public PeHeader(MainType mainType, PeImage peImage)
{
uint headerOffset;
version = getHeaderOffsetAndVersion(peImage, out headerOffset);
headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
internal NETHeaderReader(NTHeader header, NETHeader parent)
{
this.parent = parent;
header._assembly._netHeader = parent;
image = header._assembly._peImage;
this.ntHeader = header;
}
internal ResourcesReader(NTHeader header)
{
this.header = header;
image = header.assembly.peImage;
resourceDirectory = header.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource];
ReadRootDirectory();
}
private static async Task <string> DownloadPdb(PeImage peImage)
{
// Ensure a temporary directory exists on disk to store the PDB
var directoryInfo = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "Lunar", "PDB", peImage.Headers.PEHeader.Magic == PEMagic.PE32 ? "WOW64" : "X64"));
// Clear the directory if the correct PDB hasn't been downloaded
var pdbFilePath = Path.Combine(directoryInfo.FullName, $"{peImage.DebugDirectoryData.Path.Replace(".pdb", "")}-{peImage.DebugDirectoryData.Guid.ToString().Replace("-", "")}.pdb");
foreach (var file in directoryInfo.EnumerateFiles())
{
if (file.FullName.Equals(pdbFilePath))
{
return(pdbFilePath);
}
try
{
file.Delete();
}
catch (IOException)
{
// The file is currently open and cannot be safely deleted
}
}
static EncryptionVersion getHeaderOffsetAndVersion(PeImage peImage, out uint headerOffset)
{
headerOffset = 0;
var version = getVersion(peImage, headerOffset);
if (version != EncryptionVersion.Unknown)
{
return(version);
}
var section = peImage.findSection(".rsrc");
if (section == null)
{
return(EncryptionVersion.Unknown);
}
headerOffset = section.pointerToRawData;
uint end = section.pointerToRawData + section.sizeOfRawData - 0x1000 + 1;
while (headerOffset < end)
{
version = getVersion(peImage, headerOffset);
if (version != EncryptionVersion.Unknown)
{
return(version);
}
headerOffset++;
}
return(EncryptionVersion.Unknown);
}
public ImportExportTableReader(NTHeader header)
{
this.header = header;
image = header.assembly.peImage;
LoadExports();
LoadImports();
}
// Old CS versions
byte[] unpackNativeFile1(PeImage peImage)
{
const int dataDirNum = 6; // debug dir
const int dotNetDirNum = 14;
if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0)
{
return(null);
}
if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48)
{
return(null);
}
var fileData = peImage.readAllBytes();
int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum);
int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum);
writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
writeUInt32(fileData, dataDir, 0);
writeUInt32(fileData, dataDir + 4, 0);
ModuleBytes = fileData;
return(fileData);
}
internal NETHeaderReader(NTHeader header, NETHeader parent)
{
this.parent = parent;
header._assembly._netHeader = parent;
image = header._assembly._peImage;
this.ntHeader = header;
}
bool unpackNativeImage(IEnumerable <IDeobfuscator> deobfuscators)
{
var peImage = new PeImage(Utils.readFile(Filename));
foreach (var deob in deobfuscators)
{
byte[] unpackedData = null;
try {
unpackedData = deob.unpackNativeFile(peImage);
}
catch {
}
if (unpackedData == null)
{
continue;
}
try {
module = assemblyModule.load(unpackedData);
}
catch {
Log.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong);
continue;
}
this.deob = deob;
return(true);
}
return(false);
}
/// <summary>
/// Provides the functionality to map a DLL from memory into a process
/// </summary>
public LibraryMapper(Process process, ReadOnlyMemory <byte> dllBytes)
{
// Validate the arguments
if (process is null || process.HasExited)
{
throw new ArgumentException("The process provided was invalid");
}
if (dllBytes.IsEmpty)
{
throw new ArgumentException("The DLL bytes provided were invalid");
}
EnterDebugMode();
_dllBytes = new Memory <byte>(new byte[dllBytes.Length]);
dllBytes.CopyTo(_dllBytes);
_peImage = new PeImage(dllBytes);
_processManager = new ProcessManager(process);
_symbolParser = new SymbolParser(RetrieveNtdllFilePath(process), "RtlInsertInvertedFunctionTable", "RtlRemoveInvertedFunctionTable");
}
/// <summary>
/// Provides the functionality to map a DLL from disk into a process
/// </summary>
public LibraryMapper(Process process, string dllFilePath)
{
// Validate the arguments
if (process is null || process.HasExited)
{
throw new ArgumentException("The process provided was invalid");
}
if (string.IsNullOrWhiteSpace(dllFilePath))
{
throw new ArgumentException("The DLL file path provided was invalid");
}
EnterDebugMode();
var dllBytes = File.ReadAllBytes(dllFilePath);
_dllBytes = new Memory <byte>(new byte[dllBytes.Length]);
dllBytes.CopyTo(_dllBytes);
_peImage = new PeImage(dllBytes);
_processManager = new ProcessManager(process);
_symbolParser = new SymbolParser(RetrieveNtdllFilePath(process), "RtlInsertInvertedFunctionTable", "RtlRemoveInvertedFunctionTable");
}
public ImportExportTableReader(NTHeader header)
{
this.header = header;
image = header.assembly.peImage;
LoadExports();
LoadImports();
}
internal ResourceDirectoryEntry(PeImage image, uint offset, Structures.IMAGE_RESOURCE_DIRECTORY_ENTRY rawEntry, string customName)
{
this._image = image;
this._offset = offset;
this._rawEntry = rawEntry;
this._customName = customName;
}
/// <summary>
/// Initialises an instances of the <see cref="LibraryMapper"/> class with the functionality to map a DLL from disk into a process
/// </summary>
public LibraryMapper(Process process, string dllFilePath, MappingFlags mappingFlags = MappingFlags.None)
{
if (process is null || process.HasExited)
{
throw new ArgumentException("The provided process is not currently running");
}
if (string.IsNullOrWhiteSpace(dllFilePath) || !File.Exists(dllFilePath))
{
throw new ArgumentException("The provided file path did not point to a valid file");
}
if (!Environment.Is64BitProcess && process.GetArchitecture() == Architecture.X64)
{
throw new NotSupportedException("The provided process cannot be mapped into from an x86 build");
}
_dllBytes = File.ReadAllBytes(dllFilePath);
_fileResolver = new FileResolver(process, Path.GetDirectoryName(dllFilePath));
_mappingFlags = mappingFlags;
_peImage = new PeImage(_dllBytes.ToArray());
_processContext = new ProcessContext(process);
}
/// <summary>
/// Initialises an instances of the <see cref="LibraryMapper"/> class with the functionality to map a DLL from memory into a process
/// </summary>
public LibraryMapper(Process process, Memory <byte> dllBytes, MappingFlags mappingFlags = MappingFlags.None)
{
if (process is null || process.HasExited)
{
throw new ArgumentException("The provided process is not currently running");
}
if (dllBytes.IsEmpty)
{
throw new ArgumentException("The provided DLL bytes were empty");
}
if (!Environment.Is64BitProcess && process.GetArchitecture() == Architecture.X64)
{
throw new NotSupportedException("The provided process cannot be mapped into from an x86 build");
}
_dllBytes = dllBytes.ToArray();
_fileResolver = new FileResolver(process, null);
_mappingFlags = mappingFlags;
_peImage = new PeImage(dllBytes);
_processContext = new ProcessContext(process);
}
internal ResourceDirectoryEntry(PeImage image, uint offset, Structures.IMAGE_RESOURCE_DIRECTORY_ENTRY rawEntry, string customName)
{
this._image = image;
this._offset = offset;
this._rawEntry = rawEntry;
this._customName = customName;
}
/// <summary>
/// Provides the functionality to map a DLL from memory into a remote process
/// </summary>
public LibraryMapper(Process process, Memory <byte> dllBytes)
{
// Validate the arguments passed into the constructor
if (process == default || process.HasExited)
{
throw new ArgumentException("The process provided was invalid");
}
if (dllBytes.IsEmpty)
{
throw new ArgumentException("The DLL bytes provided were invalid");
}
EnterDebugMode();
_dllBytes = dllBytes;
_peImage = new PeImage(dllBytes);
_processManager = new ProcessManager(process);
_symbolParser = new SymbolParser(_processManager.Modules.First(module => module.Name.Equals("ntdll.dll")));
ValidateArchitecture();
}
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods)
{
if (decrypter == null)
{
return(false);
}
var peImage = new PeImage(fileData);
if (peImage.Sections.Length <= 0)
{
return(false);
}
var methodsData = findMethodsData(peImage, fileData);
if (methodsData == null)
{
return(false);
}
decrypter.initialize(methodsData);
dumpedMethods = createDumpedMethods(peImage, fileData, methodsData);
if (dumpedMethods == null)
{
return(false);
}
return(true);
}
/// <summary>
/// Provides the functionality to map a DLL from disk into a remote process
/// </summary>
public LibraryMapper(Process process, string dllPath)
{
// Validate the arguments passed into the constructor
if (process == default || process.HasExited)
{
throw new ArgumentException("The process provided was invalid");
}
if (string.IsNullOrWhiteSpace(dllPath))
{
throw new ArgumentException("The DLL path provided was invalid");
}
EnterDebugMode();
_dllBytes = File.ReadAllBytes(dllPath);
_peImage = new PeImage(_dllBytes);
_processManager = new ProcessManager(process);
_symbolParser = new SymbolParser(_processManager.Modules.First(module => module.Name.Equals("ntdll.dll")));
ValidateArchitecture();
}
internal LibraryReference(PeImage image, uint offset, Structures.IMAGE_IMPORT_DESCRIPTOR rawDescriptor, string libraryName, ImportMethod[] importMethods)
{
this._image = image;
this._offset = offset;
this._rawDescriptor = rawDescriptor;
this.LibraryName = libraryName;
this.ImportMethods = importMethods;
}
internal ResourceDirectory(PeImage image, uint offset, ResourceDirectoryEntry parentEntry, ResourceDirectoryEntry[] childEntries, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory)
{
this.image = image;
this.ParentEntry = parentEntry;
this.ChildEntries = childEntries;
this.offset = offset;
this.rawDirectory = rawDirectory;
}
public DecrypterInfo(MainType mainType, byte[] fileData)
{
this.mainType = mainType;
this.peImage = new PeImage(fileData);
this.peHeader = new PeHeader(mainType, peImage);
this.mcKey = new McKey(peImage, peHeader);
this.fileData = fileData;
}
public ProDecrypter(PeImage peImage, CodeHeader codeHeader)
: base(peImage, codeHeader)
{
for (int i = 0; i < 4; i++)
{
key[i] = be_readUInt32(codeHeader.decryptionKey, i * 4);
}
}
internal LibraryReference(PeImage image, uint offset, Structures.IMAGE_IMPORT_DESCRIPTOR rawDescriptor, string libraryName, ImportMethod[] importMethods)
{
this._image = image;
this._offset = offset;
this._rawDescriptor = rawDescriptor;
this.LibraryName = libraryName;
this.ImportMethods = importMethods;
}
public MSILAssembler(MethodBody methodBody)
{
this.MethodBody = methodBody;
_disassembler = new MSILDisassembler(methodBody);
_image = methodBody.Method._netheader._assembly.Image;
_offsetConverter = new OffsetConverter(Section.GetSectionByRva(methodBody.Method._netheader._assembly, methodBody.Method.RVA));
_bodyOffset = _offsetConverter.RvaToFileOffset(methodBody.Method.RVA) + methodBody.HeaderSize;
_tokenResolver = methodBody.Method._netheader.TokenResolver;
}
static void patchDwords(PeImage peImage, BinaryReader reader, int count)
{
for (int i = 0; i < count; i++)
{
uint rva = reader.ReadUInt32();
uint data = reader.ReadUInt32();
peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(data));
}
}
public MSILAssembler(MethodBody methodBody)
{
this.MethodBody = methodBody;
_disassembler = new MSILDisassembler(methodBody);
_image = methodBody.Method._netheader._assembly.Image;
_offsetConverter = new OffsetConverter(Section.GetSectionByRva(methodBody.Method._netheader._assembly, methodBody.Method.RVA));
_bodyOffset = _offsetConverter.RvaToFileOffset(methodBody.Method.RVA) + methodBody.HeaderSize;
_tokenResolver = methodBody.Method._netheader.TokenResolver;
}
internal ResourceDirectory(PeImage image, uint offset, ResourcesReader reader, ResourceDirectoryEntry parentEntry, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory)
{
this.image = image;
this.ParentEntry = parentEntry;
this.offset = offset;
this.fileOffset = offset + image.ParentAssembly.ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.FileOffset;
this.rawDirectory = rawDirectory;
this.reader = reader;
}
internal ResourceDirectory(PeImage image, uint offset, ResourcesReader reader, ResourceDirectoryEntry parentEntry, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory)
{
this._image = image;
this.ParentEntry = parentEntry;
this._offset = offset;
this._fileOffset = offset + image.ParentAssembly._ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.FileOffset;
this._rawDirectory = rawDirectory;
this._reader = reader;
}
byte[] findMethodsData(PeImage peImage, byte[] fileData)
{
var section = peImage.Sections[0];
var reader = new BinaryReader(new MemoryStream(fileData));
const int RVA_EXECUTIVE_OFFSET = 1 * 4;
const int ENC_CODE_OFFSET = 6 * 4;
int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData);
for (int offset = getStartOffset(peImage); offset < lastOffset;)
{
offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
if (offset < 0)
{
return(null);
}
offset += initializeMethodEnd.Length;
short retImm16 = BitConverter.ToInt16(fileData, offset);
if (retImm16 != 0x0C && retImm16 != 0x10)
{
continue;
}
offset += 2;
if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
{
return(null);
}
// rva is 0 when the assembly has been embedded
int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0)
{
continue;
}
int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
if (relOffs <= 0 || relOffs >= section.sizeOfRawData)
{
continue;
}
reader.BaseStream.Position = section.pointerToRawData + relOffs;
int size = DeobUtils.readVariableLengthInt32(reader);
int endOffset = relOffs + size;
if (endOffset < relOffs || endOffset > section.sizeOfRawData)
{
continue;
}
return(reader.ReadBytes(size));
}
return(null);
}
public McKey(PeImage peImage, PeHeader peHeader)
{
this.peHeader = peHeader;
try {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000);
}
catch (IOException) {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x1000);
}
}
internal ResourceDataEntry(PeImage image, uint offset, ResourceDirectoryEntry parentEntry, Structures.IMAGE_RESOURCE_DATA_ENTRY rawDataEntry)
{
this.image = image;
this.offset = offset;
this.ParentEntry = parentEntry;
this.rawDataEntry = rawDataEntry;
Section resourceSection = Section.GetSectionByRva(image.assembly, image.assembly.ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.Rva);
targetOffset = OffsetToData - resourceSection.RVA + resourceSection.RawOffset;
}
internal EjectDll(InjectionWrapper injectionWrapper)
{
_injectionMethod = injectionWrapper.InjectionMethod;
_injectionFlags = injectionWrapper.InjectionFlags;
_peImage = injectionWrapper.PeImage;
_process = injectionWrapper.Process;
}
public bool patch(PeImage peImage)
{
try {
return(patch2(peImage));
}
catch {
Log.w("Could not patch the file");
return(false);
}
}
internal NETMethodReader(PeImage peImage, MethodBody methodbody)
{
tokenResolver = new MetaDataTokenResolver(peImage.ParentAssembly._netHeader);
this.peImage = peImage;
this.rva = methodbody.Method.RVA;
this.methodbody = methodbody;
peImage.SetOffset(Offset.FromRva(rva, peImage.ParentAssembly).FileOffset);
rawoffset = (uint)peImage.Stream.Position;
signature = peImage.Reader.ReadByte();
}
public PeHeader(MainType mainType, PeImage peImage)
{
headerData = getPeHeaderData(peImage);
if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48)
{
rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY;
rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY;
}
}
internal NETMethodReader(PeImage peImage, MethodBody methodbody)
{
tokenResolver = new MetaDataTokenResolver(peImage.ParentAssembly._netHeader);
this.peImage = peImage;
this.rva = methodbody.Method.RVA;
this.methodbody = methodbody;
peImage.SetOffset(Offset.FromRva(rva, peImage.ParentAssembly).FileOffset);
rawoffset = (uint)peImage.Stream.Position;
signature = peImage.Reader.ReadByte();
}
static void clearDllBit(byte[] peImageData)
{
var mainPeImage = new PeImage(peImageData);
uint characteristicsOffset = mainPeImage.FileHeaderOffset + 18;
ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
characteristics &= 0xDFFF;
characteristics |= 2;
mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
}
protected InjectionBase(byte[] dllBytes, Process process, InjectionFlags injectionFlags)
{
DllBytes = dllBytes;
InjectionFlags = injectionFlags;
PeImage = new PeImage(dllBytes);
ProcessManager = new ProcessManager(process);
}
internal HijackThread(InjectionWrapper injectionWrapper)
{
_dllPath = injectionWrapper.DllPath;
_injectionFlags = injectionWrapper.InjectionFlags;
_peImage = injectionWrapper.PeImage;
_process = injectionWrapper.Process;
}
internal ResourcesReader(NTHeader header)
{
this.header = header;
this.image = header._assembly._peImage;
resourceDirectory = header.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource];
if (header._assembly._peImage.TrySetOffset(resourceDirectory.TargetOffset.FileOffset))
{
stream = header._assembly._peImage.ReadStream((int)resourceDirectory.Size);
reader = new BinaryReader(stream);
ReadRootDirectory();
}
}
public void AfterWeaving()
{
if (!dotGitDirExists)
{
return;
}
try
{
using (var fileStream = File.Open(AssemblyFilePath, FileMode.Open, FileAccess.ReadWrite))
{
var peReader = new PeImage(fileStream);
peReader.ReadHeader();
peReader.CalculateCheckSum();
var versionStream = peReader.GetVersionResourceStream();
var reader = new VersionResourceReader(versionStream);
var versions = reader.Read();
var fixedFileInfo = versions.FixedFileInfo.Value;
fixedFileInfo.FileVersion = assemblyVersion;
fixedFileInfo.ProductVersion = assemblyVersion;
versions.FixedFileInfo = fixedFileInfo;
foreach (var stringTable in versions.StringFileInfo)
{
if (stringTable.Values.ContainsKey("FileVersion"))
{
stringTable.Values["FileVersion"] = assemblyVersion.ToString();
}
if (stringTable.Values.ContainsKey("ProductVersion"))
{
stringTable.Values["ProductVersion"] = assemblyInfoVersion;
}
}
versionStream.Position = 0;
var writer = new VersionResourceWriter(versionStream);
writer.Write(versions);
peReader.SetVersionResourceStream(versionStream);
peReader.WriteCheckSum();
}
}
catch (Exception ex)
{
throw new WeavingException($"Failed to update the assembly information. {ex.Message}");
}
}
internal NETHeaderReader(NTHeader header, NETHeader parent)
{
header.assembly.netHeader = parent;
image = header.assembly.peImage;
this.ntHeader = header;
}
/// <summary>
/// Creates a new instance of a disassembler.
/// </summary>
/// <param name="assembly">The assembly to be disassembled.</param>
public x86Disassembler(Win32Assembly assembly)
{
this.image = assembly.peImage;
}
internal x86Assembler(Win32Assembly assembly)
{
this.image = assembly.peImage;
disassembler = assembly.disassembler;
offsetConverter = new OffsetConverter(Section.GetSectionByRva(assembly, assembly.ntheader.OptionalHeader.BaseOfCode));
}
