Filling imports #61

Closed
ghost opened this issue Jan 12, 2019 · 1 comment

ghost commented Jan 12, 2019

There does not appear to be any way to easily translate an imported function to its IAT address (for mapping an image into memory.) The following code works. 64 bit only, was in a hurry!

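    // Namespaces assumed from the PeNet 1.x layout.
    using System;
    using PeNet;
    using PeNet.Structures;
    using PeNet.Utilities;

    public struct BetterImportedFunction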
    {
        /// <summary>
        /// The module of the import.
        /// </summary>
        public string Module;
        /// <summary>
        /// The function being imported.
        /// </summary>
        public string Function;
        /// <summary>
        /// The ordinal being imported.
        /// </summary>
        public int Ordinal;
        /// <summary>
        /// The IAT address to fill.
        /// </summary>
        public ulong FillAddress;
    }

    public static class PeFileExtensions
    {
        private const ulong OrdinalBit = 0x8000000000000000ul;
        private const ulong OrdinalMask = 0x7FFFFFFFFFFFFFFFul;
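
        /// <summary>
        /// Walks the FirstThunk array of every import descriptor and reports each
        /// import together with the RVA of its IAT slot. Assumes 8-byte (PE32+) thunks.
        /// </summary>
        public static void IterateImports(this PeFile file, Action<BetterImportedFunction> handler)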
        {
            var headers = file.ImageSectionHeaders;
            foreach (var import in file.ImageImportDescriptors)
            {
                var module = file.Buff.GetCString(import.Name.RVAtoFileMapping(headers));
                var round = 0u;

                var thunkAddr = import.FirstThunk.RVAtoFileMapping(headers);
                var thunk = new IMAGE_THUNK_DATA(file.Buff, thunkAddr, true);
                while (thunk.AddressOfData != 0)
                {
                    if ((thunk.Ordinal & OrdinalBit) == OrdinalBit)
                    {
                        handler.Invoke(new BetterImportedFunction
                        {
                            Module = module,
                            Function = null,
                            Ordinal = (ushort)(thunk.Ordinal & OrdinalMask),
                            FillAddress = import.FirstThunk + (round * 8)
                        });
                    }
                    else
                    {
                        var addrOfNameData = ((uint)thunk.AddressOfData).RVAtoFileMapping(headers);
                        var nameData = new IMAGE_IMPORT_BY_NAME(file.Buff, addrOfNameData);

                        handler.Invoke(new BetterImportedFunction
                        {
                            Module = module,
                            Function = nameData.Name,
                            Ordinal = -1,
                            FillAddress = import.FirstThunk + (round * 8)
                        });
                    }

                    round += 1;
                    thunk = new IMAGE_THUNK_DATA(file.Buff, thunkAddr + (round * 8u), true);
                }
            }
        }
    }
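
The same thunk walk without PeNet, as an added example that is not part of the original post or of the PeNet code base. It goes beyond the 64-bit-only case above by handling PE32 as well, and it bounds-checks every read so a malformed file without a terminating thunk cannot run the loop off the buffer. The names `ThunkWalker`, `Walk` and `Demo` and the sample bytes are constructed for illustration.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;

public static class ThunkWalker
{
    // image: raw file bytes; offset: file offset of the thunk array;
    // firstThunkRva: RVA of that array (FirstThunk); is64: PE32+ vs PE32.
    // Ordinal is -1 for by-name imports; NameRva is 0 for by-ordinal imports.
    public static List<(uint SlotRva, int Ordinal, uint NameRva)> Walk(
        byte[] image, int offset, uint firstThunkRva, bool is64)
    {
        int size = is64 ? 8 : 4;                    // thunk width in bytes
        ulong flag = is64 ? 1UL << 63 : 1UL << 31;  // import-by-ordinal bit
        var slots = new List<(uint, int, uint)>();
        for (uint i = 0; ; i++)
        {
            long pos = offset + (long)i * size;
            if (pos < 0 || pos + size > image.Length)  // malformed file: no terminator
                throw new InvalidOperationException("thunk array runs past end of buffer");
            var span = image.AsSpan((int)pos, size);
            ulong raw = is64 ? BinaryPrimitives.ReadUInt64LittleEndian(span)
                             : BinaryPrimitives.ReadUInt32LittleEndian(span);
            if (raw == 0) return slots;                // all-zero thunk ends the array
            uint slotRva = firstThunkRva + i * (uint)size;  // address the loader must fill
            slots.Add((raw & flag) != 0
                ? (slotRva, (int)(raw & 0xFFFF), 0u)            // by ordinal: low 16 bits
                : (slotRva, -1, (uint)(raw & 0x7FFFFFFF)));     // by name: hint/name RVA, bits 30-0
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: one by-name thunk, one by-ordinal thunk, then the terminator.
        var pe64 = new byte[24];
        BinaryPrimitives.WriteUInt64LittleEndian(pe64.AsSpan(0), 0x3100);
        BinaryPrimitives.WriteUInt64LittleEndian(pe64.AsSpan(8), 0x8000000000000010);
        var pe32 = new byte[12];
        BinaryPrimitives.WriteUInt32LittleEndian(pe32.AsSpan(0), 0x3100);
        BinaryPrimitives.WriteUInt32LittleEndian(pe32.AsSpan(4), 0x80000010);
        foreach (var (buf, is64) in new[] { (pe64, true), (pe32, false) })
            foreach (var s in ThunkWalker.Walk(buf, 0, 0x2000, is64))
                Console.WriteLine($"{(is64 ? "PE32+" : "PE32")} slot=0x{s.SlotRva:X} ordinal={s.Ordinal} nameRva=0x{s.NameRva:X}");
    }
}
```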

secana commented Dec 6, 2019

Added in v1.2.0

@secana secana closed this as completed Dec 6, 2019