/// <summary>
/// Get the manifests from a file.
/// </summary>
/// <param name="filename">The file to extract the manifests from.</param>
/// <returns>The list of manifests.</returns>
public static IEnumerable <ExecutableManifest> GetManifests(string filename)
{
string fullpath = Path.GetFullPath(filename);
using (SafeLoadLibraryHandle library =
SafeLoadLibraryHandle.LoadLibrary(fullpath, LoadLibraryFlags.LoadLibraryAsImageResource | LoadLibraryFlags.LoadLibraryAsDataFile))
{
List <ExecutableManifest> manifests = new List <ExecutableManifest>();
Win32NativeMethods.EnumResourceNames(library, new IntPtr((int)ResType.MANIFEST), (a, b, c, d) =>
{
try
{
manifests.Add(new ExecutableManifest(library, fullpath, c));
}
catch (Win32Exception)
{
}
catch (ArgumentException)
{
}
return(true);
}, IntPtr.Zero);
return(manifests);
}
}
/// <summary>
/// Parse all RPC servers from a PE file.
/// </summary>
/// <param name="file">The PE file to parse.</param>
/// <param name="dbghelp_path">Path to a DBGHELP DLL to resolve symbols.</param>
/// <param name="symbol_path">Symbol path for DBGHELP</param>
/// <param name="parse_clients">True to parse client RPC interfaces.</param>
/// <remarks>This only works for PE files with the same bitness as the current process.</remarks>
/// <returns>A list of parsed RPC server.</returns>
public static IEnumerable <RpcServer> ParsePeFile(string file, string dbghelp_path, string symbol_path, bool parse_clients)
{
List <RpcServer> servers = new List <RpcServer>();
using (var lib = SafeLoadLibraryHandle.LoadLibrary(file, LoadLibraryFlags.DontResolveDllReferences))
{
var sections = lib.GetImageSections();
var offsets = sections.SelectMany(s => FindRpcServerInterfaces(s, parse_clients));
if (offsets.Any())
{
using (var sym_resolver = SymbolResolver.Create(NtProcess.Current,
dbghelp_path, symbol_path))
{
foreach (var offset in offsets)
{
IMemoryReader reader = new CurrentProcessMemoryReader(sections.Select(s => Tuple.Create(s.Data.DangerousGetHandle().ToInt64(), (int)s.Data.ByteLength)));
NdrParser parser = new NdrParser(reader, NtProcess.Current,
sym_resolver, NdrParserFlags.IgnoreUserMarshal);
IntPtr ifspec = lib.DangerousGetHandle() + (int)offset.Offset;
var rpc = parser.ReadFromRpcServerInterface(ifspec);
servers.Add(new RpcServer(rpc, parser.ComplexTypes, file, offset.Offset, offset.Client));
}
}
}
}
return(servers.AsReadOnly());
}
/// <summary>
/// Get the manifests from a file.
/// </summary>
/// <param name="filename">The file to extract the manifests from.</param>
/// <returns>The list of manifests.</returns>
public static IEnumerable <ExecutableManifest> GetManifests(string filename)
{
string fullpath = Path.GetFullPath(filename);
using (SafeLoadLibraryHandle library =
SafeLoadLibraryHandle.LoadLibrary(fullpath, LoadLibraryFlags.LoadLibraryAsImageResource | LoadLibraryFlags.LoadLibraryAsDataFile))
{
return(library.GetResources(WellKnownImageResourceType.Manifest).Where(m => m.Size > 0)
.Select(m => new ExecutableManifest(fullpath, m.ToArray())).ToArray());
}
}
/// <summary>
/// Parse all RPC servers from a PE file.
/// </summary>
/// <param name="file">The PE file to parse.</param>
/// <param name="dbghelp_path">Path to a DBGHELP DLL to resolve symbols.</param>
/// <param name="symbol_path">Symbol path for DBGHELP</param>
/// <param name="flags">Flags for the RPC parser.</param>
/// <remarks>This only works for PE files with the same bitness as the current process.</remarks>
/// <returns>A list of parsed RPC server.</returns>
public static IEnumerable <RpcServer> ParsePeFile(string file, string dbghelp_path, string symbol_path, RpcServerParserFlags flags)
{
List <RpcServer> servers = new List <RpcServer>();
using (var result = SafeLoadLibraryHandle.LoadLibrary(file, LoadLibraryFlags.DontResolveDllReferences, false))
{
if (!result.IsSuccess)
{
return(servers.AsReadOnly());
}
var lib = result.Result;
var sections = lib.GetImageSections();
var offsets = sections.SelectMany(s => FindRpcServerInterfaces(s, flags.HasFlagSet(RpcServerParserFlags.ParseClients)));
if (offsets.Any())
{
SymbolResolverFlags symbol_flags = flags.HasFlagSet(RpcServerParserFlags.SymSrvFallback) ? SymbolResolverFlags.SymSrvFallback : SymbolResolverFlags.None;
using (var sym_resolver = !flags.HasFlagSet(RpcServerParserFlags.IgnoreSymbols) ? SymbolResolver.Create(NtProcess.Current,
dbghelp_path, symbol_path, symbol_flags, null) : null)
{
NdrParserFlags parser_flags = NdrParserFlags.IgnoreUserMarshal;
if (flags.HasFlagSet(RpcServerParserFlags.ResolveStructureNames))
{
parser_flags |= NdrParserFlags.ResolveStructureNames;
}
foreach (var offset in offsets)
{
IMemoryReader reader = new CurrentProcessMemoryReader(sections.Select(s => Tuple.Create(s.Data.DangerousGetHandle().ToInt64(), (int)s.Data.ByteLength)));
NdrParser parser = new NdrParser(reader, NtProcess.Current,
sym_resolver, parser_flags);
IntPtr ifspec = lib.DangerousGetHandle() + (int)offset.Offset;
try
{
var rpc = parser.ReadFromRpcServerInterface(ifspec, lib.DangerousGetHandle());
servers.Add(new RpcServer(rpc, parser.ComplexTypes, file, offset.Offset, offset.Client));
}
catch (NdrParserException)
{
}
}
}
}
}
return(servers.AsReadOnly());
}
private void ParseDelayedImport(Dictionary <IntPtr, IntPtr> imports, IMAGE_DELAY_IMPORT_DESCRIPTOR desc)
{
if (desc.pIAT == 0 || desc.pINT == 0)
{
return;
}
string name = Marshal.PtrToStringAnsi(RvaToVA(desc.szName));
IntPtr IAT = RvaToVA(desc.pIAT);
IntPtr INT = RvaToVA(desc.pINT);
try
{
using (SafeLoadLibraryHandle lib = SafeLoadLibraryHandle.LoadLibrary(name))
{
IntPtr import_name_rva = Marshal.ReadIntPtr(INT);
while (import_name_rva != IntPtr.Zero)
{
IntPtr import;
// Ordinal
if (import_name_rva.ToInt64() < 0)
{
import = lib.GetProcAddress(new IntPtr(import_name_rva.ToInt64() & 0xFFFF));
}
else
{
IntPtr import_ofs = RvaToVA(import_name_rva.ToInt64() + 2);
string import_name = Marshal.PtrToStringAnsi(import_ofs);
import = lib.GetProcAddress(import_name);
}
if (import != IntPtr.Zero)
{
imports[IAT] = import;
}
INT += IntPtr.Size;
IAT += IntPtr.Size;
import_name_rva = Marshal.ReadIntPtr(INT);
}
}
}
catch (Win32Exception)
{
}
}
internal DbgHelpSymbolResolver(NtProcess process, string dbghelp_path, string symbol_path)
{
Process = process.Duplicate();
_dbghelp_lib = SafeLoadLibraryHandle.LoadLibrary(dbghelp_path);
GetFunc(ref _sym_init);
GetFunc(ref _sym_cleanup);
GetFunc(ref _sym_from_name);
GetFunc(ref _sym_set_options);
GetFunc(ref _sym_enum_modules);
GetFunc(ref _sym_from_addr);
GetFunc(ref _sym_get_module_info);
GetFunc(ref _sym_load_module);
GetFunc(ref _sym_refresh_module_list);
_sym_set_options(SymOptions.INCLUDE_32BIT_MODULES | SymOptions.UNDNAME | SymOptions.DEFERRED_LOADS);
if (!_sym_init(Handle, symbol_path, true))
{
// If SymInitialize failed then we'll have to bootstrap modules manually.
if (!_sym_init(Handle, symbol_path, false))
{
throw new Win32Exception();
}
IntPtr[] modules = new IntPtr[1024];
int return_length;
if (EnumProcessModulesEx(Handle, modules, modules.Length * IntPtr.Size, out return_length,
process.Is64Bit ? EnumProcessModulesFilter.LIST_MODULES_64BIT : EnumProcessModulesFilter.LIST_MODULES_32BIT))
{
foreach (IntPtr module in modules.Take(return_length / IntPtr.Size))
{
StringBuilder dllpath = new StringBuilder(260);
if (GetModuleFileNameEx(Handle, module, dllpath, dllpath.Capacity) > 0)
{
if (_sym_load_module(Handle, IntPtr.Zero, dllpath.ToString(),
Path.GetFileNameWithoutExtension(dllpath.ToString()), module.ToInt64(), GetImageSize(module)) == 0)
{
System.Diagnostics.Debug.WriteLine($"Couldn't load {dllpath}");
}
}
}
}
}
}