private uint GetSectionProtection(DataSectionFlags characteristics)
{
uint result = 0;
if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached))
result |= /*PAGE_NOCACHE*/ 0x200;
if (characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
result |= /*PAGE_EXECUTE_READWRITE*/ 0x40;
else
result |= /*PAGE_EXECUTE_READ*/ 0x20;
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
result |= /*PAGE_EXECUTE_WRITECOPY*/ 0x80;
else
result |= /*PAGE_EXECUTE*/ 0x10;
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
result |= /*PAGE_READWRITE*/ 0x04;
else
result |= /*PAGE_READONLY*/ 0x02;
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
result |= /*PAGE_WRITECOPY*/ 0x08;
else
result |= /*PAGE_NOACCESS*/ 0x01;
return result;
}
private static Protection ChooseMemoryProtection(DataSectionFlags sectionFlags)
{
switch (sectionFlags & (DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite))
{
default:
return(Protection.PAGE_NOACCESS);
case DataSectionFlags.MemoryRead:
return(Protection.PAGE_READONLY);
case DataSectionFlags.MemoryWrite:
return(Protection.PAGE_WRITECOPY);
case DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite:
return(Protection.PAGE_READWRITE);
case DataSectionFlags.MemoryExecute:
return(Protection.PAGE_EXECUTE);
case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead:
return(Protection.PAGE_EXECUTE_READ);
case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryWrite:
return(Protection.PAGE_EXECUTE_WRITECOPY);
case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite:
return(Protection.PAGE_EXECUTE_READWRITE);
}
}
internal ImageSectionInfo(ImageSectionHeader struc, int number, IntPtr address)
{
Number = number;
Name = struc.Section;
Address = address;
Size = (int)struc.VirtualSize;
Characteristics = struc.Characteristics;
}
public IMAGE_SECTION_HEADER AddSection(string szSectionName, ulong uSize, DataSectionFlags Flag)
{
// 섹션을 한칸 늘리고 SizeOfImage 를 추가함 다시 읽어옴
NtHeader.FileHeader.NumberOfSections++;
NtHeader.OptionalHeader.SizeOfImage += (uint)VirtualAlign(uSize);
/*
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
*/
// 그냥 샘.
NtHeader.OptionalHeader.DataDirectory[11].VirtualAddress = 0;
NtHeader.OptionalHeader.DataDirectory[11].Size = 0;
StructureToBytes(DosHeader.e_lfanew, NtHeader);
ReadSection();
// 섹션을 작성함
ulong LastSection = (ulong)NtHeader.FileHeader.NumberOfSections - 1;
byte[] tmpSecName = Encoding.ASCII.GetBytes(szSectionName);
byte[] StrByte = new byte[8];
Buffer.BlockCopy(tmpSecName, 0, StrByte, 0, tmpSecName.Length);
SecHeader[LastSection].Name = StrByte;
SecHeader[LastSection].VirtualAddress = (uint)VirtualAlign(SecHeader[LastSection - 1].VirtualAddress + SecHeader[LastSection - 1].VirtualSize);
SecHeader[LastSection].VirtualSize = (uint)VirtualAlign(uSize);
SecHeader[LastSection].PointerToRawData = (uint)RawAlign(SecHeader[LastSection - 1].PointerToRawData + SecHeader[LastSection - 1].SizeOfRawData);
SecHeader[LastSection].SizeOfRawData = (uint)RawAlign(uSize);
SecHeader[LastSection].Characteristics = Flag;
StructureToBytes(DosHeader.e_lfanew + 248 + 40 * (int)LastSection, SecHeader[LastSection]);
// 바이너리 추가 (realloc)
byte[] temp = new byte[FileBinary.Length + (uint)RawAlign(uSize)];
FileBinary.CopyTo(temp, 0);
FileBinary = new byte[temp.Length];
temp.CopyTo(FileBinary, 0);
return(SecHeader[LastSection]);
}
private uint get_section_protection(DataSectionFlags characteristics)
{
uint result = 0;
if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached))
{
result |= /*PAGE_NOCACHE*/ 0x200;
}
if (characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
result |= /*PAGE_EXECUTE_READWRITE*/ 0x40;
}
else
{
result |= /*PAGE_EXECUTE_READ*/ 0x20;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
result |= /*PAGE_EXECUTE_WRITECOPY*/ 0x80;
}
else
{
result |= /*PAGE_EXECUTE*/ 0x10;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
result |= /*PAGE_READWRITE*/ 0x04;
}
else
{
result |= /*PAGE_READONLY*/ 0x02;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
result |= /*PAGE_WRITECOPY*/ 0x08;
}
else
{
result |= /*PAGE_NOACCESS*/ 0x01;
}
return(result);
}
// Token: 0x06000014 RID: 20 RVA: 0x00002E90 File Offset: 0x00001090
private uint GetSectionProtection(DataSectionFlags characteristics)
{
uint num = 0U;
if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached))
{
num |= 512U;
}
if (characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag((DataSectionFlags)2147483648U))
{
num |= 64U;
}
else
{
num |= 32U;
}
}
else if (characteristics.HasFlag((DataSectionFlags)2147483648U))
{
num |= 128U;
}
else
{
num |= 16U;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag((DataSectionFlags)2147483648U))
{
num |= 4U;
}
else
{
num |= 2U;
}
}
else if (characteristics.HasFlag((DataSectionFlags)2147483648U))
{
num |= 8U;
}
else
{
num |= 1U;
}
return(num);
}
// Token: 0x06000014 RID: 20 RVA: 0x00002E90 File Offset: 0x00001090
private uint GetSectionProtection(DataSectionFlags characteristics)
{
uint num = 0u;
if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached))
{
num |= 512u;
}
if (characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag((DataSectionFlags)2147483648u))
{
num |= 64u;
}
else
{
num |= 32u;
}
}
else if (characteristics.HasFlag((DataSectionFlags)2147483648u))
{
num |= 128u;
}
else
{
num |= 16u;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag((DataSectionFlags)2147483648u))
{
num |= 4u;
}
else
{
num |= 2u;
}
}
else if (characteristics.HasFlag((DataSectionFlags)2147483648u))
{
num |= 8u;
}
else
{
num |= 1u;
}
return(num);
}
/// <summary>
/// Setup internal data based on given input read from native image.
/// </summary>
bool IBinaryConverter <ImageSectionHeader> .Convert(ref ImageSectionHeader s, uint startOffset, uint size)
{
DataSize = s.SizeOfRawData;
DataAddress = s.PointerToRawData;
RelocationAddress = s.PointerToRelocations;
LineNumberAddress = s.PointerToLinenumbers;
RelocationCount = s.NumberOfRelocations;
LineNumberCount = s.NumberOfLinenumbers;
Characteristics = (DataSectionFlags)s.Characteristics;
UpdateFileInfo(GetName(s.Name), startOffset, size);
UpdateVirtualInfo(s.VirtualAddress, s.PhysicalAddressOrVirtualSize);
return(true);
}
// Token: 0x06000016 RID: 22 RVA: 0x0000300C File Offset: 0x0000120C
private bool ProcessSections(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader);
for (ushort num = 0; num < ntHeader.Value.FileHeader.NumberOfSections; num += 1)
{
if (!Helpers._stricmp(".reloc".ToCharArray(), pimage_SECTION_HEADER[(uint)num].Name))
{
DataSectionFlags characteristics = pimage_SECTION_HEADER[(uint)num].Characteristics;
if (characteristics.HasFlag(DataSectionFlags.MemoryRead) || characteristics.HasFlag((DataSectionFlags)2147483648U) || characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
uint sectionProtection = this.GetSectionProtection(pimage_SECTION_HEADER[(uint)num].Characteristics);
this.ProcessSection(pimage_SECTION_HEADER[(uint)num].Name, baseAddress, remoteAddress, (ulong)pimage_SECTION_HEADER[(uint)num].PointerToRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualAddress, (ulong)pimage_SECTION_HEADER[(uint)num].SizeOfRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualSize, sectionProtection);
}
}
}
return(true);
}
private static int GetSectionProtection(DataSectionFlags characteristics)
{
var protection = 0;
// Calculate the sections protection
if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached))
{
protection |= (int)MemoryProtection.PageNoCache;
}
if (characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
protection |= (int)MemoryProtection.PageExecuteReadWrite;
}
else
{
protection |= (int)MemoryProtection.PageExecuteRead;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
protection |= (int)MemoryProtection.PageExecuteWriteCopy;
}
else
{
protection |= (int)MemoryProtection.PageExecute;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryRead))
{
if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
protection |= (int)MemoryProtection.PageReadWrite;
}
else
{
protection |= (int)MemoryProtection.PageReadOnly;
}
}
else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite))
{
protection |= (int)MemoryProtection.PageWriteCopy;
}
else
{
protection |= (int)MemoryProtection.PageNoAccess;
}
return(protection);
}
public bool HasFlag(DataSectionFlags flag)
{
return((this.Characteristics & flag) == flag);
}
