public MainForm()
{
// Sets up stealth calls for native funcs to try to avoid api hooking
NativeStealth.SetStealthMode(NativeStealthType.ManualInvoke);
InitializeComponent();
UIThemeManager.OnThemeChanged(this, OnThemeChanged_Implementation);
this.SetThemeAware();
MaximizeBox = true;
MinimizeBox = true;
}
/// <summary>
/// Set correct module section permissions.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author> (modified for external ProcessEx)
/// <param name="PEINFO">Module meta data struct (PE.PE_META_DATA).</param>
/// <param name="ModuleMemoryBase">Base address of the module in memory.</param>
/// <returns>void</returns>
public void MMSetModuleSectionPermissions(PE_META_DATA PEINFO, IntPtr ModuleMemoryBase, byte[] rawData)
{
// Apply RO to the module header
IntPtr BaseOfCode = PEINFO.Is32Bit ? (IntPtr)PEINFO.OptHeader32.BaseOfCode : (IntPtr)PEINFO.OptHeader64.BaseOfCode;
NativeStealth.VirtualProtectEx(Handle, ModuleMemoryBase, BaseOfCode.ToInt32(), (int)Native.PAGE_READONLY, out _);
// Apply section permissions
foreach (IMAGE_SECTION_HEADER ish in PEINFO.Sections)
{
bool isRead = (ish.Characteristics & DataSectionFlags.MEM_READ) != 0;
bool isWrite = (ish.Characteristics & DataSectionFlags.MEM_WRITE) != 0;
bool isExecute = (ish.Characteristics & DataSectionFlags.MEM_EXECUTE) != 0;
uint flNewProtect = 0;
if (isRead & !isWrite & !isExecute)
{
flNewProtect = Native.PAGE_READONLY;
}
else if (isRead & isWrite & !isExecute)
{
flNewProtect = Native.PAGE_READWRITE;
}
else if (isRead & isWrite & isExecute)
{
flNewProtect = Native.PAGE_EXECUTE_READWRITE;
}
else if (isRead & !isWrite & isExecute)
{
flNewProtect = Native.PAGE_EXECUTE_READ;
}
else if (!isRead & !isWrite & isExecute)
{
flNewProtect = Native.PAGE_EXECUTE;
}
else
{
throw new InvalidOperationException(DSTR(DSTR_UNK_SEC_FLAG, ish.Characteristics));
}
// Calculate base
IntPtr pVirtualSectionBase = (IntPtr)((UInt64)ModuleMemoryBase + ish.VirtualAddress);
IntPtr ProtectSize = (IntPtr)ish.VirtualSize;
// Set protection
NativeStealth.VirtualProtectEx(Handle, pVirtualSectionBase, ProtectSize.ToInt32(), (int)flNewProtect, out _);
}
}
public bool TryMapModule(out PointerEx hModule)
{
var sModule = new PEImage(RawDLL);
hModule = NativeStealth.VirtualAllocEx(HostProcess.Handle, 0, (uint)sModule.Headers.PEHeader.SizeOfImage, Native.AllocationType.Commit | Native.AllocationType.Reserve, Native.MemoryProtection.ReadOnly);
if (!hModule)
{
throw new Exception("Unable to allocate enough memory to map the module");
}
try
{
MMLoadDependencies(sModule, hModule);
}
catch
{
if (HostProcess.Handle)
{
ProcessEx.VirtualFreeEx(HostProcess.Handle, hModule, (uint)sModule.Headers.PEHeader.SizeOfImage, (int)FreeType.Release);
}
throw;
}
ModuleHandle = hModule;
return(true);
}