////////////////////////////////////////////////////////////////////////////////
// Reads in the image to be injected
////////////////////////////////////////////////////////////////////////////////
internal Boolean ReadSourceImageFile(String sourceImage)
{
String file = System.IO.Path.GetFullPath(sourceImage);
if (!System.IO.File.Exists(file))
{
Console.WriteLine("[-] File Not Found");
return(false);
}
image = System.IO.File.ReadAllBytes(file);
pinnedArray = GCHandle.Alloc(image, GCHandleType.Pinned);
imagePtr = pinnedArray.AddrOfPinnedObject();
imageDosHeader = (Winnt._IMAGE_DOS_HEADER)Marshal.PtrToStructure(imagePtr, typeof(Winnt._IMAGE_DOS_HEADER));
IntPtr ntHeaderPtr = new IntPtr(imagePtr.ToInt64() + imageDosHeader.e_lfanew);
imageFileHeader = (Winnt._IMAGE_FILE_HEADER)Marshal.PtrToStructure(new IntPtr(ntHeaderPtr.ToInt64() + sizeof(UInt32)), typeof(Winnt._IMAGE_FILE_HEADER));
if (is32Bit)
{
imageNTHeader32 = (Winnt._IMAGE_NT_HEADERS)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS));
}
else
{
imageNTHeader64 = (Winnt._IMAGE_NT_HEADERS64)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS64));
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
// Reads in the image to be injected
////////////////////////////////////////////////////////////////////////////////
internal Boolean ReadSourceImageString(String sourceImage)
{
image = Convert.FromBase64String(sourceImage);
pinnedArray = GCHandle.Alloc(image, GCHandleType.Pinned);
imagePtr = pinnedArray.AddrOfPinnedObject();
imageDosHeader = (Winnt._IMAGE_DOS_HEADER)Marshal.PtrToStructure(imagePtr, typeof(Winnt._IMAGE_DOS_HEADER));
IntPtr ntHeaderPtr = new IntPtr(imagePtr.ToInt64() + imageDosHeader.e_lfanew);
imageFileHeader = (Winnt._IMAGE_FILE_HEADER)Marshal.PtrToStructure(new IntPtr(ntHeaderPtr.ToInt64() + sizeof(UInt32)), typeof(Winnt._IMAGE_FILE_HEADER));
if (is32Bit)
{
imageNTHeader32 = (Winnt._IMAGE_NT_HEADERS)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS));
}
else
{
imageNTHeader64 = (Winnt._IMAGE_NT_HEADERS64)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS64));
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private Boolean ReadHeaders(ref BinaryReader binaryReader)
{
binaryReader.ReadUInt32();
imageFileHeader = FromBinaryReader <Winnt._IMAGE_FILE_HEADER>(binaryReader);
if (Winnt.CHARACTERISTICS.IMAGE_FILE_DLL == (imageFileHeader.Characteristics & Winnt.CHARACTERISTICS.IMAGE_FILE_DLL))
{
Console.WriteLine("[*] Injecting DLL");
isDll = true;
}
else if (Winnt.CHARACTERISTICS.IMAGE_FILE_EXECUTABLE_IMAGE == (imageFileHeader.Characteristics & Winnt.CHARACTERISTICS.IMAGE_FILE_EXECUTABLE_IMAGE))
{
Console.WriteLine("[*] Injecting EXE");
isExe = true;
}
foreach (Winnt.CHARACTERISTICS c in (Winnt.CHARACTERISTICS[])Enum.GetValues(typeof(Winnt.CHARACTERISTICS)))
{
if ((UInt16)c == (UInt16)(c & imageFileHeader.Characteristics))
{
Console.WriteLine("[*] PE Characteristic: {0}", (Winnt.CHARACTERISTICS)(c & imageFileHeader.Characteristics));
}
}
UInt16 subsystem = 0;
switch (imageFileHeader.Machine)
{
case Winnt.IMAGE_FILE_MACHINE.IMAGE_FILE_MACHINE_I386:
imageOptionalHeader32 = FromBinaryReader <Winnt._IMAGE_OPTIONAL_HEADER>(binaryReader);
sizeOfImage = imageOptionalHeader32.SizeOfImage;
baseRelocationTableAddress = imageOptionalHeader32.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.BaseRelocationTable].VirtualAddress;
importTableAddress = imageOptionalHeader32.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.ImportTable].VirtualAddress;
addressOfEntryPoint = imageOptionalHeader32.AddressOfEntryPoint;
imageBase = imageOptionalHeader32.ImageBase;
subsystem = (UInt16)imageOptionalHeader32.Subsystem;
dllCharacteristics = (UInt16)imageOptionalHeader32.DllCharacteristics;
is64Bit = false;
break;
case Winnt.IMAGE_FILE_MACHINE.IMAGE_FILE_MACHINE_AMD64:
imageOptionalHeader64 = FromBinaryReader <Winnt._IMAGE_OPTIONAL_HEADER64>(binaryReader);
sizeOfImage = imageOptionalHeader64.SizeOfImage;
baseRelocationTableAddress = imageOptionalHeader64.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.BaseRelocationTable].VirtualAddress;
importTableAddress = imageOptionalHeader64.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.ImportTable].VirtualAddress;
addressOfEntryPoint = imageOptionalHeader64.AddressOfEntryPoint;
imageBase = imageOptionalHeader64.ImageBase;
subsystem = (UInt16)imageOptionalHeader64.Subsystem;
dllCharacteristics = (UInt16)imageOptionalHeader64.DllCharacteristics;
is64Bit = true;
break;
default:
return(false);
}
;
Console.WriteLine("[+] ImageBase: 0x{0}", imageBase.ToString("X4"));
Console.WriteLine("[+] EntryPoint: 0x{0}", addressOfEntryPoint.ToString("X4"));
foreach (Winnt.SUBSYSTEM ss in (Winnt.SUBSYSTEM[])Enum.GetValues(typeof(Winnt.SUBSYSTEM)))
{
if ((UInt16)ss == ((UInt16)ss & subsystem))
{
Console.WriteLine("[*] PE SubSystem: {0}", (Winnt.SUBSYSTEM)((UInt16)ss & subsystem));
}
}
foreach (Winnt.DLL_CHARACTERISTICS dll in (Winnt.DLL_CHARACTERISTICS[])Enum.GetValues(typeof(Winnt.DLL_CHARACTERISTICS)))
{
if ((UInt16)dll == ((UInt16)dll & dllCharacteristics))
{
Console.WriteLine("[*] DLL Characteristics: {0}", (Winnt.DLL_CHARACTERISTICS)((UInt16)dll & dllCharacteristics));
}
}
imageSectionHeaders = new Winnt._IMAGE_SECTION_HEADER[(Int32)imageFileHeader.NumberOfSections];
for (int i = 0; i < (Int32)imageFileHeader.NumberOfSections; ++i)
{
imageSectionHeaders[i] = FromBinaryReader <Winnt._IMAGE_SECTION_HEADER>(binaryReader);
}
return(true);
}
