private void loadImportTable(Process process, uint importTableAddress, uint length, uint baseAddress) { // Read in the first import descriptor structure byte[] image_import_descriptor_rawData = oMemoryFunctions.readMemory(process, importTableAddress, (uint)Marshal.SizeOf(typeof(image_import_descriptor))); image_import_descriptor descriptor = (image_import_descriptor)oMemoryFunctions.RawDataToObject(ref image_import_descriptor_rawData, typeof(image_import_descriptor)); List<image_import_by_name> imports = new List<image_import_by_name>(0); while (descriptor.FirstThunk != 0 || descriptor.OriginalFirstThunk != 0 || descriptor.Name != 0) { // Process this descriptor imports.Add(new image_import_by_name(process, descriptor, (int)baseAddress)); // Read next descriptor image_import_descriptor_rawData = oMemoryFunctions.readMemory(process, oMemoryFunctions.addressAdd(importTableAddress, (ulong)(imports.Count * Marshal.SizeOf(typeof(image_import_descriptor)))), (uint)Marshal.SizeOf(typeof(image_import_descriptor))); descriptor = (image_import_descriptor)oMemoryFunctions.RawDataToObject(ref image_import_descriptor_rawData, typeof(image_import_descriptor)); } // Now lets process the array of descriptors foreach (image_import_by_name dllDescriptor in imports) { for (int i = 0; i < dllDescriptor.ImportTableAddresses.Count; i++) { // Process this function import try { IMPORT_FUNCTION newImport = new IMPORT_FUNCTION(); newImport.name = dllDescriptor.Names[i]; newImport.memoryAddress = (uint) dllDescriptor.ImportTableAddresses[i]; newImport.targetAddress = oMemoryFunctions.readMemoryDword(process, (ulong) newImport.memoryAddress); importTable.Add(newImport); }catch { // Not a critical error } } } }
public image_import_by_name(Process process, image_import_descriptor descriptor, int baseAddress) { AddressOfData = new List<uint>(0); ImportTableAddresses = new List<int>(0); Names = new List<string>(0); // Read the AddressOfData array in if (descriptor.OriginalFirstThunk != 0 && descriptor.FirstThunk != 0) { // Read in the descriptor table with names int i = 0; uint newAddress = oMemoryFunctions.readMemoryDword(process, ((ulong) descriptor.OriginalFirstThunk + (ulong) baseAddress + (ulong) i*4) & 0x7fffffff); while (newAddress != 0) { // Add this new address AddressOfData.Add(newAddress & 0x7fffffff); // Add the string corresponding to this new function if ((newAddress & 0x80000000) > 0) { // Export by ordinal newAddress = newAddress & 0x7fffffff; Names.Add("ordinal 0x" + oMemoryFunctions.readMemoryUShort(process, (ulong)(newAddress + baseAddress) & 0x7fffffff). ToString("X")); } else if (newAddress > 0) { // Export by name Names.Add(oMemoryFunctions.readMemoryString(process, (ulong)(newAddress + baseAddress + 2) & 0x7fffffff, 256)); } else { // There is no name or ordinal given, probably obfuscated? Names.Add("obfuscated?"); } // Add the pe table address corresponding to this function ImportTableAddresses.Add((descriptor.FirstThunk + baseAddress + i*4) & 0x7fffffff); // Read in the next value i++; newAddress = oMemoryFunctions.readMemoryDword(process, ((ulong) descriptor.OriginalFirstThunk + (ulong) baseAddress + (ulong) i*4) & 0x7fffffff); } }else { // Read in the descriptor table without names int i = 0; ulong addressThunk = (ulong) (descriptor.OriginalFirstThunk != 0 ? descriptor.OriginalFirstThunk : descriptor.FirstThunk); if( addressThunk == 0 ) return; // We have no imports that we can read in. uint newAddress = oMemoryFunctions.readMemoryDword(process, (addressThunk + (ulong)baseAddress + (ulong)i * 4) & 0x7fffffff); while (newAddress != 0) { // Add this new address AddressOfData.Add(newAddress & 0x7fffffff); Names.Add(""); ImportTableAddresses.Add( ( (int)addressThunk + baseAddress + i * 4 ) & 0x7fffffff); // Read in the next value i++; newAddress = oMemoryFunctions.readMemoryDword(process, (addressThunk + (ulong)baseAddress + (ulong)i * 4) & 0x7fffffff); } } }