private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName) { IntPtr pFunc = IntPtr.Zero; IMAGE_DOS_HEADER hdrDos; IMAGE_NT_HEADERS32 hdrNt32; UIntPtr dwRead; Imports.ReadProcessMemory(_hProcess, moduleBase, out hdrDos, out dwRead); if (!hdrDos.isValid) { return(IntPtr.Zero); } Imports.ReadProcessMemory(_hProcess, moduleBase + hdrDos.e_lfanew, out hdrNt32, out dwRead); if (!hdrNt32.isValid) { return(IntPtr.Zero); } var expBase = hdrNt32.OptionalHeader.ExportTable.VirtualAddress; if (expBase > 0) { var expSize = hdrNt32.OptionalHeader.ExportTable.Size; var expData = (PIMAGE_EXPORT_DIRECTORY)AllocateMemory(expSize); Imports.ReadProcessMemory(_hProcess, moduleBase + (int)expBase, expData.Address, (int)expSize, out dwRead); var pAddressOfOrds = (PWORD)(expData.Address + (int)expData.Value.AddressOfNameOrdinals - (int)expBase); var pAddressOfNames = (PDWORD)(expData.Address + (int)expData.Value.AddressOfNames - (int)expBase); var pAddressOfFuncs = (PDWORD)(expData.Address + (int)expData.Value.AddressOfFunctions - (int)expBase); for (uint i = 0; i < expData.Value.NumberOfFunctions; i++) { ushort ordIndex; PCHAR pName = null; if (new PDWORD(procName.Address).Value <= 0xFFFF) { ordIndex = unchecked ((ushort)i); } else if (new PDWORD(procName.Address).Value > 0xFFFF && i < expData.Value.NumberOfNames) { pName = (PCHAR) new IntPtr(pAddressOfNames[i] + expData.Address.ToInt32() - expBase); ordIndex = pAddressOfOrds[i]; } else { return(IntPtr.Zero); } if ((new PDWORD(procName.Address).Value <= 0xFFFF && new PDWORD(procName.Address).Value == ordIndex + expData.Value.Base) || (new PDWORD(procName.Address).Value > 0xFFFF && pName.ToString() == procName.ToString())) { pFunc = moduleBase + (int)pAddressOfFuncs[ordIndex]; if (pFunc.ToInt64() >= (moduleBase + (int)expBase).ToInt64() && pFunc.ToInt64() <= (moduleBase + (int)expBase + (int)expSize).ToInt64()) { var forwardStr = new byte[255]; Imports.ReadProcessMemory(_hProcess, pFunc, forwardStr, out dwRead); var chainExp = Helpers.ToStringAnsi(forwardStr); var strDll = chainExp.Substring(0, chainExp.IndexOf(".")) + ".dll"; var strName = chainExp.Substring(chainExp.IndexOf(".") + 1); var hChainMod = GetRemoteModuleHandleA(strDll); if (hChainMod == IntPtr.Zero) { // todo //hChainMod = LoadDependencyA(strDll.c_str()); InjectDependency(strDll); } if (strName.StartsWith("#")) { pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName) + 1); } else { pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName)); } } break; } } Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release); } return(pFunc); }
private bool ProcessImportTable(IntPtr baseAddress) { var imageNtHeaders = GetNtHeader(baseAddress); if (imageNtHeaders == null) { return(false); } if (imageNtHeaders.Value.OptionalHeader.ImportTable.Size > 0) { var imageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RvaToPointer(imageNtHeaders.Value.OptionalHeader.ImportTable.VirtualAddress, baseAddress); if (imageImportDescriptor != null) { for (; imageImportDescriptor.Value.Name > 0; imageImportDescriptor++) { var moduleName = (PCHAR)RvaToPointer(imageImportDescriptor.Value.Name, baseAddress); if (moduleName == null) { continue; } if (moduleName.ToString().Contains("-ms-win-crt-")) { moduleName = new PCHAR("ucrtbase.dll"); } var moduleBase = GetRemoteModuleHandleA(moduleName.ToString()); if (moduleBase == IntPtr.Zero) { // todo manual map injection for dependency InjectDependency(moduleName.ToString()); moduleBase = GetRemoteModuleHandleA(moduleName.ToString()); if (moduleBase == IntPtr.Zero) { #if DEBUG Debug.WriteLine("[ProcessImportTable] failed to obtain module handle"); #endif // failed to obtain module handle continue; } } PIMAGE_THUNK_DATA imageThunkData; PIMAGE_THUNK_DATA imageFuncData; if (imageImportDescriptor.Value.OriginalFirstThunk > 0) { imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.OriginalFirstThunk, baseAddress); imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress); } else { imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress); imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress); } for (; imageThunkData.Value.AddressOfData > 0; imageThunkData++, imageFuncData++) { IntPtr functionAddress; var bSnapByOrdinal = (imageThunkData.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0; if (bSnapByOrdinal) { var ordinal = (short)(imageThunkData.Value.Ordinal & 0xffff); functionAddress = GetDependencyProcAddressA(moduleBase, new PCHAR(ordinal)); if (functionAddress == IntPtr.Zero) { return(false); } } else { var imageImportByName = (PIMAGE_IMPORT_BY_NAME)RvaToPointer(imageFuncData.Value.Ordinal, baseAddress); var mameOfImport = (PCHAR)imageImportByName.Address + /*imageImportByName->Name*/ 2; functionAddress = GetDependencyProcAddressA(moduleBase, mameOfImport); } //ImageFuncData->u1.Function = (size_t)FunctionAddress; Marshal.WriteInt32(imageFuncData.Address, functionAddress.ToInt32()); } } return(true); } else { #if DEBUG Debug.WriteLine("[ProcessImportTable] Size of table confirmed but pointer to data invalid"); #endif // Size of table confirmed but pointer to data invalid return(false); } } else { #if DEBUG Debug.WriteLine("[ProcessImportTable] no imports"); #endif // no imports return(true); } }
// Token: 0x06000011 RID: 17 RVA: 0x00002A08 File Offset: 0x00000C08 private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size <= 0U) { return(true); } PIMAGE_IMPORT_DESCRIPTOR pimage_IMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)this.RvaToPointer(ntHeader.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress); if (pimage_IMPORT_DESCRIPTOR != null) { while (pimage_IMPORT_DESCRIPTOR.Value.Name > 0U) { PCHAR pchar = (PCHAR)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.Name, baseAddress); if (pchar != null) { IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString()); if (remoteModuleHandleA == IntPtr.Zero) { this.InjectDependency(pchar.ToString()); remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString()); if (remoteModuleHandleA == IntPtr.Zero) { goto IL_1F6; } } PIMAGE_THUNK_DATA pimage_THUNK_DATA; PIMAGE_THUNK_DATA pimage_THUNK_DATA2; if (pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk > 0U) { pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk, baseAddress); pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); } else { pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); } while (pimage_THUNK_DATA.Value.AddressOfData > 0U) { IntPtr dependencyProcAddressA; if ((pimage_THUNK_DATA.Value.Ordinal & 2147483648U) > 0U) { short num = (short)(pimage_THUNK_DATA.Value.Ordinal & 65535U); dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(num)); if (dependencyProcAddressA == IntPtr.Zero) { return(false); } } else { PCHAR procName = (PCHAR)((PIMAGE_IMPORT_BY_NAME)this.RvaToPointer(pimage_THUNK_DATA2.Value.Ordinal, baseAddress)).Address + 2; dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, procName); } Marshal.WriteInt32(pimage_THUNK_DATA2.Address, dependencyProcAddressA.ToInt32()); pimage_THUNK_DATA = ++pimage_THUNK_DATA; pimage_THUNK_DATA2 = ++pimage_THUNK_DATA2; } } IL_1F6: pimage_IMPORT_DESCRIPTOR = ++pimage_IMPORT_DESCRIPTOR; } return(true); } return(false); }
// Token: 0x0600000F RID: 15 RVA: 0x00002478 File Offset: 0x00000678 private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName) { IntPtr intPtr = IntPtr.Zero; IMAGE_DOS_HEADER image_DOS_HEADER; UIntPtr uintPtr; Imports.ReadProcessMemory <IMAGE_DOS_HEADER>(this._hProcess, moduleBase, out image_DOS_HEADER, out uintPtr); if (!image_DOS_HEADER.isValid) { return(IntPtr.Zero); } IMAGE_NT_HEADERS32 image_NT_HEADERS; Imports.ReadProcessMemory <IMAGE_NT_HEADERS32>(this._hProcess, moduleBase + image_DOS_HEADER.e_lfanew, out image_NT_HEADERS, out uintPtr); if (!image_NT_HEADERS.isValid) { return(IntPtr.Zero); } uint virtualAddress = image_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress; if (virtualAddress > 0U) { uint size = image_NT_HEADERS.OptionalHeader.ExportTable.Size; PIMAGE_EXPORT_DIRECTORY pimage_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)this.AllocateMemory(size); Imports.ReadProcessMemory(this._hProcess, moduleBase + (int)virtualAddress, pimage_EXPORT_DIRECTORY.Address, (int)size, out uintPtr); PWORD pword = (PWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals - (int)virtualAddress); PDWORD pdword = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNames - (int)virtualAddress); PDWORD pdword2 = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions - (int)virtualAddress); uint num = 0U; while (num < pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions) { PCHAR pchar = null; ushort num2; if (new PDWORD(procName.Address).Value <= 65535U) { num2 = (ushort)num; } else { if (new PDWORD(procName.Address).Value <= 65535U || num >= pimage_EXPORT_DIRECTORY.Value.NumberOfNames) { return(IntPtr.Zero); } pchar = (PCHAR) new IntPtr((long)((ulong)pdword[num] + (ulong)((long)pimage_EXPORT_DIRECTORY.Address.ToInt32()) - (ulong)virtualAddress)); num2 = pword[num]; } if ((new PDWORD(procName.Address).Value <= 65535U && new PDWORD(procName.Address).Value == (uint)num2 + pimage_EXPORT_DIRECTORY.Value.Base) || (new PDWORD(procName.Address).Value > 65535U && pchar.ToString() == procName.ToString())) { intPtr = moduleBase + (int)pdword2[(uint)num2]; if (intPtr.ToInt64() < (moduleBase + (int)virtualAddress).ToInt64() || intPtr.ToInt64() > (moduleBase + (int)virtualAddress + (int)size).ToInt64()) { break; } byte[] array = new byte[255]; Imports.ReadProcessMemory(this._hProcess, intPtr, array, out uintPtr); string text = Helpers.ToStringAnsi(array); string text2 = text.Substring(0, text.IndexOf(".")) + ".dll"; string text3 = text.Substring(text.IndexOf(".") + 1); IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(text2); if (remoteModuleHandleA == IntPtr.Zero) { this.InjectDependency(text2); } if (text3.StartsWith("#")) { intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3) + 1); break; } intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3)); break; } else { num += 1U; } } Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release); } return(intPtr); }
public RIO_BUFFERID RegisterBuffer([In] PCHAR DataBuffer, [In] DWORD DataLength) => registerBuffer(DataBuffer, DataLength);
private bool process_import_table(IntPtr base_address) { var image_nt_headers = get_nt_header(base_address); if (image_nt_headers == null) { return(false); } if (image_nt_headers.Value.OptionalHeader.ImportTable.Size > 0) { var image_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)rva_to_pointer(image_nt_headers.Value.OptionalHeader.ImportTable.VirtualAddress, base_address); if (image_import_descriptor != null) { for (; image_import_descriptor.Value.Name > 0; image_import_descriptor++) { var module_name = (PCHAR)rva_to_pointer(image_import_descriptor.Value.Name, base_address); if (module_name == null) { continue; } if (module_name.ToString().Contains("-ms-win-crt-")) { module_name = new PCHAR("ucrtbase.dll"); } var module_base = get_remote_module_handle_a(module_name.ToString()); if (module_base == IntPtr.Zero) { // todo manual map injection for dependency inject_dependency(module_name.ToString()); module_base = get_remote_module_handle_a(module_name.ToString()); if (module_base == IntPtr.Zero) { #if DEBUG Debug.WriteLine("[process_import_table] failed to obtain module handle"); #endif // failed to obtain module handle continue; } } PIMAGE_THUNK_DATA image_thunk_data; PIMAGE_THUNK_DATA image_func_data; if (image_import_descriptor.Value.OriginalFirstThunk > 0) { image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.OriginalFirstThunk, base_address); image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address); } else { image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address); image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address); } for (; image_thunk_data.Value.AddressOfData > 0; image_thunk_data++, image_func_data++) { IntPtr function_address; var snap_by_ordinal = (image_thunk_data.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0; if (snap_by_ordinal) { var ordinal = (short)(image_thunk_data.Value.Ordinal & 0xffff); function_address = get_dep_proc_address_a(module_base, new PCHAR(ordinal)); if (function_address == IntPtr.Zero) { return(false); } } else { var image_import_by_name = (PIMAGE_IMPORT_BY_NAME)rva_to_pointer(image_func_data.Value.Ordinal, base_address); var name_of_import = (PCHAR)image_import_by_name.Address + /*image_import_by_name->Name*/ 2; function_address = get_dep_proc_address_a(module_base, name_of_import); } //ImageFuncData->u1.Function = (size_t)FunctionAddress; Marshal.WriteInt32(image_func_data.Address, function_address.ToInt32()); } } return(true); } else { #if DEBUG Debug.WriteLine("[process_import_table] Size of table confirmed but pointer to data invalid"); #endif // Size of table confirmed but pointer to data invalid return(false); } } else { #if DEBUG Debug.WriteLine("[process_import_table] no imports"); #endif // no imports return(true); } }
private IntPtr get_dep_proc_address_a(IntPtr module_base, PCHAR procName) { IntPtr func = IntPtr.Zero; IMAGE_DOS_HEADER hdr_dos; IMAGE_NT_HEADERS32 hdr_nt32; UIntPtr read; Imports.ReadProcessMemory(_hProcess, module_base, out hdr_dos, out read); if (!hdr_dos.is_valid) { return(IntPtr.Zero); } Imports.ReadProcessMemory(_hProcess, module_base + hdr_dos.e_lfanew, out hdr_nt32, out read); if (!hdr_nt32.is_valid) { return(IntPtr.Zero); } var exp_base = hdr_nt32.OptionalHeader.ExportTable.VirtualAddress; if (exp_base > 0) { var exp_size = hdr_nt32.OptionalHeader.ExportTable.Size; var exp_data = (PIMAGE_EXPORT_DIRECTORY)allocate_memory(exp_size); Imports.ReadProcessMemory(_hProcess, module_base + (int)exp_base, exp_data.Address, (int)exp_size, out read); var address_of_ords = (PWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNameOrdinals - (int)exp_base); var address_of_names = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNames - (int)exp_base); var address_of_funcs = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfFunctions - (int)exp_base); for (uint i = 0; i < exp_data.Value.NumberOfFunctions; i++) { ushort ord_index; PCHAR name = null; if (new PDWORD(procName.Address).Value <= 0xFFFF) { ord_index = unchecked ((ushort)i); } else if (new PDWORD(procName.Address).Value > 0xFFFF && i < exp_data.Value.NumberOfNames) { name = (PCHAR) new IntPtr(address_of_names[i] + exp_data.Address.ToInt32() - exp_base); ord_index = address_of_ords[i]; } else { return(IntPtr.Zero); } if ((new PDWORD(procName.Address).Value <= 0xFFFF && new PDWORD(procName.Address).Value == ord_index + exp_data.Value.Base) || (new PDWORD(procName.Address).Value > 0xFFFF && name.ToString() == procName.ToString())) { func = module_base + (int)address_of_funcs[ord_index]; if (func.ToInt64() >= (module_base + (int)exp_base).ToInt64() && func.ToInt64() <= (module_base + (int)exp_base + (int)exp_size).ToInt64()) { var forward_str = new byte[255]; Imports.ReadProcessMemory(_hProcess, func, forward_str, out read); var chain_exp = Helpers.to_string_ansi(forward_str); var str_dll = chain_exp.Substring(0, chain_exp.IndexOf(".")) + ".dll"; var str_name = chain_exp.Substring(chain_exp.IndexOf(".") + 1); var chain_mod = get_remote_module_handle_a(str_dll); if (chain_mod == IntPtr.Zero) { inject_dependency(str_dll); } if (str_name.StartsWith("#")) { func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name) + 1); } else { func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name)); } } break; } } Imports.VirtualFree(exp_data.Address, 0, Imports.FreeType.Release); } return(func); }