// Token: 0x0600000C RID: 12 RVA: 0x00002190 File Offset: 0x00000390 private IntPtr RvaToPointer(uint rva, IntPtr baseAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(IntPtr.Zero); } return(Imports.ImageRvaToVa(ntHeader.Address, baseAddress, new UIntPtr(rva), IntPtr.Zero)); }
// Token: 0x06000009 RID: 9 RVA: 0x00002110 File Offset: 0x00000310 private PIMAGE_NT_HEADERS32 GetNtHeader(IntPtr address) { PIMAGE_DOS_HEADER dosHeader = this.GetDosHeader(address); if (dosHeader == null) { return(null); } PIMAGE_NT_HEADERS32 pimage_NT_HEADERS = (PIMAGE_NT_HEADERS32)(address + dosHeader.Value.e_lfanew); if (!pimage_NT_HEADERS.Value.isValid) { return(null); } return(pimage_NT_HEADERS); }
// Token: 0x06000019 RID: 25 RVA: 0x000032CC File Offset: 0x000014CC private bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } if (ntHeader.Value.OptionalHeader.TLSTable.Size == 0U) { return(true); } PIMAGE_TLS_DIRECTORY32 pimage_TLS_DIRECTORY = (PIMAGE_TLS_DIRECTORY32)this.RvaToPointer(ntHeader.Value.OptionalHeader.TLSTable.VirtualAddress, baseAddress); if (pimage_TLS_DIRECTORY == null) { return(true); } if (pimage_TLS_DIRECTORY.Value.AddressOfCallBacks == 0U) { return(true); } byte[] array = new byte[1020]; UIntPtr uintPtr; if (!Imports.ReadProcessMemory(this._hProcess, new IntPtr((long)((ulong)pimage_TLS_DIRECTORY.Value.AddressOfCallBacks)), array, out uintPtr)) { return(false); } PDWORD pdword = new PDWORD(array); bool flag = true; uint num = 0U; while (pdword[num] > 0U) { flag = this.CallEntryPoint(remoteAddress, pdword[num], false); if (!flag) { break; } num += 1U; } return(flag); }
// Token: 0x06000013 RID: 19 RVA: 0x00002D48 File Offset: 0x00000F48 private bool ProcessRelocations(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } if ((ntHeader.Value.FileHeader.Characteristics & 1) > 0) { return(true); } uint imageBaseDelta = (uint)((long)remoteAddress.ToInt32() - (long)((ulong)ntHeader.Value.OptionalHeader.ImageBase)); uint size = ntHeader.Value.OptionalHeader.BaseRelocationTable.Size; if (size > 0U) { PIMAGE_BASE_RELOCATION pimage_BASE_RELOCATION = (PIMAGE_BASE_RELOCATION)this.RvaToPointer(ntHeader.Value.OptionalHeader.BaseRelocationTable.VirtualAddress, baseAddress); if (pimage_BASE_RELOCATION == null) { return(false); } PBYTE pbyte = (PBYTE)pimage_BASE_RELOCATION.Address + (int)size; while (pimage_BASE_RELOCATION.Address.ToInt64() < pbyte.Address.ToInt64()) { PBYTE relocationBase = (PBYTE)this.RvaToPointer(pimage_BASE_RELOCATION.Value.VirtualAddress, baseAddress); uint num = pimage_BASE_RELOCATION.Value.SizeOfBlock - 8U >> 1; PWORD pword = (PWORD)(pimage_BASE_RELOCATION + 1).Address; uint num2 = 0U; while (num2 < num) { this.ProcessRelocation(imageBaseDelta, pword.Value, relocationBase); num2 += 1U; pword = ++pword; } pimage_BASE_RELOCATION = (PIMAGE_BASE_RELOCATION)pword.Address; } } return(true); }
// Token: 0x06000016 RID: 22 RVA: 0x0000300C File Offset: 0x0000120C private bool ProcessSections(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader); for (ushort num = 0; num < ntHeader.Value.FileHeader.NumberOfSections; num += 1) { if (!Helpers._stricmp(".reloc".ToCharArray(), pimage_SECTION_HEADER[(uint)num].Name)) { DataSectionFlags characteristics = pimage_SECTION_HEADER[(uint)num].Characteristics; if (characteristics.HasFlag(DataSectionFlags.MemoryRead) || characteristics.HasFlag((DataSectionFlags)2147483648U) || characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { uint sectionProtection = this.GetSectionProtection(pimage_SECTION_HEADER[(uint)num].Characteristics); this.ProcessSection(pimage_SECTION_HEADER[(uint)num].Name, baseAddress, remoteAddress, (ulong)pimage_SECTION_HEADER[(uint)num].PointerToRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualAddress, (ulong)pimage_SECTION_HEADER[(uint)num].SizeOfRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualSize, sectionProtection); } } } return(true); }
// Token: 0x0600001A RID: 26 RVA: 0x000033A0 File Offset: 0x000015A0 private IntPtr LoadImageToMemory(IntPtr baseAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(IntPtr.Zero); } if (ntHeader.Value.FileHeader.NumberOfSections == 0) { return(IntPtr.Zero); } uint num = uint.MaxValue; uint num2 = 0U; PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader); for (uint num3 = 0U; num3 < (uint)ntHeader.Value.FileHeader.NumberOfSections; num3 += 1U) { if (pimage_SECTION_HEADER[num3].VirtualSize != 0U) { if (pimage_SECTION_HEADER[num3].VirtualAddress < num) { num = pimage_SECTION_HEADER[num3].VirtualAddress; } if (pimage_SECTION_HEADER[num3].VirtualAddress + pimage_SECTION_HEADER[num3].VirtualSize > num2) { num2 = pimage_SECTION_HEADER[num3].VirtualAddress + pimage_SECTION_HEADER[num3].VirtualSize; } } } uint size = num2 - num; if (ntHeader.Value.OptionalHeader.ImageBase % 4096U != 0U) { return(IntPtr.Zero); } if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size > 0U) { return(IntPtr.Zero); } IntPtr intPtr = this.RemoteAllocateMemory(size); if (intPtr == IntPtr.Zero) { return(IntPtr.Zero); } if (!this.ProcessImportTable(baseAddress)) { return(IntPtr.Zero); } if (!this.ProcessDelayedImportTable(baseAddress, intPtr)) { return(IntPtr.Zero); } if (!this.ProcessRelocations(baseAddress, intPtr)) { return(IntPtr.Zero); } if (!this.ProcessSections(baseAddress, intPtr)) { return(IntPtr.Zero); } if (!this.ProcessTlsEntries(baseAddress, intPtr)) { return(IntPtr.Zero); } if (ntHeader.Value.OptionalHeader.AddressOfEntryPoint > 0U) { int entrypoint = intPtr.ToInt32() + (int)ntHeader.Value.OptionalHeader.AddressOfEntryPoint; if (!this.CallEntryPoint(intPtr, (uint)entrypoint, this.AsyncInjection)) { return(IntPtr.Zero); } } return(intPtr); }
// Token: 0x06000011 RID: 17 RVA: 0x00002A08 File Offset: 0x00000C08 private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size <= 0U) { return(true); } PIMAGE_IMPORT_DESCRIPTOR pimage_IMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)this.RvaToPointer(ntHeader.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress); if (pimage_IMPORT_DESCRIPTOR != null) { while (pimage_IMPORT_DESCRIPTOR.Value.Name > 0U) { PCHAR pchar = (PCHAR)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.Name, baseAddress); if (pchar != null) { IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString()); if (remoteModuleHandleA == IntPtr.Zero) { this.InjectDependency(pchar.ToString()); remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString()); if (remoteModuleHandleA == IntPtr.Zero) { goto IL_1F6; } } PIMAGE_THUNK_DATA pimage_THUNK_DATA; PIMAGE_THUNK_DATA pimage_THUNK_DATA2; if (pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk > 0U) { pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk, baseAddress); pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); } else { pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress); } while (pimage_THUNK_DATA.Value.AddressOfData > 0U) { IntPtr dependencyProcAddressA; if ((pimage_THUNK_DATA.Value.Ordinal & 2147483648U) > 0U) { short num = (short)(pimage_THUNK_DATA.Value.Ordinal & 65535U); dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(num)); if (dependencyProcAddressA == IntPtr.Zero) { return(false); } } else { PCHAR procName = (PCHAR)((PIMAGE_IMPORT_BY_NAME)this.RvaToPointer(pimage_THUNK_DATA2.Value.Ordinal, baseAddress)).Address + 2; dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, procName); } Marshal.WriteInt32(pimage_THUNK_DATA2.Address, dependencyProcAddressA.ToInt32()); pimage_THUNK_DATA = ++pimage_THUNK_DATA; pimage_THUNK_DATA2 = ++pimage_THUNK_DATA2; } } IL_1F6: pimage_IMPORT_DESCRIPTOR = ++pimage_IMPORT_DESCRIPTOR; } return(true); } return(false); }