public static Tuple <ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache) { Tuple <ModuleSearchStrategy, string> ResolvedFilepath; string ApiSetName = LookupApiSetLibrary(ModuleName); if (ApiSetName != null) { ModuleName = ApiSetName; } ResolvedFilepath = FindPe.FindPeFromDefault(RootPe, ModuleName, SxsCache); // ApiSet override the underneath search location if found ModuleSearchStrategy ModuleLocation = ResolvedFilepath.Item1; if ((ApiSetName != null) && (ResolvedFilepath.Item2 != null)) { ModuleLocation = ModuleSearchStrategy.ApiSetSchema; } // PE ResolvedModule = null; if (ResolvedFilepath.Item2 != null) { ResolvedModule = LoadPe(ResolvedFilepath.Item2); } return(new Tuple <ModuleSearchStrategy, PE>(ModuleLocation, ResolvedModule)); }
/// <summary> /// Background processing of a single PE file. /// It can be lengthy since there are disk access (and misses). /// </summary> /// <param name="NewTreeContexts"> This variable is passed as reference to be updated since this function is run in a separate thread. </param> /// <param name="newPe"> Current PE file analyzed </param> private void ProcessPe(List <ImportContext> NewTreeContexts, PE newPe) { List <PeImportDll> PeImports = newPe.GetImports(); foreach (PeImportDll DllImport in PeImports) { bool FoundApiSet = false; string ImportDllName = DllImport.Name; // Look for api set target if (ImportDllName.StartsWith("api-") || ImportDllName.StartsWith("ext-")) { // Strip the .dll extension and the last number (which is probably a build counter) string ImportDllNameWithoutExtension = Path.GetFileNameWithoutExtension(ImportDllName); string ImportDllHashKey = ImportDllNameWithoutExtension.Substring(0, ImportDllNameWithoutExtension.LastIndexOf("-")); if (this.ApiSetmapCache.ContainsKey(ImportDllHashKey)) { ApiSetTarget Targets = this.ApiSetmapCache[ImportDllHashKey]; if (Targets.Count > 0) { FoundApiSet = true; ImportDllName = Targets[0]; } } } ImportContext ImportModule = new ImportContext(); ImportModule.PeFilePath = null; ImportModule.PeProperties = null; ImportModule.ModuleName = DllImport.Name; ImportModule.IsApiSet = FoundApiSet; ImportModule.ApiSetModuleName = ImportDllName; ImportModule.IsDelayLoadImport = (DllImport.Flags & 0x01) == 0x01; // TODO : Use proper macros // Find Dll in "paths" Tuple <ModuleSearchStrategy, String> FoundPe = FindPe.FindPeFromDefault(this.Pe, ImportDllName, this.SxsEntriesCache); ImportModule.ModuleLocation = FoundPe.Item1; if (ImportModule.ModuleLocation != ModuleSearchStrategy.NOT_FOUND) { ImportModule.PeFilePath = FoundPe.Item2; ImportModule.PeProperties = BinaryCache.LoadPe(ImportModule.PeFilePath); } NewTreeContexts.Add(ImportModule); } }
public void SetImports(List <PeImportDll> Imports, PE rootPe, SxsEntries SxsCache, PhSymbolProvider SymPrv) { this.ImportList.Items.Clear(); foreach (PeImportDll DllImport in Imports) { Tuple <ModuleSearchStrategy, String> PeFilePath = FindPe.FindPeFromDefault(rootPe, DllImport.Name, SxsCache); foreach (PeImport Import in DllImport.ImportList) { this.ImportList.Items.Add(new DisplayPeImport(Import, SymPrv, PeFilePath.Item2)); } } // Refresh search view ImportSearchFilter_OnTextChanged(null, null); }
public static Tuple <ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache) { Tuple <ModuleSearchStrategy, string> ResolvedFilepath; // if no extension is used, assume a .dll if (Path.GetExtension(ModuleName) == String.Empty) { ModuleName = String.Format("{0:s}.dll", ModuleName); } string ApiSetName = LookupApiSetLibrary(ModuleName); if (ApiSetName != null) { ModuleName = ApiSetName; } ResolvedFilepath = FindPe.FindPeFromDefault(RootPe, ModuleName, SxsCache); // ApiSet override the underneath search location if found ModuleSearchStrategy ModuleLocation = ResolvedFilepath.Item1; if ((ApiSetName != null) && (ResolvedFilepath.Item2 != null)) { ModuleLocation = ModuleSearchStrategy.ApiSetSchema; } // PE ResolvedModule = null; if (ResolvedFilepath.Item2 != null) { ResolvedModule = LoadPe(ResolvedFilepath.Item2); } return(new Tuple <ModuleSearchStrategy, PE>(ModuleLocation, ResolvedModule)); }
private void ProcessClrImports(Dictionary <string, ImportContext> NewTreeContexts, PE AnalyzedPe, ImportContext ImportModule) { List <PeImportDll> PeImports = AnalyzedPe.GetImports(); // only mscorre triggers clr parsing string User32Filepath = Path.Combine(FindPe.GetSystemPath(this.Pe), "mscoree.dll"); if (ImportModule.PeFilePath != User32Filepath) { return; } var resolver = new DefaultAssemblyResolver(); resolver.AddSearchDirectory(RootFolder); // Parse it via cecil AssemblyDefinition PeAssembly = null; try { PeAssembly = AssemblyDefinition.ReadAssembly(AnalyzedPe.Filepath); } catch (BadImageFormatException) { MessageBoxResult result = MessageBox.Show( String.Format("Cecil could not correctly parse {0:s}, which can happens on .NET Core executables. CLR imports will be not shown", AnalyzedPe.Filepath), "CLR parsing fail" ); return; } foreach (var module in PeAssembly.Modules) { // Process CLR referenced assemblies foreach (var assembly in module.AssemblyReferences) { AssemblyDefinition definition; try { definition = resolver.Resolve(assembly); } catch (AssemblyResolutionException) { ImportContext AppInitImportModule = new ImportContext(); AppInitImportModule.PeFilePath = null; AppInitImportModule.PeProperties = null; AppInitImportModule.ModuleName = Path.GetFileName(assembly.Name); AppInitImportModule.ApiSetModuleName = null; AppInitImportModule.Flags = ModuleFlag.ClrReference; AppInitImportModule.ModuleLocation = ModuleSearchStrategy.ClrAssembly; AppInitImportModule.Flags |= ModuleFlag.NotFound; if (!NewTreeContexts.ContainsKey(AppInitImportModule.ModuleName)) { NewTreeContexts.Add(AppInitImportModule.ModuleName, AppInitImportModule); } continue; } foreach (var AssemblyModule in definition.Modules) { Debug.WriteLine("Referenced Assembling loading " + AssemblyModule.Name + " : " + AssemblyModule.FileName); // Do not process twice the same imported module if (null != PeImports.Find(mod => mod.Name == Path.GetFileName(AssemblyModule.FileName))) { continue; } ImportContext AppInitImportModule = new ImportContext(); AppInitImportModule.PeFilePath = null; AppInitImportModule.PeProperties = null; AppInitImportModule.ModuleName = Path.GetFileName(AssemblyModule.FileName); AppInitImportModule.ApiSetModuleName = null; AppInitImportModule.Flags = ModuleFlag.ClrReference; AppInitImportModule.ModuleLocation = ModuleSearchStrategy.ClrAssembly; Tuple <ModuleSearchStrategy, PE> ResolvedAppInitModule = BinaryCache.ResolveModule( this.Pe, AssemblyModule.FileName, this.SxsEntriesCache, this.CustomSearchFolders, this.WorkingDirectory ); if (ResolvedAppInitModule.Item1 != ModuleSearchStrategy.NOT_FOUND) { AppInitImportModule.PeProperties = ResolvedAppInitModule.Item2; AppInitImportModule.PeFilePath = ResolvedAppInitModule.Item2.Filepath; } else { AppInitImportModule.Flags |= ModuleFlag.NotFound; } if (!NewTreeContexts.ContainsKey(AppInitImportModule.ModuleName)) { NewTreeContexts.Add(AppInitImportModule.ModuleName, AppInitImportModule); } } } // Process unmanaged dlls for native calls foreach (var UnmanagedModule in module.ModuleReferences) { // some clr dll have a reference to an "empty" dll if (UnmanagedModule.Name.Length == 0) { continue; } Debug.WriteLine("Referenced module loading " + UnmanagedModule.Name); // Do not process twice the same imported module if (null != PeImports.Find(m => m.Name == UnmanagedModule.Name)) { continue; } ImportContext AppInitImportModule = new ImportContext(); AppInitImportModule.PeFilePath = null; AppInitImportModule.PeProperties = null; AppInitImportModule.ModuleName = UnmanagedModule.Name; AppInitImportModule.ApiSetModuleName = null; AppInitImportModule.Flags = ModuleFlag.ClrReference; AppInitImportModule.ModuleLocation = ModuleSearchStrategy.ClrAssembly; Tuple <ModuleSearchStrategy, PE> ResolvedAppInitModule = BinaryCache.ResolveModule( this.Pe, UnmanagedModule.Name, this.SxsEntriesCache, this.CustomSearchFolders, this.WorkingDirectory ); if (ResolvedAppInitModule.Item1 != ModuleSearchStrategy.NOT_FOUND) { AppInitImportModule.PeProperties = ResolvedAppInitModule.Item2; AppInitImportModule.PeFilePath = ResolvedAppInitModule.Item2.Filepath; } if (!NewTreeContexts.ContainsKey(AppInitImportModule.ModuleName)) { NewTreeContexts.Add(AppInitImportModule.ModuleName, AppInitImportModule); } } } }
private void ProcessAppInitDlls(Dictionary <string, ImportContext> NewTreeContexts, PE AnalyzedPe, ImportContext ImportModule) { List <PeImportDll> PeImports = AnalyzedPe.GetImports(); // only user32 triggers appinit dlls string User32Filepath = Path.Combine(FindPe.GetSystemPath(this.Pe), "user32.dll"); if (ImportModule.PeFilePath != User32Filepath) { return; } string AppInitRegistryKey = (this.Pe.IsArm32Dll()) ? "SOFTWARE\\WowAA32Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows" : (this.Pe.IsWow64Dll()) ? "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; // Opening registry values RegistryKey localKey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64); localKey = localKey.OpenSubKey(AppInitRegistryKey); int LoadAppInitDlls = (int)localKey.GetValue("LoadAppInit_DLLs", 0); string AppInitDlls = (string)localKey.GetValue("AppInit_DLLs", ""); if (LoadAppInitDlls == 0 || String.IsNullOrEmpty(AppInitDlls)) { return; } // Extremely crude parser. TODO : Add support for quotes wrapped paths with spaces foreach (var AppInitDll in AppInitDlls.Split(' ')) { Debug.WriteLine("AppInit loading " + AppInitDll); // Do not process twice the same imported module if (null != PeImports.Find(module => module.Name == AppInitDll)) { continue; } if (NewTreeContexts.ContainsKey(AppInitDll)) { continue; } ImportContext AppInitImportModule = new ImportContext(); AppInitImportModule.PeFilePath = null; AppInitImportModule.PeProperties = null; AppInitImportModule.ModuleName = AppInitDll; AppInitImportModule.ApiSetModuleName = null; AppInitImportModule.Flags = 0; AppInitImportModule.ModuleLocation = ModuleSearchStrategy.AppInitDLL; Tuple <ModuleSearchStrategy, PE> ResolvedAppInitModule = BinaryCache.ResolveModule( this.Pe, AppInitDll, this.SxsEntriesCache, this.CustomSearchFolders, this.WorkingDirectory ); if (ResolvedAppInitModule.Item1 != ModuleSearchStrategy.NOT_FOUND) { AppInitImportModule.PeProperties = ResolvedAppInitModule.Item2; AppInitImportModule.PeFilePath = ResolvedAppInitModule.Item2.Filepath; } else { AppInitImportModule.Flags |= ModuleFlag.NotFound; } NewTreeContexts.Add(AppInitDll, AppInitImportModule); } }