private IEnumerable <PEImport> GetImports(int lpOffsetTable, int lpThunkTable)
{
var importIndex = 0;
bool is32bit = Headers.PEHeader.Magic == PEMagic.PE32;
do
{
// Read the import thunk
var functionOffset = lpOffsetTable + (is32bit ? sizeof(int) : sizeof(long)) * importIndex;
var importThunkOffset = lpThunkTable + (is32bit ? sizeof(int) : sizeof(long)) * importIndex;
PointerEx importThunk = is32bit ? MemoryMarshal.Read <int>(ImageData.Span.Slice(importThunkOffset)) : MemoryMarshal.Read <long>(ImageData.Span.Slice(importThunkOffset));
if (!importThunk)
{
break;
}
int importOrdinal;
// Check if the function is imported via ordinal
if ((importThunk & int.MinValue) != 0)
{
importOrdinal = importThunk & (long)ushort.MaxValue;
yield return(new PEImport(null, functionOffset, importOrdinal));
continue;
}
// Read the import ordinal and name
var lpImportOrdinal = RelativeToOffset(importThunk);
importOrdinal = MemoryMarshal.Read <short>(ImageData.Span.Slice(lpImportOrdinal));
var lpImportName = lpImportOrdinal + sizeof(short);
var importNameLength = ImageData.Span.Slice(lpImportName).IndexOf(byte.MinValue);
var importName = Encoding.UTF8.GetString(ImageData.Span.Slice(lpImportName, importNameLength).ToArray());
yield return(new PEImport(importName, functionOffset, importOrdinal));
}while ((importIndex += 1) > 0);
}
public bool GetContext(PointerEx thread)
{
Marshal.StructureToPtr(ContextStruct, hAlignedMemory, false);
bool result = GetContext(thread, hAlignedMemory);
ContextStruct = Marshal.PtrToStructure(hAlignedMemory, ContextStruct.GetType());
return(result);
}
internal int GetPtrFromRVA(int rva, PointerEx imageBase)
{
PointerEx delta;
var sectionHeader = Headers.SectionHeaders[Headers.GetContainingSectionIndex(rva)];
delta = (sectionHeader.VirtualAddress - sectionHeader.PointerToRawData);
return(imageBase + rva - delta);
}
/// <summary>
/// Manually map module into current process.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author> (modified for external)
/// <param name="modulePath">Full path to the module on disk.</param>
/// <param name="noCache">If true, will ignore any previous mappings cached locally</param>
/// <returns>PE_MANUAL_MAP object</returns>
public static PE_MANUAL_MAP MapModuleToMemory(string modulePath, bool noCache = false)
{
if (modulePath == null)
{
throw new Exception(DSTR(DSTR_DINVOKE_MOD_CANNOT_BE_NULL));
}
modulePath = modulePath.ToLower();
if (!noCache && MappedModulesCache.ContainsKey(modulePath))
{
return(MappedModulesCache[modulePath]);
}
// Alloc module into memory for parsing
PointerEx pModule = File.ReadAllBytes(modulePath).Unmanaged();
var result = MapModuleToMemory(pModule);
MappedModulesCache[modulePath] = result;
return(result);
}
/// <summary>
/// Manually map module into current process.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author> (modified for external)
/// <param name="pModule">Pointer to the module base.</param>
/// <returns>PE_MANUAL_MAP object</returns>
private static PE_MANUAL_MAP MapModuleToMemory(PointerEx pModule)
{
// Fetch PE meta data
PE_META_DATA PEINFO = GetPeMetaData(pModule);
// Check module matches the process architecture
if ((PEINFO.Is32Bit && IntPtr.Size == 8) || (!PEINFO.Is32Bit && IntPtr.Size == 4))
{
Marshal.FreeHGlobal(pModule);
throw new Exception(DSTR(DSTR_MOD_ARCHITECTURE_WRONG));
}
// Alloc PE image memory -> RW
IntPtr BaseAddress = IntPtr.Zero;
IntPtr RegionSize = PEINFO.Is32Bit ? (IntPtr)PEINFO.OptHeader32.SizeOfImage : (IntPtr)PEINFO.OptHeader64.SizeOfImage;
IntPtr pImage = Native.NtAllocateVirtualMemoryD(
(IntPtr)(-1), ref BaseAddress, IntPtr.Zero, ref RegionSize,
Native.AllocationType.Commit | Native.AllocationType.Reserve,
Native.PAGE_READWRITE
);
return(MapModuleToMemory(pModule, pImage, PEINFO));
}
protected abstract bool GetContext(PointerEx thread, PointerEx context);
public bool SetContext(PointerEx thread)
{
Marshal.StructureToPtr(ContextStruct, hAlignedMemory, false);
return(SetContext(thread, hAlignedMemory));
}
public ThreadContextEx()
{
//Get/SetThreadContext needs to be 16 byte aligned memory offset on x64
hInternalMemory = Marshal.AllocHGlobal(Marshal.SizeOf(ContextStruct) + 1024);
hAlignedMemory = (long)hInternalMemory & ~0xF;
}