/// <summary>
/// Resolves a module name to a loaded PE and reports which search strategy located it.
/// </summary>
/// <param name="RootPe">PE handed to <c>FindPe.FindPeFromDefault</c> as the root of the search.</param>
/// <param name="ModuleName">
/// Name of the module to resolve. When <c>LookupApiSetLibrary</c> returns a non-null name,
/// that name is searched for instead.
/// </param>
/// <param name="SxsCache">SxS entries forwarded to <c>FindPe.FindPeFromDefault</c>.</param>
/// <returns>
/// A tuple of the search strategy and the loaded PE. The PE is <c>null</c> when the search
/// produced no file path.
/// </returns>
public static Tuple<ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache)
{
    string apiSetHost = LookupApiSetLibrary(ModuleName);
    bool viaApiSet = apiSetHost != null;
    string searchName = viaApiSet ? apiSetHost : ModuleName;

    Tuple<ModuleSearchStrategy, string> located = FindPe.FindPeFromDefault(RootPe, searchName, SxsCache);
    string locatedPath = located.Item2;

    // Nothing on disk: report the search result as-is, with no PE.
    if (locatedPath == null)
    {
        return new Tuple<ModuleSearchStrategy, PE>(located.Item1, null);
    }

    // A resolved ApiSet import is reported as ApiSetSchema. This overwrites the strategy
    // that actually found the host library, so the returned tuple does not say which
    // search location the file came from.
    ModuleSearchStrategy strategy = viaApiSet ? ModuleSearchStrategy.ApiSetSchema : located.Item1;

    return new Tuple<ModuleSearchStrategy, PE>(strategy, LoadPe(locatedPath));
}
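/// <summary>
/// Background processing of a single PE file: every imported DLL is resolved to a file
/// on disk and recorded as an <c>ImportContext</c>.
/// It can be lengthy since there are disk accesses (and misses).
/// </summary>
/// <param name="NewTreeContexts">
/// This variable is passed as reference to be updated since this function is run in a separate thread.
/// One entry is appended per imported DLL, whether or not the DLL was found.
/// NOTE(review): the list is written without any locking here; presumably the caller does not
/// read it until this method has returned. Confirm against the caller.
/// </param>
/// <param name="newPe"> Current PE file analyzed </param>
private void ProcessPe(List<ImportContext> NewTreeContexts, PE newPe)
{
    List<PeImportDll> PeImports = newPe.GetImports();

    foreach (PeImportDll DllImport in PeImports)
    {
        bool FoundApiSet = false;
        string ImportDllName = DllImport.Name;

        // Look for api set target.
        // Ordinal comparison: this is an identifier prefix, not linguistic text, so the
        // result must not depend on the current culture.
        if (ImportDllName.StartsWith("api-", StringComparison.Ordinal) ||
            ImportDllName.StartsWith("ext-", StringComparison.Ordinal))
        {
            // Strip the .dll extension and the last number (which is probably a build counter)
            string ImportDllNameWithoutExtension = Path.GetFileNameWithoutExtension(ImportDllName);
            int LastDashIndex = ImportDllNameWithoutExtension.LastIndexOf('-');

            // The import name comes from the file being analyzed and is not trusted.
            // The prefix test above runs on the full name, while the dash is searched for
            // in the file-name part only, so that part may contain no '-' at all. Without
            // this guard Substring(0, -1) throws and ends the background processing.
            if (LastDashIndex >= 0)
            {
                string ImportDllHashKey = ImportDllNameWithoutExtension.Substring(0, LastDashIndex);

                if (this.ApiSetmapCache.ContainsKey(ImportDllHashKey))
                {
                    ApiSetTarget Targets = this.ApiSetmapCache[ImportDllHashKey];
                    if (Targets.Count > 0)
                    {
                        // Only the first target of the api set entry is used.
                        FoundApiSet = true;
                        ImportDllName = Targets[0];
                    }
                }
            }
        }

        ImportContext ImportModule = new ImportContext();
        ImportModule.PeFilePath = null;
        ImportModule.PeProperties = null;
        ImportModule.ModuleName = DllImport.Name;       // name as written in the import table
        ImportModule.IsApiSet = FoundApiSet;
        ImportModule.ApiSetModuleName = ImportDllName;  // api set target, or the original name if none
        ImportModule.IsDelayLoadImport = (DllImport.Flags & 0x01) == 0x01; // TODO : Use proper macros

        // Find Dll in "paths"
        Tuple<ModuleSearchStrategy, String> FoundPe = FindPe.FindPeFromDefault(this.Pe, ImportDllName, this.SxsEntriesCache);
        ImportModule.ModuleLocation = FoundPe.Item1;

        if (ImportModule.ModuleLocation != ModuleSearchStrategy.NOT_FOUND)
        {
            ImportModule.PeFilePath = FoundPe.Item2;
            ImportModule.PeProperties = BinaryCache.LoadPe(ImportModule.PeFilePath);
        }

        NewTreeContexts.Add(ImportModule);
    }
}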
/// <summary>
/// Rebuilds the import list view from the given import table, then re-applies the search filter.
/// </summary>
/// <param name="Imports">Imported DLLs, each with its list of imported symbols.</param>
/// <param name="rootPe">PE handed to <c>FindPe.FindPeFromDefault</c> as the root of the search.</param>
/// <param name="SxsCache">SxS entries forwarded to <c>FindPe.FindPeFromDefault</c>.</param>
/// <param name="SymPrv">Symbol provider passed to every <c>DisplayPeImport</c> created.</param>
public void SetImports(List<PeImportDll> Imports, PE rootPe, SxsEntries SxsCache, PhSymbolProvider SymPrv)
{
    this.ImportList.Items.Clear();

    foreach (PeImportDll importedDll in Imports)
    {
        // The import name is searched for as written; no ApiSet lookup is done in this method.
        // Item2 is passed on without a null check, so each DisplayPeImport receives whatever
        // path value the search returned.
        string resolvedPath = FindPe.FindPeFromDefault(rootPe, importedDll.Name, SxsCache).Item2;

        foreach (PeImport importedSymbol in importedDll.ImportList)
        {
            DisplayPeImport row = new DisplayPeImport(importedSymbol, SymPrv, resolvedPath);
            this.ImportList.Items.Add(row);
        }
    }

    // Refresh search view
    ImportSearchFilter_OnTextChanged(null, null);
}
/// <summary>
/// Resolves a module name to a loaded PE and reports which search strategy located it.
/// A name with no extension is treated as a <c>.dll</c>.
/// </summary>
/// <param name="RootPe">PE handed to <c>FindPe.FindPeFromDefault</c> as the root of the search.</param>
/// <param name="ModuleName">
/// Name of the module to resolve. <c>.dll</c> is appended when <c>Path.GetExtension</c> returns
/// an empty string. When <c>LookupApiSetLibrary</c> then returns a non-null name, that name is
/// searched for instead.
/// </param>
/// <param name="SxsCache">SxS entries forwarded to <c>FindPe.FindPeFromDefault</c>.</param>
/// <returns>
/// A tuple of the search strategy and the loaded PE. The PE is <c>null</c> when the search
/// produced no file path.
/// </returns>
public static Tuple<ModuleSearchStrategy, PE> ResolveModule(PE RootPe, string ModuleName, SxsEntries SxsCache)
{
    // if no extension is used, assume a .dll
    bool lacksExtension = Path.GetExtension(ModuleName) == String.Empty;
    string requestedName = lacksExtension ? String.Format("{0:s}.dll", ModuleName) : ModuleName;

    // The ApiSet lookup runs on the name after the extension has been defaulted.
    string apiSetHost = LookupApiSetLibrary(requestedName);
    bool viaApiSet = apiSetHost != null;
    string searchName = viaApiSet ? apiSetHost : requestedName;

    Tuple<ModuleSearchStrategy, string> located = FindPe.FindPeFromDefault(RootPe, searchName, SxsCache);
    string locatedPath = located.Item2;

    // Nothing on disk: report the search result as-is, with no PE.
    if (locatedPath == null)
    {
        return new Tuple<ModuleSearchStrategy, PE>(located.Item1, null);
    }

    // A resolved ApiSet import is reported as ApiSetSchema. This overwrites the strategy
    // that actually found the host library, so the returned tuple does not say which
    // search location the file came from.
    ModuleSearchStrategy strategy = viaApiSet ? ModuleSearchStrategy.ApiSetSchema : located.Item1;

    return new Tuple<ModuleSearchStrategy, PE>(strategy, LoadPe(locatedPath));
}