A reader for PE images mapped into another process. More...

#include "snapshot/win/pe_image_reader.h"

Public Member Functions
bool	Initialize (ProcessReaderWin *process_reader, WinVMAddress address, WinVMSize size, const std::string &module_name)
	Initializes the reader. More...

WinVMAddress	Address () const
	Returns the image's load address. More...

WinVMSize	Size () const
	Returns the image's size. More...

bool	GetCrashpadInfoSection (WinVMAddress address, WinVMSize size) const
	Obtains the module's CrashpadInfo structure address and size. More...

template<class Traits >
bool	GetCrashpadInfo (process_types::CrashpadInfo< Traits > *crashpad_info) const
	Obtains the module's CrashpadInfo structure. More...

bool	DebugDirectoryInformation (UUID uuid, DWORD age, std::string *pdbname) const
	Obtains information from the module's debug directory, if any. More...

bool	VSFixedFileInfo (VS_FIXEDFILEINFO *vs_fixed_file_info) const
	Obtains the module’s `VS_FIXEDFILEINFO`, containing its version and type information. More...

Detailed Description

A reader for PE images mapped into another process.

This class is capable of reading both 32-bit and 64-bit images based on the bitness of the remote process.

See also: PEImageAnnotationsReader; PEImageResourceReader

Member Function Documentation

◆ Address()

WinVMAddress crashpad::PEImageReader::Address ( ) const

inline

Returns the image's load address.

This is the value passed as address to Initialize().

◆ DebugDirectoryInformation()

bool crashpad::PEImageReader::DebugDirectoryInformation	(	UUID *	uuid,
		DWORD *	age,
		std::string *	pdbname
	)		const

Obtains information from the module's debug directory, if any.

Parameters

[out]	uuid	The unique identifier of the executable/PDB.
[out]	age	The age field for the pdb (the number of times it's been relinked).
[out]	pdbname	Name of the pdb file.

Returns: true on success, with the parameters set appropriately. false on failure. This method may return false without logging anything in the case of a module that does not contain relevant debugging information but is otherwise properly structured.

◆ GetCrashpadInfo()

template<class Traits >

bool crashpad::PEImageReader::GetCrashpadInfo ( process_types::CrashpadInfo< Traits > * crashpad_info ) const

Obtains the module's CrashpadInfo structure.

Returns: true on success, false on failure. If the module does not have a CPADinfo section, this will return false without logging any messages. Other failures will result in messages being logged.

◆ GetCrashpadInfoSection()

bool crashpad::PEImageReader::GetCrashpadInfoSection	(	WinVMAddress *	address,
		WinVMSize *	size
	)		const

Obtains the module's CrashpadInfo structure address and size.

Parameters

[out]	address	The CrashpadInfo structure address.
[out]	size	The CrashpadInfo structure size.

Returns: true on success, false on failure. If the module does not have a CPADinfo section, this will return false without logging any messages. Other failures will result in messages being logged.

◆ Initialize()

bool crashpad::PEImageReader::Initialize	(	ProcessReaderWin *	process_reader,
		WinVMAddress	address,
		WinVMSize	size,
		const std::string &	module_name
	)

Initializes the reader.

This method must be called only once on an object. This method must be called successfully before any other method in this class may be called.

Parameters

[in]	process_reader	The reader for the remote process.
[in]	address	The address, in the remote process' address space, where the `IMAGE_DOS_HEADER` is located.
[in]	size	The size of the image.
[in]	module_name	The module's name, a string to be used in logged messages. This string is for diagnostic purposes.

Returns: true if the image was read successfully, false otherwise, with an appropriate message logged.

◆ Size()

WinVMSize crashpad::PEImageReader::Size ( ) const

inline

Returns the image's size.

This is the value passed as size to Initialize().

◆ VSFixedFileInfo()

bool crashpad::PEImageReader::VSFixedFileInfo ( VS_FIXEDFILEINFO * vs_fixed_file_info ) const

Obtains the module’s VS_FIXEDFILEINFO, containing its version and type information.

The data obtained from this method should be equivalent to what could be obtained by calling GetModuleVersionAndType(). Avoiding that function ensures that the data in the module loaded into the remote process will be used as-is, without the risks associated with loading the module into the reading process.

Parameters

[out] vs_fixed_file_info The VS_FIXEDFILEINFO on success. VS_FIXEDFILEINFO::dwFileFlags will have been masked with VS_FIXEDFILEINFO::dwFileFlagsMask already.

Returns: true on success. false if the module does not contain this information, without logging any messages. false on failure, with a message logged.

The documentation for this class was generated from the following files:

snapshot/win/pe_image_reader.h
snapshot/win/pe_image_reader.cc

Public Member Functions

Detailed Description

Member Function Documentation

◆ Address()

◆ DebugDirectoryInformation()

◆ GetCrashpadInfo()

◆ GetCrashpadInfoSection()

◆ Initialize()

◆ Size()

◆ VSFixedFileInfo()