public static bool IsGoogleTestExecutable(string executable, string customRegex, ILogger logger) { string googleTestIndicatorFile = $"{executable}{GoogleTestIndicator}"; if (File.Exists(googleTestIndicatorFile)) { logger.DebugInfo(String.Format(Resources.FileFound, executable)); return(true); } if (string.IsNullOrWhiteSpace(customRegex)) { if (PeParser.FindImport(executable, GoogleTestConstants.GoogleTestDllMarker, StringComparison.OrdinalIgnoreCase, logger) || Utils.BinaryFileContainsStrings(executable, Encoding.ASCII, GoogleTestConstants.GoogleTestExecutableMarkers)) { logger.DebugInfo($"Google Test indicators found in executable {executable}"); return(true); } } else { if (SafeMatches(executable, customRegex, logger)) { logger.DebugInfo(String.Format(Resources.MatchesCustom, executable, customRegex)); return(true); } } logger.DebugInfo(String.Format(Resources.FileNotFound, executable)); return(false); }
public void TestCanGetMZHeader32() { const string kernel32dump = "..\\..\\..\\..\\basicwindow32_kernel32.bin"; Assert.True(File.Exists(kernel32dump)); var kernel32mem = File.ReadAllBytes(kernel32dump); var dosHeader = Deserialize <PeParser.IMAGE_DOS_HEADER>(kernel32mem, 0); Assert.Equal <ushort>(0x5A4D, dosHeader.e_magic); var peHeaderOffset = dosHeader.e_lfanew; var peHeader = Deserialize <PeParser.IMAGE_FILE_HEADER>(kernel32mem, peHeaderOffset); Assert.Equal <uint>(0x00004550, peHeader.Signature); var optionalHeaderOffset = peHeaderOffset + Marshal.SizeOf(typeof(PeParser.IMAGE_FILE_HEADER)); var optionalHeader = Deserialize <PeParser.IMAGE_OPTIONAL_HEADER32>(kernel32mem, optionalHeaderOffset); // 0x020B for 64 bit, 0x010B for 32 bit Assert.Equal <ushort>(0x010B, optionalHeader.Magic); var exportDirectoryRefOffset = PeParser.GetExportDirectoryRefOffset32(dosHeader); var exportDirectoryRef = Deserialize <PeParser.IMAGE_DATA_DIRECTORY>(kernel32mem, (int)exportDirectoryRefOffset); Assert.Equal <uint>(0x170, exportDirectoryRefOffset); Assert.Equal <uint>(0x10, optionalHeader.NumberOfRvaAndSizes); Assert.Equal <uint>(0x972C0, exportDirectoryRef.VirtualAddress); }
public static bool IsGoogleTestExecutable(string executable, string customRegex, ILogger logger) { string googleTestIndicatorFile = $"{executable}{GoogleTestIndicator}"; if (File.Exists(googleTestIndicatorFile)) { logger.DebugInfo($"Google Test indicator file found for executable {executable} ({googleTestIndicatorFile})"); return(true); } if (string.IsNullOrWhiteSpace(customRegex)) { if (PeParser.FindImport(executable, GoogleTestConstants.GoogleTestDllMarker, StringComparison.OrdinalIgnoreCase, logger) || Utils.BinaryFileContainsStrings(executable, Encoding.ASCII, GoogleTestConstants.GoogleTestExecutableMarkers)) { logger.DebugInfo($"Google Test indicators found in executable {executable}"); return(true); } } else { if (SafeMatches(executable, customRegex, logger)) { logger.DebugInfo($"Custom regex '{customRegex}' matches executable '{executable}'"); return(true); } } logger.DebugInfo($"File does not seem to be Google Test executable: '{executable}'"); return(false); }
internal Dictionary <string, TestCaseLocation> ResolveAllTestCases(string executable, HashSet <string> testMethodSignatures, string symbolFilterString, string pathExtension) { var testCaseLocationsFound = FindTestCaseLocationsInBinary(executable, testMethodSignatures, symbolFilterString, pathExtension); if (testCaseLocationsFound.Count == 0) { List <string> imports = PeParser.ParseImports(executable, _logger); string moduleDirectory = Path.GetDirectoryName(executable); foreach (string import in imports) { // ReSharper disable once AssignNullToNotNullAttribute string importedBinary = Path.Combine(moduleDirectory, import); if (File.Exists(importedBinary)) { foreach (var testCaseLocation in FindTestCaseLocationsInBinary(importedBinary, testMethodSignatures, symbolFilterString, pathExtension)) { testCaseLocationsFound.Add(testCaseLocation.Key, testCaseLocation.Value); } } } } return(testCaseLocationsFound); }
static void Main(string[] args) { var bytes = File.ReadAllBytes("Compiler-2.exe"); var peParser = new PeParser(); var peFile = peParser.Parse(bytes); Console.ReadLine(); }
internal InjectionProperties(string targetProcessName, string dllPath) { DllPath = dllPath; SyscallManager = new SyscallManager(); RemoteProcess = new ProcessInstance(targetProcessName, SyscallManager); MemoryManager = new RemoteMemoryManager(RemoteProcess.Handle, SyscallManager); PeParser = new PeParser(dllPath); }
internal InjectionProperties(string targetProcessName, byte[] dllBytes) { DllBytes = dllBytes; SyscallManager = new SyscallManager(); RemoteProcess = new ProcessInstance(targetProcessName, SyscallManager); MemoryManager = new RemoteMemoryManager(RemoteProcess.Handle, SyscallManager); PeParser = new PeParser(DllBytes); }
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes) { ProcessManager = new ProcessManager(processName); Assembler = new Assembler(ProcessManager.IsWow64); DllBytes = dllBytes; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(ProcessManager.Process.SafeHandle); PeParser = new PeParser(dllBytes); }
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes) { MemoryManager = new MemoryManager(GetProcess(processName).SafeHandle); RemoteProcess = new ProcessWrapper(GetProcess(processName), MemoryManager); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = dllBytes; InjectionMethod = injectionMethod; PeParser = new PeParser(dllBytes); }
private void LoadSymbolsFromImports() { List <string> imports = PeParser.ParseImports(_executable, _logger); string moduleDirectory = Path.GetDirectoryName(_executable); foreach (string import in imports) { // ReSharper disable once AssignNullToNotNullAttribute string importedBinary = Path.Combine(moduleDirectory, import); if (File.Exists(importedBinary)) { AddSymbolsFromBinary(importedBinary); } } }
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes) { RemoteProcess = new ProcessWrapper(processName); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = dllBytes; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle); PdbParser = new Lazy <PdbParser>(() => new PdbParser(RemoteProcess.Modules.Find(module => module.Name == "ntdll.dll"))); PeParser = new PeParser(dllBytes); }
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes) { RemoteProcess = new ProcessWrapper(processName, WindowsVersion); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = dllBytes; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle); PeParser = new PeParser(dllBytes); WindowsVersion = GetWindowsVersion(); }
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath) { MemoryManager = new MemoryManager(GetProcess(processId).SafeHandle); RemoteProcess = new ProcessWrapper(GetProcess(processId), MemoryManager); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = File.ReadAllBytes(dllPath); DllPath = dllPath; InjectionMethod = injectionMethod; PeParser = new PeParser(dllPath); }
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, string dllPath) { ProcessManager = new ProcessManager(processName); Assembler = new Assembler(ProcessManager.IsWow64); DllBytes = File.ReadAllBytes(dllPath); DllPath = dllPath; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(ProcessManager.Process.SafeHandle); PeParser = new PeParser(DllBytes); }
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath) { RemoteProcess = new ProcessWrapper(processId); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = File.ReadAllBytes(dllPath); DllPath = dllPath; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle); PdbParser = new Lazy <PdbParser>(() => new PdbParser(RemoteProcess.Modules.Find(module => module.Name == "ntdll.dll"))); PeParser = new PeParser(dllPath); }
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath) { RemoteProcess = new ProcessWrapper(processId, WindowsVersion); Assembler = new Assembler(RemoteProcess.IsWow64); DllBytes = File.ReadAllBytes(dllPath); DllPath = dllPath; InjectionMethod = injectionMethod; MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle); PeParser = new PeParser(dllPath); WindowsVersion = GetWindowsVersion(); }
internal List <TestCaseLocation> ResolveAllTestCases(string executable, List <string> testMethodSignatures, string symbolFilterString, string pathExtension) { List <TestCaseLocation> testCaseLocationsFound = FindTestCaseLocationsInBinary(executable, testMethodSignatures, symbolFilterString, pathExtension).ToList(); if (testCaseLocationsFound.Count == 0) { List <string> imports = PeParser.ParseImports(executable, _testEnvironment); string moduleDirectory = Path.GetDirectoryName(executable); foreach (string import in imports) { // ReSharper disable once AssignNullToNotNullAttribute string importedBinary = Path.Combine(moduleDirectory, import); if (File.Exists(importedBinary)) { testCaseLocationsFound.AddRange(FindTestCaseLocationsInBinary(importedBinary, testMethodSignatures, symbolFilterString, pathExtension)); } } } return(testCaseLocationsFound); }
private void BuildImportTable(InjectionProperties injectionProperties, IntPtr localDllAddress) { var importedFunctions = injectionProperties.PeParser.GetImportedFunctions(); if (importedFunctions.Count == 0) { // The DLL has no imported functions return; } // Group the imported functions by the DLL they reside in var groupedFunctions = importedFunctions.GroupBy(importedFunction => importedFunction.DllName).ToList(); // Get the API set mappings List <ApiSetMapping> apiSetMappings; using (var peParser = new PeParser(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "apisetschema.dll"))) { apiSetMappings = peParser.GetApiSetMappings(); } var systemFolderPath = injectionProperties.RemoteProcess.IsWow64 ? Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) : Environment.GetFolderPath(Environment.SpecialFolder.System); foreach (var dll in groupedFunctions) { var dllName = dll.Key; if (dllName.StartsWith("api-ms")) { dllName = apiSetMappings.Find(apiSetMapping => apiSetMapping.VirtualDll.Equals(dllName, StringComparison.OrdinalIgnoreCase)).MappedToDll; } // Ensure the DLL is loaded in the target process if (!injectionProperties.RemoteProcess.Modules.Any(module => module.Name.Equals(dllName, StringComparison.OrdinalIgnoreCase))) { // Load the DLL into the target process new Injector().CreateRemoteThread(injectionProperties.RemoteProcess.TargetProcess.Id, Path.Combine(systemFolderPath, dllName)); } } injectionProperties.RemoteProcess.Refresh(); foreach (var importedFunction in groupedFunctions.SelectMany(dll => dll.Select(importedFunction => importedFunction))) { var dllName = importedFunction.DllName; if (dllName.StartsWith("api-ms")) { dllName = apiSetMappings.Find(apiSetMapping => apiSetMapping.VirtualDll.Equals(dllName, StringComparison.OrdinalIgnoreCase)).MappedToDll; } // Get the address of the imported function var importedFunctionAddress = injectionProperties.RemoteProcess.GetFunctionAddress(dllName, importedFunction.Name); // Write the imported function into the local process Marshal.WriteInt64(localDllAddress.AddOffset(importedFunction.Offset), (long)importedFunctionAddress); } }
internal PeInstance(string modulePath) { PeParser = new PeParser(modulePath); ExportedFunctions = PeParser.GetExportedFunctions(); }