bearparser/_import_dir_wrapper_8h_source.html

#pragma once


#include "ImportBaseDirWrapper.h"

#include "pe_formats.h"


/*

typedef struct _IMAGE_THUNK_DATA32 {

    union {

        DWORD ForwarderString;    // PBYTE

        DWORD Function;        // PDWORD

        DWORD Ordinal;

        DWORD AddressOfData;    // PIMAGE_IMPORT_BY_NAME

    } u1;

} IMAGE_THUNK_DATA32;


typedef struct _IMAGE_THUNK_DATA64 {

    union {

        ULONGLONG ForwarderString;    // PBYTE

        ULONGLONG Function;        // PDWORD

        ULONGLONG Ordinal;

        ULONGLONG AddressOfData;    //PIMAGE_IMPORT_BY_NAME

    } u1;

} IMAGE_THUNK_DATA64;

*/


class ImportDirWrapper;

class ImportEntryWrapper;

class ImportedFuncWrapper;


class ImportDirWrapper : public ImportBaseDirWrapper

{

public:


    ImportDirWrapper(PEFile *pe)

        : ImportBaseDirWrapper(pe, pe::DIR_IMPORT) { wrap(); }


    virtual void* getPtr() { return firstDescriptor(); }

    virtual bufsize_t getSize();

    virtual QString getName() { return "Imports"; }


protected:

    virtual bool loadNextEntry(size_t cntr);


    IMAGE_DATA_DIRECTORY* getDataDirectory();

    IMAGE_IMPORT_DESCRIPTOR *firstDescriptor();


friend class ImportEntryWrapper;

};


class ImportEntryWrapper : public ImportBaseEntryWrapper

{

public:

    /* fields :*/


    enum FieldID {

        NONE = FIELD_NONE,

        ORIG_FIRST_THUNK,

        TIMESTAMP,

        FORWARDER,

        NAME,

        FIRST_THUNK,

        FIELD_COUNTER

    };


    ImportEntryWrapper(PEFile *pe, ImportDirWrapper *importsDir, size_t entryNumber)

        : ImportBaseEntryWrapper(pe, importsDir, entryNumber) { wrap(); }


    //virtual bool wrap();

    //bool isValid();


    /* full structure boundaries */

    virtual void* getPtr();


    virtual bufsize_t getSize();

    bool isBound();

    virtual QString getName();

    virtual size_t getFieldsCount() { return FIELD_COUNTER; }


    /* specific field boundaries */

    virtual void* getFieldPtr(size_t fieldId, size_t subField = FIELD_NONE);

    virtual QString getFieldName(size_t fieldId);

    virtual Executable::addr_type containsAddrType(size_t fieldId, size_t subField = FIELD_NONE);


    bufsize_t geEntrySize()

    {

        if (m_Exe == NULL) return 0;

        return ImportBaseDirWrapper::thunkSize(m_Exe->getBitMode());

    }


    virtual offset_t getNextEntryOffset()

    {

         offset_t nextOffset = INVALID_ADDR;

        //get after existing entries:

        if (this->getEntriesCount() > 0) {

            return ExeNodeWrapper::getNextEntryOffset();

        }

        //get by thunk:

        IMAGE_IMPORT_DESCRIPTOR* desc = (IMAGE_IMPORT_DESCRIPTOR*) this->getPtr();

        if (!desc) return INVALID_ADDR;


        offset_t firstThunk = desc->FirstThunk;

        if (firstThunk == 0) {

            firstThunk = desc->OriginalFirstThunk;

        }

        nextOffset = m_Exe->convertAddr(desc->FirstThunk, Executable::RVA, Executable::RAW);

        return nextOffset;

    }


    char* getLibraryName();


protected:

     bool loadNextEntry(size_t entryNum);


friend class ImportDirWrapper;

};


class ImportedFuncWrapper : public ImportBaseFuncWrapper

{

public:

    /* fields :*/


    enum FieldID {

        NONE = FIELD_NONE,

        ORIG_THUNK,

        THUNK,

        FORWARDER,

        HINT,

        FIELD_COUNTER

    };


    ImportedFuncWrapper(PEFile *pe, ImportEntryWrapper* parentLib, size_t entryNumber)

        : ImportBaseFuncWrapper(pe, parentLib, entryNumber) {}// this->parentLib = parentLib; }


    /* full structure boundaries */

    virtual void* getPtr();

    virtual IMAGE_IMPORT_BY_NAME* getImportByNamePtr();


    virtual bufsize_t getSize();

    //virtual QString getName();

    virtual size_t getFieldsCount() { return FIELD_COUNTER; }

    virtual size_t getSubFieldsCount() { return 1; }


    /* specific field boundaries */

    virtual void* getFieldPtr(size_t fieldId, size_t subField = FIELD_NONE);

    virtual bufsize_t getFieldSize(size_t fieldId, size_t subField = FIELD_NONE);

    virtual QString getFieldName(size_t fieldId);

    virtual Executable::addr_type containsAddrType(size_t fieldId, size_t subField = FIELD_NONE);


    uint64_t getThunkValue();


    offset_t getFieldRVA(ImportEntryWrapper::FieldID fId);

    void* getValuePtr(ImportEntryWrapper::FieldID fId);


    virtual offset_t callVia() { return getFieldRVA(ImportEntryWrapper::FIRST_THUNK); }

    bool isByOrdinal();

    virtual uint64_t getOrdinal() { return getThunkValue(); }

    char* getFunctionName();


friend class ImportDirWrapper;

};


INVALID_ADDR
const offset_t INVALID_ADDR
Definition AbstractByteBuffer.h:21

offset_t
uint64_t offset_t
Definition AbstractByteBuffer.h:20

bufsize_t
size_t bufsize_t
Definition AbstractByteBuffer.h:17

FIELD_NONE
#define FIELD_NONE
Definition ExeElementWrapper.h:9

ImportBaseDirWrapper.h

DataDirEntryWrapper::PEFile
friend class PEFile
Definition DataDirEntryWrapper.h:22

ExeElementWrapper::m_Exe
Executable * m_Exe
Definition ExeElementWrapper.h:65

ExeNodeWrapper::getNextEntryOffset
virtual offset_t getNextEntryOffset()
Definition ExeNodeWrapper.cpp:92

ExeNodeWrapper::getEntriesCount
virtual size_t getEntriesCount()
Definition ExeNodeWrapper.h:20

ExeNodeWrapper::entryNum
size_t entryNum
Definition ExeNodeWrapper.h:54

Executable::addr_type
addr_type
Definition Executable.h:42

Executable::RVA
@ RVA
Definition Executable.h:45

Executable::RAW
@ RAW
Definition Executable.h:44

ImportBaseDirWrapper::thunkSize
static bufsize_t thunkSize(Executable::exe_bits bits)
Definition ImportBaseDirWrapper.cpp:23

ImportBaseDirWrapper::wrap
virtual bool wrap()
Definition ImportBaseDirWrapper.cpp:114

ImportBaseDirWrapper::ImportBaseDirWrapper
ImportBaseDirWrapper(PEFile *pe, pe::dir_entry v_entryType)
Definition ImportBaseDirWrapper.h:45

ImportBaseEntryWrapper::wrap
bool wrap()
Definition ImportBaseDirWrapper.cpp:168

ImportBaseEntryWrapper::ImportBaseEntryWrapper
ImportBaseEntryWrapper(PEFile *pe, ImportBaseDirWrapper *importsDir, size_t entryNumber)
Definition ImportBaseDirWrapper.h:77

ImportBaseFuncWrapper::ImportBaseFuncWrapper
ImportBaseFuncWrapper(PEFile *pe, ImportBaseEntryWrapper *parentLib, size_t entryNumber)
Definition ImportBaseDirWrapper.h:96

ImportDirWrapper
Definition ImportDirWrapper.h:31

ImportDirWrapper::ImportDirWrapper
ImportDirWrapper(PEFile *pe)
Definition ImportDirWrapper.h:33

ImportDirWrapper::getDataDirectory
IMAGE_DATA_DIRECTORY * getDataDirectory()
Definition ImportDirWrapper.cpp:304

ImportDirWrapper::getPtr
virtual void * getPtr()
Definition ImportDirWrapper.h:36

ImportDirWrapper::getName
virtual QString getName()
Definition ImportDirWrapper.h:38

ImportDirWrapper::getSize
virtual bufsize_t getSize()
Definition ImportDirWrapper.cpp:355

ImportDirWrapper::loadNextEntry
virtual bool loadNextEntry(size_t cntr)
Definition ImportDirWrapper.cpp:329

ImportDirWrapper::firstDescriptor
IMAGE_IMPORT_DESCRIPTOR * firstDescriptor()
Definition ImportDirWrapper.cpp:313

ImportDirWrapper::ImportEntryWrapper
friend class ImportEntryWrapper
Definition ImportDirWrapper.h:46

ImportEntryWrapper
Definition ImportDirWrapper.h:51

ImportEntryWrapper::isBound
bool isBound()
Definition ImportDirWrapper.cpp:225

ImportEntryWrapper::FieldID
FieldID
Definition ImportDirWrapper.h:54

ImportEntryWrapper::FIRST_THUNK
@ FIRST_THUNK
Definition ImportDirWrapper.h:60

ImportEntryWrapper::FORWARDER
@ FORWARDER
Definition ImportDirWrapper.h:58

ImportEntryWrapper::ORIG_FIRST_THUNK
@ ORIG_FIRST_THUNK
Definition ImportDirWrapper.h:56

ImportEntryWrapper::NONE
@ NONE
Definition ImportDirWrapper.h:55

ImportEntryWrapper::NAME
@ NAME
Definition ImportDirWrapper.h:59

ImportEntryWrapper::TIMESTAMP
@ TIMESTAMP
Definition ImportDirWrapper.h:57

ImportEntryWrapper::FIELD_COUNTER
@ FIELD_COUNTER
Definition ImportDirWrapper.h:61

ImportEntryWrapper::getName
virtual QString getName()
Definition ImportDirWrapper.cpp:218

ImportEntryWrapper::geEntrySize
bufsize_t geEntrySize()
Definition ImportDirWrapper.h:83

ImportEntryWrapper::getLibraryName
char * getLibraryName()
Definition ImportDirWrapper.cpp:274

ImportEntryWrapper::getFieldName
virtual QString getFieldName(size_t fieldId)
Definition ImportDirWrapper.cpp:251

ImportEntryWrapper::ImportEntryWrapper
ImportEntryWrapper(PEFile *pe, ImportDirWrapper *importsDir, size_t entryNumber)
Definition ImportDirWrapper.h:64

ImportEntryWrapper::loadNextEntry
bool loadNextEntry(size_t entryNum)
Definition ImportDirWrapper.cpp:173

ImportEntryWrapper::getFieldsCount
virtual size_t getFieldsCount()
Definition ImportDirWrapper.h:76

ImportEntryWrapper::getPtr
virtual void * getPtr()
Definition ImportDirWrapper.cpp:190

ImportEntryWrapper::containsAddrType
virtual Executable::addr_type containsAddrType(size_t fieldId, size_t subField=FIELD_NONE)
Definition ImportDirWrapper.cpp:263

ImportEntryWrapper::getFieldPtr
virtual void * getFieldPtr(size_t fieldId, size_t subField=FIELD_NONE)
Definition ImportDirWrapper.cpp:235

ImportEntryWrapper::ImportDirWrapper
friend class ImportDirWrapper
Definition ImportDirWrapper.h:113

ImportEntryWrapper::getNextEntryOffset
virtual offset_t getNextEntryOffset()
Definition ImportDirWrapper.h:89

ImportEntryWrapper::getSize
virtual bufsize_t getSize()
Definition ImportDirWrapper.cpp:213

ImportedFuncWrapper
Definition ImportDirWrapper.h:117

ImportedFuncWrapper::getOrdinal
virtual uint64_t getOrdinal()
Definition ImportDirWrapper.h:154

ImportedFuncWrapper::getFieldPtr
virtual void * getFieldPtr(size_t fieldId, size_t subField=FIELD_NONE)
Definition ImportDirWrapper.cpp:121

ImportedFuncWrapper::ImportedFuncWrapper
ImportedFuncWrapper(PEFile *pe, ImportEntryWrapper *parentLib, size_t entryNumber)
Definition ImportDirWrapper.h:129

ImportedFuncWrapper::getPtr
virtual void * getPtr()
Definition ImportDirWrapper.cpp:6

ImportedFuncWrapper::FieldID
FieldID
Definition ImportDirWrapper.h:120

ImportedFuncWrapper::NONE
@ NONE
Definition ImportDirWrapper.h:121

ImportedFuncWrapper::FORWARDER
@ FORWARDER
Definition ImportDirWrapper.h:124

ImportedFuncWrapper::HINT
@ HINT
Definition ImportDirWrapper.h:125

ImportedFuncWrapper::ORIG_THUNK
@ ORIG_THUNK
Definition ImportDirWrapper.h:122

ImportedFuncWrapper::THUNK
@ THUNK
Definition ImportDirWrapper.h:123

ImportedFuncWrapper::FIELD_COUNTER
@ FIELD_COUNTER
Definition ImportDirWrapper.h:126

ImportedFuncWrapper::getSize
virtual bufsize_t getSize()
Definition ImportDirWrapper.cpp:116

ImportedFuncWrapper::containsAddrType
virtual Executable::addr_type containsAddrType(size_t fieldId, size_t subField=FIELD_NONE)
Definition ImportDirWrapper.cpp:158

ImportedFuncWrapper::getFieldsCount
virtual size_t getFieldsCount()
Definition ImportDirWrapper.h:138

ImportedFuncWrapper::isByOrdinal
bool isByOrdinal()
Definition ImportDirWrapper.cpp:88

ImportedFuncWrapper::getFieldName
virtual QString getFieldName(size_t fieldId)
Definition ImportDirWrapper.cpp:147

ImportedFuncWrapper::getFunctionName
char * getFunctionName()
Definition ImportDirWrapper.cpp:106

ImportedFuncWrapper::ImportDirWrapper
friend class ImportDirWrapper
Definition ImportDirWrapper.h:157

ImportedFuncWrapper::getValuePtr
void * getValuePtr(ImportEntryWrapper::FieldID fId)
Definition ImportDirWrapper.cpp:44

ImportedFuncWrapper::getFieldRVA
offset_t getFieldRVA(ImportEntryWrapper::FieldID fId)
Definition ImportDirWrapper.cpp:25

ImportedFuncWrapper::callVia
virtual offset_t callVia()
Definition ImportDirWrapper.h:152

ImportedFuncWrapper::getThunkValue
uint64_t getThunkValue()
Definition ImportDirWrapper.cpp:66

ImportedFuncWrapper::getImportByNamePtr
virtual IMAGE_IMPORT_BY_NAME * getImportByNamePtr()
Definition ImportDirWrapper.cpp:13

ImportedFuncWrapper::getSubFieldsCount
virtual size_t getSubFieldsCount()
Definition ImportDirWrapper.h:139

ImportedFuncWrapper::getFieldSize
virtual bufsize_t getFieldSize(size_t fieldId, size_t subField=FIELD_NONE)
Definition ImportDirWrapper.cpp:140

PENodeWrapper::PEFile
friend class PEFile
Definition PENodeWrapper.h:39