Implemented the BuildNewImportTable.

Author: BeneficialCode

PEParser/PEParser.cpp

@@ -190,11 +190,12 @@ class PEParser {
 	bool WriteMemoryToFile(HANDLE hFile, LONG offset, DWORD size, LPVOID pData);
 	bool WriteZeroMemoryToFile(HANDLE hFile, DWORD fileOffset, DWORD size);
 	void GetSectionHeaders();
-
+	DWORD IsMemoryNotNull(BYTE* pData, int dataSize);
 	int GetSectionCount() const;
 	void SetSectionCount(WORD count);
-	const IMAGE_SECTION_HEADER* GetSectionHeader(ULONG section) const;
-	const IMAGE_DATA_DIRECTORY* GetDataDirectory(int index) const;
+	void SetImportTable(DWORD va, DWORD size);
+	IMAGE_SECTION_HEADER* GetSectionHeader(ULONG section) const;
+	IMAGE_DATA_DIRECTORY* GetDataDirectory(int index) const;
 	const IMAGE_DOS_HEADER& GetDosHeader() const;
 	void* GetBaseAddress() const;
 	void AlignAllSectionHeaders();
@@ -243,11 +244,6 @@ class PEParser {
 		return *_opt32;
 	}
 
-	//IMAGE_COR20_HEADER* GetCLRHeader() const;
-	//CLRMetadataParser* GetCLRParser() const;
-	//std::vector<std::pair<DWORD, WIN_CERTIFICATE>> EnumCertificates() const;
-	//const IMAGE_LOAD_CONFIG_DIRECTORY64* GetLoadConfiguration64() const;
-	//const IMAGE_LOAD_CONFIG_DIRECTORY32* GetLoadConfiguration32() const;
 	PVOID GetDataDirectoryAddress(UINT index, PULONG size) const;
 	void SetDefaultFileAligment();
 	DWORD GetSectionAlignment();
@@ -294,10 +290,13 @@ class PEParser {
 	HANDLE _hFile{ INVALID_HANDLE_VALUE };
 	IMAGE_DOS_HEADER* _dosHeader = nullptr;
 	IMAGE_NT_HEADERS64* _ntHeader = nullptr;
+	IMAGE_NT_HEADERS64 _ntHeader64Copy;
+	IMAGE_NT_HEADERS32 _ntHeader32Copy;
 	IMAGE_FILE_HEADER* _fileHeader = nullptr;
 	IMAGE_SECTION_HEADER* _sections = nullptr;
 	IMAGE_OPTIONAL_HEADER32* _opt32{ nullptr };
 	IMAGE_OPTIONAL_HEADER64* _opt64{ nullptr };
+
 	//CComPtr<IMetaDataImport> _spMetadata;
 	std::wstring _path;
 	mutable HMODULE _resModule{ nullptr };

PEParser/PEParser.h

@@ -28,7 +28,10 @@ void ApiReader::ParseModule(ModuleInfo* pModule) {
 			ParseModuleWithMapping(pModule);
 		}
 		else {
-			ParseModuleWithProcess(pModule);
+			bool success = ParseModuleWithProcess(pModule);
+			if (!success) {
+				ParseModuleWithMapping(pModule);
+			}
 		}
 	}
 }
@@ -37,7 +40,7 @@ void ApiReader::ParseModuleWithMapping(ModuleInfo* pModule) {
 	ParseExportTable(pModule, true, true);
 }
 
-void ApiReader::ParseExportTable(ModuleInfo* pModule,bool isMapping,bool ownProcess) {
+bool ApiReader::ParseExportTable(ModuleInfo* pModule,bool isMapping,bool ownProcess) {
 	if (isMapping) {
 		PEParser parser(pModule->_fullPath);
 		auto exports = parser.GetExports();
@@ -61,7 +64,7 @@ void ApiReader::ParseExportTable(ModuleInfo* pModule,bool isMapping,bool ownProc
 		pPE = new BYTE[pModule->_modBaseSize];
 		if (!ReadMemoryFromProcess(pModule->_modBaseAddr, pModule->_modBaseSize, pPE)) {
 			delete[] pPE;
-			return;
+			return false;
 		}
 
 		PEParser parser(pPE);
@@ -101,6 +104,7 @@ void ApiReader::ParseExportTable(ModuleInfo* pModule,bool isMapping,bool ownProc
 			}
 		}
 	}
+	return true;
 }
 
 void ApiReader::FindApiByModuleAndOrdinal(ModuleInfo* pModule, WORD ordinal, DWORD_PTR* pVA, DWORD_PTR* pRVA)
@@ -166,24 +170,44 @@ void ApiReader::FindApiInProcess(ModuleInfo* pModule, char* pSearchName, WORD or
 	PIMAGE_DOS_HEADER pDosHeader = nullptr;
 	BYTE* pPE = new BYTE[pModule->_modBaseSize];
 
-	ReadMemoryFromProcess(pModule->_modBaseAddr, pModule->_modBaseSize, pPE);
-	
-	PEParser parser(pPE);
+	bool success = ReadMemoryFromProcess(pModule->_modBaseAddr, pModule->_modBaseSize, pPE);
+	if (success) {
+		PEParser parser(pPE);
 
-	auto exports = parser.GetExports();
+		auto exports = parser.GetExports();
 
-	for (ExportedSymbol symbol : exports) {
-		if (pSearchName != nullptr) {
-			if (!strcmp(symbol.Name.c_str(), pSearchName)) {
+		for (ExportedSymbol symbol : exports) {
+			if (pSearchName != nullptr) {
+				if (!strcmp(symbol.Name.c_str(), pSearchName)) {
+					*pVA = symbol.Address + pModule->_modBaseAddr;
+					*pRVA = symbol.Address;
+					break;
+				}
+			}
+			if (symbol.Ordinal == ordinal) {
 				*pVA = symbol.Address + pModule->_modBaseAddr;
 				*pRVA = symbol.Address;
 				break;
 			}
 		}
-		if (symbol.Ordinal == ordinal) {
-			*pVA = symbol.Address + pModule->_modBaseAddr;
-			*pRVA = symbol.Address;
-			break;
+	}
+	else {
+		PEParser parser(pModule->_fullPath);
+		auto exports = parser.GetExports();
+
+		for (ExportedSymbol symbol : exports) {
+			if (pSearchName != nullptr) {
+				if (!strcmp(symbol.Name.c_str(), pSearchName)) {
+					*pVA = symbol.Address + pModule->_modBaseAddr;
+					*pRVA = symbol.Address;
+					break;
+				}
+			}
+			if (symbol.Ordinal == ordinal) {
+				*pVA = symbol.Address + pModule->_modBaseAddr;
+				*pRVA = symbol.Address;
+				break;
+			}
 		}
 	}
 
@@ -839,8 +863,8 @@ void ApiReader::HandleForwardedApi(const char* pForwardName, const char* pFuncti
 	}
 }
 
-void ApiReader::ParseModuleWithProcess(ModuleInfo* pModule) {
-	ParseExportTable(pModule, false);
+bool ApiReader::ParseModuleWithProcess(ModuleInfo* pModule) {
+	return ParseExportTable(pModule, false);
 }
 
 ModuleInfo* ApiReader::FindModuleByName(WCHAR* name) {

WinArk/ApiReader.cpp

@@ -37,8 +37,8 @@ class ApiReader : public ProcessAccessHelper
 	inline bool IsApiForwarded(DWORD_PTR rva, PIMAGE_NT_HEADERS pNtHeader);
 	void HandleForwardedApi(const char* pForwardName, const char* pFunctionNameParent, DWORD_PTR rvaParent, WORD ordinalParent, ModuleInfo* pModuleParent);
 	void ParseModule(ModuleInfo* pModule);
-	void ParseModuleWithProcess(ModuleInfo* pModule);
-	void ParseExportTable(ModuleInfo* pModule, bool isMapping, bool ownProcess = false);
+	bool ParseModuleWithProcess(ModuleInfo* pModule);
+	bool ParseExportTable(ModuleInfo* pModule, bool isMapping, bool ownProcess = false);
 
 	ModuleInfo* FindModuleByName(WCHAR* name);