Exemplo n.º 1
0
 public ExportedFunctions ReadExports()
 {
     try {
         var exportedFuncs = new ExportedFunctions();
         ReadExports(exportedFuncs);
         return(exportedFuncs);
     }
     catch (IOException) {
         throw new DbgHookException($"Invalid PE file: {peImage.Filename}");
     }
 }
Exemplo n.º 2
0
        void ReadExports(ExportedFunctions exportedFuncs)
        {
            var exportHdr = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[0];

            if (exportHdr.VirtualAddress == 0 || exportHdr.Size < 0x28)
            {
                return;
            }

            var reader = peImage.CreateReader();

            reader.Position  = (uint)peImage.ToFileOffset(exportHdr.VirtualAddress);
            reader.Position += 16;
            uint ordinalBase         = reader.ReadUInt32();
            int  numFuncs            = reader.ReadInt32();
            int  numNames            = reader.ReadInt32();
            uint offsetOfFuncs       = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());
            uint offsetOfNames       = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());
            uint offsetOfNameIndexes = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());

            var names = ReadNames(ref reader, peImage, numNames, offsetOfNames, offsetOfNameIndexes);

            reader.Position = offsetOfFuncs;
            var allRvas = new uint[numFuncs];

            for (int i = 0; i < numFuncs; i++)
            {
                uint rva = reader.ReadUInt32();
                allRvas[i] = rva;
                if (rva != 0)
                {
                    exportedFuncs.Add((ushort)(ordinalBase + (uint)i), baseAddress + rva);
                }
            }

            foreach (var info in names)
            {
                int index = info.index;
                if ((uint)index >= (uint)allRvas.Length)
                {
                    continue;
                }
                uint rva = allRvas[index];
                if (rva == 0)
                {
                    continue;
                }
                exportedFuncs.Add(info.name, baseAddress + rva);
            }
        }