint entryPointRVA = e.Source.ReadUInt32At(FunctionAddress + sizeOfUInt32 * i); uint ordinal = i + OrdinalBase; uint nameAddress; if (entryPointRVA != 0) { // check if this function has an associated name exported: for (uint j = 0; j < Count; j++) { if (e.Source.ReadUInt16At(OrdinalAddress + sizeOfUInt16 * j) == i) { nameAddress = e.Source.ReadUInt32At(NameAddress + sizeOfUInt32 * j) - e.Delta; forwardedName = ContainsVirtual(entryPointRVA) ? e.Source.ReadStringAnsiAt(entryPointRVA - e.Delta) : null; r.Add(new ExportFunctionDescription(e.Source.ReadStringAnsiAt(nameAddress), forwardedName, ordinal, entryPointRVA, j)); } } } } Functions = r; // calculate the function dictionary by names: HashFunctions = new Dictionary <string, ExportFunctionDescription>(); foreach (ExportFunctionDescription f in r) { if (!HashFunctions.ContainsKey(f.Name)) { HashFunctions.Add(f.Name, f); } } return(true); }
bool IBinaryAppender <RelocationSection.ImageBaseRelocation, ReaderWithOffsetArgs> .Attach(ref RelocationSection.ImageBaseRelocation s, uint size, ReaderWithOffsetArgs arg) { UnmanagedDataReader r = arg.Source; RelocationSection section = arg.Tag as RelocationSection; RelocationDescription desc; ushort data = 0; RelocationType type; uint count; uint offset; // validate input data: if (s.SizeOfBlock == 0 || s.VirtualAddress == 0 || section == null) { return(false); } // append data to section: count = (s.SizeOfBlock - (uint)Marshal.SizeOf(typeof(RelocationSection.ImageBaseRelocation))) / (uint)Marshal.SizeOf(typeof(ushort)); if (count > 0) { desc = new RelocationDescription(s.VirtualAddress, s.SizeOfBlock); for (uint i = 0; i < count; i++) { if (r.Read(ref data)) { type = (RelocationType)((data & 0xF000) >> 12); offset = (uint)(data & 0x0FFF); if (type == RelocationType.BasedHighAdjust) { if (r.Read(ref data)) { offset += ((uint)data) << 12; count--; } } desc.Add(new RelocationItem(type, offset)); } else { break; } } // if data is defined inside the given description: if (desc.Count > 0) { section.Add(desc); } } return(true); }
bool IBinaryAppender <ImportFunctionModule.ImageImportData64, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageImportData64 s, uint size, ReaderWithOffsetArgs arg) { return(AttachImportData(ref s, arg.Source, arg.Delta, arg.Tag as ImportFunctionModule)); }
bool IBinaryAppender <ImportFunctionModule.ImageImportDescriptor, ReaderWithOffsetArgs> .Attach(ref ImportFunctionModule.ImageImportDescriptor s, uint size, ReaderWithOffsetArgs arg) { ImportFunctionSection imports = arg.Tag as ImportFunctionSection; IBinaryAppender <ImportFunctionModule.ImageImportDescriptor, ReaderWithOffsetArgs> t = new ImportFunctionModule(); // read the next import module description: if (t.Attach(ref s, size, arg)) { if (imports != null) { imports.Add(t as ImportFunctionModule); arg.Tag = t; return(true); } } return(false); }
/// <summary> /// Setup internal data based on given input read from native image. /// </summary> bool IBinaryAppender <ExportFunctionSection.ImageExportDirectory, ReaderWithOffsetArgs> .Attach(ref ExportFunctionSection.ImageExportDirectory s, uint size, ReaderWithOffsetArgs arg) { ExportFunctionSection x = new ExportFunctionSection(); IBinaryConverter <ExportFunctionSection.ImageExportDirectory> c = x; DataSectionDescription e = arg.Tag as DataSectionDescription; if (!c.Convert(ref s, arg.Offset, size)) { return(false); } if (e != null) { x.UpdateVirtualInfo(e.VirtualAddress, e.Size); } if (x.Read(arg)) { Add(x); return(true); } return(false); }