/// <summary>
/// Parse a library's delayed import information.
/// </summary>
/// <returns>A dictionary containing the location of import information keyed against the IAT address.</returns>
public IDictionary <IntPtr, IntPtr> ParseDelayedImports()
{
if (_delayed_imports != null)
{
return(_delayed_imports);
}
_delayed_imports = new Dictionary <IntPtr, IntPtr>();
IntPtr delayed_imports = Win32NativeMethods.ImageDirectoryEntryToData(handle, true, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, out int size);
if (delayed_imports == null)
{
return(new ReadOnlyDictionary <IntPtr, IntPtr>(_delayed_imports));
}
int i = 0;
int desc_size = Marshal.SizeOf(typeof(IMAGE_DELAY_IMPORT_DESCRIPTOR));
// Should really only do up to sizeof image delay import desc
while (i <= (size - desc_size))
{
IMAGE_DELAY_IMPORT_DESCRIPTOR desc = (IMAGE_DELAY_IMPORT_DESCRIPTOR)Marshal.PtrToStructure(delayed_imports, typeof(IMAGE_DELAY_IMPORT_DESCRIPTOR));
if (desc.szName == 0)
{
break;
}
ParseDelayedImport(_delayed_imports, desc);
delayed_imports += desc_size;
size -= desc_size;
}
return(new ReadOnlyDictionary <IntPtr, IntPtr>(_delayed_imports));
}
public void ImageDelayImportDescriptorConstructorWorks_Test()
{
var delayImportDescriptor = new IMAGE_DELAY_IMPORT_DESCRIPTOR(RawStructures.RawDelayImportDescriptor, 0x2);
Assert.Equal((uint)0x33221100, delayImportDescriptor.grAttrs);
Assert.Equal((uint)0x77665544, delayImportDescriptor.szName);
Assert.Equal((uint)0xbbaa9988, delayImportDescriptor.phmod);
Assert.Equal((uint)0xffeeddcc, delayImportDescriptor.pIAT);
Assert.Equal((uint)0x44332211, delayImportDescriptor.pINT);
Assert.Equal((uint)0xccbbaa99, delayImportDescriptor.pUnloadIAT);
Assert.Equal((uint)0x00ffeedd, delayImportDescriptor.dwTimeStamp);
}
private void ParseDelayedImport(Dictionary <IntPtr, IntPtr> imports, IMAGE_DELAY_IMPORT_DESCRIPTOR desc)
{
if (desc.pIAT == 0 || desc.pINT == 0)
{
return;
}
string name = Marshal.PtrToStringAnsi(RvaToVA(desc.szName));
IntPtr IAT = RvaToVA(desc.pIAT);
IntPtr INT = RvaToVA(desc.pINT);
try
{
using (SafeLoadLibraryHandle lib = SafeLoadLibraryHandle.LoadLibrary(name))
{
IntPtr import_name_rva = Marshal.ReadIntPtr(INT);
while (import_name_rva != IntPtr.Zero)
{
IntPtr import;
// Ordinal
if (import_name_rva.ToInt64() < 0)
{
import = lib.GetProcAddress(new IntPtr(import_name_rva.ToInt64() & 0xFFFF));
}
else
{
IntPtr import_ofs = RvaToVA(import_name_rva.ToInt64() + 2);
string import_name = Marshal.PtrToStringAnsi(import_ofs);
import = lib.GetProcAddress(import_name);
}
if (import != IntPtr.Zero)
{
imports[IAT] = import;
}
INT += IntPtr.Size;
IAT += IntPtr.Size;
import_name_rva = Marshal.ReadIntPtr(INT);
}
}
}
catch (Win32Exception)
{
}
}
internal DelayedImportDirectoryEntry(PortableExecutableImage image, Location location, IMAGE_DELAY_IMPORT_DESCRIPTOR descriptor, string name) : base(image, location, true)
{
_name = name;
Attributes = descriptor.Attributes;
Name = descriptor.Name;
ModuleHandle = descriptor.ModuleHandle;
DelayAddressTable = descriptor.DelayAddressTable;
DelayNameTable = descriptor.DelayNameTable;
BoundDelayIAT = descriptor.BoundDelayIAT;
UnloadDelayIAT = descriptor.UnloadDelayIAT;
TimeDateStamp = descriptor.TimeDateStamp;
}