
#include "stdafx.h"
#include <objbase.h>
#include <delayimp.h>
#include "depends.h"
#include "other.h"
//******************************************************************************
// CDepends :: Constructor/Destructor
//******************************************************************************
// Construct an empty dependency walker: no file is mapped, no module tree
// exists, every error flag is clear, and the machine type is "not seen yet"
// ((DWORD)-1, the sentinel GetModuleInfo() tests for). The module tree is
// only built later by SetInitialFilename().
CDepends::CDepends() :
    m_hFile(NULL),
    m_lpvFile(NULL),
    m_pIFH(NULL),
    m_pIOH(NULL),
    m_pISH(NULL),
    m_fOutOfMemory(FALSE),
    m_fCircularError(FALSE),
    m_fMixedMachineError(FALSE),
    m_dwMachineType((DWORD)-1),
    m_pModuleRoot(NULL),
    m_cxOrdinal(0),
    m_cxHint(0),
    m_cImports(0),
    m_cExports(0),
    m_iNumberOfBrokenLinks(0)
{
    // Start with an empty broken-link list. RemoveAll() on a freshly
    // constructed CStringList is a no-op, but it makes the intent explicit.
    m_cstrlstListOfBrokenLinks.RemoveAll();
}
//******************************************************************************
// Destructor. NOTE(review): this does not call DeleteContents(), so the module
// tree hanging off m_pModuleRoot is released only if the owner calls
// DeleteContents() explicitly before the object goes away -- confirm against
// the callers (not visible in this file).
CDepends::~CDepends() {
}
//******************************************************************************
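// Root the dependency walk at szPath: create the root module node for that
// file and recursively process every module it depends on.
//
// szPath  - ANSI path of the module to analyze.
// Returns TRUE when the tree was built (possibly with circular or mixed-machine
// errors flagged), FALSE when memory ran out -- in that case DeleteContents()
// has already released the partial tree.
//
// Side effect: the process-wide current directory is changed to the module's
// directory so that SearchPathA() in CreateModule() finds dependents that sit
// next to the target, mimicking the loader's search order. Callers should not
// rely on the previous current directory afterwards.
BOOL CDepends::SetInitialFilename(LPCSTR szPath) {
    CString strDir(szPath);
    strDir = strDir.Left(strDir.ReverseFind('\\') + 1);
    // A bare file name has no directory component; SetCurrentDirectory("")
    // would simply fail, so skip the call and keep the current directory.
    if (!strDir.IsEmpty()) {
        SetCurrentDirectory(strDir);
    }

    // Create our root module node and, if that worked, walk the whole tree.
    m_pModuleRoot = CreateModule(szPath, 0);
    if (m_pModuleRoot) {
        ProcessModule(m_pModuleRoot);
    } else {
        m_fOutOfMemory = TRUE;
    }

    // If we ran out of memory anywhere while processing, free our document
    // data and fail the load. Out of memory is a fairly major error; MFC will
    // most likely notice and report the problem before we do.
    if (m_fOutOfMemory) {
        DeleteContents();
        //CString strError("Not enough memory to process \"");
        //strError += m_pModuleRoot->m_pData->m_szPath;
        //strError += "\"!";
        //MessageBox(strError, "Dependency Walker Error", MB_ICONERROR | MB_OK);
        return FALSE;
    }

    // Circular-dependency and mixed-machine errors are recorded in the flags
    // (and, for mixed machine, in m_cstrlstListOfBrokenLinks) but do not fail
    // the load; the user-facing messages below were intentionally disabled.
    if (m_fCircularError) {
        //CString strError("\"");
        //strError += m_pModuleRoot->m_pData->m_szPath;
        //strError += "\" will fail to load due to circular dependencies.";
        //g_pMainFrame->MessageBox(strError, "Dependency Walker Module Error",MB_ICONERROR | MB_OK);
    }
    if (m_fMixedMachineError) {
        //CString strError("\"");
        //strError += m_pModuleRoot->m_pData->m_szPath;
        //strError += "\" will fail to load due to a mismatched machine type with "
        //            "one or more of the dependent modules.";
        //g_pMainFrame->MessageBox(strError, "Dependency Walker Module Error", MB_ICONERROR | MB_OK);
    }
    return TRUE;
}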
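// Walk the module tree depth-first from pModuleCur and record every module
// that has an import/export mismatch (m_fExportError) or whose file could not
// be found (m_pData->m_fFileNotFound). Each finding is traced through
// iisDebugOut(), appended to m_cstrlstListOfBrokenLinks, and counted in
// m_iNumberOfBrokenLinks.
//
// Returns NULL in every case: the "found module" return path mirrors
// FindModule() but is never taken, and the signature is kept for callers.
//
// m_szPath can be up to 16K characters (see CreateModule()) while the message
// buffer here is 2*_MAX_PATH TCHARs, so the message is formatted with a bound
// and truncated rather than overrunning the stack. The LPWSTR handed to %s
// assumes a UNICODE build (TCHAR == WCHAR), as the original code did.
CModule* CDepends::LoopThruAndPrintLosers(CModule *pModuleCur)
{
    if (!pModuleCur) {
        return NULL;
    }

    TCHAR szBigString[_MAX_PATH + _MAX_PATH];
    const size_t cchBigString = sizeof(szBigString) / sizeof(szBigString[0]);

    if (pModuleCur->m_fExportError == TRUE) {
        // Convert the filename to unicode. The helper may return NULL, so
        // never hand a NULL pointer to %s.
        LPWSTR pwszModuleName = MakeWideStrFromAnsi((LPSTR)(pModuleCur->m_pData->m_szPath));
        _sntprintf(szBigString, cchBigString - 1,
                   _T("Import\\Export Dependency MisMatch with:%s"),
                   pwszModuleName ? pwszModuleName : L"");
        szBigString[cchBigString - 1] = _T('\0');
        iisDebugOut((LOG_TYPE_TRACE_WIN32_API, szBigString));
        m_cstrlstListOfBrokenLinks.AddTail(szBigString);
        m_iNumberOfBrokenLinks++;
        if (pwszModuleName) {
            CoTaskMemFree(pwszModuleName);
        }
    }

    if (pModuleCur->m_pData->m_fFileNotFound == TRUE) {
        LPWSTR pwszModuleName = MakeWideStrFromAnsi((LPSTR)(pModuleCur->m_pData->m_szPath));
        _sntprintf(szBigString, cchBigString - 1,
                   _T("Link Dependency MissingFile:%s"),
                   pwszModuleName ? pwszModuleName : L"");
        szBigString[cchBigString - 1] = _T('\0');
        iisDebugOut((LOG_TYPE_TRACE_WIN32_API, szBigString));
        m_cstrlstListOfBrokenLinks.AddTail(szBigString);
        m_iNumberOfBrokenLinks++;
        if (pwszModuleName) {
            CoTaskMemFree(pwszModuleName);
        }
    }

    // Recurse into every dependent module.
    for (CModule *pChild = pModuleCur->m_pDependents; pChild; pChild = pChild->m_pNext) {
        CModule *pModuleFound = LoopThruAndPrintLosers(pChild);
        if (pModuleFound) {
            return pModuleFound;
        }
    }
    return NULL;
}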
// Release the whole module tree and reset the per-walk error state. Safe to
// call when nothing was built (m_pModuleRoot == NULL) and safe to call twice,
// since the root pointer is cleared after the tree is freed.
//
// Note: the broken-link list (m_cstrlstListOfBrokenLinks) and its counter are
// NOT reset here.
void CDepends::DeleteContents() {
    if (m_pModuleRoot != NULL) {
        // DeleteModule() recurses through every dependent before freeing the root.
        DeleteModule(m_pModuleRoot);
        m_pModuleRoot = NULL;
    }

    // Clear the out-of-memory, circular-dependency and mixed-machine flags,
    // and restore the "no machine type seen yet" sentinel.
    m_fOutOfMemory       = FALSE;
    m_fCircularError     = FALSE;
    m_fMixedMachineError = FALSE;
    m_dwMachineType      = (DWORD)-1;
}
//******************************************************************************
// CDepends :: Internal functions
//******************************************************************************
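// Create a CModule node for szFile at the given tree depth.
//
// szFile - module name or path. It may come straight out of a module's import
//          table (see BuildImports()/BuildDelayImports()), i.e. it is
//          untrusted data and is treated as such when copied.
// depth  - nesting depth, stored for later recursion-overflow checks.
// Returns the new node, or NULL when allocation fails. If a module with the
// same resolved path already exists in the tree, the new node shares that
// module's CModuleData (m_pModuleOriginal != NULL) instead of owning one.
CModule* CDepends::CreateModule(LPCSTR szFile, int depth) {
    CHAR szPath[16384] = "";
    LPSTR pszFile = NULL;

    // Resolve szFile the way the OS loader would. SetInitialFilename() sets the
    // current directory to the root module's directory, so SearchPathA() looks
    // there first.
    SearchPathA(NULL, szFile, NULL, sizeof(szPath), szPath, &pszFile);

    // Not found (or the result did not fit, in which case SearchPathA() leaves
    // szPath empty): fall back to the name as given and point pszFile at the
    // character after the last backslash. The name is copied with a bound so
    // an over-long import name cannot overrun szPath.
    if (!*szPath) {
        strncpy(szPath, szFile, sizeof(szPath) - 1);
        szPath[sizeof(szPath) - 1] = '\0';
        LPSTR pszWack = strrchr(szPath, '\\');
        pszFile = (pszWack && *(pszWack + 1)) ? (pszWack + 1) : szPath;
    }

    // If our file name pointer is invalid, then just point it to our path.
    if (pszFile < szPath) {
        pszFile = szPath;
    }

    // Create a new CModule object. The NULL test keeps the pre-standard MSVC
    // "new returns NULL on failure" behaviour this code base relies on.
    CModule *pModule = new CModule();
    if (!pModule) {
        return NULL;
    }
    // NOTE(review): ZeroMemory over a constructed object is only safe if
    // CModule is plain data (no vtable, no CString members) -- kept as in the
    // original; confirm against the declaration in depends.h.
    ZeroMemory(pModule, sizeof(CModule));

    // Store our module's depth for later recursion overflow checks.
    pModule->m_depth = depth;

    // Recurse our module tree to see if this module is a duplicate of another.
    pModule->m_pModuleOriginal = FindModule(m_pModuleRoot, szPath);

    if (pModule->m_pModuleOriginal) {
        // Duplicate: share the original module's data block.
        pModule->m_pData = pModule->m_pModuleOriginal->m_pData;
    } else {
        // Not a duplicate: allocate a CModuleData with the path stored inline
        // after the fixed part (m_szPath is presumably the trailing member).
        // It is freed with delete[] on a BYTE* in DeleteModule().
        pModule->m_pData = (CModuleData*)new BYTE[sizeof(CModuleData) + strlen(szPath)];
        if (!pModule->m_pData) {
            delete pModule;
            return NULL;
        }
        ZeroMemory(pModule->m_pData, sizeof(CModuleData));
        strcpy(pModule->m_pData->m_szPath, szPath);
        pModule->m_pData->m_szFile = pModule->m_pData->m_szPath + (pszFile - szPath);

        // For readability, make path lowercase and file uppercase.
        _strlwr(pModule->m_pData->m_szPath);
        _strupr(pModule->m_pData->m_szFile);
    }

    return pModule;
}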
//******************************************************************************
// Allocate and fill a CFunction record.
//
// ordinal, hint - export ordinal / name-table hint, -1 when unknown.
// szName        - function name (may be ""); stored inline at the tail of the
//                 object, which is why one raw BYTE allocation of
//                 sizeof(CFunction) + strlen(szName) is used.
// dwAddress     - entrypoint address, or the caller's "unknown" sentinel.
// szForward     - optional forward string; copied to a separate CHAR buffer
//                 whose pointer is kept in m_dwExtra (see the CFunction class).
// Returns the new record, or NULL on allocation failure (nothing leaks).
// The record must be freed with delete[] on a BYTE* (see DeleteModule()).
CFunction* CDepends::CreateFunction(int ordinal, int hint, LPCSTR szName,
                                    DWORD_PTR dwAddress, LPCSTR szForward)
{
    const size_t cbObject = sizeof(CFunction) + strlen(szName);
    CFunction *pFunction = (CFunction*)new BYTE[cbObject];
    if (pFunction == NULL) {
        return NULL;
    }

    ZeroMemory(pFunction, sizeof(CFunction));
    strcpy(pFunction->m_szName, szName);
    pFunction->m_ordinal   = ordinal;
    pFunction->m_hint      = hint;
    pFunction->m_dwAddress = dwAddress;

    // No forward string: m_dwExtra stays 0 from the ZeroMemory above.
    if (szForward == NULL) {
        return pFunction;
    }

    LPSTR pszForwardCopy = new CHAR[strlen(szForward) + 1];
    if (pszForwardCopy == NULL) {
        delete[] (BYTE*)pFunction;
        return NULL;
    }
    strcpy(pszForwardCopy, szForward);
    pFunction->m_dwExtra = (DWORD_PTR)pszForwardCopy;

    return pFunction;
}
//******************************************************************************
// Free pModule and everything it owns, depth-first.
//
// Ownership rules (mirroring CreateModule()/CreateFunction()):
//  - dependents on the m_pDependents chain are released first, recursively;
//  - the parent-import CFunction list belongs to every module;
//  - the CModuleData (exports, forward strings, error string) belongs only to
//    the ORIGINAL module; duplicates (m_pModuleOriginal != NULL) share it and
//    must not free it;
//  - CFunction and CModuleData were allocated as BYTE arrays and are released
//    with delete[] on a BYTE*; the CModule itself came from plain new.
void CDepends::DeleteModule(CModule *pModule) {
    // Dependents first.
    CModule *pChild = pModule->m_pDependents;
    while (pChild != NULL) {
        CModule *pNextChild = pChild->m_pNext;
        DeleteModule(pChild);
        pChild = pNextChild;
    }

    // Parent import list.
    CFunction *pImport = pModule->m_pParentImports;
    while (pImport != NULL) {
        CFunction *pNextImport = pImport->m_pNext;
        delete[] (BYTE*)pImport;
        pImport = pNextImport;
    }

    // Shared data block, only if we are the original owner.
    if (pModule->m_pModuleOriginal == NULL) {
        CModuleData *pData = pModule->m_pData;

        CFunction *pExport = pData->m_pExports;
        while (pExport != NULL) {
            CFunction *pNextExport = pExport->m_pNext;
            // The forward string is a separate CHAR buffer (see CreateFunction()).
            if (pExport->GetForwardString()) {
                delete[] (CHAR*)pExport->GetForwardString();
            }
            delete[] (BYTE*)pExport;
            pExport = pNextExport;
        }

        if (pData->m_pszError) {
            delete[] (CHAR*)pData->m_pszError;
        }
        delete[] (BYTE*)pData;
    }

    delete pModule;
}
//******************************************************************************
// Depth-first search of the subtree rooted at pModuleCur for a module whose
// resolved path equals szPath (case-insensitive).
//
// Returns the ORIGINAL module for that path (a duplicate node is resolved
// through m_pModuleOriginal), or NULL when no module matches or the subtree
// is empty.
CModule* CDepends::FindModule(CModule *pModuleCur, LPCSTR szPath) {
    if (pModuleCur == NULL) {
        return NULL;
    }

    if (_stricmp(pModuleCur->m_pData->m_szPath, szPath) == 0) {
        CModule *pOriginal = pModuleCur->m_pModuleOriginal;
        return pOriginal ? pOriginal : pModuleCur;
    }

    for (CModule *pChild = pModuleCur->m_pDependents; pChild != NULL; pChild = pChild->m_pNext) {
        CModule *pHit = FindModule(pChild, szPath);
        if (pHit != NULL) {
            return pHit;
        }
    }
    return NULL;
}
//******************************************************************************
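// Validate the DOS/PE signatures of the file mapped at m_lpvFile and cache
// pointers to its file header, optional header and section table in
// m_pIFH / m_pIOH / m_pISH for the Build*() functions.
//
// pModule is unused here because SetModuleError() reporting is disabled.
// Returns TRUE when both signatures match, FALSE otherwise (nothing is cached).
//
// NOTE(review): the header offsets are read from the file itself. Only the
// sign of e_lfanew can be checked here because this class does not track the
// mapping size, so a truncated or crafted image whose e_lfanew (or section
// table) lies beyond the end of the mapping is still dereferenced.
BOOL CDepends::VerifyModule(CModule *pModule) {
    // Nothing mapped: nothing to verify.
    if (!m_lpvFile) {
        return FALSE;
    }

    PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)m_lpvFile;
    // Check for the DOS signature ("MZ").
    if (pIDH->e_magic != IMAGE_DOS_SIGNATURE) {
        //SetModuleError(pModule, "No DOS signature found. This file is not a valid Win32 module.");
        return FALSE;
    }

    // e_lfanew is a signed LONG; a negative value would place the NT headers
    // before the start of the mapping, so reject it outright.
    if (pIDH->e_lfanew < 0) {
        return FALSE;
    }

    PIMAGE_NT_HEADERS pINTH = (PIMAGE_NT_HEADERS)((DWORD_PTR)m_lpvFile + pIDH->e_lfanew);
    // Check for NT/PE signature ("PE\0\0").
    if (pINTH->Signature != IMAGE_NT_SIGNATURE) {
        //SetModuleError(pModule, "No PE signature found. This file is not a valid Win32 module.");
        return FALSE;
    }

    // Cache the header views used by GetModuleInfo() and the Build*() walkers.
    m_pIFH = &pINTH->FileHeader;
    m_pIOH = &pINTH->OptionalHeader;
    m_pISH = IMAGE_FIRST_SECTION(pINTH);
    return TRUE;
}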
//******************************************************************************
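// Copy the header fields of interest from the mapped image into
// pModule->m_pData and detect a machine-type mismatch against the first
// module seen.
//
// Precondition: VerifyModule() succeeded, so m_pIFH and m_pIOH point at the
// headers of the currently mapped file.
// Returns TRUE always; a mismatch sets m_fMixedMachineError and records a
// broken-link entry rather than failing the walk.
BOOL CDepends::GetModuleInfo(CModule *pModule) {
    pModule->m_pData->m_dwMachine = m_pIFH->Machine;

    if (m_dwMachineType == (DWORD)-1) {
        // The first module seen defines the machine type every dependent must match.
        m_dwMachineType = pModule->m_pData->m_dwMachine;
    } else if (m_dwMachineType != pModule->m_pData->m_dwMachine) {
        m_fMixedMachineError = TRUE;

        // m_szPath may be far longer than this buffer (CreateModule() allows
        // 16K), so format with a bound and truncate instead of overrunning
        // the stack. The LPWSTR passed to %s assumes a UNICODE build, as the
        // original code did; the helper may return NULL, so never pass NULL.
        TCHAR szBigString[_MAX_PATH + _MAX_PATH];
        const size_t cchBigString = sizeof(szBigString) / sizeof(szBigString[0]);
        LPWSTR pwszModuleName = MakeWideStrFromAnsi((LPSTR)(pModule->m_pData->m_szPath));
        _sntprintf(szBigString, cchBigString - 1, _T("Wrong Machine Type:(%s) %s"),
                   MachineToString(pModule->m_pData->m_dwMachine),
                   pwszModuleName ? pwszModuleName : L"");
        szBigString[cchBigString - 1] = _T('\0');
        iisDebugOut((LOG_TYPE_TRACE_WIN32_API, szBigString));
        m_cstrlstListOfBrokenLinks.AddTail(szBigString);
        m_iNumberOfBrokenLinks++;
        if (pwszModuleName) {
            CoTaskMemFree(pwszModuleName);
        }
    }

    // Subsystem, preferred base and the four version pairs (minor in the low
    // word, major in the high word).
    pModule->m_pData->m_dwSubsystem        = m_pIOH->Subsystem;
    pModule->m_pData->m_dwBaseAddress      = m_pIOH->ImageBase;
    pModule->m_pData->m_dwImageVersion     =
        MAKELONG(m_pIOH->MinorImageVersion, m_pIOH->MajorImageVersion);
    pModule->m_pData->m_dwLinkerVersion    =
        MAKELONG(m_pIOH->MinorLinkerVersion, m_pIOH->MajorLinkerVersion);
    pModule->m_pData->m_dwOSVersion        =
        MAKELONG(m_pIOH->MinorOperatingSystemVersion, m_pIOH->MajorOperatingSystemVersion);
    pModule->m_pData->m_dwSubsystemVersion =
        MAKELONG(m_pIOH->MinorSubsystemVersion, m_pIOH->MajorSubsystemVersion);
    return TRUE;
}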
// Walk one import module's thunk array and append a CFunction for each entry
// to pModule->m_pParentImports, preserving array order.
//
// pITDF  - zero-terminated array of IMAGE_THUNK_DATA (names/ordinals).
// pITDA  - optional parallel array of bound addresses, or NULL when the import
//          is not bound; then the address is recorded as INVALID_HANDLE_VALUE.
// pModule - the dependent module whose import list is being built.
// dwBase - value to add to RVAs to get a pointer into the file mapping.
// Returns FALSE (with m_fOutOfMemory set) when a CFunction cannot be allocated;
// functions already linked into the list are left for DeleteModule() to free.
//
// NOTE(review): the array walk stops only at a zero Ordinal entry and every
// AddressOfData RVA is dereferenced unchecked; the mapping size is not known
// here, so a truncated or crafted image is not caught at this level.
BOOL
CDepends::WalkIAT(
    PIMAGE_THUNK_DATA pITDF,
    PIMAGE_THUNK_DATA pITDA,
    CModule *pModule,
    DWORD_PTR dwBase
    )
{
    CFunction *pTail = NULL;

    while (pITDF->u1.Ordinal) {
        int ordinal = -1;
        int hint = -1;
        LPCSTR szFunction = "";

        // High bit set: import by ordinal. Otherwise the value is the RVA of
        // an IMAGE_IMPORT_BY_NAME (hint + name).
        if (IMAGE_SNAP_BY_ORDINAL(pITDF->u1.Ordinal)) {
            ordinal = (int)IMAGE_ORDINAL(pITDF->u1.Ordinal);
        } else {
            PIMAGE_IMPORT_BY_NAME pIIBN =
                (PIMAGE_IMPORT_BY_NAME)(dwBase + (DWORD_PTR)pITDF->u1.AddressOfData);
            szFunction = (LPCSTR)pIIBN->Name;
            hint = (int)pIIBN->Hint;
        }

        // Bound imports carry the entrypoint in the parallel address array.
        DWORD_PTR dwAddress = (DWORD_PTR)INVALID_HANDLE_VALUE;
        if (pITDA) {
            dwAddress = (DWORD_PTR)pITDA->u1.Function;
        }

        CFunction *pNew = CreateFunction(ordinal, hint, szFunction, dwAddress);
        if (pNew == NULL) {
            m_fOutOfMemory = TRUE;
            return FALSE;
        }

        // Append to the module's parent-import list.
        if (pTail == NULL) {
            pModule->m_pParentImports = pNew;
        } else {
            pTail->m_pNext = pNew;
        }
        pTail = pNew;

        pITDF++;
        if (pITDA) {
            pITDA++;
        }
    }
    return TRUE;
}
//******************************************************************************
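// Build pModule's dependent list from the image's import directory: one child
// CModule per IMAGE_IMPORT_DESCRIPTOR, each with its parent-import functions
// filled in by WalkIAT().
//
// Precondition: VerifyModule() succeeded (m_pIFH, m_pIOH, m_pISH are valid).
// Returns TRUE when there are no imports or all were processed; FALSE when the
// directory's section cannot be located or an allocation fails (the latter
// also sets m_fOutOfMemory).
//
// NOTE(review): all offsets here (section count, RVAs, the descriptor array's
// zero terminator, the module name RVA) come from the file and are trusted;
// the name RVA is assumed to fall in the same section as the import directory.
// The mapping size is not tracked, so none of this can be bounds-checked here.
BOOL CDepends::BuildImports(CModule *pModule) {
    // If this module has no imports (like NTDLL.DLL), then just return success.
    if (m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size == 0) {
        return TRUE;
    }

    // Locate the section whose virtual range contains the import directory.
    DWORD VAImageDir = m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    PIMAGE_SECTION_HEADER pISH = NULL;
    for (int i = 0; i < m_pIFH->NumberOfSections; i++) {
        if ((VAImageDir >= m_pISH[i].VirtualAddress) &&
            (VAImageDir < (m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
        {
            pISH = &m_pISH[i];
            break;
        }
    }
    if (!pISH) {
        //SetModuleError(pModule, "Could not find the section that owns the Import Directory.");
        return FALSE;
    }

    // dwBase turns an RVA inside this section into a pointer into the file
    // mapping: mapping base + raw file offset of the section - section RVA.
    DWORD_PTR dwBase = (DWORD_PTR)m_lpvFile + pISH->PointerToRawData - pISH->VirtualAddress;
    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)(dwBase + VAImageDir);

    CModule *pModuleLast = NULL, *pModuleNew;

    // The descriptor array ends with an all-zero entry.
    while (pIID->OriginalFirstThunk || pIID->FirstThunk) {
        // Locate our module name string and create the module object.
        if (!(pModuleNew = CreateModule((LPCSTR)(dwBase + pIID->Name),
                                        pModule->m_depth + 1)))
        {
            m_fOutOfMemory = TRUE;
            return FALSE;
        }

        // Add the module to the end of our module linked list.
        if (pModuleLast) {
            pModuleLast->m_pNext = pModuleNew;
        } else {
            pModule->m_pDependents = pModuleNew;
        }
        pModuleLast = pModuleNew;

        // The function array (pITDF) lists the imported functions by name or
        // ordinal. The address array (pITDA) is parallel to it and normally
        // holds the same values until the loader binds it; a pre-bound module
        // (TimeDateStamp set) already contains the entrypoint addresses the
        // functions would have if the imported module loads at its preferred
        // base. Microsoft linkers put the function array in OriginalFirstThunk;
        // Borland linkers leave OriginalFirstThunk zero and use FirstThunk.
        PIMAGE_THUNK_DATA pITDF = NULL, pITDA = NULL;
        if (pIID->OriginalFirstThunk) {
            pITDF = (PIMAGE_THUNK_DATA)(dwBase + (DWORD)pIID->OriginalFirstThunk);
            if (pIID->TimeDateStamp) {
                pITDA = (PIMAGE_THUNK_DATA)(dwBase + (DWORD)pIID->FirstThunk);
            }
        } else {
            pITDF = (PIMAGE_THUNK_DATA)(dwBase + (DWORD)pIID->FirstThunk);
        }

        if (!WalkIAT(pITDF, pITDA, pModuleLast, dwBase)) {
            return FALSE;
        }

        pIID++;
    }
    return TRUE;
}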
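// Append pModule's delay-load dependents from the image's delay import
// directory. Each descriptor yields one child CModule (flagged m_fDelayLoad)
// whose parent-import functions are filled in by WalkIAT(); bound addresses
// are ignored for delay imports.
//
// Two descriptor layouts are handled, chosen from the first descriptor's
// grAttrs: V2 (dlattrRva set) stores RVAs, V1 stores virtual addresses that
// include ImageBase. Unlike BuildImports(), the DLL name and the INT may live
// in different sections, so a base is computed for each separately.
//
// Precondition: VerifyModule() succeeded (m_pIFH, m_pIOH, m_pISH are valid).
// Returns TRUE when there are no delay imports or all were processed; FALSE
// when a needed section cannot be located or an allocation fails (the latter
// also sets m_fOutOfMemory).
//
// NOTE(review): as in BuildImports(), every count, RVA/VA and array terminator
// here is read from the file and dereferenced without a mapping-size check.
BOOL CDepends::BuildDelayImports(CModule *pModule) {
    // If this module has no delay imports just return success.
    if (m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size == 0) {
        return TRUE;
    }

    // Locate the section whose virtual range contains the delay import directory.
    DWORD VAImageDir = m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
    PIMAGE_SECTION_HEADER pISH = NULL;
    for (int i = 0; i < m_pIFH->NumberOfSections; i++) {
        if ((VAImageDir >= m_pISH[i].VirtualAddress) &&
            (VAImageDir < (m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
        {
            pISH = &m_pISH[i];
            break;
        }
    }
    if (!pISH) {
        //SetModuleError(pModule, "Could not find the section that owns the Import Directory.");
        return FALSE;
    }

    // dwBase turns an RVA inside this section into a pointer into the file
    // mapping: mapping base + raw file offset of the section - section RVA.
    DWORD_PTR dwBase = (DWORD_PTR)m_lpvFile + pISH->PointerToRawData - pISH->VirtualAddress;
    PImgDelayDescr pIDD = (PImgDelayDescr)(dwBase + VAImageDir);

    CModule *pModuleLast = NULL, *pModuleNew;

    if (pIDD->grAttrs & dlattrRva) {
        PImgDelayDescrV2 pIDDv2 = (PImgDelayDescrV2)pIDD;

        // The descriptor array ends with a zeroed entry.
        while (pIDDv2->rvaINT && pIDDv2->rvaIAT && pIDDv2->rvaHmod) {
            DWORD_PTR dwNameBase = 0, dwINTBase = 0;

            // Find the sections owning the DLL name and the INT; the last
            // matching section wins, as in the original.
            for (int i = 0; i < m_pIFH->NumberOfSections; i++) {
                if (((DWORD_PTR)pIDDv2->rvaDLLName >= m_pISH[i].VirtualAddress) &&
                    ((DWORD_PTR)pIDDv2->rvaDLLName < (m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
                {
                    dwNameBase = ((DWORD_PTR)m_lpvFile + m_pISH[i].PointerToRawData - m_pISH[i].VirtualAddress);
                }
                if (((DWORD_PTR)pIDDv2->rvaINT >= (m_pISH[i].VirtualAddress)) &&
                    ((DWORD_PTR)pIDDv2->rvaINT < (m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
                {
                    dwINTBase = ((DWORD_PTR)m_lpvFile + m_pISH[i].PointerToRawData - m_pISH[i].VirtualAddress);
                }
            }
            if (!dwINTBase) {
                //SetModuleError(pModule, "Could not find the section that owns the Delay Import INT.");
                return FALSE;
            }
            if (!dwNameBase) {
                //SetModuleError(pModule, "Could not find the section that owns the Delay Import DllName.");
                return FALSE;
            }

            // Locate our module name string and create the module object.
            if (!(pModuleNew = CreateModule((LPCSTR)(dwNameBase + pIDDv2->rvaDLLName),
                                            pModule->m_depth + 1)))
            {
                m_fOutOfMemory = TRUE;
                return FALSE;
            }

            // Append to the dependent list. BuildImports() may already have
            // filled m_pDependents, so on the first delay import walk to its tail.
            if (pModuleLast) {
                pModuleLast->m_pNext = pModuleNew;
            } else {
                if (pModule->m_pDependents) {
                    pModuleLast = pModule->m_pDependents;
                    while (pModuleLast->m_pNext) {
                        pModuleLast = pModuleLast->m_pNext;
                    }
                    pModuleLast->m_pNext = pModuleNew;
                } else {
                    pModule->m_pDependents = pModuleNew;
                }
            }
            pModuleLast = pModuleNew;
            pModuleLast->m_fDelayLoad = TRUE;

            // For now, don't worry about bound imports.
            PIMAGE_THUNK_DATA pITDF = NULL;
            pITDF = (PIMAGE_THUNK_DATA)(dwINTBase + (DWORD_PTR)pIDDv2->rvaINT);
            if (!WalkIAT(pITDF, NULL, pModuleLast, dwNameBase)) {
                return FALSE;
            }

            pIDDv2++;
        }
    } else {
        PImgDelayDescrV1 pIDDv1 = (PImgDelayDescrV1)pIDD;

        // The descriptor array ends with a zeroed entry.
        while (pIDDv1->pINT && pIDDv1->pIAT && pIDDv1->phmod) {
            DWORD_PTR dwNameBase = 0, dwINTBase = 0;

            // V1 fields are VAs (ImageBase included), so compare against
            // ImageBase + section RVA and fold ImageBase into the bases.
            for (int i = 0; i < m_pIFH->NumberOfSections; i++) {
                if (((DWORD_PTR)pIDDv1->szName >= (m_pIOH->ImageBase + m_pISH[i].VirtualAddress)) &&
                    ((DWORD_PTR)pIDDv1->szName < (m_pIOH->ImageBase + m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
                {
                    dwNameBase = ((DWORD_PTR)m_lpvFile + m_pISH[i].PointerToRawData - m_pISH[i].VirtualAddress - m_pIOH->ImageBase);
                }
                if (((DWORD_PTR)pIDDv1->pINT >= (m_pIOH->ImageBase + m_pISH[i].VirtualAddress)) &&
                    ((DWORD_PTR)pIDDv1->pINT < (m_pIOH->ImageBase + m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
                {
                    dwINTBase = ((DWORD_PTR)m_lpvFile + m_pISH[i].PointerToRawData - m_pISH[i].VirtualAddress - m_pIOH->ImageBase);
                }
            }
            if (!dwINTBase) {
                //SetModuleError(pModule, "Could not find the section that owns the Delay Import INT.");
                return FALSE;
            }
            if (!dwNameBase) {
                //SetModuleError(pModule, "Could not find the section that owns the Delay Import DllName.");
                return FALSE;
            }

            // Locate our module name string and create the module object.
            if (!(pModuleNew = CreateModule((LPCSTR)(dwNameBase + pIDDv1->szName),
                                            pModule->m_depth + 1)))
            {
                m_fOutOfMemory = TRUE;
                return FALSE;
            }

            // Append to the dependent list (see the V2 branch above).
            if (pModuleLast) {
                pModuleLast->m_pNext = pModuleNew;
            } else {
                if (pModule->m_pDependents) {
                    pModuleLast = pModule->m_pDependents;
                    while (pModuleLast->m_pNext) {
                        pModuleLast = pModuleLast->m_pNext;
                    }
                    pModuleLast->m_pNext = pModuleNew;
                } else {
                    pModule->m_pDependents = pModuleNew;
                }
            }
            pModuleLast = pModuleNew;
            pModuleLast->m_fDelayLoad = TRUE;

            // For now, don't worry about bound imports.
            PIMAGE_THUNK_DATA pITDF = NULL;
            pITDF = (PIMAGE_THUNK_DATA)(dwINTBase + (DWORD_PTR)pIDDv1->pINT);
            if (!WalkIAT(pITDF, NULL, pModuleLast, dwNameBase)) {
                return FALSE;
            }

            pIDDv1++;
        }
    }
    return TRUE;
}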
//******************************************************************************
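// Build pModule->m_pData->m_pExports from the image's export directory:
// first every function exported by name (with its hint, ordinal, address and
// forward string, if any), then every remaining ordinal-only export.
//
// Precondition: VerifyModule() succeeded (m_pIFH, m_pIOH, m_pISH are valid).
// Returns TRUE when there are no exports or all were listed; FALSE when the
// directory's section cannot be located or an allocation fails (the latter
// also sets m_fOutOfMemory).
//
// Layout notes: pdwNames[] and pwOrdinals[] are parallel arrays of
// NumberOfNames entries indexed by "hint". pdwAddresses[] has
// NumberOfFunctions entries and is indexed by (ordinal - Base), NOT by hint;
// NumberOfFunctions may exceed NumberOfNames when the module exports by
// ordinal only. An entry of pwOrdinals[] is already the unbiased index into
// pdwAddresses[], and is checked against NumberOfFunctions before use.
//
// NOTE(review): the RVAs in pIED and the name/address tables are read from
// the file and dereferenced without a mapping-size check (not tracked here).
BOOL CDepends::BuildExports(CModule *pModule) {
    // If this module has no exports, then just return success.
    if (m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size == 0) {
        return TRUE;
    }

    // Locate the section whose virtual range contains the export directory.
    DWORD VAImageDir = m_pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    PIMAGE_SECTION_HEADER pISH = NULL;
    for (int i = 0; i < m_pIFH->NumberOfSections; i++) {
        if ((VAImageDir >= m_pISH[i].VirtualAddress) &&
            (VAImageDir < (m_pISH[i].VirtualAddress + m_pISH[i].SizeOfRawData)))
        {
            pISH = &m_pISH[i];
            break;
        }
    }
    if (!pISH) {
        //SetModuleError(pModule, "Could not find the section that owns the Export Directory.");
        return FALSE;
    }

    // dwBase turns an RVA inside this section into a pointer into the file
    // mapping: mapping base + raw file offset of the section - section RVA.
    DWORD_PTR dwBase = (DWORD_PTR)m_lpvFile + pISH->PointerToRawData - pISH->VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY pIED = (PIMAGE_EXPORT_DIRECTORY)(dwBase + VAImageDir);

    DWORD *pdwNames     = (DWORD*)(dwBase + (DWORD)pIED->AddressOfNames);
    WORD  *pwOrdinals   = (WORD* )(dwBase + (DWORD)pIED->AddressOfNameOrdinals);
    DWORD *pdwAddresses = (DWORD*)(dwBase + (DWORD)pIED->AddressOfFunctions);

    CFunction *pFunctionLast = NULL, *pFunctionNew;

    // Loop through all the "exported by name" functions.
    for (int hint = 0; hint < (int)pIED->NumberOfNames; hint++) {
        // pwOrdinals[hint] indexes pdwAddresses[]; a value at or past
        // NumberOfFunctions cannot name a valid export and would read outside
        // the address table, so skip such an entry.
        if ((DWORD)pwOrdinals[hint] >= pIED->NumberOfFunctions) {
            continue;
        }

        int ordinal = pIED->Base + (DWORD)pwOrdinals[hint];
        LPCSTR szFunction = (LPCSTR)(dwBase + pdwNames[hint]);
        DWORD dwAddress = pdwAddresses[ordinal - pIED->Base];
        LPCSTR szForward = NULL;

        // Forwarded functions (NTDLL.DLL, MSVCRT40.DLL, ...) are exported here
        // but implemented elsewhere. The function is forwarded when its
        // address points at the character right after the NUL of its own
        // name string -- i.e. into the string table. Checking whether the
        // address merely falls inside this section is not enough, since real
        // code can live in the same section.
        if (((DWORD_PTR)szFunction + strlen(szFunction) + 1) == (dwBase + dwAddress)) {
            szForward = (LPCSTR)(dwBase + dwAddress);
        }

        if (!(pFunctionNew = CreateFunction(ordinal, hint, szFunction, dwAddress, szForward))) {
            m_fOutOfMemory = TRUE;
            return FALSE;
        }

        // Append to the module's export list.
        if (pFunctionLast) {
            pFunctionLast->m_pNext = pFunctionNew;
        } else {
            pModule->m_pData->m_pExports = pFunctionNew;
        }
        pFunctionLast = pFunctionNew;
    }

    // Ordinal-only exports: the module has NumberOfFunctions consecutive
    // ordinals starting at Base; add any not already listed by name. (This is
    // a linear scan of the list per ordinal, quadratic for large export
    // tables, kept as in the original.)
    for (int ordinal = pIED->Base;
         ordinal < (int)(pIED->NumberOfFunctions + pIED->Base); ordinal++) {
        CFunction *pFunctionCur = pModule->m_pData->m_pExports;
        while (pFunctionCur) {
            if (pFunctionCur->m_ordinal == ordinal) {
                break;
            }
            pFunctionCur = pFunctionCur->m_pNext;
        }

        if (!pFunctionCur) {
            DWORD dwAddress = pdwAddresses[ordinal - pIED->Base];
            if (!(pFunctionNew = CreateFunction(ordinal, -1, "", dwAddress))) {
                m_fOutOfMemory = TRUE;
                return FALSE;
            }
            if (pFunctionLast) {
                pFunctionLast->m_pNext = pFunctionNew;
            } else {
                pModule->m_pData->m_pExports = pFunctionNew;
            }
            pFunctionLast = pFunctionNew;
        }
    }
    return TRUE;
}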
//******************************************************************************
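// Resolves every function that a parent module imports from pModule against
// pModule's export list. A resolved import is linked to its export through
// m_dwExtra (read back via GetAssociatedExport()); an unresolved one flags
// pModule with m_fExportError. Exports that are forwarders ("DLL.Function")
// become new forward CModule dependents of pModule, each carrying the
// forwarded function as a parent import so the chain is verified recursively.
//
// Returns FALSE only when CreateModule()/CreateFunction() fails, in which case
// m_fOutOfMemory is set. The forward string is taken from the module's export
// table and is therefore untrusted input; its DLL part is length-checked before
// it is copied into the fixed-size szFile buffer.
BOOL CDepends::VerifyParentImports(CModule *pModule) {
    CModule *pModuleHead = NULL, *pModuleLast, *pModuleCur;

    // Loop through each of our parent import functions.
    CFunction *pImport = pModule->m_pParentImports;
    while (pImport) {

        // Mark this parent import function as not resolved before starting search.
        pImport->m_dwExtra = 0;

        // Loop through all our exports, looking for a match with our current
        // import. Named imports match by name, unnamed imports match by ordinal.
        CFunction *pExport = pModule->m_pData->m_pExports;
        while (pExport) {
            if (*pImport->m_szName) {
                if (!strcmp(pImport->m_szName, pExport->m_szName)) {
                    // Link this parent import to its associated export and stop.
                    pImport->m_dwExtra = (DWORD_PTR)pExport;
                    break;
                }
            } else if (pImport->m_ordinal == pExport->m_ordinal) {
                // Link this parent import to its associated export and stop.
                pImport->m_dwExtra = (DWORD_PTR)pExport;
                break;
            }
            pExport = pExport->m_pNext;
        }

        // Check to see if an export match was found.
        if (pImport->GetAssociatedExport()) {
            CHAR szFile[1024];
            LPCSTR szFunction;

            // If the export is a forwarded function, the forwarded module must
            // be considered a new dependent of the current module.
            LPCSTR szForward = pImport->GetAssociatedExport()->GetForwardString();
            if (szForward) {

                // Extract and build the DLL name from the forward string. The
                // string comes straight from the export table, so its length is
                // not under our control: only copy the DLL part when it, plus
                // ".DLL" and the terminator, fits in szFile. A forward string
                // with no dot, or with an oversized DLL part, is treated as
                // "Invalid" rather than overflowing the stack buffer.
                LPCSTR pszDot = strchr(szForward, '.');
                size_t cchDll = pszDot ? (size_t)(pszDot - szForward) : 0;
                if (pszDot && (cchDll + sizeof(".DLL") <= sizeof(szFile))) {
                    memcpy(szFile, szForward, cchDll);
                    strcpy(szFile + cchDll, ".DLL");
                    szFunction = pszDot + 1;
                } else {
                    strcpy(szFile, "Invalid");
                    szFunction = szForward;
                }

                // Search our local forward module list to see if we have already
                // created a forward CModule for this DLL file.
                for (pModuleLast = NULL, pModuleCur = pModuleHead; pModuleCur;
                     pModuleLast = pModuleCur, pModuleCur = pModuleCur->m_pNext)
                {
                    if (!_stricmp(pModuleCur->m_pData->m_szFile, szFile)) {
                        break;
                    }
                }

                // If we have not created a forward module for this file yet, then
                // create it now and add it to the end of our list.
                if (!pModuleCur) {
                    if (!(pModuleCur = CreateModule(szFile, pModule->m_depth + 1))) {
                        m_fOutOfMemory = TRUE;
                        return FALSE;
                    }
                    pModuleCur->m_fForward = TRUE;

                    if (pModuleLast) {
                        pModuleLast->m_pNext = pModuleCur;
                    } else {
                        pModuleHead = pModuleCur;
                    }
                }

                // Create a CFunction for the forwarded function and push it onto
                // the front of the forward module's parent import list.
                CFunction *pFunction = CreateFunction(-1, -1, szFunction, (DWORD)-1);
                if (!pFunction) {
                    m_fOutOfMemory = TRUE;
                    return FALSE;
                }
                pFunction->m_pNext = pModuleCur->m_pParentImports;
                pModuleCur->m_pParentImports = pFunction;
            }

        } else {
            // No import/export match: flag the module as having an export error.
            pModule->m_fExportError = TRUE;
        }

        // Move to the next parent import function.
        pImport = pImport->m_pNext;
    }

    // If we created any forward modules during this verify, append them to the
    // end of our module's dependent module list.
    if (pModuleHead) {
        for (pModuleLast = pModule->m_pDependents;
             pModuleLast && pModuleLast->m_pNext;
             pModuleLast = pModuleLast->m_pNext)
        {}
        if (pModuleLast) {
            pModuleLast->m_pNext = pModuleHead;
        } else {
            pModule->m_pDependents = pModuleHead;
        }
    }

    return TRUE;
}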
//******************************************************************************
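// Processes one module node and, recursively, its dependent subtree.
//
// For a duplicate node (m_pModuleOriginal set) the original is processed
// first and only the parent-import verification is repeated here. For an
// original node that has already been processed, returns TRUE immediately.
// Otherwise the file is opened and mapped read-only, its headers, imports,
// delay imports and exports are parsed under SEH, the parent imports are
// verified against the exports, and every dependent is processed in turn.
//
// Returns the result of parsing this module (fResult). A FALSE return is
// only fatal to the caller when m_fOutOfMemory is also set; an unreadable or
// invalid file just yields FALSE for that node. Sets m_fCircularError and
// prunes the subtree when the dependency depth reaches 255.
BOOL CDepends::ProcessModule(CModule *pModule) {
    BOOL fResult = FALSE;

    // First check to see if this module is a duplicate. If it is, make sure the
    // original instance of this module has been processed and then just perform
    // the Parent Import Verify. If the module being passed in is an original,
    // then just ensure that we haven't already processed this module.
    if (pModule->m_pModuleOriginal) {

        // Process the original module and its subtree.
        fResult = ProcessModule(pModule->m_pModuleOriginal);
        if (!fResult && m_fOutOfMemory) {
            return FALSE;
        }

    // Exit now if we have already processed this original module in the past.
    } else if (pModule->m_pData->m_fProcessed) {
        return TRUE;

    } else {

        // Mark this module as processed.
        pModule->m_pData->m_fProcessed = TRUE;

        // Open the file for read.
        //m_hFile = CreateFile(pModule->m_pData->m_szPath, GENERIC_READ,
        m_hFile = CreateFileA(pModule->m_pData->m_szPath, GENERIC_READ,
                              FILE_SHARE_READ, NULL, OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL, NULL);

        // Exit now if the file failed to open. Reset m_hFile to NULL so this
        // path leaves the object in the same state as the other failure paths
        // below (and as the constructor), instead of holding INVALID_HANDLE_VALUE.
        if (m_hFile == INVALID_HANDLE_VALUE) {
            DWORD dwGLE = GetLastError();
            if (dwGLE == ERROR_FILE_NOT_FOUND) {
                //SetModuleError(pModule, "File not found in local directory or search path.");
                pModule->m_pData->m_fFileNotFound = TRUE;
            } else if (dwGLE == ERROR_PATH_NOT_FOUND) {
                //SetModuleError(pModule, "Invalid path or file name.");
                pModule->m_pData->m_fFileNotFound = TRUE;
            } else {
                //SetModuleError(pModule, "CreateFile() failed (%u).", dwGLE);
            }
            m_hFile = NULL;
            return FALSE;
        }

        // Create a file mapping object for the open module.
        HANDLE hMap = CreateFileMapping(m_hFile, NULL, PAGE_READONLY, 0, 0, NULL);

        // Exit now if the file failed to map.
        if (hMap == NULL) {
            //SetModuleError(pModule, "CreateFileMapping() failed (%u).", GetLastError());
            CloseHandle(m_hFile);
            m_hFile = NULL;
            return FALSE;
        }

        // Create a file mapping view for the open module.
        m_lpvFile = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);

        // Exit now if the mapped view failed to create.
        if (m_lpvFile == NULL) {
            //SetModuleError(pModule, "MapViewOfFile() failed (%u).", GetLastError());
            CloseHandle(hMap);
            CloseHandle(m_hFile);
            m_hFile = NULL;
            return FALSE;
        }

        __try {
            // Everything from here on is pretty much relying on the file being a
            // valid binary with valid pointers and offsets. It is fairly safe to
            // just wrap everything in exception handling and then blindly access
            // the file. Anything that causes us to move outside our file mapping
            // will generate an exception and bring us back here to fail the file.
            // NOTE(review): the handler only catches faults from touching memory
            // outside the mapping; a bad offset that still lands inside the
            // mapped file is not detected here and is left to the parsers below.
            fResult = (VerifyModule(pModule) &&
                       GetModuleInfo(pModule) &&
                       BuildImports(pModule) &&
                       BuildDelayImports(pModule) &&
                       BuildExports(pModule));
        } __except(EXCEPTION_EXECUTE_HANDLER) {
            //SetModuleError(pModule, "Module does not appear to be a valid Win32 module.");
        }

        // Close our map view pointer, our map handle, and our file handle.
        UnmapViewOfFile(m_lpvFile);
        CloseHandle(hMap);
        CloseHandle(m_hFile);

        // Clear our file handles and pointers.
        m_hFile = NULL;
        m_lpvFile = NULL;
        m_pIFH = NULL;
        m_pIOH = NULL;
        m_pISH = NULL;
    }

    // Compare our parent imports with our exports to make sure they all match up.
    if (!VerifyParentImports(pModule)) {
        return FALSE;
    }

    // Safeguard to ensure that we don't get stuck in some recursive loop. This
    // can occur if there is a circular dependency with forwarded functions. This
    // is extremely rare and would require someone to design it, but we need
    // to handle this case to prevent us from crashing on it. When NT encounters
    // a module like this, it fails the load with exception 0xC00000FD which is
    // defined as STATUS_STACK_OVERFLOW in WINNT.H. We use 255 as our max depth
    // because the several versions of the tree control crash if more than 256
    // depths are displayed.
    if (pModule->m_depth >= 255) {

        // If this module has dependents, then delete them.
        if (pModule->m_pDependents) {
            DeleteModule(pModule->m_pDependents);
            pModule->m_pDependents = NULL;
        }

        // Flag this document as having a circular dependency error.
        m_fCircularError = TRUE;
        return FALSE;
    }

    // Recurse into ProcessModule() to handle all our dependent modules. Only an
    // out-of-memory failure aborts the walk; other per-module failures are
    // recorded on that module and the remaining siblings are still processed.
    pModule = pModule->m_pDependents;
    while (pModule) {
        if (!ProcessModule(pModule) && m_fOutOfMemory) {
            return FALSE;
        }
        pModule = pModule->m_pNext;
    }

    return fResult;
}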