10template <
typename FIELD_T>
13 size_t addrCounter = 0;
15 LPVOID call_via_ptr = (LPVOID)((ULONGLONG)modulePtr + call_via);
16 if (call_via_ptr ==
nullptr)
break;
18 LPVOID thunk_ptr = (LPVOID)((ULONGLONG)modulePtr + thunk_addr);
19 if (thunk_ptr ==
nullptr)
break;
21 if (!
validate_ptr(modulePtr, moduleSize, thunk_ptr,
sizeof(FIELD_T))) {
24 if (!
validate_ptr(modulePtr, moduleSize, call_via_ptr,
sizeof(FIELD_T))) {
27 FIELD_T *thunk_val =
reinterpret_cast<FIELD_T*
>(thunk_ptr);
28 FIELD_T *call_via_val =
reinterpret_cast<FIELD_T*
>(call_via_ptr);
29 if ((*call_via_val) == 0) {
34 ULONGLONG searchedAddr = ULONGLONG(*call_via_val);
35 if (exportsMap.find_export_by_va(searchedAddr) !=
nullptr) {
36 addresses.insert(searchedAddr);
40 call_via +=
sizeof(FIELD_T);
41 thunk_addr +=
sizeof(FIELD_T);
49 std::set<std::string> currDllNames;
51 const std::set<ExportedFunc>* exports_for_va = exportsMap.
find_exports_by_va(func_addr);
52 if (!exports_for_va) {
53 LOG_WARNING(
"Cannot find any DLL exporting: 0x%llx.", (
unsigned long long)func_addr);
57 for (std::set<ExportedFunc>::iterator strItr = exports_for_va->begin();
58 strItr != exports_for_va->end();
61 currDllNames.insert(strItr->libName);
66std::set<std::string>
get_dlls_intersection(
const std::set<std::string> &dllNames,
const std::set<std::string> &currDllNames)
68 std::set<std::string> resultSet;
69 std::set_intersection(dllNames.begin(), dllNames.end(),
70 currDllNames.begin(), currDllNames.end(),
71 std::inserter(resultSet, resultSet.begin())
79 std::set<std::string> mainDllsSet;
80 std::set<std::string> reserveDllSet;
85 std::set<ULONGLONG>::iterator addrItr;
87 for (addrItr = addresses.begin(); addrItr != addresses.end(); ++addrItr) {
88 ULONGLONG searchedAddr = *addrItr;
96 mainDllsSet = currDllNames;
102 if (resultSet.size() > 0) {
104 mainDllsSet = resultSet;
109 if (resultSet.size() > 0) {
111 reserveDllSet = mainDllsSet;
112 mainDllsSet = resultSet;
116 reserveDllSet = currDllNames;
118 if (mainDllsSet.size() > 0) {
119 const std::string main_dll = *(mainDllsSet.begin());
128 if (found_name.length() == 0) {
133 LOG_DEBUG(
"Found DLL name: %s.", found_name.c_str());
138 IN
const std::string &chosenDll,
140 OUT std::map<ULONGLONG, std::set<ExportedFunc>> &addr_to_func,
141 OUT std::set<ULONGLONG> ¬_found
144 std::set<ULONGLONG> coveredAddresses;
145 std::set<ULONGLONG>::iterator addrItr;
146 for (addrItr = addresses.begin(); addrItr != addresses.end(); ++addrItr) {
148 ULONGLONG searchedAddr = *addrItr;
150 const std::set<ExportedFunc>* exports_for_va = exportsMap.find_exports_by_va(searchedAddr);
151 if (exports_for_va ==
nullptr) {
152 not_found.insert(searchedAddr);
153 LOG_WARNING(
"Cannot find any DLL exporting: 0x%llx.", (
unsigned long long)searchedAddr);
157 for (std::set<ExportedFunc>::iterator strItr = exports_for_va->begin();
158 strItr != exports_for_va->end();
161 std::string dll_name = strItr->libName;
162 if (dll_name != chosenDll) {
166 addr_to_func[searchedAddr].insert(func);
167 coveredAddresses.insert(searchedAddr);
169 if (addr_to_func.find(searchedAddr) == addr_to_func.end()) {
170 const ExportedFunc* func = exportsMap.find_export_by_va(searchedAddr);
171 not_found.insert(searchedAddr);
173 LOG_WARNING(
"Function '%s' not found in the covering DLL: %s.", func->
toString().c_str(), chosenDll.c_str());
176 LOG_WARNING(
"Function at [0x%llx] not found in the covering DLL: %s.", (
unsigned long long)searchedAddr, chosenDll.c_str());
180 return coveredAddresses.size();
203 LOG_WARNING(
"Function not recovered: [0x%llx].", (
unsigned long long)searchedAddr);
210 bool skip_bound =
false;
216 DWORD maxSize = importsDir->Size;
217 DWORD impAddr = importsDir->VirtualAddress;
219 IMAGE_IMPORT_DESCRIPTOR* lib_desc =
nullptr;
220 DWORD parsedSize = 0;
223 while (parsedSize < maxSize) {
225 lib_desc = (IMAGE_IMPORT_DESCRIPTOR*)(impAddr + parsedSize + (ULONG_PTR) modulePtr);
226 if (!
validate_ptr(modulePtr, moduleSize, lib_desc,
sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
227 LOG_ERROR(
"Invalid import descriptor pointer.");
230 parsedSize +=
sizeof(IMAGE_IMPORT_DESCRIPTOR);
231 if (!lib_desc->OriginalFirstThunk && !lib_desc->FirstThunk) {
234 const bool is_bound = (lib_desc->TimeDateStamp == (-1));
235 if (is_bound && skip_bound) {
238 LOG_DEBUG(
"Imported Lib: %x : %x : %x", lib_desc->FirstThunk, lib_desc->OriginalFirstThunk, lib_desc->Name);
240 std::string lib_name =
"";
241 if (lib_desc->Name != 0) {
242 LPSTR name_ptr = (LPSTR)((ULONGLONG) modulePtr + lib_desc->Name);
244 lib_name = (LPSTR)((ULONGLONG) modulePtr + lib_desc->Name);
248 DWORD call_via = lib_desc->FirstThunk;
249 DWORD thunk_addr = lib_desc->OriginalFirstThunk;
250 std::set<ULONGLONG> addresses;
252 find_addresses_to_fill<DWORD>(call_via, thunk_addr, modulePtr, moduleSize, exportsMap, addresses);
254 find_addresses_to_fill<ULONGLONG>(call_via, thunk_addr, modulePtr, moduleSize, exportsMap, addresses);
258 bool is_lib_erased =
false;
262 if (lib_name.length() == 0) {
263 is_lib_erased =
true;
264 if (is_all_covered) {
266 lib_name = dllCoverage.
dllName;
269 if (lib_name.length() == 0) {
284 const std::string dll_with_ext = exportsMap.get_dll_fullname(dllCoverage.
dllName);
std::string toString() const
const std::set< ExportedFunc > * find_exports_by_va(ULONGLONG va) const
std::string mappedDllName
const peconv::ExportsMapper & exportsMap
size_t mapAddressesToFunctions(const std::string &_mappedDllName)
std::set< ULONGLONG > notFound
std::set< ULONGLONG > & addresses
std::map< ULONGLONG, std::set< ExportedFunc > > addrToFunc
bool uneraseDllName(IMAGE_IMPORT_DESCRIPTOR *lib_desc, const std::string &dll_name)
bool uneraseDllImports(IN OUT IMAGE_IMPORT_DESCRIPTOR *lib_desc, IN ImportedDllCoverage &dllCoverage, OUT OPTIONAL ImpsNotCovered *not_covered)
void insert(DWORD thunkRVA, ULONGLONG searchedAddr)
std::map< DWORD, ULONGLONG > thunkToAddr
Functions related to operations on files. Wrappers for read/write.
std::string find_covering_dll(std::set< ULONGLONG > &addresses, const peconv::ExportsMapper &exportsMap)
size_t map_addresses_to_functions(std::set< ULONGLONG > &addresses, IN const std::string &chosenDll, IN const peconv::ExportsMapper &exportsMap, OUT std::map< ULONGLONG, std::set< ExportedFunc > > &addr_to_func, OUT std::set< ULONGLONG > ¬_found)
std::set< std::string > get_all_dlls_exporting_function(ULONGLONG func_addr, const peconv::ExportsMapper &exportsMap)
size_t find_addresses_to_fill(FIELD_T call_via, FIELD_T thunk_addr, LPVOID modulePtr, size_t moduleSize, IN const peconv::ExportsMapper &exportsMap, OUT std::set< ULONGLONG > &addresses)
std::set< std::string > get_dlls_intersection(const std::set< std::string > &dllNames, const std::set< std::string > &currDllNames)
Functions and classes responsible for fixing Import Table. A definition of ImportedDllCoverage class.
A definition of ImportsUneraser class - for recovery of a partialy erased Import Table.
#define LOG_DEBUG(fmt,...)
#define LOG_ERROR(fmt,...)
#define LOG_WARNING(fmt,...)
bool fix_imports(IN OUT PVOID modulePtr, IN size_t moduleSize, IN const peconv::ExportsMapper &exportsMap, OUT OPTIONAL peconv::ImpsNotCovered *notCovered)
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
bool is64bit(IN const BYTE *pe_buffer)
IMAGE_DATA_DIRECTORY * get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty=false)
std::string get_dll_shortname(const std::string &str)