/// <summary>
/// Reads the Export Address Table (EAT) of this module from live memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <returns></returns>
public Tuple <string, int>[] ReadExportedFunctions(MemUtils memUtils, IntPtr imageBase,
_IMAGE_EXPORT_DIRECTORY ied)
{
var functions = new List <Tuple <string, int> >();
var lpFunctions = (IntPtr)(imageBase.ToInt64() + ied.AddressOfFunctions);
var lpNames = (IntPtr)(imageBase.ToInt64() + ied.AddressOfNames);
for (var i = 0; i < ied.NumberOfFunctions; i++)
{
var address = memUtils.Read <int>((IntPtr)(lpFunctions.ToInt64() + i * 4));
var name = "?";
if (lpFunctions != lpNames)
{
var nameAddress = memUtils.Read <int>((IntPtr)(lpNames.ToInt64() + i * 4));
name = memUtils.ReadString((IntPtr)(imageBase.ToInt64() + nameAddress), 64, Encoding.ASCII);
}
functions.Add(new Tuple <string, int>(name, address));
}
return(functions.ToArray());
}
/// <summary>
/// Reads the Export Address Table (EAT) of this module from live memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <returns></returns>
public Tuple<string, int>[] ReadExportedFunctions(MemUtils memUtils, IntPtr imageBase,
_IMAGE_EXPORT_DIRECTORY ied)
{
var functions = new List<Tuple<string, int>>();
var lpFunctions = (IntPtr) (imageBase.ToInt64() + ied.AddressOfFunctions);
var lpNames = (IntPtr) (imageBase.ToInt64() + ied.AddressOfNames);
for (var i = 0; i < ied.NumberOfFunctions; i++)
{
var address = memUtils.Read<int>((IntPtr) (lpFunctions.ToInt64() + i*4));
var name = "?";
if (lpFunctions != lpNames)
{
var nameAddress = memUtils.Read<int>((IntPtr) (lpNames.ToInt64() + i*4));
name = memUtils.ReadString((IntPtr) (imageBase.ToInt64() + nameAddress), 64, Encoding.ASCII);
}
functions.Add(new Tuple<string, int>(name, address));
}
return functions.ToArray();
}
/// <summary>
/// Reads the name of this module from live-memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <returns></returns>
public string ReadName(MemUtils memUtils, _IMAGE_EXPORT_DIRECTORY ied, IntPtr imageBase)
{
return(memUtils.ReadString((IntPtr)(imageBase.ToInt64() + ied.Name), 32, Encoding.ASCII));
}
/// <summary>
/// Reads the name of this module from live-memory
/// </summary>
/// <param name="memUtils">MemUtils-instance that is used to read data</param>
/// <param name="ied">The _IMAGE_EXPORT_DIRECTORY of this module</param>
/// <param name="imageBase">Base-address pf this module in memory</param>
/// <returns></returns>
public string ReadName(MemUtils memUtils, _IMAGE_EXPORT_DIRECTORY ied, IntPtr imageBase)
{
return memUtils.ReadString((IntPtr) (imageBase.ToInt64() + ied.Name), 32, Encoding.ASCII);
}
