Package ghidra.app.util.bin.format.pe

Class ImportDescriptor

  • All Implemented Interfaces:
    ByteArrayConverter, StructConverter
    public class ImportDescriptor
extends java.lang.Object
implements StructConverter, ByteArrayConverter
     typedef struct _IMAGE_IMPORT_DESCRIPTOR {
     union {
         DWORD   Characteristics;            // 0 for terminating null import descriptor
         DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
     };
     DWORD   TimeDateStamp;
     DWORD   ForwarderChain;                 // -1 if no forwarders
     DWORD   Name;
     DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
 }

    • Constructor Detail

      • ImportDescriptor

        public ImportDescriptor()
        Constructs a new import descriptor initialized to zero.

    • Method Detail

      • getDLL

        public java.lang.String getDLL()

      • getImportNameTableThunkData

        public ThunkData[] getImportNameTableThunkData()
        Returns the array of thunks from the import name table.
        Returns:
        the array of thunks from the import name table

      • getImportAddressTableThunkData

        public ThunkData[] getImportAddressTableThunkData()
        Returns the array of thunks from the import address table.
        Returns:
        the array of thunks from the import address table

      • getCharacteristics

        public int getCharacteristics()
        At one time, this may have been a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field is really an offset (an RVA) to an array of pointers. Each of these pointers points to an IMAGE_IMPORT_BY_NAME structure.
        Returns:
        an offset (an RVA) to an array of pointers

      • getOriginalFirstThunk

        public int getOriginalFirstThunk()
        At one time, this may have been a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field is really an offset (an RVA) to an array of pointers. Each of these pointers points to an IMAGE_IMPORT_BY_NAME structure.
        Returns:
        an offset (an RVA) to an array of pointers

      • getFirstThunk

        public int getFirstThunk()
        This field is an offset (an RVA) to an IMAGE_THUNK_DATA union. In almost every case, the union is interpreted as a pointer to an IMAGE_IMPORT_BY_NAME structure. If the field isn't one of these pointers, then it's supposedly treated as an export ordinal value for the DLL that's being imported. It's not clear from the documentation if you really can import a function by ordinal rather than by name.
        Returns:
        an offset (an RVA) to an IMAGE_THUNK_DATA union

      • getForwarderChain

        public int getForwarderChain()
        This field relates to forwarding. Forwarding involves one DLL sending on references to one of its functions to another DLL. For example, in Windows NT, NTDLL.DLL appears to forward some of its exported functions to KERNEL32.DLL. An application may think it's calling a function in NTDLL.DLL, but it actually ends up calling into KERNEL32.DLL. This field contains an index into FirstThunk array (described momentarily). The function indexed by this field will be forwarded to another DLL. Unfortunately, the format of how a function is forwarded isn't documented, and examples of forwarded functions are hard to find.
        Returns:
        the forwarder chain

      • getName

        public int getName()
        Returns an RVA to a NULL-terminated ASCII string containing the imported DLL's name. Common examples are "KERNEL32.DLL" and "USER32.DLL".
        Returns:
        an RVA to a NULL-terminated ASCII string

      • getTimeDateStamp

        public int getTimeDateStamp()
        Returns the time/date stamp indicating when the file was built.
        Returns:
        the time/date stamp indicating when the file was built

      • isBound

        public boolean isBound()
        Returns true if the import descriptor is bound to an imported library. Being bound implies that the import has the function's preferred address
        Returns:
        true if the import descriptor is bound

      • toDataType

        public DataType toDataType()
                    throws DuplicateNameException
        Description copied from interface: StructConverter
        Returns a structure datatype representing the contents of the implementor of this interface.

        For example, given: 

         class A {
     int foo;
     double bar;
 }

        The return value should be a structure data type with two data type components; an INT and a DOUBLE. The structure should contain field names and, if possible, field comments.

        Specified by:
        toDataType in interface StructConverter
        Returns:
        returns a structure datatype representing the implementor of this interface
        Throws:
        DuplicateNameException - when a datatype of the same name already exists
        See Also:
        StructConverter.toDataType()

      • setOriginalFirstThunk

        public void setOriginalFirstThunk​(int i)
        Sets the original first thunk to the specifed value.
        Parameters:
        i - the new original first thunk value.
        See Also:
        getOriginalFirstThunk()

      • setTimeDateStamp

        public void setTimeDateStamp​(int i)
        Sets the time/date stamp to the specifed value.
        Parameters:
        i - the new time/date stamp value.
        See Also:
        getTimeDateStamp()

      • setForwarderChain

        public void setForwarderChain​(int i)
        Sets the forwarder to the specifed value.
        Parameters:
        i - the new forwarder value.
        See Also:
        getForwarderChain()

      • setName

        public void setName​(int i)
        Sets the name to the specifed value.
        Parameters:
        i - the new name value.
        See Also:
        getName()

      • setFirstThunk

        public void setFirstThunk​(int i)
        Sets the first thunk to the specifed value.
        Parameters:
        i - the new first thunk value.
        See Also:
        getFirstThunk()

      • isNullEntry

        public boolean isNullEntry()
        Checks to see if this descriptor is a null entry. A null entry indicates that no more descriptors follow in the import table.
        Returns:
        True if this descriptor is a null entry; otherwise, false.