private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
{
IntPtr pFunc = IntPtr.Zero;
IMAGE_DOS_HEADER hdrDos;
IMAGE_NT_HEADERS32 hdrNt32;
UIntPtr dwRead;
Imports.ReadProcessMemory(_hProcess, moduleBase, out hdrDos, out dwRead);
if (!hdrDos.isValid)
{
return(IntPtr.Zero);
}
Imports.ReadProcessMemory(_hProcess, moduleBase + hdrDos.e_lfanew, out hdrNt32, out dwRead);
if (!hdrNt32.isValid)
{
return(IntPtr.Zero);
}
var expBase = hdrNt32.OptionalHeader.ExportTable.VirtualAddress;
if (expBase > 0)
{
var expSize = hdrNt32.OptionalHeader.ExportTable.Size;
var expData = (PIMAGE_EXPORT_DIRECTORY)AllocateMemory(expSize);
Imports.ReadProcessMemory(_hProcess, moduleBase + (int)expBase, expData.Address, (int)expSize, out dwRead);
var pAddressOfOrds = (PWORD)(expData.Address + (int)expData.Value.AddressOfNameOrdinals - (int)expBase);
var pAddressOfNames = (PDWORD)(expData.Address + (int)expData.Value.AddressOfNames - (int)expBase);
var pAddressOfFuncs = (PDWORD)(expData.Address + (int)expData.Value.AddressOfFunctions - (int)expBase);
for (uint i = 0; i < expData.Value.NumberOfFunctions; i++)
{
ushort ordIndex;
PCHAR pName = null;
if (new PDWORD(procName.Address).Value <= 0xFFFF)
{
ordIndex = unchecked ((ushort)i);
}
else if (new PDWORD(procName.Address).Value > 0xFFFF && i < expData.Value.NumberOfNames)
{
pName = (PCHAR) new IntPtr(pAddressOfNames[i] + expData.Address.ToInt32() - expBase);
ordIndex = pAddressOfOrds[i];
}
else
{
return(IntPtr.Zero);
}
if ((new PDWORD(procName.Address).Value <= 0xFFFF && new PDWORD(procName.Address).Value == ordIndex + expData.Value.Base) || (new PDWORD(procName.Address).Value > 0xFFFF && pName.ToString() == procName.ToString()))
{
pFunc = moduleBase + (int)pAddressOfFuncs[ordIndex];
if (pFunc.ToInt64() >= (moduleBase + (int)expBase).ToInt64() && pFunc.ToInt64() <= (moduleBase + (int)expBase + (int)expSize).ToInt64())
{
var forwardStr = new byte[255];
Imports.ReadProcessMemory(_hProcess, pFunc, forwardStr, out dwRead);
var chainExp = Helpers.ToStringAnsi(forwardStr);
var strDll = chainExp.Substring(0, chainExp.IndexOf(".")) + ".dll";
var strName = chainExp.Substring(chainExp.IndexOf(".") + 1);
var hChainMod = GetRemoteModuleHandleA(strDll);
if (hChainMod == IntPtr.Zero)
{
// todo
//hChainMod = LoadDependencyA(strDll.c_str());
InjectDependency(strDll);
}
if (strName.StartsWith("#"))
{
pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName) + 1);
}
else
{
pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName));
}
}
break;
}
}
Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release);
}
return(pFunc);
}
private bool ProcessImportTable(IntPtr baseAddress)
{
var imageNtHeaders = GetNtHeader(baseAddress);
if (imageNtHeaders == null)
{
return(false);
}
if (imageNtHeaders.Value.OptionalHeader.ImportTable.Size > 0)
{
var imageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RvaToPointer(imageNtHeaders.Value.OptionalHeader.ImportTable.VirtualAddress, baseAddress);
if (imageImportDescriptor != null)
{
for (; imageImportDescriptor.Value.Name > 0; imageImportDescriptor++)
{
var moduleName = (PCHAR)RvaToPointer(imageImportDescriptor.Value.Name, baseAddress);
if (moduleName == null)
{
continue;
}
if (moduleName.ToString().Contains("-ms-win-crt-"))
{
moduleName = new PCHAR("ucrtbase.dll");
}
var moduleBase = GetRemoteModuleHandleA(moduleName.ToString());
if (moduleBase == IntPtr.Zero)
{
// todo manual map injection for dependency
InjectDependency(moduleName.ToString());
moduleBase = GetRemoteModuleHandleA(moduleName.ToString());
if (moduleBase == IntPtr.Zero)
{
#if DEBUG
Debug.WriteLine("[ProcessImportTable] failed to obtain module handle");
#endif
// failed to obtain module handle
continue;
}
}
PIMAGE_THUNK_DATA imageThunkData;
PIMAGE_THUNK_DATA imageFuncData;
if (imageImportDescriptor.Value.OriginalFirstThunk > 0)
{
imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.OriginalFirstThunk, baseAddress);
imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress);
}
else
{
imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress);
imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageImportDescriptor.Value.FirstThunk, baseAddress);
}
for (; imageThunkData.Value.AddressOfData > 0; imageThunkData++, imageFuncData++)
{
IntPtr functionAddress;
var bSnapByOrdinal = (imageThunkData.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0;
if (bSnapByOrdinal)
{
var ordinal = (short)(imageThunkData.Value.Ordinal & 0xffff);
functionAddress = GetDependencyProcAddressA(moduleBase, new PCHAR(ordinal));
if (functionAddress == IntPtr.Zero)
{
return(false);
}
}
else
{
var imageImportByName = (PIMAGE_IMPORT_BY_NAME)RvaToPointer(imageFuncData.Value.Ordinal, baseAddress);
var mameOfImport = (PCHAR)imageImportByName.Address + /*imageImportByName->Name*/ 2;
functionAddress = GetDependencyProcAddressA(moduleBase, mameOfImport);
}
//ImageFuncData->u1.Function = (size_t)FunctionAddress;
Marshal.WriteInt32(imageFuncData.Address, functionAddress.ToInt32());
}
}
return(true);
}
else
{
#if DEBUG
Debug.WriteLine("[ProcessImportTable] Size of table confirmed but pointer to data invalid");
#endif
// Size of table confirmed but pointer to data invalid
return(false);
}
}
else
{
#if DEBUG
Debug.WriteLine("[ProcessImportTable] no imports");
#endif
// no imports
return(true);
}
}
// Token: 0x06000011 RID: 17 RVA: 0x00002A08 File Offset: 0x00000C08
private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size <= 0U)
{
return(true);
}
PIMAGE_IMPORT_DESCRIPTOR pimage_IMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)this.RvaToPointer(ntHeader.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress);
if (pimage_IMPORT_DESCRIPTOR != null)
{
while (pimage_IMPORT_DESCRIPTOR.Value.Name > 0U)
{
PCHAR pchar = (PCHAR)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.Name, baseAddress);
if (pchar != null)
{
IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString());
if (remoteModuleHandleA == IntPtr.Zero)
{
this.InjectDependency(pchar.ToString());
remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString());
if (remoteModuleHandleA == IntPtr.Zero)
{
goto IL_1F6;
}
}
PIMAGE_THUNK_DATA pimage_THUNK_DATA;
PIMAGE_THUNK_DATA pimage_THUNK_DATA2;
if (pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk > 0U)
{
pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk, baseAddress);
pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
}
else
{
pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
}
while (pimage_THUNK_DATA.Value.AddressOfData > 0U)
{
IntPtr dependencyProcAddressA;
if ((pimage_THUNK_DATA.Value.Ordinal & 2147483648U) > 0U)
{
short num = (short)(pimage_THUNK_DATA.Value.Ordinal & 65535U);
dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(num));
if (dependencyProcAddressA == IntPtr.Zero)
{
return(false);
}
}
else
{
PCHAR procName = (PCHAR)((PIMAGE_IMPORT_BY_NAME)this.RvaToPointer(pimage_THUNK_DATA2.Value.Ordinal, baseAddress)).Address + 2;
dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, procName);
}
Marshal.WriteInt32(pimage_THUNK_DATA2.Address, dependencyProcAddressA.ToInt32());
pimage_THUNK_DATA = ++pimage_THUNK_DATA;
pimage_THUNK_DATA2 = ++pimage_THUNK_DATA2;
}
}
IL_1F6:
pimage_IMPORT_DESCRIPTOR = ++pimage_IMPORT_DESCRIPTOR;
}
return(true);
}
return(false);
}
// Token: 0x0600000F RID: 15 RVA: 0x00002478 File Offset: 0x00000678
private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
{
IntPtr intPtr = IntPtr.Zero;
IMAGE_DOS_HEADER image_DOS_HEADER;
UIntPtr uintPtr;
Imports.ReadProcessMemory <IMAGE_DOS_HEADER>(this._hProcess, moduleBase, out image_DOS_HEADER, out uintPtr);
if (!image_DOS_HEADER.isValid)
{
return(IntPtr.Zero);
}
IMAGE_NT_HEADERS32 image_NT_HEADERS;
Imports.ReadProcessMemory <IMAGE_NT_HEADERS32>(this._hProcess, moduleBase + image_DOS_HEADER.e_lfanew, out image_NT_HEADERS, out uintPtr);
if (!image_NT_HEADERS.isValid)
{
return(IntPtr.Zero);
}
uint virtualAddress = image_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress;
if (virtualAddress > 0U)
{
uint size = image_NT_HEADERS.OptionalHeader.ExportTable.Size;
PIMAGE_EXPORT_DIRECTORY pimage_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)this.AllocateMemory(size);
Imports.ReadProcessMemory(this._hProcess, moduleBase + (int)virtualAddress, pimage_EXPORT_DIRECTORY.Address, (int)size, out uintPtr);
PWORD pword = (PWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals - (int)virtualAddress);
PDWORD pdword = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNames - (int)virtualAddress);
PDWORD pdword2 = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions - (int)virtualAddress);
uint num = 0U;
while (num < pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions)
{
PCHAR pchar = null;
ushort num2;
if (new PDWORD(procName.Address).Value <= 65535U)
{
num2 = (ushort)num;
}
else
{
if (new PDWORD(procName.Address).Value <= 65535U || num >= pimage_EXPORT_DIRECTORY.Value.NumberOfNames)
{
return(IntPtr.Zero);
}
pchar = (PCHAR) new IntPtr((long)((ulong)pdword[num] + (ulong)((long)pimage_EXPORT_DIRECTORY.Address.ToInt32()) - (ulong)virtualAddress));
num2 = pword[num];
}
if ((new PDWORD(procName.Address).Value <= 65535U && new PDWORD(procName.Address).Value == (uint)num2 + pimage_EXPORT_DIRECTORY.Value.Base) || (new PDWORD(procName.Address).Value > 65535U && pchar.ToString() == procName.ToString()))
{
intPtr = moduleBase + (int)pdword2[(uint)num2];
if (intPtr.ToInt64() < (moduleBase + (int)virtualAddress).ToInt64() || intPtr.ToInt64() > (moduleBase + (int)virtualAddress + (int)size).ToInt64())
{
break;
}
byte[] array = new byte[255];
Imports.ReadProcessMemory(this._hProcess, intPtr, array, out uintPtr);
string text = Helpers.ToStringAnsi(array);
string text2 = text.Substring(0, text.IndexOf(".")) + ".dll";
string text3 = text.Substring(text.IndexOf(".") + 1);
IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(text2);
if (remoteModuleHandleA == IntPtr.Zero)
{
this.InjectDependency(text2);
}
if (text3.StartsWith("#"))
{
intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3) + 1);
break;
}
intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3));
break;
}
else
{
num += 1U;
}
}
Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release);
}
return(intPtr);
}
public RIO_BUFFERID RegisterBuffer([In] PCHAR DataBuffer, [In] DWORD DataLength) => registerBuffer(DataBuffer, DataLength);
private bool process_import_table(IntPtr base_address)
{
var image_nt_headers = get_nt_header(base_address);
if (image_nt_headers == null)
{
return(false);
}
if (image_nt_headers.Value.OptionalHeader.ImportTable.Size > 0)
{
var image_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)rva_to_pointer(image_nt_headers.Value.OptionalHeader.ImportTable.VirtualAddress, base_address);
if (image_import_descriptor != null)
{
for (; image_import_descriptor.Value.Name > 0; image_import_descriptor++)
{
var module_name = (PCHAR)rva_to_pointer(image_import_descriptor.Value.Name, base_address);
if (module_name == null)
{
continue;
}
if (module_name.ToString().Contains("-ms-win-crt-"))
{
module_name = new PCHAR("ucrtbase.dll");
}
var module_base = get_remote_module_handle_a(module_name.ToString());
if (module_base == IntPtr.Zero)
{
// todo manual map injection for dependency
inject_dependency(module_name.ToString());
module_base = get_remote_module_handle_a(module_name.ToString());
if (module_base == IntPtr.Zero)
{
#if DEBUG
Debug.WriteLine("[process_import_table] failed to obtain module handle");
#endif
// failed to obtain module handle
continue;
}
}
PIMAGE_THUNK_DATA image_thunk_data;
PIMAGE_THUNK_DATA image_func_data;
if (image_import_descriptor.Value.OriginalFirstThunk > 0)
{
image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.OriginalFirstThunk, base_address);
image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address);
}
else
{
image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address);
image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_import_descriptor.Value.FirstThunk, base_address);
}
for (; image_thunk_data.Value.AddressOfData > 0; image_thunk_data++, image_func_data++)
{
IntPtr function_address;
var snap_by_ordinal = (image_thunk_data.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0;
if (snap_by_ordinal)
{
var ordinal = (short)(image_thunk_data.Value.Ordinal & 0xffff);
function_address = get_dep_proc_address_a(module_base, new PCHAR(ordinal));
if (function_address == IntPtr.Zero)
{
return(false);
}
}
else
{
var image_import_by_name = (PIMAGE_IMPORT_BY_NAME)rva_to_pointer(image_func_data.Value.Ordinal, base_address);
var name_of_import = (PCHAR)image_import_by_name.Address + /*image_import_by_name->Name*/ 2;
function_address = get_dep_proc_address_a(module_base, name_of_import);
}
//ImageFuncData->u1.Function = (size_t)FunctionAddress;
Marshal.WriteInt32(image_func_data.Address, function_address.ToInt32());
}
}
return(true);
}
else
{
#if DEBUG
Debug.WriteLine("[process_import_table] Size of table confirmed but pointer to data invalid");
#endif
// Size of table confirmed but pointer to data invalid
return(false);
}
}
else
{
#if DEBUG
Debug.WriteLine("[process_import_table] no imports");
#endif
// no imports
return(true);
}
}
private IntPtr get_dep_proc_address_a(IntPtr module_base, PCHAR procName)
{
IntPtr func = IntPtr.Zero;
IMAGE_DOS_HEADER hdr_dos;
IMAGE_NT_HEADERS32 hdr_nt32;
UIntPtr read;
Imports.ReadProcessMemory(_hProcess, module_base, out hdr_dos, out read);
if (!hdr_dos.is_valid)
{
return(IntPtr.Zero);
}
Imports.ReadProcessMemory(_hProcess, module_base + hdr_dos.e_lfanew, out hdr_nt32, out read);
if (!hdr_nt32.is_valid)
{
return(IntPtr.Zero);
}
var exp_base = hdr_nt32.OptionalHeader.ExportTable.VirtualAddress;
if (exp_base > 0)
{
var exp_size = hdr_nt32.OptionalHeader.ExportTable.Size;
var exp_data = (PIMAGE_EXPORT_DIRECTORY)allocate_memory(exp_size);
Imports.ReadProcessMemory(_hProcess, module_base + (int)exp_base, exp_data.Address, (int)exp_size, out read);
var address_of_ords = (PWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNameOrdinals - (int)exp_base);
var address_of_names = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNames - (int)exp_base);
var address_of_funcs = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfFunctions - (int)exp_base);
for (uint i = 0; i < exp_data.Value.NumberOfFunctions; i++)
{
ushort ord_index;
PCHAR name = null;
if (new PDWORD(procName.Address).Value <= 0xFFFF)
{
ord_index = unchecked ((ushort)i);
}
else if (new PDWORD(procName.Address).Value > 0xFFFF && i < exp_data.Value.NumberOfNames)
{
name = (PCHAR) new IntPtr(address_of_names[i] + exp_data.Address.ToInt32() - exp_base);
ord_index = address_of_ords[i];
}
else
{
return(IntPtr.Zero);
}
if ((new PDWORD(procName.Address).Value <= 0xFFFF && new PDWORD(procName.Address).Value == ord_index + exp_data.Value.Base) || (new PDWORD(procName.Address).Value > 0xFFFF && name.ToString() == procName.ToString()))
{
func = module_base + (int)address_of_funcs[ord_index];
if (func.ToInt64() >= (module_base + (int)exp_base).ToInt64() && func.ToInt64() <= (module_base + (int)exp_base + (int)exp_size).ToInt64())
{
var forward_str = new byte[255];
Imports.ReadProcessMemory(_hProcess, func, forward_str, out read);
var chain_exp = Helpers.to_string_ansi(forward_str);
var str_dll = chain_exp.Substring(0, chain_exp.IndexOf(".")) + ".dll";
var str_name = chain_exp.Substring(chain_exp.IndexOf(".") + 1);
var chain_mod = get_remote_module_handle_a(str_dll);
if (chain_mod == IntPtr.Zero)
{
inject_dependency(str_dll);
}
if (str_name.StartsWith("#"))
{
func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name) + 1);
}
else
{
func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name));
}
}
break;
}
}
Imports.VirtualFree(exp_data.Address, 0, Imports.FreeType.Release);
}
return(func);
}
