pe-sieve/iat__block_8h_source.html

#pragma once


#include <peconv.h>


#include <sstream>

#include <map>

#include <set>


namespace pesieve {


    class IATThunksSeries

    {

    public:


        IATThunksSeries(DWORD start_offset)

            : startOffset(start_offset), endOffset(start_offset), cov(nullptr), covered(false)

        {

        }

        IATThunksSeries(DWORD start_offset) {…}


        ~IATThunksSeries()

        {

            delete cov;

        }

        ~IATThunksSeries() {…}


        bool operator<(const IATThunksSeries &other) const

        {

            return startOffset < other.startOffset;

        }

        bool operator<(const IATThunksSeries &other) const {…}


        bool insert(DWORD rva, ULONGLONG funcAddr)

        {

            rvaToFuncVA[rva] = funcAddr;

            funcAddresses.insert(funcAddr);

            if (rva > endOffset) {

                endOffset = rva;

            }

            return true;

        }

        bool insert(DWORD rva, ULONGLONG funcAddr) {…}


        bool makeCoverage(IN const peconv::ExportsMapper* exportsMap);


        bool isCovered()

        {

            return covered;

        }

        bool isCovered() {…}


        size_t funcCount()

        {

            return rvaToFuncVA.size();

        }

        size_t funcCount() {…}


        std::string getDllName();


        //calculate the number of bytes required for filling imports names

        size_t sizeOfNamesSpace(bool is64b);


        // fill the buffer with imports thunks and names

        bool fillNamesSpace(const BYTE* buf_start, size_t buf_size, DWORD bufRVA, bool is64b);


        std::map<DWORD, ULONGLONG> getRvaToFuncMap()

        {

            return rvaToFuncVA;

        }

        std::map<DWORD, ULONGLONG> getRvaToFuncMap() {…}


        DWORD startOffset;

        DWORD endOffset;


    private:

        bool covered;

        std::string dllFullName;

        std::set<ULONGLONG> funcAddresses;

        std::map<DWORD, ULONGLONG> rvaToFuncVA;


        peconv::ImportedDllCoverage *cov;

    };

    class IATThunksSeries {…};


    struct IATThunksSeriesPtrCompare

    {


        bool operator()(const IATThunksSeries* lhs, const IATThunksSeries* rhs) const

        {

            if (!lhs || !rhs) return false;

            return *lhs < *rhs;

        }

        bool operator()(const IATThunksSeries* lhs, const IATThunksSeries* rhs) const {…}

    };

    struct IATThunksSeriesPtrCompare {…};


    typedef std::set<IATThunksSeries*, IATThunksSeriesPtrCompare> IATThunksSeriesSet;


    class IATBlock

    {

    public:


        IATBlock(bool _is64bit, DWORD _iat_offset)

            : is64bit(_is64bit),

            iatOffset(_iat_offset), iatSize(0),

            isInMain(false), isTerminated(false), isCoverageComplete(false),

            importTableOffset(0)

        {

        }

        IATBlock(bool _is64bit, DWORD _iat_offset) {…}


        ~IATBlock()

        {

            deleteThunkSeries();

        }

        ~IATBlock() {…}


        bool operator<(const IATBlock &other) const

        {

            return iatOffset < other.iatOffset;

        }

        bool operator<(const IATBlock &other) const {…}


        bool append(DWORD rva, ULONGLONG functionVA, const peconv::ExportedFunc *exp)

        {

            if (!exp) return false;


            functions[rva] = exp;

            addrToFunctionVA[rva] = functionVA;


            IATThunksSeries* mySeries = nullptr;

            for (auto itr = thunkSeries.begin(); itr != thunkSeries.end(); ++itr) {

                IATThunksSeries* series = *itr;

                // is the next offset in the series:

                if ((series->endOffset + sizeof(rva)) == rva) {

                    mySeries = series;

                    break;

                }

            }

            if (!mySeries) {

                mySeries = new IATThunksSeries(rva);

                thunkSeries.insert(mySeries);

            }

            mySeries->insert(rva, functionVA);

            return true;

        }

        bool append(DWORD rva, ULONGLONG functionVA, const peconv::ExportedFunc *exp) {…}


        bool isCovered() const

        {

            return isCoverageComplete;

        }

        bool isCovered() const {…}


        bool isValid() const

        {

            //allow for every block with complete coverage

            return isCovered();

        }

        bool isValid() const {…}


        //how many functions the IAT has


        size_t countThunks() const

        {

            return functions.size();

        }

        size_t countThunks() const {…}


        std::string toString();


        void deleteThunkSeries()

        {

            IATThunksSeriesSet::iterator itr;

            for (itr = this->thunkSeries.begin(); itr != thunkSeries.end(); ++itr) {

                delete *itr;

            }

            thunkSeries.clear();

        }

        void deleteThunkSeries() {…}


        bool makeCoverage(IN const peconv::ExportsMapper* exportsMap);


        size_t maxDllLen();

        size_t sizeOfDllsSpace();


        bool isTerminated; // is the IAT finished by 0

        bool isInMain; // is the IAT included in the one set in the Data Directory


        DWORD iatOffset;

        size_t iatSize;


        DWORD importTableOffset;


    protected:

        IATThunksSeriesSet splitSeries(IN IATThunksSeries* notCoveredSeries, IN const peconv::ExportsMapper& exportsMap);


        IATThunksSeriesSet thunkSeries;


        bool is64bit;

        bool isCoverageComplete;


        std::map<ULONGLONG, const peconv::ExportedFunc*> functions;

        std::map<ULONGLONG, ULONGLONG> addrToFunctionVA;


        friend class ImpReconstructor;

    };

    class IATBlock {…};


};

pesieve::IATBlock::isCoverageComplete
bool isCoverageComplete
Definition iat_block.h:179

pesieve::IATBlock::isInMain
bool isInMain
Definition iat_block.h:166

pesieve::IATBlock::IATBlock
IATBlock(bool _is64bit, DWORD _iat_offset)
Definition iat_block.h:90

pesieve::IATBlock::~IATBlock
~IATBlock()
Definition iat_block.h:98

pesieve::IATBlock::functions
std::map< ULONGLONG, const peconv::ExportedFunc * > functions
Definition iat_block.h:181

pesieve::IATBlock::iatOffset
DWORD iatOffset
Definition iat_block.h:168

pesieve::IATBlock::ImpReconstructor
friend class ImpReconstructor
Definition iat_block.h:184

pesieve::IATBlock::countThunks
size_t countThunks() const
Definition iat_block.h:144

pesieve::IATBlock::operator<
bool operator<(const IATBlock &other) const
Definition iat_block.h:103

pesieve::IATBlock::maxDllLen
size_t maxDllLen()
Definition iat_block.cpp:197

pesieve::IATBlock::append
bool append(DWORD rva, ULONGLONG functionVA, const peconv::ExportedFunc *exp)
Definition iat_block.h:108

pesieve::IATBlock::isValid
bool isValid() const
Definition iat_block.h:137

pesieve::IATBlock::isCovered
bool isCovered() const
Definition iat_block.h:132

pesieve::IATBlock::importTableOffset
DWORD importTableOffset
Definition iat_block.h:171

pesieve::IATBlock::is64bit
bool is64bit
Definition iat_block.h:178

pesieve::IATBlock::deleteThunkSeries
void deleteThunkSeries()
Definition iat_block.h:151

pesieve::IATBlock::toString
std::string toString()
Definition iat_block.cpp:215

pesieve::IATBlock::iatSize
size_t iatSize
Definition iat_block.h:169

pesieve::IATBlock::sizeOfDllsSpace
size_t sizeOfDllsSpace()
Definition iat_block.cpp:209

pesieve::IATBlock::makeCoverage
bool makeCoverage(IN const peconv::ExportsMapper *exportsMap)
Definition iat_block.cpp:108

pesieve::IATBlock::thunkSeries
IATThunksSeriesSet thunkSeries
Definition iat_block.h:176

pesieve::IATBlock::addrToFunctionVA
std::map< ULONGLONG, ULONGLONG > addrToFunctionVA
Definition iat_block.h:182

pesieve::IATBlock::splitSeries
IATThunksSeriesSet splitSeries(IN IATThunksSeries *notCoveredSeries, IN const peconv::ExportsMapper &exportsMap)
Definition iat_block.cpp:159

pesieve::IATBlock::isTerminated
bool isTerminated
Definition iat_block.h:165

pesieve::IATThunksSeries
Definition iat_block.h:12

pesieve::IATThunksSeries::makeCoverage
bool makeCoverage(IN const peconv::ExportsMapper *exportsMap)
Definition iat_block.cpp:25

pesieve::IATThunksSeries::getDllName
std::string getDllName()
Definition iat_block.cpp:101

pesieve::IATThunksSeries::~IATThunksSeries
~IATThunksSeries()
Definition iat_block.h:19

pesieve::IATThunksSeries::startOffset
DWORD startOffset
Definition iat_block.h:64

pesieve::IATThunksSeries::IATThunksSeries
IATThunksSeries(DWORD start_offset)
Definition iat_block.h:14

pesieve::IATThunksSeries::endOffset
DWORD endOffset
Definition iat_block.h:65

pesieve::IATThunksSeries::insert
bool insert(DWORD rva, ULONGLONG funcAddr)
Definition iat_block.h:29

pesieve::IATThunksSeries::operator<
bool operator<(const IATThunksSeries &other) const
Definition iat_block.h:24

pesieve::IATThunksSeries::sizeOfNamesSpace
size_t sizeOfNamesSpace(bool is64b)
Definition iat_block.cpp:80

pesieve::IATThunksSeries::fillNamesSpace
bool fillNamesSpace(const BYTE *buf_start, size_t buf_size, DWORD bufRVA, bool is64b)
Definition iat_block.cpp:39

pesieve::IATThunksSeries::funcCount
size_t funcCount()
Definition iat_block.h:46

pesieve::IATThunksSeries::getRvaToFuncMap
std::map< DWORD, ULONGLONG > getRvaToFuncMap()
Definition iat_block.h:59

pesieve::IATThunksSeries::isCovered
bool isCovered()
Definition iat_block.h:41

pesieve
Definition pesieve.py:1

pesieve::IATThunksSeriesSet
std::set< IATThunksSeries *, IATThunksSeriesPtrCompare > IATThunksSeriesSet
Definition iat_block.h:85

pesieve::IATThunksSeriesPtrCompare
Definition iat_block.h:77

pesieve::IATThunksSeriesPtrCompare::operator()
bool operator()(const IATThunksSeries *lhs, const IATThunksSeries *rhs) const
Definition iat_block.h:78