Package ghidra.app.util.bin.format.pe

Class ImportDescriptor

java.lang.Object
ghidra.app.util.bin.format.pe.ImportDescriptor
All Implemented Interfaces:
ByteArrayConverter, StructConverter
public class ImportDescriptor extends Object implements StructConverter, ByteArrayConverter
 typedef struct _IMAGE_IMPORT_DESCRIPTOR {
     union {
         DWORD   Characteristics;            // 0 for terminating null import descriptor
         DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
     };
     DWORD   TimeDateStamp;
     DWORD   ForwarderChain;                 // -1 if no forwarders
     DWORD   Name;
     DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
 }

  • Field Details

  • Constructor Details

    • ImportDescriptor

      public ImportDescriptor()
      Constructs a new import descriptor initialized to zero.

  • Method Details

    • getDLL

      public String getDLL()

    • getImportNameTableThunkData

      public ThunkData[] getImportNameTableThunkData()
      Returns the array of thunks from the import name table.
      Returns:
      the array of thunks from the import name table

    • getImportAddressTableThunkData

      public ThunkData[] getImportAddressTableThunkData()
      Returns the array of thunks from the import address table.
      Returns:
      the array of thunks from the import address table

    • getCharacteristics

      public int getCharacteristics()
      At one time, this may have been a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field is really an offset (an RVA) to an array of pointers. Each of these pointers points to an IMAGE_IMPORT_BY_NAME structure.
      Returns:
      an offset (an RVA) to an array of pointers

    • getOriginalFirstThunk

      public int getOriginalFirstThunk()
      At one time, this may have been a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field is really an offset (an RVA) to an array of pointers. Each of these pointers points to an IMAGE_IMPORT_BY_NAME structure.
      Returns:
      an offset (an RVA) to an array of pointers

    • getFirstThunk

      public int getFirstThunk()
      This field is an offset (an RVA) to an IMAGE_THUNK_DATA union. In almost every case, the union is interpreted as a pointer to an IMAGE_IMPORT_BY_NAME structure. If the field isn't one of these pointers, then it's supposedly treated as an export ordinal value for the DLL that's being imported. It's not clear from the documentation if you really can import a function by ordinal rather than by name.
      Returns:
      an offset (an RVA) to an IMAGE_THUNK_DATA union

    • getForwarderChain

      public int getForwarderChain()
      This field relates to forwarding. Forwarding involves one DLL sending on references to one of its functions to another DLL. For example, in Windows NT, NTDLL.DLL appears to forward some of its exported functions to KERNEL32.DLL. An application may think it's calling a function in NTDLL.DLL, but it actually ends up calling into KERNEL32.DLL. This field contains an index into FirstThunk array (described momentarily). The function indexed by this field will be forwarded to another DLL. Unfortunately, the format of how a function is forwarded isn't documented, and examples of forwarded functions are hard to find.
      Returns:
      the forwarder chain

    • getName

      public int getName()
      Returns an RVA to a NULL-terminated ASCII string containing the imported DLL's name. Common examples are "KERNEL32.DLL" and "USER32.DLL".
      Returns:
      an RVA to a NULL-terminated ASCII string

    • getTimeDateStamp

      public int getTimeDateStamp()
      Returns the time/date stamp indicating when the file was built.
      Returns:
      the time/date stamp indicating when the file was built

    • isBound

      public boolean isBound()
      Returns true if the import descriptor is bound to an imported library. Being bound implies that the import has the function's preferred address
      Returns:
      true if the import descriptor is bound

    • toDataType

      public DataType toDataType() throws DuplicateNameException
      Description copied from interface: StructConverter
      Returns a structure datatype representing the contents of the implementor of this interface.

      For example, given: 

       class A {
     int foo;
     double bar;
 }

      The return value should be a structure data type with two data type components; an INT and a DOUBLE. The structure should contain field names and, if possible, field comments.

      Specified by:
      toDataType in interface StructConverter
      Returns:
      returns a structure datatype representing the implementor of this interface
      Throws:
      DuplicateNameException - when a datatype of the same name already exists
      See Also:

    • toBytes

      public byte[] toBytes(DataConverter dc)
      Description copied from interface: ByteArrayConverter
      Returns a byte array representing this implementor of this interface.
      Specified by:
      toBytes in interface ByteArrayConverter
      Parameters:
      dc - the data converter to use
      Returns:
      a byte array representing this object
      See Also:

    • setOriginalFirstThunk

      public void setOriginalFirstThunk(int i)
      Sets the original first thunk to the specified value.
      Parameters:
      i - the new original first thunk value.
      See Also:

    • setTimeDateStamp

      public void setTimeDateStamp(int i)
      Sets the time/date stamp to the specified value.
      Parameters:
      i - the new time/date stamp value.
      See Also:

    • setForwarderChain

      public void setForwarderChain(int i)
      Sets the forwarder to the specified value.
      Parameters:
      i - the new forwarder value.
      See Also:

    • setName

      public void setName(int i)
      Sets the name to the specified value.
      Parameters:
      i - the new name value.
      See Also:

    • setFirstThunk

      public void setFirstThunk(int i)
      Sets the first thunk to the specified value.
      Parameters:
      i - the new first thunk value.
      See Also:

    • isNullEntry

      public boolean isNullEntry()
      Checks to see if this descriptor is a null entry. A null entry indicates that no more descriptors follow in the import table.
      Returns:
      True if this descriptor is a null entry; otherwise, false.