Want to collect n structs without knowing n in advance -> realloc?

qknight · May 23, 2024, 5:51pm

According to the manual I can create 5 record(s) this way:

    typedef struct {
        int   id;
        int   length;
        uchar data[ length ];
    } RECORD;

    RECORD record[5] <optimize=false>;

But what if I don’t know that it is 5 exactly but say 7?

I’d basically like to know if there is a realloc() of some sort. Or even better, a structure which does garbage collecting automatically.

My motivation is:

In the PE header I have the .idata entry and there is a list of DLLs. This is already in the template coming with 010 editor. However, later I want to parse the symbol names and entry point names of each DLL. But then I don’t have the DLL name in question anymore due to

IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor

being collected by 010 editor out of the environment magically.

The source code is this:

// this should be my abstract data collection
typedef struct 
{
        string name;
        int nameTable; // abs position of name table start (foo.dll)
        int firstThunk; // abs position of symbol table start
} ABSTRACT_IMPORT;

// IMAGE_DIRECTORY_ENTRY_IMPORT 1
void ParseIAT() // qknight
{
    if ( (NtHeader.OptionalHeader.DataDirArray.Import.VirtualAddress != 0) && (NtHeader.OptionalHeader.DataDirArray.Import.Size != 0) )
    {
        local ULONG ulImportFOA <hidden=true> = RVA2FOA(NtHeader.OptionalHeader.DataDirArray.Import.VirtualAddress);
        local ULONG ulOriginalFirstThunk <hidden=true> = 0;
        local ULONG ulOriginalFirstThunkFOA <hidden=true> = 0;
        local int   nImportIndex <hidden=true> = 0;

        FSeek(ulImportFOA);
        // CREATE Import Directory Table
        while (1)
        {
            ulOriginalFirstThunk = ReadUInt(ulImportFOA + 0x14*nImportIndex );
            if (0 == ulOriginalFirstThunk)
            {
                local int n  = FTell() % 16;
                char IAT_Terminator[16 + n] <bgcolor=cDkYellow,comment="Import Directory Table END">;
                break;
            }
            FSeek(ulImportFOA + 0x14*nImportIndex);
            IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor <bgcolor=cDkGreen,comment="Import Directory Table Entry">;
            
            // FIXME 
            
            nImportIndex++;
        }
        // CREATE Import Lookup Table
       
        // CREATE Hint/Name Table
		
        
        // CREATE Import Address Table 
        
     
    }
}

This leaves me with the issue that I need a wrapper struct (ABSTRACT_IMPORT) which is filled in the background and then when I got the information of the DLL name, locations for followup fields, only then I want to read binary data and fill the structs to get hex bytes from the editor associated with structs.

sweetscape · May 27, 2024, 11:00pm

Hello qknight. There is no way currently to resize a struct that has been created. When you need to create a struct that relies on data elsewhere in the file, there are two main options. The first option is to use the ReadInt/ReadUint/etc functions to read data from the file in other places but this only works for very simple structs and is probably not useful for this case. The second option is to create a second struct later on after you have all the data you need. Structs do not have to be declared consecutively in the file and you can jump around the file using the FSeek/FTell functions. You should be able to access all the previous structs that were declared. You mentioned that you had trouble accessing ImageImportDescriptor, but you should be able to access all the data in those structs using a loop. Let us know if you can’t get it to work.

Graeme
SweetScape Software