pe-sieve/imp__reconstructor_8cpp_source.html

#include "imp_reconstructor.h"


#include "iat_finder.h"

#include "import_table_finder.h"


#include <fstream>


using namespace pesieve;


#define MIN_THUNKS_COUNT 2


namespace pesieve {


    BYTE* get_buffer_space_at(IN BYTE* buffer, IN const size_t buffer_size, IN const DWORD buffer_rva, IN const DWORD required_rva, IN const size_t required_size)

    {

        if (!buffer || buffer_rva > required_rva) return nullptr;

        size_t offset = required_rva - buffer_rva;


        BYTE* req_ptr = offset + buffer;

        if (peconv::validate_ptr(buffer, buffer_size, req_ptr, required_size)) {

            return req_ptr;

        }

        return nullptr;

    }


};


//---


BYTE* pesieve::ImportTableBuffer::getNamesSpaceAt(const DWORD rva, size_t required_size)

{

    return get_buffer_space_at(this->namesBuf, this->namesBufSize, this->namesRVA, rva, required_size);

}


BYTE* pesieve::ImportTableBuffer::getDllSpaceAt(const DWORD rva, size_t required_size)

{

    return get_buffer_space_at(this->dllsBuf, this->dllsBufSize, this->dllsRVA, rva, required_size);

}


//---


bool pesieve::ImpReconstructor::hasDynamicIAT() const

{

    size_t maxSize = getMaxDynamicIATSize(true);

    return (maxSize >= MIN_THUNKS_COUNT);

}


size_t pesieve::ImpReconstructor::getMainIATSize() const

{

    std::map<DWORD, IATBlock*>::const_iterator iats_itr;


    //the main IAT can be in chunks, so join them together...

    size_t totalIatSize = 0;

    for (iats_itr = foundIATs.cbegin(); iats_itr != foundIATs.cend(); ++iats_itr) {

        const IATBlock* iblock = iats_itr->second;

        const size_t currCount = iblock->countThunks();


        if (iblock->isInMain) {

            totalIatSize += currCount;

        }

    }

    return totalIatSize;

}


size_t pesieve::ImpReconstructor::getMaxDynamicIATSize(IN bool isIatTerminated) const

{

    std::map<DWORD, IATBlock*>::const_iterator iats_itr;


    size_t maxIATSize = 0;

    for (iats_itr = foundIATs.cbegin(); iats_itr != foundIATs.cend(); ++iats_itr) {

        const IATBlock* iblock = iats_itr->second;

        const size_t currCount = iblock->countThunks();


        if (!iblock->isInMain // is it a dynamic IAT

            && (iblock->isTerminated == isIatTerminated))

        {

            if (currCount > maxIATSize) {

                maxIATSize = currCount;

            }

        }

    }

    return maxIATSize;

}


pesieve::ImpReconstructor::t_imprec_res pesieve::ImpReconstructor::_recreateImportTableFiltered(const IN peconv::ExportsMapper* exportsMap, IN const pesieve::t_imprec_mode& imprec_mode)

{

    // convert to filter:


    int filter = IMP_REC0;

    switch (imprec_mode) {

    case PE_IMPREC_REBUILD0:

        filter = IMP_REC0; break;

    case PE_IMPREC_REBUILD1:

        filter = IMP_REC1; break;

    case PE_IMPREC_REBUILD2:

        filter = IMP_REC2; break;

    }


    // in AUTO mode: chose higher filter if the unterminated IAT is bigger than the main IAT, or any terminated:


    if (imprec_mode == PE_IMPREC_AUTO) {


        const size_t untermIATSize = getMaxDynamicIATSize(false);

        if (untermIATSize > MIN_THUNKS_COUNT) {

            const size_t mainIATSize = getMainIATSize();

            const size_t termIATSize = getMaxDynamicIATSize(true);


            if ((untermIATSize > mainIATSize) && (untermIATSize > termIATSize)) {

                filter = IMP_REC1;

            }

        }

    }


    // Try to rebuild ImportTable for module


    while (!findIATsCoverage(exportsMap, (t_imprec_filter)filter)) {

        if (imprec_mode != PE_IMPREC_AUTO) {

            // no autodetect: don't try different modes

            return IMP_RECOVERY_ERROR;

        }

        // try next filter:

        filter++;

        //limit exceeded, quit with error:

        if (filter == IMP_REC_COUNT) {

            return IMP_RECOVERY_ERROR;

        }

    }


    //coverage found, try to rebuild:

    bool isOk = false;

    ImportTableBuffer* impBuf = constructImportTable();

    if (impBuf) {

        if (appendImportTable(*impBuf)) {

            isOk = true;

        }

    }

    delete impBuf;


    if (!isOk) {

        return IMP_RECOVERY_ERROR;

    }

    // convert results:

    switch (filter) {

    case IMP_REC0:

        return IMP_RECREATED_FILTER0;

    case IMP_REC1:

        return IMP_RECREATED_FILTER1;

    case IMP_REC2:

        return IMP_RECREATED_FILTER2;

    }

    return IMP_RECREATED_FILTER0;

}


pesieve::ImpReconstructor::t_imprec_res pesieve::ImpReconstructor::rebuildImportTable(const IN peconv::ExportsMapper* exportsMap, IN const pesieve::t_imprec_mode &imprec_mode)

{

    if (!exportsMap || imprec_mode == pesieve::PE_IMPREC_NONE) {

        return IMP_RECOVERY_SKIPPED;

    }


    if (!collectIATs(exportsMap)) {

        return IMP_NOT_FOUND;

    }


    if (!peBuffer.isValidPe()) {

        // this is possibly a shellcode, stop after collecting the IATs

        return IMP_RECOVERY_NOT_APPLICABLE;

    }

    if (!peconv::is_pe_raw_eq_virtual(peBuffer.vBuf, peBuffer.vBufSize)

        && peconv::is_pe_raw(peBuffer.vBuf, peBuffer.vBufSize))

    {

        // Do not proceed, the PE is in a raw format

        return IMP_RECOVERY_NOT_APPLICABLE;

    }


    if (imprec_mode == PE_IMPREC_UNERASE ||

        (imprec_mode == PE_IMPREC_AUTO && !this->hasDynamicIAT()))

    {

        const bool is_default_valid = this->isDefaultImportValid(exportsMap);

        if (is_default_valid) {

            // Valid Import Table already set

            return pesieve::ImpReconstructor::IMP_ALREADY_OK;

        }

        if (findImportTable(exportsMap)) {

            // ImportTable found and set:

            return pesieve::ImpReconstructor::IMP_DIR_FIXED;

        }

    }

    const bool isDotnet = peconv::is_dot_net(peBuffer.vBuf, peBuffer.vBufSize);

    if (isDotnet && imprec_mode == PE_IMPREC_AUTO) {

        // Valid Import Table already set

        return pesieve::ImpReconstructor::IMP_ALREADY_OK;

    }


    // Try to rebuild ImportTable for module

    if ((imprec_mode == PE_IMPREC_REBUILD0 || imprec_mode == PE_IMPREC_REBUILD1 || imprec_mode == PE_IMPREC_REBUILD2)

        || imprec_mode == PE_IMPREC_AUTO)

    {

        return _recreateImportTableFiltered(exportsMap, imprec_mode);

    }

    return IMP_RECOVERY_ERROR;

}


bool pesieve::ImpReconstructor::printFoundIATs(const std::string& reportPath)

{

    if (!foundIATs.size()) {

        return false;

    }

    std::ofstream report;

    report.open(reportPath);

    if (report.is_open() == false) {

        return false;

    }


    std::map<DWORD, IATBlock*>::iterator itr;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        report << itr->second->toString();

    }

    report.close();

    return true;

}


bool pesieve::ImpReconstructor::isDefaultImportValid(IN const peconv::ExportsMapper* exportsMap)

{

    BYTE *vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf || !vBufSize) return false;


    IMAGE_DATA_DIRECTORY *iat_dir = peconv::get_directory_entry(vBuf, IMAGE_DIRECTORY_ENTRY_IAT, true);

    if (!iat_dir) return false;


    IMAGE_DATA_DIRECTORY *imp_dir = peconv::get_directory_entry(vBuf, IMAGE_DIRECTORY_ENTRY_IMPORT, true);

    if (!imp_dir) return false;


    if (imp_dir->VirtualAddress == 0 && imp_dir->Size == 0

        && iat_dir->VirtualAddress == 0 && iat_dir->Size == 0)

    {

        // the PE has no Import Table, and no artefacts indicating that it was erased. Probably legit no-import PE.

        return false;

    }


    if (iat_dir->VirtualAddress != 0 && imp_dir->VirtualAddress == 0) {

        // the PE has IAT, but no Import Table. Import Table Address was probably erased.

        return false;

    }


    // verify if the Import Table that is currently set is fine:


    DWORD iat_offset = iat_dir->VirtualAddress;

    IATBlock* iat_block = this->findIATBlock(exportsMap, iat_offset);

    if (!iat_block) {

        //could not find any IAT Block at this IAT offset. The IAT offset may be incorrect.

        return false;

    }

    const size_t start_offset = peconv::get_hdrs_size(vBuf);

    const bool is64bit = peconv::is64bit(vBuf);

    size_t table_size = 0;

    IMAGE_IMPORT_DESCRIPTOR *import_table = find_import_table(

        is64bit,

        vBuf,

        vBufSize,

        exportsMap,

        iat_offset,

        table_size,

        start_offset

    );

    if (!import_table) {

        // could not find Import Table for this IAT offset

        return false;

    }

    // Import Table found and it fits the address that was already set

    DWORD imp_table_offset = DWORD((ULONG_PTR)import_table - (ULONG_PTR)vBuf);

    if (imp_dir->VirtualAddress == imp_table_offset) {

        return true;

    }

    return false;

}


IATBlock* pesieve::ImpReconstructor::findIATBlock(IN const peconv::ExportsMapper* exportsMap, size_t start_offset)

{

    if (!exportsMap) return nullptr;


    // filter calls to the own exports

    class ThunkFilterSelfCallback : public ThunkFoundCallback

    {

    public:

        ThunkFilterSelfCallback(const ULONGLONG mod_start, size_t mod_size)

            : startAddr(mod_start), endAddr(mod_start + mod_size)

        {

        }


        virtual bool shouldProcessVA(ULONGLONG va)

        {

            if (va >= startAddr && va < endAddr) {

                // the address is in the current module: this may be a call to module's own function

                return false;

            }

            return true;

        }


        virtual bool shouldAcceptExport(ULONGLONG va, const peconv::ExportedFunc &exp)

        {

            // accept any

            return true;

        }


    protected:

        const ULONGLONG startAddr;

        const ULONGLONG endAddr;

    };

    //---

    ThunkFilterSelfCallback filter = ThunkFilterSelfCallback(peBuffer.moduleBase, peBuffer.getBufferSize());


    IATBlock* iat_block = nullptr;

    if (this->is64bit) {

        iat_block = find_iat<ULONGLONG>(this->peBuffer.vBuf, this->peBuffer.vBufSize, exportsMap, start_offset, &filter);

    }

    else {

        iat_block = find_iat<DWORD>(this->peBuffer.vBuf, this->peBuffer.vBufSize, exportsMap, start_offset, &filter);

    }

    return iat_block;

}


void pesieve::ImpReconstructor::collectMainIatData()

{

    BYTE* vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf) return;


    if (!peconv::has_valid_import_table(vBuf, vBufSize)) {

        // No import table

        return;

    }

    peconv::collect_thunks(vBuf, vBufSize, mainIatThunks);

}


IATBlock* pesieve::ImpReconstructor::findIAT(IN const peconv::ExportsMapper* exportsMap, size_t start_offset)

{

    BYTE *vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf) return nullptr;


    IATBlock* iat_block = findIATBlock(exportsMap, start_offset);

    if (!iat_block) {

        return nullptr;

    }

    DWORD mainIatRVA = 0;

    DWORD mainIatSize = 0;

    IMAGE_DATA_DIRECTORY* dir = peconv::get_directory_entry(vBuf, IMAGE_DIRECTORY_ENTRY_IAT, true);

    if (dir) {

        mainIatRVA = dir->VirtualAddress;

        mainIatSize = dir->Size;

    }

    if ( (mainIatRVA != 0 && iat_block->iatOffset >= mainIatRVA && iat_block->iatOffset < (mainIatRVA + mainIatSize) )

        || mainIatThunks.find(iat_block->iatOffset) != mainIatThunks.end() )

    {

        iat_block->isInMain = true;

    }

    return iat_block;

}


size_t pesieve::ImpReconstructor::collectIATs(IN const peconv::ExportsMapper* exportsMap)

{

    BYTE *vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf) return 0;


    size_t found = 0;

    const size_t pe_hdr_size = peconv::get_hdrs_size(vBuf); //if the buffer is not a valid PE, it will be 0


    for (size_t search_offset = pe_hdr_size; search_offset < vBufSize;) {


        IATBlock *currIAT = findIAT(exportsMap, search_offset);

        if (!currIAT) {

            //can't find any more IAT

            break;

        }

        found++;

        const DWORD iat_offset = currIAT->iatOffset;

        const size_t iat_end = iat_offset + currIAT->iatSize;

        if (!appendFoundIAT(iat_offset, currIAT)) {

            delete currIAT; //this IAT already exist in the map

        }

        // next search should be after thie current IAT:

        if (iat_end <= search_offset) {

            break; //this should never happen

        }

        search_offset = iat_end;

    }

    return found;

}


bool pesieve::ImpReconstructor::findImportTable(IN const peconv::ExportsMapper* exportsMap)

{

    BYTE *vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf) return false;


    IMAGE_DATA_DIRECTORY* imp_dir = peconv::get_directory_entry(vBuf, IMAGE_DIRECTORY_ENTRY_IMPORT, true);

    if (!imp_dir) {

        return false;

    }

    IMAGE_DATA_DIRECTORY *iat_dir = peconv::get_directory_entry(vBuf, IMAGE_DIRECTORY_ENTRY_IAT, true);

    if (!iat_dir) {

        return false;

    }

    IMAGE_IMPORT_DESCRIPTOR* import_table = nullptr;

    size_t table_size = 0;


    const size_t start_offset = peconv::get_hdrs_size(vBuf);


    std::map<DWORD, IATBlock*>::iterator itr;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock *currIAT = itr->second;


        const DWORD iat_offset = currIAT->iatOffset;

#ifdef _DEBUG

        std::cout << "[*] Searching import table for IAT: " << std::hex << iat_offset << ", size: " << currIAT->iatSize << std::endl;

#endif

        bool is64bit = peconv::is64bit(vBuf);

        import_table = find_import_table(

            is64bit,

            vBuf,

            vBufSize,

            exportsMap,

            iat_offset,

            table_size,

            start_offset

        );

        if (import_table) {

            //import table found, set it in the IATBlock:

            currIAT->importTableOffset = DWORD((ULONG_PTR)import_table - (ULONG_PTR)vBuf);

            //overwrite the Data Directory:

            iat_dir->VirtualAddress = iat_offset;

            iat_dir->Size = MASK_TO_DWORD(currIAT->iatSize);

            break;

        }

    }


    if (!import_table) return false;


    DWORD imp_offset = MASK_TO_DWORD((ULONG_PTR)import_table - (ULONG_PTR)vBuf);

    if (imp_dir->VirtualAddress == imp_offset && imp_dir->Size == table_size) {

        //std::cout << "[*] Validated Imports offset!\n";

        return true;

    }

#ifdef _DEBUG

    if (imp_dir->Size == table_size) {

        std::cout << "[*] Validated Imports size!\n";

    }

#endif

    //overwrite the Data Directory:

    imp_dir->VirtualAddress = imp_offset;

    imp_dir->Size = MASK_TO_DWORD(table_size);

    return true;

}


bool pesieve::ImpReconstructor::findIATsCoverage(IN const peconv::ExportsMapper* exportsMap, t_imprec_filter filter)

{

    size_t neededIATs = 0;

    size_t covered = 0;

    std::map<DWORD, IATBlock*>::iterator itr;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock* iat = itr->second;


        switch (filter) {

        case IMP_REC0:

            if (!iat->isInMain && !iat->isTerminated) {

                continue;

            }

        case IMP_REC1:

            if (!iat->isInMain && !iat->isTerminated && iat->countThunks() < MIN_THUNKS_COUNT) {

                continue;

            }

        }

        neededIATs++;


        if (iat->makeCoverage(exportsMap)) {

            covered++;

        }

        else {

            std::cout << "[-] Failed covering block: " << std::hex << itr->first << " series: " << iat->thunkSeries.size() << "\n";

        }

    }

    if (neededIATs == 0) {

        return false;

    }

    return (covered == neededIATs);

}


ImportTableBuffer* pesieve::ImpReconstructor::constructImportTable()

{

    BYTE *vBuf = this->peBuffer.vBuf;

    const size_t vBufSize = this->peBuffer.vBufSize;

    if (!vBuf || !vBufSize) return nullptr;


    size_t ready_blocks = 0;

    std::map<DWORD, IATBlock*>::iterator itr;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock* iat = itr->second;

        if (iat->isValid()) {

            ready_blocks += iat->thunkSeries.size();

        }

    }

    if (ready_blocks == 0) {

        return nullptr;

    }

    const DWORD end_rva = MASK_TO_DWORD(vBufSize);

    ImportTableBuffer *importTableBuffer = new(std::nothrow) ImportTableBuffer(end_rva);

    if (!importTableBuffer) {

        return nullptr;

    }

    importTableBuffer->allocDesciptors(ready_blocks + 1);


    const DWORD names_start_rva = MASK_TO_DWORD(importTableBuffer->getRVA() + importTableBuffer->getDescriptorsSize());

    DWORD orig_thunk_rva = names_start_rva;

    size_t names_space = 0;

    size_t i = 0;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock* iat = itr->second;

        if (!iat->isValid()) {

            continue;

        }

        IATThunksSeriesSet::iterator sItr;

        for (sItr = iat->thunkSeries.begin(); sItr != iat->thunkSeries.end(); ++sItr, ++i) {

            IATThunksSeries *series = *sItr;

            importTableBuffer->descriptors[i].FirstThunk = series->startOffset;

            importTableBuffer->descriptors[i].OriginalFirstThunk = orig_thunk_rva;

            //calculate size for names

            const DWORD names_space_size = MASK_TO_DWORD(series->sizeOfNamesSpace(this->is64bit));

            names_space += names_space_size;

            orig_thunk_rva += names_space_size;

        }

    }

    //fill functions' names:

    importTableBuffer->allocNamesSpace(names_start_rva, names_space);

    const DWORD dlls_rva = MASK_TO_DWORD(names_start_rva + names_space);

    size_t dlls_area_size = 0;

    i = 0;

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock* iat = itr->second;

        if (!iat->isValid()) {

            continue;

        }

        IATThunksSeriesSet::iterator sItr;

        for (sItr = iat->thunkSeries.begin(); sItr != iat->thunkSeries.end(); ++sItr++, ++i) {

            IATThunksSeries *series = *sItr;

            DWORD name_rva = importTableBuffer->descriptors[i].OriginalFirstThunk;

            const size_t names_space_size = series->sizeOfNamesSpace(this->is64bit);

            BYTE *buf = importTableBuffer->getNamesSpaceAt(name_rva, names_space_size);

            if (!buf) {

                continue;

            }

            series->fillNamesSpace(buf, names_space_size, name_rva, this->is64bit);

        }

        dlls_area_size += iat->sizeOfDllsSpace();

    }

    //fill DLLs' names:

    importTableBuffer->allocDllsSpace(dlls_rva, dlls_area_size);

    DWORD dll_name_rva = dlls_rva;

    i = 0;

    //TODO: optimize it: write the repeating DLL names only once

    for (itr = foundIATs.begin(); itr != foundIATs.end(); ++itr) {

        IATBlock* iat = itr->second;

        if (!iat->isValid()) {

            continue;

        }

        DWORD max_dll_name = MASK_TO_DWORD(iat->maxDllLen());

        IATThunksSeriesSet::iterator sItr;

        for (sItr = iat->thunkSeries.begin(); sItr != iat->thunkSeries.end(); ++sItr, ++i) {

            IATThunksSeries *series = *sItr;

            importTableBuffer->descriptors[i].Name = dll_name_rva;

            BYTE *buf = importTableBuffer->getDllSpaceAt(dll_name_rva, max_dll_name);

            if (buf) {

                //fill the name:

                memcpy(buf, series->getDllName().c_str(), series->getDllName().length() + 1);

            }

            dll_name_rva += max_dll_name;

        }

    }

    return importTableBuffer;

}


bool pesieve::ImpReconstructor::appendImportTable(ImportTableBuffer &importTable)

{

    const size_t import_table_size = importTable.getDescriptorsSize() + importTable.getNamesSize() + importTable.getDllNamesSize();

    const size_t new_size = peBuffer.vBufSize + import_table_size;


    if (!peBuffer.resizeBuffer(new_size)) {

        return false;

    }


    const DWORD imports_start_rva = importTable.getRVA();

    peBuffer.resizeLastSection(imports_start_rva + import_table_size);

    return importTable.setTableInPe(peBuffer.vBuf, peBuffer.vBufSize);

}

pesieve::IATBlock
Definition iat_block.h:79

pesieve::IATBlock::isInMain
bool isInMain
Definition iat_block.h:147

pesieve::IATBlock::iatOffset
DWORD iatOffset
Definition iat_block.h:149

pesieve::IATBlock::countThunks
size_t countThunks() const
Definition iat_block.h:125

pesieve::IATBlock::importTableOffset
DWORD importTableOffset
Definition iat_block.h:152

pesieve::IATBlock::iatSize
size_t iatSize
Definition iat_block.h:150

pesieve::IATBlock::isTerminated
bool isTerminated
Definition iat_block.h:146

pesieve::IATThunksSeries
Definition iat_block.h:12

pesieve::IATThunksSeries::getDllName
std::string getDllName()
Definition iat_block.cpp:101

pesieve::IATThunksSeries::startOffset
DWORD startOffset
Definition iat_block.h:56

pesieve::IATThunksSeries::sizeOfNamesSpace
size_t sizeOfNamesSpace(bool is64b)
Definition iat_block.cpp:78

pesieve::IATThunksSeries::fillNamesSpace
bool fillNamesSpace(const BYTE *buf_start, size_t buf_size, DWORD bufRVA, bool is64b)
Definition iat_block.cpp:39

pesieve::ImpReconstructor::rebuildImportTable
t_imprec_res rebuildImportTable(const IN peconv::ExportsMapper *exportsMap, IN const pesieve::t_imprec_mode &imprec_mode)
Definition imp_reconstructor.cpp:152

pesieve::ImpReconstructor::printFoundIATs
bool printFoundIATs(const std::string &reportPath)
Definition imp_reconstructor.cpp:201

pesieve::ImpReconstructor::IMP_ALREADY_OK
@ IMP_ALREADY_OK
Definition imp_reconstructor.h:191

pesieve::ImpReconstructor::IMP_DIR_FIXED
@ IMP_DIR_FIXED
Definition imp_reconstructor.h:192

pesieve::ImpReconstructor::t_imprec_res
enum pesieve::ImpReconstructor::imprec_res t_imprec_res

pesieve::ImportTableBuffer
Definition imp_reconstructor.h:16

pesieve::ImportTableBuffer::allocDllsSpace
bool allocDllsSpace(DWORD dlls_rva, size_t dlls_area_size)
Definition imp_reconstructor.h:61

pesieve::ImportTableBuffer::getDllNamesSize
size_t getDllNamesSize()
Definition imp_reconstructor.h:93

pesieve::ImportTableBuffer::getRVA
DWORD getRVA()
Definition imp_reconstructor.h:98

pesieve::ImportTableBuffer::allocNamesSpace
bool allocNamesSpace(DWORD names_rva, size_t names_size)
Definition imp_reconstructor.h:47

pesieve::ImportTableBuffer::getDllSpaceAt
BYTE * getDllSpaceAt(const DWORD rva, size_t required_size)
Definition imp_reconstructor.cpp:33

pesieve::ImportTableBuffer::getNamesSize
size_t getNamesSize()
Definition imp_reconstructor.h:87

pesieve::ImportTableBuffer::getNamesSpaceAt
BYTE * getNamesSpaceAt(const DWORD rva, size_t required_size)
Definition imp_reconstructor.cpp:28

pesieve::ImportTableBuffer::setTableInPe
bool setTableInPe(BYTE *vBuf, size_t vBufSize)
Definition imp_reconstructor.h:104

pesieve::ImportTableBuffer::getDescriptorsSize
size_t getDescriptorsSize()
Definition imp_reconstructor.h:80

pesieve::ImportTableBuffer::allocDesciptors
bool allocDesciptors(size_t descriptors_count)
Definition imp_reconstructor.h:34

pesieve::ImportTableBuffer::descriptors
IMAGE_IMPORT_DESCRIPTOR * descriptors
Definition imp_reconstructor.h:139

pesieve::ThunkFoundCallback
A class containing callbacks for functions: find_iat, fill_iat.
Definition iat_finder.h:16

pesieve.t_imprec_mode
Definition pesieve.py:42

iat_finder.h

MASK_TO_DWORD
#define MASK_TO_DWORD(val)
Definition iat_finder.h:9

MIN_THUNKS_COUNT
#define MIN_THUNKS_COUNT
Definition imp_reconstructor.cpp:10

imp_reconstructor.h

import_table_finder.h

demo.iat
iat
Definition demo.py:20

pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle

pesieve
Definition pesieve.py:1

pesieve::get_buffer_space_at
BYTE * get_buffer_space_at(IN BYTE *buffer, IN const size_t buffer_size, IN const DWORD buffer_rva, IN const DWORD required_rva, IN const size_t required_size)
Definition imp_reconstructor.cpp:13

pesieve::find_import_table
IMAGE_IMPORT_DESCRIPTOR * find_import_table(IN bool is64bit, IN BYTE *vBuf, IN size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN DWORD iat_offset, OUT size_t &table_size, IN OPTIONAL size_t search_offset)
Definition import_table_finder.cpp:3

pesieve::find_iat
IATBlock * find_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN size_t search_offset, IN ThunkFoundCallback *callback)
Definition iat_finder.h:94

PE_IMPREC_AUTO
@ PE_IMPREC_AUTO
try to autodetect the most suitable mode
Definition pe_sieve_types.h:60

PE_IMPREC_REBUILD0
@ PE_IMPREC_REBUILD0
build the import table from the scratch, basing on the found IAT(s): use only terminated blocks (rest...
Definition pe_sieve_types.h:62

PE_IMPREC_UNERASE
@ PE_IMPREC_UNERASE
recover erased parts of the partialy damaged import table
Definition pe_sieve_types.h:61

PE_IMPREC_REBUILD2
@ PE_IMPREC_REBUILD2
build the import table from the scratch, basing on the found IAT(s): use all found blocks (aggressive...
Definition pe_sieve_types.h:64

PE_IMPREC_REBUILD1
@ PE_IMPREC_REBUILD1
build the import table from the scratch, basing on the found IAT(s): use terminated blocks,...
Definition pe_sieve_types.h:63

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150