private static byte *FindKernelProcedure(string szName)
{
ulong ntoskrnlHandle = NT.LoadLibrary("ntoskrnl.exe");
ulong kernelBase = GetKernelBase();
ulong functionPointer = NT.GetProcAddress(ntoskrnlHandle, szName);
return((byte *)(functionPointer - ntoskrnlHandle + kernelBase));
}
public void FixImportTable(UInt32 localImage, NT.IMAGE_OPTIONAL_HEADER64 optionalHeader)
{
NT.IMAGE_IMPORT_DESCRIPTOR *importDescriptor = (NT.IMAGE_IMPORT_DESCRIPTOR *)(localImage + optionalHeader.ImportTable.VirtualAddress);
for (; importDescriptor->FirstThunk > 0; ++importDescriptor)
{
string libraryName = Marshal.PtrToStringAnsi((IntPtr)(localImage + importDescriptor->Name));
// RECODE THIS, THIS IS STUPID & DANGEROUS
// I AM ONLY DOING THIS BECAUSE OF API-SET DLLS
// I COULDNT BE ARSED TO MAKE A PINVOKE FOR ApiSetResolveToHost
ulong localLibraryHandle = NT.LoadLibrary(libraryName);
libraryName = NTM.GetModuleBaseName(Process.GetCurrentProcess().Handle, localLibraryHandle).ToLower();
// IF WE MAPPED DEPENDENCY EARLIER, WE SHOULD USE RVA
// INSTEAD OF STATIC MEMORY ADDRESS
bool mappedDependency = MappedModules.TryGetValue(libraryName, out ulong remoteLibraryHandle);
bool linkedInProcess = LinkedModules.TryGetValue(libraryName, out remoteLibraryHandle);
if (!mappedDependency && !linkedInProcess) // DEPENDENCY NOT FOUND, MAP IT!
{
string dependencyPath = Tools.FindDll(libraryName);
// SKIP IF DEPENDENCY COULDN'T BE FOUND
if (dependencyPath == null)
{
continue;
}
// [8:44 PM] markhc: i had something similar
// [8:44 PM] markhc: it was deep inside CRT initialization(edited)
// [8:45 PM] Ch40zz: how did you fix it?
// [8:46 PM] markhc: i didnt fix it
// [8:46 PM] markhc: i thought it was something wrong with my manual mapper code, but i couldnt figure out what was it
// [8:46 PM] markhc: so i threw it all away
if (libraryName == "msvcp140.dll")
{
var tempOptions = Options;
tempOptions.EraseHeaders = false;
new LoadLibraryInjection(TargetProcess, TypeOfExecution, tempOptions).InjectImage(dependencyPath);
--importDescriptor;
continue;
}
remoteLibraryHandle = MapImage(libraryName, File.ReadAllBytes(dependencyPath));
mappedDependency = true;
}
UInt32 *functionAddress = (UInt32 *)(localImage + importDescriptor->FirstThunk);
UInt32 *importEntry = (UInt32 *)(localImage + importDescriptor->OriginalFirstThunk);
do
{
ulong procNamePointer = *importEntry < 0x8000000000000000 /*IMAGE_ORDINAL_FLAG64*/ ? // IS ORDINAL?
localImage + *importEntry + sizeof(ushort) /*SKIP HINT*/ : // FUNCTION BY NAME
*importEntry & 0xFFFF; // ORDINAL
var localFunctionPointer = NT.GetProcAddress(localLibraryHandle, procNamePointer);
var rva = localFunctionPointer - localLibraryHandle;
// SET NEW FUNCTION POINTER
*functionAddress = (UInt32)(mappedDependency ? remoteLibraryHandle + rva : localFunctionPointer);
// GET NEXT ENTRY
++functionAddress;
++importEntry;
} while (*importEntry > 0);
}
}
