Skip to content

Commit

Permalink
Renamed LookupTables to ILT and added IAT support.
Browse files Browse the repository at this point in the history
  • Loading branch information
@lkinsella
lkinsella committed Jan 18, 2016
1 parent d60e5b3 commit e39fbe0
Show file tree
Hide file tree
Showing 2 changed files with 115 additions and 13 deletions.
73 changes: 62 additions & 11 deletions Src/Workshell.PE/Imports/ImportContent.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ public class ImportContent : SectionContent, ILocationSupport, IRawDataSupport,
private StreamLocation location;
private ImportDirectory directory;
private ImportLookupTables ilt;
private ImportLookupTables iat;
private ImportHintNameTable hint_name_table;
private List<ImportLibrary> libraries;

Expand All @@ -54,7 +55,8 @@ internal ImportContent(DataDirectory dataDirectory, Section section) : base(data
Stream stream = Section.Sections.Reader.Stream;

LoadDirectory(stream);
LoadLookupTables(stream);
LoadILT(stream);
LoadIAT(stream);
LoadHintNameTable(stream);
LoadLibraries(stream);
}
Expand Down Expand Up @@ -105,7 +107,7 @@ private void LoadDirectory(Stream stream)
directory = new ImportDirectory(this,descriptors,directory_location);
}

private void LoadLookupTables(Stream stream)
private void LoadILT(Stream stream)
{
ilt = new ImportLookupTables(this);

Expand All @@ -116,13 +118,10 @@ private void LoadLookupTables(Stream stream)
long ilt_offset = 0;

if (entry.OriginalFirstThunk != 0)
{
ilt_offset = Convert.ToInt32(Section.RVAToOffset(entry.OriginalFirstThunk));
}
else
{
ilt_offset = Convert.ToInt32(Section.RVAToOffset(entry.FirstThunk));
}

if (ilt_offset == 0)
return;

stream.Seek(ilt_offset,SeekOrigin.Begin);

Expand Down Expand Up @@ -154,6 +153,52 @@ private void LoadLookupTables(Stream stream)
}
}

private void LoadIAT(Stream stream)
{
iat = new ImportLookupTables(this);

for(int i = 0; i < directory.Count; i++)
{
ImportDirectoryEntry entry = directory[i];
List<ulong> iat_entries = new List<ulong>();
long iat_offset = 0;

if (entry.FirstThunk != 0)
iat_offset = Convert.ToInt32(Section.RVAToOffset(entry.OriginalFirstThunk));

if (iat_offset == 0)
return;

stream.Seek(iat_offset,SeekOrigin.Begin);

while (true)
{
if (!Section.Sections.Reader.Is64Bit)
{
uint iat_entry = Utils.ReadUInt32(stream);

if (iat_entry == 0)
break;

iat_entries.Add(iat_entry);
}
else
{
ulong iat_entry = Utils.ReadUInt64(stream);

if (iat_entry == 0)
break;

iat_entries.Add(iat_entry);
}
}

long iat_size = (iat_entries.Count + 1) * (Section.Sections.Reader.Is64Bit ? sizeof(ulong) : sizeof(uint));

iat.Create(entry,iat_offset,iat_size,iat_entries);
}
}

private void LoadHintNameTable(Stream stream)
{
hint_name_table = new ImportHintNameTable(this);
Expand Down Expand Up @@ -240,8 +285,6 @@ private void LoadLibraries(Stream stream)
}
}
}

//libraries = libraries.OrderBy(lib => lib.Name).ToList();
}

#endregion
Expand All @@ -264,14 +307,22 @@ public ImportDirectory Directory
}
}

public ImportLookupTables LookupTables
public ImportLookupTables ILT
{
get
{
return ilt;
}
}

public ImportLookupTables IAT
{
get
{
return iat;
}
}

public ImportHintNameTable HintNameTable
{
get
Expand Down
55 changes: 53 additions & 2 deletions Src/Workshell.PE/Imports/ImportDirectory.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,14 @@ public class ImportDirectoryEntry : ILocationSupport, IRawDataSupport

private static readonly int size = Utils.SizeOf<IMAGE_IMPORT_DESCRIPTOR>();

private ImportDirectory directory;
private IMAGE_IMPORT_DESCRIPTOR descriptor;
private StreamLocation location;
private string name;

internal ImportDirectoryEntry(IMAGE_IMPORT_DESCRIPTOR importDescriptor, long descriptorOffset)
internal ImportDirectoryEntry(ImportDirectory importDirectory, IMAGE_IMPORT_DESCRIPTOR importDescriptor, long descriptorOffset)
{
directory = importDirectory;
descriptor = importDescriptor;
location = new StreamLocation(descriptorOffset,size);
}
Expand All @@ -36,6 +39,37 @@ public byte[] GetBytes()
return mem.ToArray();
}
}

public DateTime GetTimeDateStamp()
{
return Utils.ConvertTimeDateStamp(descriptor.TimeDateStamp);
}

public string GetName()
{
if (String.IsNullOrWhiteSpace(name))
{
StringBuilder builder = new StringBuilder();
Stream stream = directory.Content.Section.Sections.Reader.Stream;
long offset = Convert.ToInt64(directory.Content.Section.RVAToOffset(descriptor.Name));

stream.Seek(offset,SeekOrigin.Begin);

while (true)
{
int b = stream.ReadByte();

if (b <= 0)
break;

builder.Append((char)b);
}

name = builder.ToString();
}

return name;
}

#endregion

Expand All @@ -53,6 +87,14 @@ public static int Size

#region Properties

public ImportDirectory Directory
{
get
{
return directory;
}
}

public StreamLocation Location
{
get
Expand Down Expand Up @@ -127,7 +169,7 @@ internal ImportDirectory(ImportContent importContent, IEnumerable<IMAGE_IMPORT_D

foreach(IMAGE_IMPORT_DESCRIPTOR descriptor in importDescriptors)
{
ImportDirectoryEntry entry = new ImportDirectoryEntry(descriptor,offset);
ImportDirectoryEntry entry = new ImportDirectoryEntry(this,descriptor,offset);

entries.Add(entry);

Expand Down Expand Up @@ -166,6 +208,14 @@ public byte[] GetBytes()

#region Properties

public ImportContent Content
{
get
{
return content;
}
}

public StreamLocation Location
{
get
Expand Down Expand Up @@ -193,4 +243,5 @@ public ImportDirectoryEntry this[int index]
#endregion

}

}

0 comments on commit e39fbe0

Please sign in to comment.