#pragma once

// Base class providing access to the target process (declared in the project header).
#include "ProcessAccessHelp.h"
// ApiInfo / ModuleInfo / ImportModuleThunk types used in the declarations below.
#include "Thunks.h"
// Key/value pair type of the api lookup table: an address (DWORD_PTR) paired with a
// non-owning ApiInfo pointer. Matches the value_type used by ApiReader::apiList.
typedef std::pair<DWORD_PTR, ApiInfo *> API_Pair;
/*
 * Collects the exported APIs of the modules loaded in the target process and
 * resolves the entries of an import address table (IAT) against them.
 *
 * Everything this class reads (module headers, export directories, forwarder
 * strings, IAT contents) comes out of another process's memory, so the
 * implementation in ApiReader.cpp has to treat those bytes as untrusted input:
 * validate sizes/offsets before dereferencing and handle failed reads.
 * Only declarations are visible here; the notes marked "review" are
 * assumptions to confirm against the implementation.
 */
class ApiReader : public ProcessAccessHelp
{
public:
    // Lookup table of known APIs keyed by virtual address. A multimap, so one
    // address may map to several ApiInfo entries (e.g. aliases of one export).
    // Static: shared by every ApiReader instance.
    static stdext::hash_multimap<DWORD_PTR, ApiInfo *> apiList; //api look up table
    // Result of the IAT parse: per-module thunk lists keyed by address.
    // NOTE(review): raw pointer, ownership is not expressed here - confirm who
    // allocates/frees it in ApiReader.cpp.
    static std::map<DWORD_PTR, ImportModuleThunk> * moduleThunkList; //store found apis
    // Lowest and highest API virtual address seen so far (maintained by
    // setMinMaxApiAddress); presumably used by isApiAddressValid for a cheap
    // range pre-check - confirm.
    static DWORD_PTR minApiAddress;
    static DWORD_PTR maxApiAddress;

    /*
     * Read all APIs from target process
     */
    void readApisFromModuleList();

    // Returns true when virtualAddress looks like a known API address.
    bool isApiAddressValid(DWORD_PTR virtualAddress);

    // Looks up the ApiInfo for virtualAddress. isSuspect is an out parameter
    // (set by the callee). NOTE(review): presumably returns 0 when nothing is
    // found - callers must check for that.
    ApiInfo * getApiByVirtualAddress(DWORD_PTR virtualAddress, bool * isSuspect);

    // Reads sizeIAT bytes of IAT from addressIAT in the target process and
    // fills moduleListNew with the resolved imports. Both the address and the
    // size are caller supplied; the read must be bounded by sizeIAT and a
    // failed read must not leave a partially filled moduleListNew unreported.
    void readAndParseIAT(DWORD_PTR addressIAT, DWORD sizeIAT, std::map<DWORD_PTR, ImportModuleThunk> & moduleListNew);

    // Resets the static state (apiList, address bounds) - confirm scope in .cpp.
    void clearAll();

private:
    // Walks the already-read IAT copy (iatBuffer, size bytes) that was located
    // at addressIAT in the target; every index into iatBuffer must stay < size.
    void parseIAT(DWORD_PTR addressIAT, BYTE * iatBuffer, SIZE_T size);

    // Records one named export of moduleInfo in apiList. functionName points
    // into a buffer read from the target - it is not guaranteed to be
    // NUL-terminated unless the caller ensured it.
    void addApi(char * functionName, WORD hint, DWORD_PTR ordinal, DWORD_PTR va, DWORD_PTR rva, bool isForwarded, ModuleInfo * moduleInfo);
    // Same as addApi for ordinal-only exports (no name available).
    void addApiWithoutName(DWORD_PTR ordinal, DWORD_PTR va, DWORD_PTR rva, bool isForwarded, ModuleInfo * moduleInfo);

    // True when rva lies inside the export directory, i.e. the export is a
    // forwarder string rather than code. Declared inline here: the definition
    // must be visible in every translation unit that calls it (fine if it is
    // only used from ApiReader.cpp) - confirm.
    inline bool isApiForwarded(DWORD_PTR rva, PIMAGE_NT_HEADERS pNtHeader);

    // Resolves a forwarded export. vaStringPointer addresses the forwarder
    // string ("module.function" or "module.#ordinal") in the target process;
    // the string is attacker-controlled data and must be read with a length
    // bound. The *Parent arguments describe the forwarding export.
    void handleForwardedApi(DWORD_PTR vaStringPointer, char * functionNameParent, DWORD_PTR rvaParent, DWORD_PTR ordinalParent, ModuleInfo * moduleParent);

    // Entry point for collecting the exports of one module. The three
    // strategies below (read from the target, from our own process when the
    // same module is loaded here, or via a file mapping) are alternatives;
    // which one parseModule picks is decided in the .cpp.
    void parseModule(ModuleInfo * module);
    void parseModuleWithProcess(ModuleInfo * module);

    // Parses the export directory of module. pNtHeader/pExportDir point into a
    // local copy of the headers; deltaAddress is the offset between that copy
    // and the module's address in the target (presumably - confirm sign).
    void parseExportTable(ModuleInfo * module, PIMAGE_NT_HEADERS pNtHeader, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress);

    // Returns the ModuleInfo whose name matches, or 0 if not found (presumed).
    ModuleInfo * findModuleByName(WCHAR * name);

    // The findApi* family writes the found export's virtual address and RVA
    // through vaApi / rvaApi (out parameters); what they contain when nothing
    // is found is not visible here - confirm in the implementation.
    void findApiByModuleAndOrdinal(ModuleInfo * module, DWORD_PTR ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi);
    void findApiByModuleAndName(ModuleInfo * module, char * searchFunctionName, DWORD_PTR * vaApi, DWORD_PTR * rvaApi);
    // Looks up by name when searchFunctionName is given, otherwise by ordinal.
    void findApiByModule(ModuleInfo * module, char * searchFunctionName, DWORD_PTR ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi);

    // True when a module with the same identity is mapped in this process
    // (used to read export data locally instead of from the target).
    bool isModuleLoadedInOwnProcess(ModuleInfo * module);
    void parseModuleWithOwnProcess(ModuleInfo * module);

    // Sanity check on headers read from the target before the export table is
    // used; this is the place where malformed/hostile PE headers get rejected.
    bool isPeAndExportTableValid(PIMAGE_NT_HEADERS pNtHeader);

    // Variant of findApiByModule that reads the export table from the target
    // process. Same out-parameter contract as the findApi* functions above.
    void findApiInProcess(ModuleInfo * module, char * searchFunctionName, DWORD_PTR ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi);
    // Searches an already-read export directory; returns true when found.
    bool findApiInExportTable(ModuleInfo * module, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress, char * searchFunctionName, DWORD_PTR ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi);

    // Read the PE header / export table of module out of the target process.
    // NOTE(review): returns a raw BYTE* - presumably a heap buffer the caller
    // must free, and 0 on failure; confirm both in ApiReader.cpp.
    BYTE * getHeaderFromProcess(ModuleInfo * module);
    BYTE * getExportTableFromProcess(ModuleInfo * module, PIMAGE_NT_HEADERS pNtHeader);

    // Adjusts module's priority field (semantics defined by ModuleInfo).
    void setModulePriority(ModuleInfo * module);
    // Widens [minApiAddress, maxApiAddress] to include virtualAddress.
    void setMinMaxApiAddress(DWORD_PTR virtualAddress);

    // File-mapping based export parsing; kept but not called (see comment).
    void parseModuleWithMapping(ModuleInfo * moduleInfo); //not used

    // Helpers that build up moduleThunkList during parseIAT. The bool results
    // signal success/failure of the insertion (exact conditions in the .cpp).
    void addFoundApiToModuleList(DWORD_PTR iatAddress, ApiInfo * apiFound, bool isNewModule, bool isSuspect);
    bool addModuleToModuleList(const WCHAR * moduleName, DWORD_PTR firstThunk);
    bool addFunctionToModuleList(ApiInfo * apiFound, DWORD_PTR va, DWORD_PTR rva, DWORD_PTR ordinal, bool valid, bool suspect);
    // Records an IAT slot whose value (apiAddress) matched no known export.
    bool addNotFoundApiToModuleList(DWORD_PTR iatAddressVA, DWORD_PTR apiAddress);
    void addUnknownModuleToModuleList(DWORD_PTR firstThunk);

    // True when functionName is on the project's blacklist of export names
    // that should not be treated as imports (list lives in the .cpp).
    bool isApiBlacklisted(const char * functionName);
    // True when module was loaded from the WinSxS side-by-side store.
    bool isWinSxSModule(ModuleInfo * module);
};