// File64.cpp: implementation of the File64 class. // ////////////////////////////////////////////////////////////////////// #include #include #include #include "File64.h" #include "depend.h" ////////////////////////////////////////////////////////////////////// // Construction/Destruction ////////////////////////////////////////////////////////////////////// //pszFileName - file to be loaded, including path File64::File64(TCHAR *pszFileName) : File(pszFileName) { HANDLE hFileMap; //open the file if ((hFile = CreateFile(pszFileName,GENERIC_READ,0,0,OPEN_EXISTING,0,0)) == INVALID_HANDLE_VALUE) { if(bNoisy) { _putws( GetFormattedMessage( ThisModule, FALSE, Message, sizeof(Message)/sizeof(Message[0]), MSG_ERROR_FILE_OPEN, pszFileName) ); } dwERROR = errFILE_LOCKED; throw errFILE_LOCKED; } //create a memory map hFileMap = CreateFileMapping(hFile,0,PAGE_READONLY,0,0,0); pImageBase = MapViewOfFile(hFileMap,FILE_MAP_READ,0,0,0); //try to create an NTHeader structure to give file information if (pNthdr = ImageNtHeader(pImageBase)) { if ((pNthdr->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) || (pNthdr->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64)) { pNthdr64 = (PIMAGE_NT_HEADERS64)pNthdr; return; } else { CloseHandle(hFile); hFile = INVALID_HANDLE_VALUE; throw 0; } } else { CloseHandle(hFile); hFile = INVALID_HANDLE_VALUE; throw 0; } } File64::~File64() { delete pImageBase; pImageBase = 0; } //Checks the dependencies of this file, and adds the dependencies to the queue so //their dependencies can be checked later //If a file comes up missing add it to the MissingFiles queue. Add the file that was looking for it to the missing files' //list of broken files. //This function has logic in it to handle the special case of 'ntoskrnl.exe'. If a file is //looking for 'ntoskrnl.exe' and it is missing then the function also looks for 'ntkrnlmp.exe' void File64::CheckDependencies() { char *pszDllName = new char[256]; TCHAR*pwsDllName = new TCHAR[256],*pszBuf = new TCHAR[256],*pszBufName; int temp = 0; File* pTempFile; DWORD dwOffset; DWORD dwVA = pNthdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; PIMAGE_SECTION_HEADER pSectHdr = IMAGE_FIRST_SECTION( pNthdr64 ),pImportHdr = 0; PIMAGE_IMPORT_DESCRIPTOR pImportDir; //figure out which section the imports table is in for ( unsigned i = 0; i < pNthdr64->FileHeader.NumberOfSections; i++, pSectHdr++ ) { DWORD cbMaxOnDisk = min( pSectHdr->Misc.VirtualSize, pSectHdr->SizeOfRawData ); DWORD startSectRVA = pSectHdr->VirtualAddress; DWORD endSectRVA = startSectRVA + cbMaxOnDisk; if ( (dwVA >= startSectRVA) && (dwVA < endSectRVA) ) { dwOffset = pSectHdr->PointerToRawData + (dwVA - startSectRVA); pImportHdr = pSectHdr; i = pNthdr64->FileHeader.NumberOfSections; } } //if we found the imports table, create a pointer to it if (pImportHdr) { pImportDir = (PIMAGE_IMPORT_DESCRIPTOR) (((PBYTE)pImageBase) + (DWORD)dwOffset); //go through each import, try and find it, and add it to the queue while ((DWORD)(pImportDir->Name)!=0) { strcpy(pszDllName,(char*)(pImportDir->Name + ((PBYTE)pImageBase) - pImportHdr->VirtualAddress + pImportHdr->PointerToRawData)); _strlwr(pszDllName); //if the ListDependencies flag is set, add this file to the dependencies list if (bListDependencies) { MultiByteToWideChar(CP_ACP,0,pszDllName,-1,pwsDllName,256); if (!dependencies->Find(pwsDllName)) dependencies->Add(new StringNode(pwsDllName)); } if (strcmp(pszDllName,"ntoskrnl.exe")) { //if the file is already known to be missing temp = MultiByteToWideChar(CP_ACP,0,pszDllName,-1,pwsDllName,256); if (pTempFile = (File*)pMissingFiles->Find(pwsDllName)) { dwERROR = errMISSING_DEPENDENCY; //add this file to the list of broken files pTempFile->AddDependant(new StringNode(fileName)); } else { //either search the windows path or the path specified in the command line if ( ((!pSearchPath)&&(!(SearchPath(0,pwsDllName,0,256,pszBuf,&pszBufName))))|| ((pSearchPath)&&(!SearchPath(pwsDllName,pszBuf))) ) { //if the file is not found, add it to missing files list and throw an error pMissingFiles->Add(new File(pwsDllName)); ((File*)(pMissingFiles->head))->AddDependant(new StringNode(fileName)); dwERROR = errMISSING_DEPENDENCY; if (!bNoisy) goto CLEANUP; } else { //if the file is found, add it to the queue _wcslwr(pszBuf); if (!(pQueue->Find(pszBuf))) pQueue->Add(new StringNode(pszBuf)); } } } else { //if the file is already known to be missing if ((pTempFile = (File*)pMissingFiles->Find(L"ntoskrnl.exe"))) { dwERROR = errMISSING_DEPENDENCY; pTempFile->AddDependant(new StringNode(fileName)); } else { //either search the windows path or the path specified in the command line if ( (((!pSearchPath)&&(!(SearchPath(0,L"ntoskrnl.exe",0,256,pszBuf,&pszBufName))))||((pSearchPath)&&(!SearchPath(L"ntoskrnl.exe",pszBuf)))) &&(((!pSearchPath)&&(!(SearchPath(0,L"ntkrnlmp.exe",0,256,pszBuf,&pszBufName))))||((pSearchPath)&&(!SearchPath(L"ntkrnlmp.exe",pszBuf))))) { //if the file is not found, add it to missing files list and throw an error pMissingFiles->Add(new File(L"ntoskrnl.exe")); ((File*)(pMissingFiles->head))->AddDependant(new StringNode(fileName)); dwERROR = errMISSING_DEPENDENCY; if (!bNoisy) goto CLEANUP; } else { //if the file is found, add it to the queue _wcslwr(pszBuf); if (!(pQueue->Find(pszBuf))) pQueue->Add(new StringNode(pszBuf)); } } } pImportDir++; } } CLEANUP: delete [] pszDllName; delete [] pszBuf; }