72 return static_cast<DWORD
>(
diff);
147 if (!isHdrReady && !
init()) {
155 if (!isHdrReady)
return false;
161 if (!isHdrReady)
return 0;
167 if (!isHdrReady)
return 0;
181 return peconv::MAX_HEADER_SIZE;
A scanner for detection of IAT hooking.
Loads a module from the disk, corresponding to the module in the scanned process' memory.
bool autoswichIfWow64Mapping()
ULONGLONG rvaToVa(DWORD rva, ULONGLONG module_base=0)
ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache)
bool relocateToBase(ULONGLONG new_base)
DWORD vaToRva(ULONGLONG va, ULONGLONG module_base=0)
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
bool _loadOriginal(bool disableFSredir)
ModuleData(HANDLE _processHandle, HMODULE _module, std::string module_name, bool _useCache)
ULONGLONG getHdrImageBase()
bool loadImportsList(peconv::ImportsCollection &collection)
bool loadImportThunks(std::set< DWORD > &fields_rvas)
bool isDotNetManagedCode()
Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory.
Buffers the data from the module loaded in the scanned process into the local memory.
bool _loadFullImage(size_t v_size)
virtual ~RemoteModuleData()
ULONGLONG getHdrImageBase()
bool loadImportsList(peconv::ImportsCollection &collection)
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
BYTE headerBuffer[peconv::MAX_HEADER_SIZE]
bool hasExecutableSection(bool allow_data, bool allow_inaccessible)
bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
RemoteModuleData(HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
ULONGLONG getRemoteSectionVa(const size_t section_num)
bool isSectionEntry(const size_t section_number)
ULONGLONG getModuleBase()
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)