#include <imports_uneraser.h>

Public Member Functions
	ImportsUneraser (PVOID _modulePtr, size_t _moduleSize)

bool	uneraseDllImports (IN OUT IMAGE_IMPORT_DESCRIPTOR lib_desc, IN ImportedDllCoverage &dllCoverage, OUT OPTIONAL ImpsNotCovered not_covered)

bool	uneraseDllName (IMAGE_IMPORT_DESCRIPTOR *lib_desc, const std::string &dll_name)

Protected Member Functions
bool	writeFoundDllName (IMAGE_IMPORT_DESCRIPTOR *lib_desc, const std::string &dll_name)

template<typename FIELD_T , typename IMAGE_THUNK_DATA_T >
bool	fillImportNames (IN OUT IMAGE_IMPORT_DESCRIPTOR lib_desc, IN const FIELD_T ordinal_flag, IN std::map< ULONGLONG, std::set< ExportedFunc > > &addr_to_func, OUT OPTIONAL ImpsNotCovered not_covered)

template<typename FIELD_T >
bool	findNameInBinaryAndFill (IMAGE_IMPORT_DESCRIPTOR *lib_desc, LPVOID call_via_ptr, LPVOID thunk_ptr, const FIELD_T ordinal_flag, std::map< ULONGLONG, std::set< ExportedFunc > > &addr_to_func)

template<typename FIELD_T , typename IMAGE_THUNK_DATA_T >
bool	writeFoundFunction (IMAGE_THUNK_DATA_T *desc, const FIELD_T ordinal_flag, const ExportedFunc &foundFunc)

Protected Attributes
PBYTE	modulePtr

size_t	moduleSize

bool	is64

Detailed Description

A class responsible for recovering the partially erased Import Table from the PE.

Definition at line 24 of file imports_uneraser.h.

Constructor & Destructor Documentation

◆ ImportsUneraser()

peconv::ImportsUneraser::ImportsUneraser	(	PVOID	_modulePtr,
		size_t	_moduleSize )

inline

Definition at line 27 of file imports_uneraser.h.

Here is the call graph for this function:

Member Function Documentation

◆ fillImportNames()

template<typename FIELD_T , typename IMAGE_THUNK_DATA_T >

bool ImportsUneraser::fillImportNames	(	IN OUT IMAGE_IMPORT_DESCRIPTOR *	lib_desc,
		IN const FIELD_T	ordinal_flag,
		IN std::map< ULONGLONG, std::set< ExportedFunc > > &	addr_to_func,
		OUT OPTIONAL ImpsNotCovered *	not_covered )

protected

Fill the names of imported functions with names of the prepared mapping. Collect addressees of functions that couldn't be filled with the given mapping.

Parameters

lib_desc	: the IMAGE_IMPORT_DESCRIPTOR where the functions' names should be set
ordinal_flag	: the flag that is used to recognize import by ordinal (32 or 64 bit)
addr_to_func	: a mapping assigning functions' addresses to their definitions (names etc.)
not_covered	: a set of addresses that could not be found in the supplied mapping

Returns: true if succeeded

Definition at line 166 of file imports_uneraser.cpp.

Here is the call graph for this function:

◆ findNameInBinaryAndFill()

template<typename FIELD_T >

bool ImportsUneraser::findNameInBinaryAndFill	(	IMAGE_IMPORT_DESCRIPTOR *	lib_desc,
		LPVOID	call_via_ptr,
		LPVOID	thunk_ptr,
		const FIELD_T	ordinal_flag,
		std::map< ULONGLONG, std::set< ExportedFunc > > &	addr_to_func )

protected

Definition at line 65 of file imports_uneraser.cpp.

Here is the call graph for this function:

◆ uneraseDllImports()

bool ImportsUneraser::uneraseDllImports	(	IN OUT IMAGE_IMPORT_DESCRIPTOR *	lib_desc,
		IN ImportedDllCoverage &	dllCoverage,
		OUT OPTIONAL ImpsNotCovered *	not_covered )

Fill the imported functions' names in the given Import Descriptor, using the given coverage. Collect addressees of functions that couldn't be filled with the given mapping.

Parameters

lib_desc	: the IMAGE_IMPORT_DESCRIPTOR where the functions' names should be set
dllCoverage	: a mapping associating addresses with the corresponding exports from available DLLs
not_covered	: a set of addresses that could not be found in the supplied mapping

Returns: true if succeeded

Definition at line 230 of file imports_uneraser.cpp.

Here is the call graph for this function:

◆ uneraseDllName()

bool ImportsUneraser::uneraseDllName	(	IMAGE_IMPORT_DESCRIPTOR *	lib_desc,
		const std::string &	dll_name )

Recover the imported DLL name in the given Import Descriptor, filling it with the given dll_name.

Definition at line 40 of file imports_uneraser.cpp.

Here is the call graph for this function:

◆ writeFoundDllName()

bool ImportsUneraser::writeFoundDllName	(	IMAGE_IMPORT_DESCRIPTOR *	lib_desc,
		const std::string &	dll_name )

protected

Copy the given DLL name into the given IMAGE_IMPORT_DESCRIPTOR. Validates the data correctness before writing.

Parameters

lib_desc	: the IMAGE_IMPORT_DESCRIPTOR where the DLL name should be set
dll_name	: the DLL name that needs to be written into the lib_desc

Returns: true if succeeded

Definition at line 22 of file imports_uneraser.cpp.

Here is the call graph for this function:

◆ writeFoundFunction()

template<typename FIELD_T , typename IMAGE_THUNK_DATA_T >

bool ImportsUneraser::writeFoundFunction	(	IMAGE_THUNK_DATA_T *	desc,
		const FIELD_T	ordinal_flag,
		const ExportedFunc &	foundFunc )

protected

Fill the function data into the given IMAGE_THUNK_DATA.

Parameters

desc	: the poiner to IMAGE_THUNK_DATA that will be filled
ordinal_flag	: an ordinal flag: 32 or 64 bit
foundFunc	: the ExportedFunc that will be used for filling the desc

Definition at line 136 of file imports_uneraser.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ is64

bool peconv::ImportsUneraser::is64

protected

Definition at line 92 of file imports_uneraser.h.

◆ modulePtr

PBYTE peconv::ImportsUneraser::modulePtr

protected

Definition at line 90 of file imports_uneraser.h.

◆ moduleSize

size_t peconv::ImportsUneraser::moduleSize

protected

Definition at line 91 of file imports_uneraser.h.

The documentation for this class was generated from the following files:

libpeconv/include/peconv/imports_uneraser.h
libpeconv/src/imports_uneraser.cpp

Public Member Functions

Protected Member Functions

Protected Attributes

Detailed Description

Constructor & Destructor Documentation

◆ ImportsUneraser()

Member Function Documentation

◆ fillImportNames()

◆ findNameInBinaryAndFill()

◆ uneraseDllImports()

◆ uneraseDllName()

◆ writeFoundDllName()

◆ writeFoundFunction()

Member Data Documentation

◆ is64

◆ modulePtr

◆ moduleSize