Ejemplo n.º 1
        /// <summary>
        /// Loads a unmanged (native) DLL in the memory.
        /// </summary>
        /// <param name="data">Dll as a byte array</param>
        public MemoryModule(byte[] data)
            if (data == null)
                throw new ArgumentNullException("data");

            _headers     = null;
            _codeBase    = null;
            _pageSize    = 0;
            _modules     = new List <HCoustomMudule>();
            _initialized = false;
            _exeEntry    = null;
            _dllEntry    = null;

            Disposed     = false;
            _isRelocated = false;

Ejemplo n.º 2
    void MemoryLoadLibrary(byte[] data)
        if (data.Length < Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)))
            throw new DllException("Not a valid executable file");
        IMAGE_DOS_HEADER DosHeader = BytesReadStructAt <IMAGE_DOS_HEADER>(data, 0);

        if (DosHeader.e_magic != Win.IMAGE_DOS_SIGNATURE)
            throw new BadImageFormatException("Not a valid executable file");

        if (data.Length < DosHeader.e_lfanew + Marshal.SizeOf(typeof(IMAGE_NT_HEADERS)))
            throw new DllException("Not a valid executable file");
        IMAGE_NT_HEADERS OrgNTHeaders = BytesReadStructAt <IMAGE_NT_HEADERS>(data, DosHeader.e_lfanew);

        if (OrgNTHeaders.Signature != Win.IMAGE_NT_SIGNATURE)
            throw new BadImageFormatException("Not a valid PE file");
        if (OrgNTHeaders.FileHeader.Machine != GetMachineType())
            throw new BadImageFormatException("Machine type doesn't fit (i386 vs. AMD64)");
        if ((OrgNTHeaders.OptionalHeader.SectionAlignment & 1) > 0)
            throw new BadImageFormatException("Wrong section alignment");                                                         //Only support multiple of 2
        if (OrgNTHeaders.OptionalHeader.AddressOfEntryPoint == 0)
            throw new DllException("Module has no entry point");

        SYSTEM_INFO systemInfo;

        Win.GetNativeSystemInfo(out systemInfo);
        uint lastSectionEnd = 0;
        int  ofSection      = Win.IMAGE_FIRST_SECTION(DosHeader.e_lfanew, OrgNTHeaders.FileHeader.SizeOfOptionalHeader);

        for (int i = 0; i != OrgNTHeaders.FileHeader.NumberOfSections; i++, ofSection += Sz.IMAGE_SECTION_HEADER)
            IMAGE_SECTION_HEADER Section = BytesReadStructAt <IMAGE_SECTION_HEADER>(data, ofSection);
            uint endOfSection            = Section.VirtualAddress + (Section.SizeOfRawData > 0 ? Section.SizeOfRawData : OrgNTHeaders.OptionalHeader.SectionAlignment);
            if (endOfSection > lastSectionEnd)
                lastSectionEnd = endOfSection;

        uint alignedImageSize   = AlignValueUp(OrgNTHeaders.OptionalHeader.SizeOfImage, systemInfo.dwPageSize);
        uint alignedLastSection = AlignValueUp(lastSectionEnd, systemInfo.dwPageSize);

        if (alignedImageSize != alignedLastSection)
            throw new BadImageFormatException("Wrong section alignment");

        IntPtr oldHeader_OptionalHeader_ImageBase;

        if (Is64BitProcess)
            oldHeader_OptionalHeader_ImageBase = (IntPtr) unchecked ((long)(OrgNTHeaders.OptionalHeader.ImageBaseLong));
            oldHeader_OptionalHeader_ImageBase = (IntPtr) unchecked ((int)(OrgNTHeaders.OptionalHeader.ImageBaseLong >> 32));

        // reserve memory for image of library
        pCode = Win.VirtualAlloc(oldHeader_OptionalHeader_ImageBase, (UIntPtr)OrgNTHeaders.OptionalHeader.SizeOfImage, AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.READWRITE);
        //pCode = IntPtr.Zero; //test relocation with this

        // try to allocate memory at arbitrary position
        if (pCode == IntPtr.Zero)
            pCode = Win.VirtualAlloc(IntPtr.Zero, (UIntPtr)OrgNTHeaders.OptionalHeader.SizeOfImage, AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.READWRITE);

        if (pCode == IntPtr.Zero)
            throw new DllException("Out of Memory");

        if (Is64BitProcess && PtrSpanBoundary(pCode, alignedImageSize, 32))
            // Memory block may not span 4 GB (32 bit) boundaries.
            System.Collections.Generic.List <IntPtr> BlockedMemory = new System.Collections.Generic.List <IntPtr>();
            while (PtrSpanBoundary(pCode, alignedImageSize, 32))
                pCode = Win.VirtualAlloc(IntPtr.Zero, (UIntPtr)alignedImageSize, AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.READWRITE);
                if (pCode == IntPtr.Zero)
            foreach (IntPtr ptr in BlockedMemory)
                Win.VirtualFree(ptr, IntPtr.Zero, AllocationType.RELEASE);
            if (pCode == IntPtr.Zero)
                throw new DllException("Out of Memory");

        // commit memory for headers
        IntPtr headers = Win.VirtualAlloc(pCode, (UIntPtr)OrgNTHeaders.OptionalHeader.SizeOfHeaders, AllocationType.COMMIT, MemoryProtection.READWRITE);

        if (headers == IntPtr.Zero)
            throw new DllException("Out of Memory");

        // copy PE header to code
        Marshal.Copy(data, 0, headers, (int)(OrgNTHeaders.OptionalHeader.SizeOfHeaders));
        pNTHeaders = PtrAdd(headers, DosHeader.e_lfanew);

        IntPtr locationDelta = PtrSub(pCode, oldHeader_OptionalHeader_ImageBase);

        if (locationDelta != IntPtr.Zero)
            // update relocated position
            Marshal.OffsetOf(typeof(IMAGE_NT_HEADERS), "OptionalHeader");
            Marshal.OffsetOf(typeof(IMAGE_OPTIONAL_HEADER), "ImageBaseLong");
            IntPtr pImageBase = PtrAdd(pNTHeaders, Of.IMAGE_NT_HEADERS_OptionalHeader + (Is64BitProcess ? Of64.IMAGE_OPTIONAL_HEADER_ImageBase : Of32.IMAGE_OPTIONAL_HEADER_ImageBase));
            PtrWrite(pImageBase, pCode);

        // copy sections from DLL file block to new memory location
        CopySections(ref OrgNTHeaders, pCode, pNTHeaders, data);

        // adjust base address of imported data
        _isRelocated = (locationDelta != IntPtr.Zero ? PerformBaseRelocation(ref OrgNTHeaders, pCode, locationDelta) : true);

        // load required dlls and adjust function table of imports
        ImportModules = BuildImportTable(ref OrgNTHeaders, pCode);

        // mark memory pages depending on section headers and release
        // sections that are marked as "discardable"
        FinalizeSections(ref OrgNTHeaders, pCode, pNTHeaders, systemInfo.dwPageSize);

        // TLS callbacks are executed BEFORE the main loading
        ExecuteTLS(ref OrgNTHeaders, pCode, pNTHeaders);

        // get entry point of loaded library
        IsDll = ((OrgNTHeaders.FileHeader.Characteristics & Win.IMAGE_FILE_DLL) != 0);
        if (OrgNTHeaders.OptionalHeader.AddressOfEntryPoint != 0)
            if (IsDll)
                // notify library about attaching to process
                IntPtr dllEntryPtr = PtrAdd(pCode, OrgNTHeaders.OptionalHeader.AddressOfEntryPoint);
                _dllEntry = (DllEntryDelegate)Marshal.GetDelegateForFunctionPointer(dllEntryPtr, typeof(DllEntryDelegate));

                _initialized = (_dllEntry != null && _dllEntry(pCode, DllReason.DLL_PROCESS_ATTACH, IntPtr.Zero));
                if (!_initialized)
                    throw new DllException("Can't attach DLL to process");
                IntPtr exeEntryPtr = PtrAdd(pCode, OrgNTHeaders.OptionalHeader.AddressOfEntryPoint);
                _exeEntry = (ExeEntryDelegate)Marshal.GetDelegateForFunctionPointer(exeEntryPtr, typeof(ExeEntryDelegate));
Ejemplo n.º 3
        private void MemoryLoadLibrary(byte[] data)
            IMAGE_DOS_HEADER *    dosHeader;
            IMAGE_NT_HEADERS *    oldHeader;
            IMAGE_SECTION_HEADER *section;
            SYSTEM_INFO           systemInfo;
            void *   dllEntryPtr;
            void *   exeEntryPtr;
            byte *   headers, dataPtr, code;
            SizeT    optionalSectionSize;
            SizeT    lastSectionEnd = 0;
            SizeT    alignedImageSize;
            PtrDiffT locationDelta;

            _dataHandle = GCHandle.Alloc(data, GCHandleType.Pinned);
            if (!_dataHandle.IsAllocated)
                throw new NativeDllLoadException("Can't allocate memory.");

            dataPtr = (byte *)_dataHandle.AddrOfPinnedObject();

            dosHeader = (IMAGE_DOS_HEADER *)dataPtr;
            if (dosHeader->e_magic != Win.IMAGE_DOS_SIGNATURE)
                throw new BadImageFormatException("Not a valid executable file.");

            oldHeader = (IMAGE_NT_HEADERS *)(dataPtr + dosHeader->e_lfanew);
            if (oldHeader->Signature != Win.IMAGE_NT_SIGNATURE)
                throw new BadImageFormatException("Not a valid PE file.");

            if (oldHeader->FileHeader.Machine != GetMachineType())
                throw new BadImageFormatException("Machine type doesn't fit. (i386 vs. AMD64)");

            if ((oldHeader->OptionalHeader.SectionAlignment & 1) > 0)
                throw new BadImageFormatException("Wrong section alignment");

            section             = Win.IMAGE_FIRST_SECTION(oldHeader);
            optionalSectionSize = oldHeader->OptionalHeader.SectionAlignment;
            for (int i = 0; i < oldHeader->FileHeader.NumberOfSections; i++, section++)
                SizeT endOfSection;
                if (section->SizeOfRawData == 0) // Section without data in the DLL
                    endOfSection = section->VirtualAddress + optionalSectionSize;
                    endOfSection = section->VirtualAddress + section->SizeOfRawData;

                if (endOfSection > lastSectionEnd)
                    lastSectionEnd = endOfSection;

            alignedImageSize = AlignValueUp(oldHeader->OptionalHeader.SizeOfImage, systemInfo.dwPageSize);
            if (alignedImageSize != AlignValueUp(lastSectionEnd, systemInfo.dwPageSize))
                throw new BadImageFormatException("Wrong section alignment.");

            code = (byte *)Win.VirtualAlloc(
                (void *)(oldHeader->OptionalHeader.ImageBase),
                AllocationType.RESERVE | AllocationType.COMMIT,

            if (code == null)
                code = (byte *)Win.VirtualAlloc(
                    AllocationType.RESERVE | AllocationType.COMMIT,

            if (code == null)
                throw new NativeDllLoadException("Out of Memory");

#if WIN64
            while ((((ulong)code) >> 32) < (((ulong)(code + alignedImageSize)) >> 32))

                code = (byte *)Win.VirtualAlloc(
                    AllocationType.RESERVE | AllocationType.COMMIT,

                if (code == null)
                    throw new NativeDllLoadException("Out of Memory");

            _pageSize = systemInfo.dwPageSize;
            _codeBase = code;
            IsDll     = (oldHeader->FileHeader.Characteristics & Win.IMAGE_FILE_DLL) != 0;

            headers = (byte *)Win.VirtualAlloc(

            if (headers == null)
                throw new NativeDllLoadException("Out of Memory");

            Marshal.Copy(data, 0, (IntPtr)headers, (int)(dosHeader->e_lfanew + oldHeader->OptionalHeader.SizeOfHeaders));
            _headers = (IMAGE_NT_HEADERS *)&(headers)[dosHeader->e_lfanew];

            _headers->OptionalHeader.ImageBase = (UIntPtrT)code;

            CopySections(data, oldHeader);

            locationDelta = (PtrDiffT)(_headers->OptionalHeader.ImageBase - oldHeader->OptionalHeader.ImageBase);
            if (locationDelta != 0)
                _isRelocated = PerformBaseRelocation(locationDelta);
                _isRelocated = true;


            if (_headers->OptionalHeader.AddressOfEntryPoint == 0)
                throw new NativeDllLoadException("DLL has no entry point");

            if (IsDll)
                dllEntryPtr = code + _headers->OptionalHeader.AddressOfEntryPoint;
                _dllEntry   = (DllEntryDelegate)Marshal.GetDelegateForFunctionPointer((IntPtr)dllEntryPtr, typeof(DllEntryDelegate));

                if (_dllEntry != null && _dllEntry(code, DllReason.DLL_PROCESS_ATTACH, null))
                    _initialized = true;
                    _initialized = false;
                    throw new NativeDllLoadException("Can't attach DLL to process.");
                exeEntryPtr = code + _headers->OptionalHeader.AddressOfEntryPoint;
                _exeEntry   = Marshal.GetDelegateForFunctionPointer <ExeEntryDelegate>((IntPtr)exeEntryPtr);