libpeconv/imports__uneraser_8h_source.html

#pragma once


#include <windows.h>


#include <string>


#include <set>

#include <map>


#include <iterator>

#include "fix_imports.h"

#include "caves.h"


namespace peconv {


    class ImportsUneraser

    {

    public:


        ImportsUneraser(PVOID _modulePtr, size_t _moduleSize)

            : modulePtr((PBYTE)_modulePtr), moduleSize(_moduleSize)

        {

            is64 = peconv::is64bit((BYTE*)modulePtr);

        }


        bool uneraseDllImports(IN OUT IMAGE_IMPORT_DESCRIPTOR* lib_desc, IN ImportedDllCoverage &dllCoverage, OUT OPTIONAL ImpsNotCovered* not_covered);


        bool uneraseDllName(IMAGE_IMPORT_DESCRIPTOR* lib_desc, const std::string &dll_name);


    protected:

        bool writeFoundDllName(IMAGE_IMPORT_DESCRIPTOR* lib_desc, const std::string &dll_name);


        template <typename FIELD_T, typename IMAGE_THUNK_DATA_T>

        bool fillImportNames(IN OUT IMAGE_IMPORT_DESCRIPTOR* lib_desc,

                IN const FIELD_T ordinal_flag,

                IN std::map<ULONGLONG, std::set<ExportedFunc>> &addr_to_func,

                OUT OPTIONAL ImpsNotCovered* not_covered

            );


        template <typename FIELD_T>

        bool findNameInBinaryAndFill(IMAGE_IMPORT_DESCRIPTOR* lib_desc,

            LPVOID call_via_ptr,

            LPVOID thunk_ptr,

            const FIELD_T ordinal_flag,

            std::map<ULONGLONG, std::set<ExportedFunc>> &addr_to_func

        );


        template <typename FIELD_T, typename IMAGE_THUNK_DATA_T>

        bool writeFoundFunction(IMAGE_THUNK_DATA_T* desc, const FIELD_T ordinal_flag, const ExportedFunc &foundFunc);


        PBYTE modulePtr;

        size_t moduleSize;

        bool is64;

    };


}

caves.h
Functions related to finding caves in the loaded PE file.

peconv::ExportedFunc
Definition exported_func.h:54

peconv::ImportedDllCoverage
Definition fix_imports.h:53

peconv::ImportsUneraser
Definition imports_uneraser.h:25

peconv::ImportsUneraser::writeFoundDllName
bool writeFoundDllName(IMAGE_IMPORT_DESCRIPTOR *lib_desc, const std::string &dll_name)
Definition imports_uneraser.cpp:22

peconv::ImportsUneraser::ImportsUneraser
ImportsUneraser(PVOID _modulePtr, size_t _moduleSize)
Definition imports_uneraser.h:27

peconv::ImportsUneraser::fillImportNames
bool fillImportNames(IN OUT IMAGE_IMPORT_DESCRIPTOR *lib_desc, IN const FIELD_T ordinal_flag, IN std::map< ULONGLONG, std::set< ExportedFunc > > &addr_to_func, OUT OPTIONAL ImpsNotCovered *not_covered)
Definition imports_uneraser.cpp:166

peconv::ImportsUneraser::modulePtr
PBYTE modulePtr
Definition imports_uneraser.h:90

peconv::ImportsUneraser::moduleSize
size_t moduleSize
Definition imports_uneraser.h:91

peconv::ImportsUneraser::is64
bool is64
Definition imports_uneraser.h:92

peconv::ImportsUneraser::uneraseDllName
bool uneraseDllName(IMAGE_IMPORT_DESCRIPTOR *lib_desc, const std::string &dll_name)
Definition imports_uneraser.cpp:40

peconv::ImportsUneraser::writeFoundFunction
bool writeFoundFunction(IMAGE_THUNK_DATA_T *desc, const FIELD_T ordinal_flag, const ExportedFunc &foundFunc)
Definition imports_uneraser.cpp:136

peconv::ImportsUneraser::uneraseDllImports
bool uneraseDllImports(IN OUT IMAGE_IMPORT_DESCRIPTOR *lib_desc, IN ImportedDllCoverage &dllCoverage, OUT OPTIONAL ImpsNotCovered *not_covered)
Definition imports_uneraser.cpp:230

peconv::ImportsUneraser::findNameInBinaryAndFill
bool findNameInBinaryAndFill(IMAGE_IMPORT_DESCRIPTOR *lib_desc, LPVOID call_via_ptr, LPVOID thunk_ptr, const FIELD_T ordinal_flag, std::map< ULONGLONG, std::set< ExportedFunc > > &addr_to_func)
Definition imports_uneraser.cpp:65

peconv::ImpsNotCovered
Definition fix_imports.h:29

fix_imports.h
Functions and classes responsible for fixing Import Table. A definition of ImportedDllCoverage class.

peconv
Definition buffer_util.h:15

peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:121