/// <summary>
/// Resolves the offset of an export relative to its module base in the current process, using
/// the ntdll loader routines (LdrGetDllHandle / LdrGetProcedureAddress) rather than kernel32.
/// </summary>
/// <param name="Module">Name of an already-loaded module, as handed to LdrGetDllHandle.</param>
/// <param name="Export">Export name; converted to an ANSI_STRING for LdrGetProcedureAddress.</param>
/// <returns>
/// Export address minus module base, or IntPtr.Zero when either the module handle or the
/// export cannot be resolved.
/// </returns>
public static IntPtr GetLocalExportOffset(String Module, String Export)
{
    var moduleName = new UNICODE_STRING();
    RtlInitUnicodeString(ref moduleName, Module);

    var moduleBase = IntPtr.Zero;
    UInt32 status = LdrGetDllHandle(IntPtr.Zero, IntPtr.Zero, ref moduleName, ref moduleBase);
    if (status != 0 || moduleBase == IntPtr.Zero)
    {
        return IntPtr.Zero;
    }

    // Hey MSFT, why is RtlInitAnsiString not working on Win7..?
    // The export name is built as a UNICODE_STRING and converted; AllocateDestinationString is
    // true, so the ANSI buffer is heap-allocated by ntdll.
    // NOTE(review): that buffer is never released (RtlFreeAnsiString) — it leaks on every call.
    var exportName = new UNICODE_STRING();
    RtlInitUnicodeString(ref exportName, Export);
    var exportNameAnsi = new ANSI_STRING();
    RtlUnicodeStringToAnsiString(ref exportNameAnsi, ref exportName, true);

    var exportAddress = IntPtr.Zero;
    status = LdrGetProcedureAddress(moduleBase, ref exportNameAnsi, 0, ref exportAddress);
    if (status != 0 || exportAddress == IntPtr.Zero)
    {
        return IntPtr.Zero;
    }

    // Offset of the export relative to the module base.
    return (IntPtr)(exportAddress.ToInt64() - moduleBase.ToInt64());
}
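/// <summary>
/// Resolves the offset of an export relative to its module base in the current process.
/// The ntdll string and loader routines are located at run time through
/// Generic.GetLibraryAddress and invoked through delegates instead of static P/Invoke.
/// </summary>
/// <param name="Module">Name of an already-loaded module, as passed to Generic.GetPebLdrModuleEntry.</param>
/// <param name="Export">Name of the export to resolve with LdrGetProcedureAddress.</param>
/// <returns>
/// Export address minus module base, or IntPtr.Zero when an ntdll routine, the module or the
/// export cannot be resolved. Progress and failures are written to the console.
/// </returns>
public static IntPtr GetLocalExportOffset(String Module, String Export)
{
    // Marshal.GetDelegateForFunctionPointer throws ArgumentNullException for a zero pointer, so a
    // failed lookup must be caught before the cast; the helper returns null in that case
    // (assumes Generic.GetLibraryAddress reports a missing export as IntPtr.Zero — confirm).
    // All three routines are resolved up front so there is a single failure path.
    var rtlInitUnicodeString = (RtlInitUnicodeString)ResolveNtdllExport("RtlInitUnicodeString", typeof(RtlInitUnicodeString));
    var rtlUnicodeStringToAnsiString = (RtlUnicodeStringToAnsiString)ResolveNtdllExport("RtlUnicodeStringToAnsiString", typeof(RtlUnicodeStringToAnsiString));
    var ldrGetProcedureAddress = (LdrGetProcedureAddress)ResolveNtdllExport("LdrGetProcedureAddress", typeof(LdrGetProcedureAddress));
    if (rtlInitUnicodeString == null || rtlUnicodeStringToAnsiString == null || ldrGetProcedureAddress == null)
    {
        Console.WriteLine("[!] Failed to resolve ntdll string/loader routines..");
        return IntPtr.Zero;
    }

    // The module base comes from the PEB loader list; the original also initialised a
    // UNICODE_STRING for the module name that nothing consumed, so that is dropped.
    IntPtr hModule = Generic.GetPebLdrModuleEntry(Module);
    if (hModule == IntPtr.Zero)
    {
        Console.WriteLine("[!] Failed to get " + Module + " handle..");
        return IntPtr.Zero;
    }
    // NOTE(review): message kept as-is, although the handle is not obtained via LdrGetDllHandle here.
    Console.WriteLine(" |-> LdrGetDllHandle OK");

    // Export name is built as a UNICODE_STRING and converted (the static variant notes that
    // RtlInitAnsiString did not work on Win7). AllocateDestinationString is true, so ntdll
    // heap-allocates the ANSI buffer.
    // NOTE(review): that buffer is never released with RtlFreeAnsiString — it leaks on every call.
    UNICODE_STRING uFuncName = new UNICODE_STRING();
    rtlInitUnicodeString(ref uFuncName, Export);
    ANSI_STRING aFuncName = new ANSI_STRING();
    rtlUnicodeStringToAnsiString(ref aFuncName, ref uFuncName, true);

    IntPtr pExport = IntPtr.Zero;
    UInt32 CallResult = ldrGetProcedureAddress(hModule, ref aFuncName, 0, ref pExport);
    if (CallResult != 0 || pExport == IntPtr.Zero)
    {
        Console.WriteLine("[!] Failed to get " + Export + " address..");
        return IntPtr.Zero;
    }
    Console.WriteLine(" |-> " + Export + ": 0x" + String.Format("{0:X}", pExport.ToInt64()));

    // Offset of the export relative to the module base.
    IntPtr FuncOffset = (IntPtr)((Int64)pExport - (Int64)hModule);
    Console.WriteLine(" |-> Offset: 0x" + String.Format("{0:X}", FuncOffset.ToInt64()));
    return FuncOffset;
}

/// <summary>
/// Looks up an export of ntdll.dll via Generic.GetLibraryAddress and wraps it in a delegate of
/// <paramref name="delegateType"/>. Returns null instead of throwing when the lookup yields
/// IntPtr.Zero.
/// </summary>
/// <param name="export">Export name within ntdll.dll.</param>
/// <param name="delegateType">Delegate type whose signature matches the export.</param>
/// <returns>The delegate, or null when the export was not found.</returns>
private static Delegate ResolveNtdllExport(string export, Type delegateType)
{
    IntPtr pFunction = Generic.GetLibraryAddress(@"ntdll.dll", export);
    if (pFunction == IntPtr.Zero)
    {
        return null;
    }
    return Marshal.GetDelegateForFunctionPointer(pFunction, delegateType);
}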
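/// <summary>
/// GetProcAddress-style lookup routed through LdrGetProcedureAddress. <paramref name="ProcNamePtr"/>
/// is interpreted as an ordinal when its value fits in 16 bits (the kernel32 GetProcAddress
/// convention) and as a pointer to an ANSI export name otherwise. Failures are reported by
/// returning IntPtr.Zero after SetLastError.
/// </summary>
/// <param name="hModule">Module handle; translated with BasepMapModuleHandle before the loader call.</param>
/// <param name="ProcNamePtr">Pointer to a NUL-terminated ANSI export name, or an ordinal not exceeding 0xFFFF.</param>
/// <returns>The export address, or IntPtr.Zero with the failing NTSTATUS stored via SetLastError.</returns>
static IntPtr GetProcAddressManaged(IntPtr hModule, IntPtr ProcNamePtr)
{
    ushort Ordinal = 0;
    bool byName = ProcNamePtr.ToUlong() > ushort.MaxValue;
    IntPtr nameStruct = IntPtr.Zero;
    if (byName)
    {
        var ProcName = Marshal.PtrToStringAnsi(ProcNamePtr);
        var ProcedureName = new ANSI_STRING();
        ProcedureName.Length = (short)ProcName.Length;
        ProcedureName.MaximumLength = ProcedureName.Length;
        ProcedureName.Buffer = ProcName;
        // StructureToPtr writes Marshal.SizeOf(ANSI_STRING) bytes regardless of the name length;
        // the previous "name length + 5" sizing under-allocated for short names (heap overflow).
        nameStruct = Marshal.AllocHGlobal(Marshal.SizeOf(ProcedureName));
        Marshal.StructureToPtr(ProcedureName, nameStruct, false);
        ProcNamePtr = nameStruct;
    }
    else
    {
        Ordinal = (ushort)ProcNamePtr.ToUlong();
    }

    IntPtr hMapped = BasepMapModuleHandle(hModule, false);
    var Status = LdrGetProcedureAddress(hMapped, ProcNamePtr, Ordinal, out IntPtr fnExp);

    if (nameStruct != IntPtr.Zero)
    {
        // DestroyStructure releases the unmanaged copy of Buffer that StructureToPtr created
        // (previously leaked), then the struct block itself is freed. Nothing is freed in the
        // ordinal case, where the previous code passed the raw ordinal value to FreeHGlobal.
        Marshal.DestroyStructure(nameStruct, typeof(ANSI_STRING));
        Marshal.FreeHGlobal(nameStruct);
    }

    if (!NT_SUCCESS(Status))
    {
        SetLastError(Status.ToInt32());
        return IntPtr.Zero;
    }
    // A result equal to the mapped base is treated as "export not found".
    if (fnExp == hMapped)
    {
        if (byName)
        {
            SetLastError(0xC0000139); // STATUS_ENTRYPOINT_NOT_FOUND
        }
        else
        {
            SetLastError(0xC0000138); // STATUS_ORDINAL_NOT_FOUND
        }
        return IntPtr.Zero;
    }
    return fnExp;
}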
/// <summary>
/// Resolves the offset of an export relative to its module base in the current process via the
/// ntdll loader (LdrGetDllHandle / LdrGetProcedureAddress), logging each step to the console.
/// </summary>
/// <param name="Module">Name of an already-loaded module, as handed to LdrGetDllHandle.</param>
/// <param name="Export">Export name; converted to an ANSI_STRING for LdrGetProcedureAddress.</param>
/// <returns>
/// Export address minus module base, or IntPtr.Zero when the module handle or the export cannot
/// be resolved (a "[!]" line is printed in that case).
/// </returns>
public static IntPtr GetLocalExportOffset(String Module, String Export)
{
    var moduleName = new UNICODE_STRING();
    RtlInitUnicodeString(ref moduleName, Module);

    var moduleBase = IntPtr.Zero;
    UInt32 status = LdrGetDllHandle(IntPtr.Zero, IntPtr.Zero, ref moduleName, ref moduleBase);
    if (status != 0 || moduleBase == IntPtr.Zero)
    {
        Console.WriteLine("[!] Failed to get " + Module + " handle..");
        return IntPtr.Zero;
    }
    Console.WriteLine(" |-> LdrGetDllHandle OK");

    // Hey MSFT, why is RtlInitAnsiString not working on Win7..?
    // The export name is built as a UNICODE_STRING and converted; AllocateDestinationString is
    // true, so the ANSI buffer is heap-allocated by ntdll.
    // NOTE(review): that buffer is never released (RtlFreeAnsiString) — it leaks on every call.
    var exportName = new UNICODE_STRING();
    RtlInitUnicodeString(ref exportName, Export);
    var exportNameAnsi = new ANSI_STRING();
    RtlUnicodeStringToAnsiString(ref exportNameAnsi, ref exportName, true);

    var exportAddress = IntPtr.Zero;
    status = LdrGetProcedureAddress(moduleBase, ref exportNameAnsi, 0, ref exportAddress);
    if (status != 0 || exportAddress == IntPtr.Zero)
    {
        Console.WriteLine("[!] Failed to get " + Export + " address..");
        return IntPtr.Zero;
    }
    Console.WriteLine(" |-> " + Export + ": 0x" + exportAddress.ToInt64().ToString("X"));

    // Offset of the export relative to the module base.
    var exportOffset = (IntPtr)(exportAddress.ToInt64() - moduleBase.ToInt64());
    Console.WriteLine(" |-> Offset: 0x" + exportOffset.ToInt64().ToString("X"));
    return exportOffset;
}
/// <summary>
/// ntdll!LdrGetProcedureAddress: looks up an export in a module already loaded in this process.
/// The DllImport attribute is expected to precede this declaration (not visible here).
/// </summary>
/// <param name="hModule">Base address of the loaded module.</param>
/// <param name="ModName">Despite its name, the export name as an ANSI_STRING — the callers on this page pass the function name here.</param>
/// <param name="Ordinal">Export ordinal; callers pass 0 when resolving by name.</param>
/// <param name="FunctionAddress">Receives the resolved export address.</param>
/// <returns>NTSTATUS; callers treat any non-zero value as failure.</returns>
public static extern UInt32 LdrGetProcedureAddress( IntPtr hModule, ref ANSI_STRING ModName, UInt32 Ordinal, ref IntPtr FunctionAddress);
/// <summary>
/// ntdll!RtlUnicodeStringToAnsiString: converts a UNICODE_STRING into an ANSI_STRING.
/// The DllImport attribute is expected to precede this declaration (not visible here).
/// </summary>
/// <param name="DestinationString">Receives the converted string.</param>
/// <param name="SourceString">String to convert.</param>
/// <param name="AllocateDestinationString">
/// When true, ntdll allocates the destination buffer, which must later be released with
/// RtlFreeAnsiString. The callers on this page pass true and never release it.
/// </param>
/// <returns>NTSTATUS; the callers on this page do not check it.</returns>
public static extern UInt32 RtlUnicodeStringToAnsiString( ref ANSI_STRING DestinationString, ref UNICODE_STRING SourceString, bool AllocateDestinationString);