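/// <summary>
/// Writes the import table of a 32-bit PE image to <paramref name="log"/>: one
/// header per import descriptor, then one line per imported function.
/// </summary>
/// <remarks>
/// Every offset used here (descriptor array, DLL name, thunk arrays, hint/name
/// entries) is taken from the inspected image and added to
/// <paramref name="mbase"/> with no range check visible in this method. When the
/// image may be malformed or hostile, validate the RVAs against the image size
/// before calling, or make sure the RemotePtr reads fail safely.
/// </remarks>
/// <param name="log">Destination for the dump.</param>
/// <param name="mbase">Base of the image; all RVAs are resolved relative to it.</param>
/// <param name="dir">Import data directory entry (RVA and size). Nothing is written when its RVA is 0.</param>
private unsafe static void dumpImportTable(Log log, RemotePtr<byte> mbase, IMAGE.DATA_DIRECTORY dir)
{
    if (dir.VirtualAddress == 0)
    {
        return;
    }

    log.WriteLine("============================================================");
    log.WriteLine(" IMPORT TABLE ");
    log.WriteLine("============================================================");

    RemotePtr<IMAGE.IMPORT_DESCRIPTOR> pDesc = (mbase + dir.VirtualAddress).Reinterpret<IMAGE.IMPORT_DESCRIPTOR>();
    // NOTE(review): dir.Size is a byte count, so this assumes Advance takes a byte offset - confirm.
    RemotePtr<IMAGE.IMPORT_DESCRIPTOR> pDescM = pDesc.Advance((System.IntPtr)dir.Size);

    while (pDesc < pDescM)
    {
        IMAGE.IMPORT_DESCRIPTOR desc = (pDesc++)[0];

        // The descriptor array is closed by a zeroed entry. Stop there rather than
        // log it: with pstrName == 0 the "DLL name" would be read from mbase itself.
        if ((int)desc.pstrName == 0 && desc.FirstThunk == 0)
        {
            break;
        }

        log.WriteVar("Importing from", (mbase + (int)desc.pstrName).ReadAnsiString());
        log.WriteVar("ForwarderChain", desc.ForwarderChain);
        log.WriteVar("TimeDateStamp", desc.TimeDateStamp);
        log.WriteVar("FirstThunk", "0x" + desc.FirstThunk.ToString("X8"));
        log.WriteVar("OriginalFirstThunk", "0x" + desc.OriginalFirstThunk.ToString("X8"));

        // A descriptor without an address table has nothing to enumerate.
        if (desc.FirstThunk == 0)
        {
            continue;
        }

        RemotePtr<IMAGE.THUNK_DATA32> pIAT = (mbase + (int)desc.FirstThunk).Reinterpret<IMAGE.THUNK_DATA32>();
        // NOTE(review): OriginalFirstThunk is used without a zero check; when it is 0,
        // pINT starts at mbase and the names below are decoded from unrelated bytes.
        RemotePtr<IMAGE.THUNK_DATA32> pINT = (mbase + (int)desc.OriginalFirstThunk).Reinterpret<IMAGE.THUNK_DATA32>();

        // NOTE(review): the walk ends only at a zero address-table entry; nothing
        // bounds it if the image never supplies one.
        while (true)
        {
            IMAGE.THUNK_DATA32 iat_item = pIAT++.Value;
            IMAGE.THUNK_DATA32 int_item = pINT++.Value;
            if (iat_item.Function == 0)
            {
                break;
            }

            string name;
            if (int_item.IsSnapByOrdinal)
            {
                name = "#" + int_item.OrdinalValue.ToString();
            }
            else
            {
                const int OffsetName = 2; // offset of the IMAGE_IMPORT_BY_NAME.Name member
                name = (mbase + int_item.AddressOfData + OffsetName).ReadAnsiString();

                // An empty name (malformed or unreadable entry) must not be indexed.
                if (!string.IsNullOrEmpty(name) && name[0] == '?')
                {
                    name = DbgHelp.UnDecorateSymbolName(name, DbgHelp.UNDNAME.COMPLETE);
                }
            }

            log.WriteLine("dllimport {0} \t@ 0x{1:X8}", name, iat_item.Function);
        }

        log.WriteLine("------------------------------------------------------------");
    }
}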
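/// <summary>
/// Writes the fields of a PE32 optional header to <paramref name="log"/>, then the
/// non-empty data directory entries, then the import table when the header
/// declares an import directory.
/// </summary>
/// <remarks>
/// The header is read from the inspected image, so NumberOfRvaAndSizes is
/// untrusted. It is logged as found, but the directory walk is capped at the
/// number of slots a PE optional header defines.
/// </remarks>
/// <param name="log">Destination for the dump.</param>
/// <param name="mbase">Base of the image; passed on for resolving import table RVAs.</param>
/// <param name="ohead">Location of the optional header, read as IMAGE.NT32_OPTIONAL_HEADER.</param>
private unsafe static void dumpPE32Header(Log log, RemotePtr<byte> mbase, RemotePtr<byte> ohead)
{
    // 16 is IMAGE_NUMBEROF_DIRECTORY_ENTRIES in winnt.h.
    // NOTE(review): confirm it matches the DataDirectory layout declared in IMAGE.
    const int MaxDirectoryEntries = 16;

    IMAGE.NT32_OPTIONAL_HEADER oHeader = ohead.Read<IMAGE.NT32_OPTIONAL_HEADER>();

    log.AddIndent();
    log.WriteVar("LinkerVersion", oHeader.STD.LinkerVersion);
    log.WriteVar("Size of Code", oHeader.STD.SizeOfCode);
    log.WriteVar("Size of Initialized Data", oHeader.STD.SizeOfInitializedData);
    log.WriteVar("Size of Uninitialized Data", oHeader.STD.SizeOfUninitializedData);
    log.WriteVar("Address of EntryPoint", "0x" + oHeader.STD.AddressOfEntryPoint.ToString("X8"));
    log.WriteVar("Base of Code", "0x" + oHeader.STD.BaseOfCode.ToString("X8"));
    log.WriteVar("Base of Data", "0x" + oHeader.BaseOfData.ToString("X8"));
    log.WriteVar("Preferred Base", "0x" + oHeader.ImageBase.ToString("X8"));
    log.WriteVar("Section Alignment", "0x" + oHeader.SectionAlignment.ToString("X8"));
    log.WriteVar("File Alignment", "0x" + oHeader.FileAlignment.ToString("X8"));
    log.WriteVar("OS Version", oHeader.OSVersion);
    log.WriteVar("Image Version", oHeader.ImageVersion);
    log.WriteVar("Subsystem Version", oHeader.SubsystemVersion);
    log.WriteVar("Win32 Version", oHeader.Win32VersionValue.ToString());
    log.WriteVar("Size of Image", "0x" + oHeader.SizeOfImage.ToString("X8"));
    log.WriteVar("Size of Headers", "0x" + oHeader.SizeOfHeaders.ToString("X8"));
    log.WriteVar("CheckSum", "0x" + oHeader.CheckSum.ToString("X8"));
    log.WriteVar("Subsystem", oHeader.Subsystem);
    log.WriteVar("Dll 属性", oHeader.DllCharacteristics);
    log.WriteVar("Size of Stack Reserve", "0x" + oHeader.SizeOfStackReserve.ToString("X8"));
    log.WriteVar("Size of Stack Commit", "0x" + oHeader.SizeOfStackCommit.ToString("X8"));
    log.WriteVar("Size of Heap Reserve", "0x" + oHeader.SizeOfHeapReserve.ToString("X8"));
    log.WriteVar("Size of Heap Commit", "0x" + oHeader.SizeOfHeapCommit.ToString("X8"));
    // Logged unclamped so an out-of-range count stays visible in the dump.
    log.WriteVar("Number of RVA and Sizes", oHeader.NumberOfRvaAndSizes);
    log.RemoveIndent();

    // Cap the walk: a count above the defined slots would index DataDirectory
    // past the entries the header actually holds.
    for (int i = 0; i < oHeader.NumberOfRvaAndSizes && i < MaxDirectoryEntries; i++)
    {
        IMAGE.DIRECTORY_ENTRY dindex = (IMAGE.DIRECTORY_ENTRY)i;
        IMAGE.DATA_DIRECTORY dir = oHeader.DataDirectory[dindex];

        // Skip unused slots (no RVA and no size).
        if (dir.Size == 0 && dir.VirtualAddress == 0)
        {
            continue;
        }

        log.WriteLine("DirectoryEntry: " + afh.Enum.GetDescription(dindex));
        log.AddIndent();
        log.WriteVar("RVA of Data", "0x" + dir.VirtualAddress.ToString("X8"));
        log.WriteVar("Size of Data", "0x" + dir.Size.ToString("X8"));
        log.RemoveIndent();
    }

    // Dump imports only when the header declares enough directory slots to include one.
    if ((int)IMAGE.DIRECTORY_ENTRY.IMPORT < oHeader.NumberOfRvaAndSizes)
    {
        dumpImportTable(log, mbase, oHeader.DataDirectory.importTable);
    }
}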