BearParser
Portable Executable parsing library (from PE-bear)
Loading...
Searching...
No Matches
BoundImpDirWrapper.cpp
Go to the documentation of this file.
1#include "pe/BoundImpDirWrapper.h"
2#include "pe/PEFile.h"
3
4/*
5typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR {
6 DWORD TimeDateStamp;
7 WORD OffsetModuleName;
8 WORD NumberOfModuleForwarderRefs;
9 // Array of zero or more IMAGE_BOUND_FORWARDER_REF follows
10} IMAGE_BOUND_IMPORT_DESCRIPTOR, *PIMAGE_BOUND_IMPORT_DESCRIPTOR;
11
12typedef struct _IMAGE_BOUND_FORWARDER_REF {
13 DWORD TimeDateStamp;
14 WORD OffsetModuleName;
15 WORD Reserved;
16} IMAGE_BOUND_FORWARDER_REF, *PIMAGE_BOUND_FORWARDER_REF;
17
18*/
19
20IMAGE_BOUND_IMPORT_DESCRIPTOR* BoundImpDirWrapper::boundImp()
21{
22 offset_t rva = getDirEntryAddress();
23
24 BYTE *ptr = m_Exe->getContentAt(rva, Executable::RVA, sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
25 if (ptr == NULL) return NULL;
26 return (IMAGE_BOUND_IMPORT_DESCRIPTOR*) ptr;
27}
28
29bool BoundImpDirWrapper::loadNextEntry(size_t entryNum)
30{
31 BoundEntryWrapper* imp = new BoundEntryWrapper(m_Exe, this, entryNum);
32 if (!imp || !imp->getPtr()) {
33 delete imp;
34 return false;
35 }
36 // TODO! do it in proper way!
37 bool isOk = false;
38 uint64_t offset = imp->getNumValue(BoundEntryWrapper::MODULE_NAME_OFFSET, &isOk);
39 if (!isOk || offset == 0) {
40 delete imp;
41 return false;
42 }
43 entries.push_back(imp);
44 return true;
45}
46
47bool BoundImpDirWrapper::wrap()
48{
49 clear();
50 size_t oldCount = this->importsCount;
51 this->importsCount = 0;
52
53 if (!getDataDirectory()) {
54 return (oldCount != this->importsCount); //has count changed
55 }
56
57 size_t cntr = 0;
58 while (loadNextEntry(cntr)) {
59 cntr++;
60 }
61
62 this->importsCount = cntr;
63 return (oldCount != this->importsCount); //has count changed
64}
65
66bufsize_t BoundImpDirWrapper::getSize()
67{
68 if (getPtr() == NULL) return 0;
69 bufsize_t entrySize = static_cast<bufsize_t>(sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
70 return entrySize * static_cast<bufsize_t>(this->entries.size());
71}
72
73//-------------------------------------------------------------
74
75void* BoundEntryWrapper::getPtr()
76{
77 BoundImpDirWrapper* parent = dynamic_cast<BoundImpDirWrapper*> (this->getParentNode());
78 if (!parent) return NULL;
79
80 IMAGE_BOUND_IMPORT_DESCRIPTOR* firstEntry = parent->boundImp();
81 if (firstEntry == NULL) return NULL;
82
83 uint64_t descAddr = parent->getOffset(firstEntry);
84 if (descAddr == INVALID_ADDR) return NULL;
85
86 uint64_t entryOffset = descAddr + (this->entryNum * sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
87 if (entryOffset == INVALID_ADDR) return NULL;
88
89 BYTE *content = this->m_Exe->getContentAt(entryOffset, Executable::RAW, sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
90 if (!content) return NULL;
91
92 return content;
93}
94
95
96bufsize_t BoundEntryWrapper::getSize()
97{
98 if (getPtr() == NULL) return 0;
99 return sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR);
100}
101
102QString BoundEntryWrapper::getName()
103{
104 char* name = getLibraryName();
105 if (!name) return "";
106 return QString(name);
107}
108
109char* BoundEntryWrapper::getLibraryName()
110{
111 //----
112 BoundImpDirWrapper* parent = dynamic_cast<BoundImpDirWrapper*> (this->getParentNode());
113 if (!parent) return NULL;
114
115 IMAGE_BOUND_IMPORT_DESCRIPTOR* firstEntry = parent->boundImp();
116 if (firstEntry == NULL) return NULL;
117
118 uint64_t offset = this->getOffset(firstEntry);
119 if (offset == INVALID_ADDR) return NULL;
120 //----
121 IMAGE_BOUND_IMPORT_DESCRIPTOR* bImp = (IMAGE_BOUND_IMPORT_DESCRIPTOR*) this->getPtr();
122 if (bImp == NULL) return NULL;
123
124 WORD mnOff = bImp->OffsetModuleName;
125
126 offset += mnOff;
127
128 char *ptr = (char*) m_Exe->getContentAt(offset, Executable::RAW, 1);
129 return ptr;
130}
131
132void* BoundEntryWrapper::getFieldPtr(size_t fId, size_t subField)
133{
134 BoundImpDirWrapper* parent = dynamic_cast<BoundImpDirWrapper*> (this->getParentNode());
135 if (!parent) return NULL;
136
137 IMAGE_BOUND_IMPORT_DESCRIPTOR* bImp = (IMAGE_BOUND_IMPORT_DESCRIPTOR*) this->getPtr();
138 if (bImp == NULL) return NULL;
139
140 switch (fId) {
141 case TIMESTAMP : return &bImp->TimeDateStamp;
142 case MODULE_NAME_OFFSET : return &bImp->OffsetModuleName;
143 case MODULE_FORWARDERS_NUM : return &bImp->NumberOfModuleForwarderRefs;
144 }
145 return this->getPtr();
146}
147
148QString BoundEntryWrapper::getFieldName(size_t fieldId)
149{
150 switch (fieldId) {
151 case TIMESTAMP : return "TimeDateStamp";
152 case MODULE_NAME_OFFSET : return "OffsetModuleName";
153 case MODULE_FORWARDERS_NUM : return "NumberOfModuleForwarderRefs";
154 }
155 return getName();
156}
157
bufsize_t
uint32_t bufsize_t
Definition AbstractByteBuffer.h:14
INVALID_ADDR
const offset_t INVALID_ADDR
Definition AbstractByteBuffer.h:18
offset_t
uint64_t offset_t
Definition AbstractByteBuffer.h:17
BoundEntryWrapper
Definition BoundImpDirWrapper.h:34
BoundEntryWrapper::getFieldPtr
virtual void * getFieldPtr(size_t fieldId, size_t subField)
Definition BoundImpDirWrapper.cpp:132
BoundEntryWrapper::getLibraryName
virtual char * getLibraryName()
Definition BoundImpDirWrapper.cpp:109
BoundEntryWrapper::TIMESTAMP
@ TIMESTAMP
Definition BoundImpDirWrapper.h:38
BoundEntryWrapper::MODULE_FORWARDERS_NUM
@ MODULE_FORWARDERS_NUM
Definition BoundImpDirWrapper.h:40
BoundEntryWrapper::MODULE_NAME_OFFSET
@ MODULE_NAME_OFFSET
Definition BoundImpDirWrapper.h:39
BoundEntryWrapper::getSize
virtual bufsize_t getSize()
Definition BoundImpDirWrapper.cpp:96
BoundEntryWrapper::getFieldName
virtual QString getFieldName(size_t fieldId)
Definition BoundImpDirWrapper.cpp:148
BoundEntryWrapper::getName
virtual QString getName()
Definition BoundImpDirWrapper.cpp:102
BoundEntryWrapper::getPtr
virtual void * getPtr()
Definition BoundImpDirWrapper.cpp:75
BoundImpDirWrapper::loadNextEntry
bool loadNextEntry(size_t entryNum)
Definition BoundImpDirWrapper.cpp:29
BoundImpDirWrapper::boundImp
IMAGE_BOUND_IMPORT_DESCRIPTOR * boundImp()
Definition BoundImpDirWrapper.cpp:20
BoundImpDirWrapper::getPtr
virtual void * getPtr()
Definition BoundImpDirWrapper.h:13
BoundImpDirWrapper::BoundEntryWrapper
friend class BoundEntryWrapper
Definition BoundImpDirWrapper.h:30
BoundImpDirWrapper::getSize
virtual bufsize_t getSize()
Definition BoundImpDirWrapper.cpp:66
DataDirEntryWrapper::getDirEntryAddress
offset_t getDirEntryAddress()
Definition DataDirEntryWrapper.cpp:19
DataDirEntryWrapper::getDataDirectory
IMAGE_DATA_DIRECTORY * getDataDirectory()
Definition DataDirEntryWrapper.cpp:10
ExeElementWrapper::getOffset
virtual offset_t getOffset()
Definition ExeElementWrapper.cpp:39
ExeElementWrapper::getNumValue
virtual uint64_t getNumValue(size_t fieldId, size_t subField, bool *isOk)
Definition ExeElementWrapper.cpp:73
ExeNodeWrapper::entries
std::vector< ExeNodeWrapper * > entries
Definition ExeNodeWrapper.h:56
ExeNodeWrapper::clear
virtual void clear()
Definition ExeNodeWrapper.cpp:30
ExeNodeWrapper::getParentNode
virtual ExeNodeWrapper * getParentNode()
Definition ExeNodeWrapper.h:24
Executable::getContentAt
BYTE * getContentAt(offset_t offset, bufsize_t size, bool allowExceptions=false)
Definition Executable.h:65
Generated by doxygen 1.12.0