private static IEnumerable <RpcOffset> FindRpcServerInterfaces(ImageSection sect, bool return_clients) { byte[] rdata = sect.ToArray(); foreach (int ofs in FindBytes(rdata, TransferSyntax.ToByteArray()).Concat(FindBytes(rdata, TransferSyntax64.ToByteArray()))) { if (ofs < 24) { continue; } int expected_size = Environment.Is64BitProcess ? 0x60 : 0x44; if (expected_size != BitConverter.ToInt32(rdata, ofs - 24)) { continue; } long ptr; if (Environment.Is64BitProcess) { ptr = BitConverter.ToInt64(rdata, ofs + 20); } else { ptr = BitConverter.ToInt32(rdata, ofs + 20); } // No dispatch table, likely to be a RPC_CLIENT_INTERFACE. if (ptr == 0 && !return_clients) { continue; } yield return(new RpcOffset(ofs + sect.RelativeVirtualAddress - 24, ptr == 0)); } }
private void SetupValues() { if (_loaded_values) { return; } _loaded_values = true; _image_sections = new List <ImageSection>(); IntPtr base_ptr = GetBasePointer(); if (base_ptr == IntPtr.Zero) { return; } IntPtr header_ptr = GetHeaderPointer(base_ptr); if (header_ptr == IntPtr.Zero) { return; } ImageNtHeaders header = (ImageNtHeaders)Marshal.PtrToStructure(header_ptr, typeof(ImageNtHeaders)); var buffer = header_ptr + Marshal.SizeOf(header) + header.FileHeader.SizeOfOptionalHeader; int header_size = Marshal.SizeOf(typeof(ImageSectionHeader)); for (int i = 0; i < header.FileHeader.NumberOfSections; ++i) { ImageSectionHeader section = (ImageSectionHeader)Marshal.PtrToStructure(buffer + i * header_size, typeof(ImageSectionHeader)); ImageSection sect = new ImageSection(section, MappedAsImage, base_ptr); _image_sections.Add(sect); } IImageOptionalHeader optional_header = GetOptionalHeader(header_ptr); if (optional_header == null) { return; } _image_base_address = optional_header.GetImageBase(); _image_entry_point = optional_header.GetAddressOfEntryPoint(); _is_64bit = optional_header.GetMagic() == IMAGE_NT_OPTIONAL_HDR_MAGIC.HDR64; _dll_characteristics = optional_header.GetDllCharacteristics(); }