public PeHeader(MainType mainType, PeImage peImage) { uint headerOffset; version = getHeaderOffsetAndVersion(peImage, out headerOffset); headerData = peImage.offsetReadBytes(headerOffset, 0x1000); }
internal NETHeaderReader(NTHeader header, NETHeader parent) { this.parent = parent; header._assembly._netHeader = parent; image = header._assembly._peImage; this.ntHeader = header; }
internal ResourcesReader(NTHeader header) { this.header = header; image = header.assembly.peImage; resourceDirectory = header.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource]; ReadRootDirectory(); }
private static async Task <string> DownloadPdb(PeImage peImage) { // Ensure a temporary directory exists on disk to store the PDB var directoryInfo = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "Lunar", "PDB", peImage.Headers.PEHeader.Magic == PEMagic.PE32 ? "WOW64" : "X64")); // Clear the directory if the correct PDB hasn't been downloaded var pdbFilePath = Path.Combine(directoryInfo.FullName, $"{peImage.DebugDirectoryData.Path.Replace(".pdb", "")}-{peImage.DebugDirectoryData.Guid.ToString().Replace("-", "")}.pdb"); foreach (var file in directoryInfo.EnumerateFiles()) { if (file.FullName.Equals(pdbFilePath)) { return(pdbFilePath); } try { file.Delete(); } catch (IOException) { // The file is currently open and cannot be safely deleted } }
static EncryptionVersion getHeaderOffsetAndVersion(PeImage peImage, out uint headerOffset) { headerOffset = 0; var version = getVersion(peImage, headerOffset); if (version != EncryptionVersion.Unknown) { return(version); } var section = peImage.findSection(".rsrc"); if (section == null) { return(EncryptionVersion.Unknown); } headerOffset = section.pointerToRawData; uint end = section.pointerToRawData + section.sizeOfRawData - 0x1000 + 1; while (headerOffset < end) { version = getVersion(peImage, headerOffset); if (version != EncryptionVersion.Unknown) { return(version); } headerOffset++; } return(EncryptionVersion.Unknown); }
public ImportExportTableReader(NTHeader header) { this.header = header; image = header.assembly.peImage; LoadExports(); LoadImports(); }
// Old CS versions byte[] unpackNativeFile1(PeImage peImage) { const int dataDirNum = 6; // debug dir const int dotNetDirNum = 14; if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0) { return(null); } if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48) { return(null); } var fileData = peImage.readAllBytes(); int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum); int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum); writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir)); writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4)); writeUInt32(fileData, dataDir, 0); writeUInt32(fileData, dataDir + 4, 0); ModuleBytes = fileData; return(fileData); }
bool unpackNativeImage(IEnumerable <IDeobfuscator> deobfuscators) { var peImage = new PeImage(Utils.readFile(Filename)); foreach (var deob in deobfuscators) { byte[] unpackedData = null; try { unpackedData = deob.unpackNativeFile(peImage); } catch { } if (unpackedData == null) { continue; } try { module = assemblyModule.load(unpackedData); } catch { Log.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong); continue; } this.deob = deob; return(true); } return(false); }
/// <summary> /// Provides the functionality to map a DLL from memory into a process /// </summary> public LibraryMapper(Process process, ReadOnlyMemory <byte> dllBytes) { // Validate the arguments if (process is null || process.HasExited) { throw new ArgumentException("The process provided was invalid"); } if (dllBytes.IsEmpty) { throw new ArgumentException("The DLL bytes provided were invalid"); } EnterDebugMode(); _dllBytes = new Memory <byte>(new byte[dllBytes.Length]); dllBytes.CopyTo(_dllBytes); _peImage = new PeImage(dllBytes); _processManager = new ProcessManager(process); _symbolParser = new SymbolParser(RetrieveNtdllFilePath(process), "RtlInsertInvertedFunctionTable", "RtlRemoveInvertedFunctionTable"); }
/// <summary> /// Provides the functionality to map a DLL from disk into a process /// </summary> public LibraryMapper(Process process, string dllFilePath) { // Validate the arguments if (process is null || process.HasExited) { throw new ArgumentException("The process provided was invalid"); } if (string.IsNullOrWhiteSpace(dllFilePath)) { throw new ArgumentException("The DLL file path provided was invalid"); } EnterDebugMode(); var dllBytes = File.ReadAllBytes(dllFilePath); _dllBytes = new Memory <byte>(new byte[dllBytes.Length]); dllBytes.CopyTo(_dllBytes); _peImage = new PeImage(dllBytes); _processManager = new ProcessManager(process); _symbolParser = new SymbolParser(RetrieveNtdllFilePath(process), "RtlInsertInvertedFunctionTable", "RtlRemoveInvertedFunctionTable"); }
internal ResourceDirectoryEntry(PeImage image, uint offset, Structures.IMAGE_RESOURCE_DIRECTORY_ENTRY rawEntry, string customName) { this._image = image; this._offset = offset; this._rawEntry = rawEntry; this._customName = customName; }
/// <summary> /// Initialises an instances of the <see cref="LibraryMapper"/> class with the functionality to map a DLL from disk into a process /// </summary> public LibraryMapper(Process process, string dllFilePath, MappingFlags mappingFlags = MappingFlags.None) { if (process is null || process.HasExited) { throw new ArgumentException("The provided process is not currently running"); } if (string.IsNullOrWhiteSpace(dllFilePath) || !File.Exists(dllFilePath)) { throw new ArgumentException("The provided file path did not point to a valid file"); } if (!Environment.Is64BitProcess && process.GetArchitecture() == Architecture.X64) { throw new NotSupportedException("The provided process cannot be mapped into from an x86 build"); } _dllBytes = File.ReadAllBytes(dllFilePath); _fileResolver = new FileResolver(process, Path.GetDirectoryName(dllFilePath)); _mappingFlags = mappingFlags; _peImage = new PeImage(_dllBytes.ToArray()); _processContext = new ProcessContext(process); }
/// <summary> /// Initialises an instances of the <see cref="LibraryMapper"/> class with the functionality to map a DLL from memory into a process /// </summary> public LibraryMapper(Process process, Memory <byte> dllBytes, MappingFlags mappingFlags = MappingFlags.None) { if (process is null || process.HasExited) { throw new ArgumentException("The provided process is not currently running"); } if (dllBytes.IsEmpty) { throw new ArgumentException("The provided DLL bytes were empty"); } if (!Environment.Is64BitProcess && process.GetArchitecture() == Architecture.X64) { throw new NotSupportedException("The provided process cannot be mapped into from an x86 build"); } _dllBytes = dllBytes.ToArray(); _fileResolver = new FileResolver(process, null); _mappingFlags = mappingFlags; _peImage = new PeImage(dllBytes); _processContext = new ProcessContext(process); }
/// <summary> /// Provides the functionality to map a DLL from memory into a remote process /// </summary> public LibraryMapper(Process process, Memory <byte> dllBytes) { // Validate the arguments passed into the constructor if (process == default || process.HasExited) { throw new ArgumentException("The process provided was invalid"); } if (dllBytes.IsEmpty) { throw new ArgumentException("The DLL bytes provided were invalid"); } EnterDebugMode(); _dllBytes = dllBytes; _peImage = new PeImage(dllBytes); _processManager = new ProcessManager(process); _symbolParser = new SymbolParser(_processManager.Modules.First(module => module.Name.Equals("ntdll.dll"))); ValidateArchitecture(); }
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) { if (decrypter == null) { return(false); } var peImage = new PeImage(fileData); if (peImage.Sections.Length <= 0) { return(false); } var methodsData = findMethodsData(peImage, fileData); if (methodsData == null) { return(false); } decrypter.initialize(methodsData); dumpedMethods = createDumpedMethods(peImage, fileData, methodsData); if (dumpedMethods == null) { return(false); } return(true); }
/// <summary> /// Provides the functionality to map a DLL from disk into a remote process /// </summary> public LibraryMapper(Process process, string dllPath) { // Validate the arguments passed into the constructor if (process == default || process.HasExited) { throw new ArgumentException("The process provided was invalid"); } if (string.IsNullOrWhiteSpace(dllPath)) { throw new ArgumentException("The DLL path provided was invalid"); } EnterDebugMode(); _dllBytes = File.ReadAllBytes(dllPath); _peImage = new PeImage(_dllBytes); _processManager = new ProcessManager(process); _symbolParser = new SymbolParser(_processManager.Modules.First(module => module.Name.Equals("ntdll.dll"))); ValidateArchitecture(); }
internal LibraryReference(PeImage image, uint offset, Structures.IMAGE_IMPORT_DESCRIPTOR rawDescriptor, string libraryName, ImportMethod[] importMethods) { this._image = image; this._offset = offset; this._rawDescriptor = rawDescriptor; this.LibraryName = libraryName; this.ImportMethods = importMethods; }
internal ResourceDirectory(PeImage image, uint offset, ResourceDirectoryEntry parentEntry, ResourceDirectoryEntry[] childEntries, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory) { this.image = image; this.ParentEntry = parentEntry; this.ChildEntries = childEntries; this.offset = offset; this.rawDirectory = rawDirectory; }
public DecrypterInfo(MainType mainType, byte[] fileData) { this.mainType = mainType; this.peImage = new PeImage(fileData); this.peHeader = new PeHeader(mainType, peImage); this.mcKey = new McKey(peImage, peHeader); this.fileData = fileData; }
public ProDecrypter(PeImage peImage, CodeHeader codeHeader) : base(peImage, codeHeader) { for (int i = 0; i < 4; i++) { key[i] = be_readUInt32(codeHeader.decryptionKey, i * 4); } }
public MSILAssembler(MethodBody methodBody) { this.MethodBody = methodBody; _disassembler = new MSILDisassembler(methodBody); _image = methodBody.Method._netheader._assembly.Image; _offsetConverter = new OffsetConverter(Section.GetSectionByRva(methodBody.Method._netheader._assembly, methodBody.Method.RVA)); _bodyOffset = _offsetConverter.RvaToFileOffset(methodBody.Method.RVA) + methodBody.HeaderSize; _tokenResolver = methodBody.Method._netheader.TokenResolver; }
static void patchDwords(PeImage peImage, BinaryReader reader, int count) { for (int i = 0; i < count; i++) { uint rva = reader.ReadUInt32(); uint data = reader.ReadUInt32(); peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(data)); } }
internal ResourceDirectory(PeImage image, uint offset, ResourcesReader reader, ResourceDirectoryEntry parentEntry, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory) { this.image = image; this.ParentEntry = parentEntry; this.offset = offset; this.fileOffset = offset + image.ParentAssembly.ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.FileOffset; this.rawDirectory = rawDirectory; this.reader = reader; }
internal ResourceDirectory(PeImage image, uint offset, ResourcesReader reader, ResourceDirectoryEntry parentEntry, PE.Structures.IMAGE_RESOURCE_DIRECTORY rawDirectory) { this._image = image; this.ParentEntry = parentEntry; this._offset = offset; this._fileOffset = offset + image.ParentAssembly._ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.FileOffset; this._rawDirectory = rawDirectory; this._reader = reader; }
byte[] findMethodsData(PeImage peImage, byte[] fileData) { var section = peImage.Sections[0]; var reader = new BinaryReader(new MemoryStream(fileData)); const int RVA_EXECUTIVE_OFFSET = 1 * 4; const int ENC_CODE_OFFSET = 6 * 4; int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData); for (int offset = getStartOffset(peImage); offset < lastOffset;) { offset = findSig(fileData, offset, lastOffset, initializeMethodEnd); if (offset < 0) { return(null); } offset += initializeMethodEnd.Length; short retImm16 = BitConverter.ToInt16(fileData, offset); if (retImm16 != 0x0C && retImm16 != 0x10) { continue; } offset += 2; if (offset + ENC_CODE_OFFSET + 4 > lastOffset) { return(null); } // rva is 0 when the assembly has been embedded int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET); if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0) { continue; } int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET); if (relOffs <= 0 || relOffs >= section.sizeOfRawData) { continue; } reader.BaseStream.Position = section.pointerToRawData + relOffs; int size = DeobUtils.readVariableLengthInt32(reader); int endOffset = relOffs + size; if (endOffset < relOffs || endOffset > section.sizeOfRawData) { continue; } return(reader.ReadBytes(size)); } return(null); }
public McKey(PeImage peImage, PeHeader peHeader) { this.peHeader = peHeader; try { this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000); } catch (IOException) { this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x1000); } }
internal ResourceDataEntry(PeImage image, uint offset, ResourceDirectoryEntry parentEntry, Structures.IMAGE_RESOURCE_DATA_ENTRY rawDataEntry) { this.image = image; this.offset = offset; this.ParentEntry = parentEntry; this.rawDataEntry = rawDataEntry; Section resourceSection = Section.GetSectionByRva(image.assembly, image.assembly.ntHeader.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource].TargetOffset.Rva); targetOffset = OffsetToData - resourceSection.RVA + resourceSection.RawOffset; }
internal EjectDll(InjectionWrapper injectionWrapper) { _injectionMethod = injectionWrapper.InjectionMethod; _injectionFlags = injectionWrapper.InjectionFlags; _peImage = injectionWrapper.PeImage; _process = injectionWrapper.Process; }
public bool patch(PeImage peImage) { try { return(patch2(peImage)); } catch { Log.w("Could not patch the file"); return(false); } }
internal NETMethodReader(PeImage peImage, MethodBody methodbody) { tokenResolver = new MetaDataTokenResolver(peImage.ParentAssembly._netHeader); this.peImage = peImage; this.rva = methodbody.Method.RVA; this.methodbody = methodbody; peImage.SetOffset(Offset.FromRva(rva, peImage.ParentAssembly).FileOffset); rawoffset = (uint)peImage.Stream.Position; signature = peImage.Reader.ReadByte(); }
public PeHeader(MainType mainType, PeImage peImage) { headerData = getPeHeaderData(peImage); if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48) { rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY; rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY; } }
static void clearDllBit(byte[] peImageData) { var mainPeImage = new PeImage(peImageData); uint characteristicsOffset = mainPeImage.FileHeaderOffset + 18; ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset); characteristics &= 0xDFFF; characteristics |= 2; mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics); }
protected InjectionBase(byte[] dllBytes, Process process, InjectionFlags injectionFlags) { DllBytes = dllBytes; InjectionFlags = injectionFlags; PeImage = new PeImage(dllBytes); ProcessManager = new ProcessManager(process); }
internal HijackThread(InjectionWrapper injectionWrapper) { _dllPath = injectionWrapper.DllPath; _injectionFlags = injectionWrapper.InjectionFlags; _peImage = injectionWrapper.PeImage; _process = injectionWrapper.Process; }
internal ResourcesReader(NTHeader header) { this.header = header; this.image = header._assembly._peImage; resourceDirectory = header.OptionalHeader.DataDirectories[(int)DataDirectoryName.Resource]; if (header._assembly._peImage.TrySetOffset(resourceDirectory.TargetOffset.FileOffset)) { stream = header._assembly._peImage.ReadStream((int)resourceDirectory.Size); reader = new BinaryReader(stream); ReadRootDirectory(); } }
public void AfterWeaving() { if (!dotGitDirExists) { return; } try { using (var fileStream = File.Open(AssemblyFilePath, FileMode.Open, FileAccess.ReadWrite)) { var peReader = new PeImage(fileStream); peReader.ReadHeader(); peReader.CalculateCheckSum(); var versionStream = peReader.GetVersionResourceStream(); var reader = new VersionResourceReader(versionStream); var versions = reader.Read(); var fixedFileInfo = versions.FixedFileInfo.Value; fixedFileInfo.FileVersion = assemblyVersion; fixedFileInfo.ProductVersion = assemblyVersion; versions.FixedFileInfo = fixedFileInfo; foreach (var stringTable in versions.StringFileInfo) { if (stringTable.Values.ContainsKey("FileVersion")) { stringTable.Values["FileVersion"] = assemblyVersion.ToString(); } if (stringTable.Values.ContainsKey("ProductVersion")) { stringTable.Values["ProductVersion"] = assemblyInfoVersion; } } versionStream.Position = 0; var writer = new VersionResourceWriter(versionStream); writer.Write(versions); peReader.SetVersionResourceStream(versionStream); peReader.WriteCheckSum(); } } catch (Exception ex) { throw new WeavingException($"Failed to update the assembly information. {ex.Message}"); } }
internal NETHeaderReader(NTHeader header, NETHeader parent) { header.assembly.netHeader = parent; image = header.assembly.peImage; this.ntHeader = header; }
/// <summary> /// Creates a new instance of a disassembler. /// </summary> /// <param name="assembly">The assembly to be disassembled.</param> public x86Disassembler(Win32Assembly assembly) { this.image = assembly.peImage; }
internal x86Assembler(Win32Assembly assembly) { this.image = assembly.peImage; disassembler = assembly.disassembler; offsetConverter = new OffsetConverter(Section.GetSectionByRva(assembly, assembly.ntheader.OptionalHeader.BaseOfCode)); }