private static void MapSections(PortableExecutable image, IntPtr hProcess, IntPtr pModule) { //very straightforward really. Just iterate through all the sections and map them to their desired virtual addresses in the remote process. //I'm not 100% sure about how well masking the section header characteristics and passing them off as memory protection constants goes. But //so far I haven't hit any issues. (i.e a section header with characteristics "IMAGE_SCN_TYPE_NO_PAD" will set "PAGE_WRITECOPY" memory protection. byte[] databuffer; uint n; foreach (var pSecHd in image.EnumSectionHeaders()) { databuffer = new byte[pSecHd.SizeOfRawData]; if (image.Read(pSecHd.PointerToRawData, SeekOrigin.Begin, databuffer)) { if ((pSecHd.Characteristics & 0x02000000) == 0) //can actually ignore this section (usually the reloc section) { WinAPI.WriteProcessMemory(hProcess, pModule.Add(pSecHd.VirtualAddress), databuffer, databuffer.Length, out n); WinAPI.VirtualProtectEx(hProcess, pModule.Add(pSecHd.VirtualAddress), pSecHd.SizeOfRawData, pSecHd.Characteristics & 0x00FFFFFF, out n); } } else { throw image.GetLastError(); } } }
// Token: 0x06000120 RID: 288 RVA: 0x0000DAC8 File Offset: 0x0000BCC8 private static void MapSections(PortableExecutable image, IntPtr hProcess, IntPtr pModule) { foreach (IMAGE_SECTION_HEADER image_SECTION_HEADER in image.EnumSectionHeaders()) { byte[] array = new byte[image_SECTION_HEADER.SizeOfRawData]; if (!image.Read((long)((ulong)image_SECTION_HEADER.PointerToRawData), SeekOrigin.Begin, array)) { throw image.GetLastError(); } if ((image_SECTION_HEADER.Characteristics & 33554432u) == 0u) { uint num; WinAPI.WriteProcessMemory(hProcess, pModule.Add((long)((ulong)image_SECTION_HEADER.VirtualAddress)), array, array.Length, out num); WinAPI.VirtualProtectEx(hProcess, pModule.Add((long)((ulong)image_SECTION_HEADER.VirtualAddress)), image_SECTION_HEADER.SizeOfRawData, image_SECTION_HEADER.Characteristics & 16777215u, out num); } } }