private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress)
{
var imageNtHeaders = GetNtHeader(baseAddress);
if (imageNtHeaders == null)
{
return(false);
}
if (imageNtHeaders.Value.OptionalHeader.DelayImportDescriptor.Size > 0)
{
var imageDelayedImportDescriptor =
(PIMAGE_IMPORT_DESCRIPTOR)RvaToPointer(imageNtHeaders.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress);
if (imageDelayedImportDescriptor != null)
{
for (; imageDelayedImportDescriptor.Value.Name > 0; imageDelayedImportDescriptor++)
{
var moduleName = (PCHAR)RvaToPointer(imageDelayedImportDescriptor.Value.Name, baseAddress);
if (moduleName == null)
{
continue;
}
var moduleBase = GetRemoteModuleHandleA(moduleName.ToString());
if (moduleBase == IntPtr.Zero)
{
// todo manual map injection for dependency
InjectDependency(moduleName.ToString());
moduleBase = GetRemoteModuleHandleA(moduleName.ToString());
if (moduleBase == IntPtr.Zero)
{
#if DEBUG
Debug.WriteLine("[ProcessDelayedImportTable] no imports");
#endif
// failed to obtain module handle
continue;
}
}
PIMAGE_THUNK_DATA imageThunkData = null;
PIMAGE_THUNK_DATA imageFuncData = null;
if (imageDelayedImportDescriptor.Value.OriginalFirstThunk > 0)
{
imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.OriginalFirstThunk, baseAddress);
imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress);
}
else
{
imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress);
imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress);
}
for (; imageThunkData.Value.AddressOfData > 0; imageThunkData++, imageFuncData++)
{
IntPtr functionAddress;
var bSnapByOrdinal = ((imageThunkData.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0);
if (bSnapByOrdinal)
{
var ordinal = (short)(imageThunkData.Value.Ordinal & 0xffff);
functionAddress = GetDependencyProcAddressA(moduleBase, new PCHAR(ordinal));
if (functionAddress == IntPtr.Zero)
{
return(false);
}
}
else
{
var imageImportByName = (PIMAGE_IMPORT_BY_NAME)RvaToPointer(imageFuncData.Value.Ordinal, baseAddress);
var mameOfImport = (PCHAR)imageImportByName.Address + /*imageImportByName->Name*/ 2;
functionAddress = GetDependencyProcAddressA(moduleBase, mameOfImport);
}
//ImageFuncData->u1.Function = (size_t)FunctionAddress;
Marshal.WriteInt32(imageFuncData.Address, functionAddress.ToInt32());
}
}
return(true);
}
else
{
#if DEBUG
Debug.WriteLine("[ProcessDelayedImportTable] Size of table confirmed but pointer to data invalid");
#endif
// Size of table confirmed but pointer to data invalid
return(false);
}
}
else
{
// no imports
return(true);
}
}
private bool process_delayed_import_table(IntPtr base_address)
{
var image_nt_headers = get_nt_header(base_address);
if (image_nt_headers == null)
{
return(false);
}
if (image_nt_headers.Value.OptionalHeader.DelayImportDescriptor.Size > 0)
{
var image_delayed_import_descriptor =
(PIMAGE_IMPORT_DESCRIPTOR)rva_to_pointer(image_nt_headers.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, base_address);
if (image_delayed_import_descriptor != null)
{
for (; image_delayed_import_descriptor.Value.Name > 0; image_delayed_import_descriptor++)
{
var module_name = (PCHAR)rva_to_pointer(image_delayed_import_descriptor.Value.Name, base_address);
if (module_name == null)
{
continue;
}
var module_base = get_remote_module_handle_a(module_name.ToString());
if (module_base == IntPtr.Zero)
{
// todo manual map injection for dependency
inject_dependency(module_name.ToString());
module_base = get_remote_module_handle_a(module_name.ToString());
if (module_base == IntPtr.Zero)
{
#if DEBUG
Debug.WriteLine("[process_delayed_import_table] no imports");
#endif
// failed to obtain module handle
continue;
}
}
PIMAGE_THUNK_DATA image_thunk_data = null;
PIMAGE_THUNK_DATA image_func_data = null;
if (image_delayed_import_descriptor.Value.OriginalFirstThunk > 0)
{
image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.OriginalFirstThunk, base_address);
image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address);
}
else
{
image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address);
image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address);
}
for (; image_thunk_data.Value.AddressOfData > 0; image_thunk_data++, image_func_data++)
{
IntPtr function_address;
var snap_by_ordinal = ((image_thunk_data.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0);
if (snap_by_ordinal)
{
var ordinal = (short)(image_thunk_data.Value.Ordinal & 0xffff);
function_address = get_dep_proc_address_a(module_base, new PCHAR(ordinal));
if (function_address == IntPtr.Zero)
{
return(false);
}
}
else
{
var image_import_by_name = (PIMAGE_IMPORT_BY_NAME)rva_to_pointer(image_func_data.Value.Ordinal, base_address);
var name_of_import = (PCHAR)image_import_by_name.Address + /*image_import_by_name->Name*/ 2;
function_address = get_dep_proc_address_a(module_base, name_of_import);
}
//ImageFuncData->u1.Function = (size_t)FunctionAddress;
Marshal.WriteInt32(image_func_data.Address, function_address.ToInt32());
}
}
return(true);
}
else
{
#if DEBUG
Debug.WriteLine("[process_delayed_import_table] Size of table confirmed but pointer to data invalid");
#endif
// Size of table confirmed but pointer to data invalid
return(false);
}
}
else
{
// no imports
return(true);
}
}
