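/**
 * Look up a named export in a Windows PE image and return its RVA.
 *
 * The lookup runs in four steps: fetch the export table, find the symbol's
 * index in AddressOfNames, translate that to an AddressOfFunctions index,
 * then read the RVA stored at that index.
 *
 * @param vmi     introspection handle, passed through to every helper
 * @param ctx     access context, passed through to every helper
 *                (presumably selects the image being parsed; confirm)
 * @param symbol  export name to resolve
 * @param rva     [out] receives the export's RVA
 * @return VMI_SUCCESS when the symbol resolves to a non-forwarded export,
 *         VMI_FAILURE on a NULL symbol/rva, on any failed lookup step, or
 *         when the export is a forwarder.
 *
 * NOTE(review): on the forwarder path *rva is not reset. It presumably
 * still holds the value stored by get_export_rva(), which lies inside the
 * export directory rather than in code, so callers must check the status
 * before using *rva.
 */
status_t
windows_export_to_rva(
    vmi_instance_t vmi,
    const access_context_t *ctx,
    const char *symbol,
    addr_t *rva)
{
    struct export_table et;
    addr_t et_rva;
    size_t et_size;
    int aon_index = -1;
    int aof_index = -1;

    // *rva is dereferenced below and symbol is handed to the name lookup;
    // reject NULL here instead of faulting later.
    if (!symbol || !rva) {
        return VMI_FAILURE;
    }

    // get export table structure
    if (peparse_get_export_table(vmi, ctx, &et, &et_rva, &et_size) != VMI_SUCCESS) {
        dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get export table\n");
        return VMI_FAILURE;
    }

    // find AddressOfNames index for export symbol
    aon_index = get_aon_index(vmi, symbol, &et, ctx);
    if (-1 == aon_index) {
        dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get aon index\n");
        return VMI_FAILURE;
    }

    // find AddressOfFunctions index for export symbol
    aof_index = get_aof_index(vmi, aon_index, &et, ctx);
    if (-1 == aof_index) {
        dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get aof index\n");
        return VMI_FAILURE;
    }

    // find RVA value for export symbol
    if (VMI_SUCCESS != get_export_rva(vmi, rva, aof_index, &et, ctx)) {
        return VMI_FAILURE;
    }

    // handle forwarded functions
    // If the function's RVA is inside the exports section (as given by the
    // VirtualAddress and Size fields in the idd), the symbol is forwarded.
    //
    // et_rva and et_size come from the parsed image's headers, so they are
    // not trusted. Comparing the offset against the size cannot wrap, unlike
    // et_rva + et_size, so a crafted header cannot make a forwarder look
    // like a regular export.
    if (*rva >= et_rva && *rva - et_rva < et_size) {
        // %p requires a pointer to void
        dbprint(VMI_DEBUG_PEPARSE, "--PEParse: %s @ 0x%p is forwarded\n",
                symbol, (const void *)ctx);
        return VMI_FAILURE;
    }

    return VMI_SUCCESS;
}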
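/**
 * Look up a named export in a Windows PE image and return its RVA.
 *
 * The lookup runs in four steps: fetch the export table, find the symbol's
 * index in AddressOfNames, translate that to an AddressOfFunctions index,
 * then read the RVA stored at that index.
 *
 * @param vmi         introspection handle, passed through to every helper
 * @param base_vaddr  passed through to every helper (presumably the virtual
 *                    address where the image is mapped; confirm)
 * @param pid         passed through to every helper alongside base_vaddr
 * @param symbol      export name to resolve
 * @param rva         [out] receives the export's RVA
 * @return VMI_SUCCESS when the symbol resolves to a non-forwarded export,
 *         VMI_FAILURE on a NULL symbol/rva, on any failed lookup step, or
 *         when the export is a forwarder.
 *
 * NOTE(review): on the forwarder path *rva is not reset. It presumably
 * still holds the value stored by get_export_rva(), which lies inside the
 * export directory rather than in code, so callers must check the status
 * before using *rva.
 */
status_t
windows_export_to_rva(
    vmi_instance_t vmi,
    addr_t base_vaddr,
    vmi_pid_t pid,
    const char *symbol,
    addr_t *rva)
{
    struct export_table et;
    addr_t et_rva;
    size_t et_size;
    int aon_index = -1;
    int aof_index = -1;

    // *rva is dereferenced below and symbol is handed to the name lookup;
    // reject NULL here instead of faulting later.
    if (!symbol || !rva) {
        return VMI_FAILURE;
    }

    // get export table structure
    if (peparse_get_export_table(vmi, base_vaddr, pid, &et, &et_rva, &et_size) != VMI_SUCCESS) {
        dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get export table\n");
        return VMI_FAILURE;
    }

    // find AddressOfNames index for export symbol
    aon_index = get_aon_index(vmi, symbol, &et, base_vaddr, pid);
    if (aon_index == -1) {
        dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get aon index\n");
        return VMI_FAILURE;
    }

    // find AddressOfFunctions index for export symbol
    aof_index = get_aof_index(vmi, aon_index, &et, base_vaddr, pid);
    if (aof_index == -1) {
        dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get aof index\n");
        return VMI_FAILURE;
    }

    // find RVA value for export symbol
    if (VMI_SUCCESS != get_export_rva(vmi, rva, aof_index, &et, base_vaddr, pid)) {
        return VMI_FAILURE;
    }

    // handle forwarded functions
    // If the function's RVA is inside the exports section (as given by the
    // VirtualAddress and Size fields in the idd), the symbol is forwarded.
    //
    // et_rva and et_size come from the parsed image's headers, so they are
    // not trusted. Comparing the offset against the size cannot wrap, unlike
    // et_rva + et_size, so a crafted header cannot make a forwarder look
    // like a regular export.
    if (*rva >= et_rva && *rva - et_rva < et_size) {
        dbprint(VMI_DEBUG_MISC, "--PEParse: %s @ %u:0x%"PRIx64" is forwarded\n",
                symbol, pid, base_vaddr);
        return VMI_FAILURE;
    }

    return VMI_SUCCESS;
}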