private static void LoadExports(uint hLib, bool mappedAsImage) { unsafe { void *hMod = (void *)hLib; uint BaseAddress = (uint)hMod; // var hMod = (void*)loadedImage.MappedAddress; if (hMod != null) { uint size; IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size); if (pExportDir != null) { Console.WriteLine("Got Image Export Descriptor"); uint *pFuncNames = (uint *)(BaseAddress + pExportDir->AddressOfNames); for (uint i = 0; i < pExportDir->NumberOfNames; i++) { uint funcNameRva = pFuncNames[i]; if (funcNameRva != 0) { char *funcName = (char *)(BaseAddress + funcNameRva); var name = Marshal.PtrToStringAnsi((IntPtr)funcName); Console.WriteLine("Exported functionName: {0}", name); // exports.Add(name); } } } } } }
private ExportDictionaries GetExportDictionaries(Image image) { Dictionary <string, HarmonyExport> exportsByName = new Dictionary <string, HarmonyExport>(); Dictionary <ushort, HarmonyExport> exportsByOrdinal = new Dictionary <ushort, HarmonyExport>(); IMAGE_DATA_DIRECTORY directory = Environment.Is64BitProcess ? image.OptionalHeader64->ExportTable : image.OptionalHeader32->ExportTable; if (directory.VirtualAddress == 0) { return(new ExportDictionaries(exportsByName, exportsByOrdinal)); } IMAGE_EXPORT_DIRECTORY *exportDirectory = (IMAGE_EXPORT_DIRECTORY *)(image.BasePtr + directory.VirtualAddress); UIntPtr nameRef = (UIntPtr)(image.BasePtr + exportDirectory->AddressOfNames); UIntPtr ordinalRef = (UIntPtr)(image.BasePtr + exportDirectory->AddressOfNameOrdinals); ushort ordinalBase = (ushort)exportDirectory->Base; for (int i = 0; i < exportDirectory->NumberOfNames; i++, nameRef += sizeof(UInt32), ordinalRef += sizeof(UInt16)) { byte * namePtr = image.BasePtr + (int)*(UInt32 *)nameRef; string name = StringOperations.NulTerminatedBytesToString(namePtr, image.BasePtr, image.Size); ushort ordinal = *(UInt16 *)ordinalRef; IntPtr exportAddress = (IntPtr)(image.BasePtr + (int)*(UInt32 *)(image.BasePtr + exportDirectory->AddressOfFunctions + ordinal * sizeof(UInt32))); ushort displayOrdinal = (ushort)(ordinal + ordinalBase); HarmonyExport export = new HarmonyExport(name, displayOrdinal, exportAddress); exportsByName[name] = export; exportsByOrdinal[displayOrdinal] = export; } return(new ExportDictionaries(exportsByName, exportsByOrdinal)); }
public static void Main() { if (!Native.GetModuleHandleEx(ModuleHandleFlags.UnchangedRefCount, "Inkjet.dll", out ThisModule)) { ThisModule = IntPtr.Zero; } IntPtr ExeHandle; List <string> ExportNames = new List <string>(); if (Native.GetModuleHandleEx(ModuleHandleFlags.UnchangedRefCount, null, out ExeHandle)) { IMAGE_DOS_HEADER * DosHeader = (IMAGE_DOS_HEADER *)ExeHandle; IMAGE_NT_HEADERS * Header = (IMAGE_NT_HEADERS *)(ExeHandle + (int)DosHeader->LFaNew); IMAGE_EXPORT_DIRECTORY *Exports = (IMAGE_EXPORT_DIRECTORY *)(ExeHandle + Header->OptionalHeader.ExportTable.VirtualAddress); IntPtr Names = ExeHandle + Exports->AddressOfNames; for (int i = 0; i < Exports->NumberOfNames; i++) { string Name = Marshal.PtrToStringAnsi(ExeHandle + ((int *)Names)[i]); if (Name.Trim().Length == 0) { continue; } ExportNames.Add(Name); } } File.WriteAllText("E:\\Projects\\Hackery\\bin\\HAAX.txt", string.Join("\n", ExportNames)); Process Cur = Process.GetCurrentProcess(); MessageBox.Show("Magic!", string.Format("{0} ({1})", Cur.ProcessName, Cur.Id)); }
/// <summary> /// return the exported function from the selected file /// </summary> /// <param name="filePath"></param> /// <param name="mappedAsImage"></param> /// <returns></returns> private void LoadExports(string filePath, bool mappedAsImage, List <FunctionObject> ExportedFunctions) { var hLib = LoadLibraryEx(filePath, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL); unsafe { void *hMod = (void *)hLib; uint BaseAddress = (uint)hMod; if (hMod != null) { uint size; IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size); if (pExportDir != null) { uint *pFuncNames = (uint *)(BaseAddress + pExportDir->AddressOfNames); for (uint i = 0; i < pExportDir->NumberOfNames; i++) { uint funcNameRva = pFuncNames[i]; if (funcNameRva != 0) { char *funcName = (char *)(BaseAddress + funcNameRva); var name = Marshal.PtrToStringAnsi((IntPtr)funcName); ExportedFunctions.Add(new FunctionObject(name)); } } } } //else //{ // smartSuggestionEngine.readErrorCode("basic error 3", 8); //} } return; }
public static unsafe Dictionary <string, UInt32> dumpSymbolsFromFile(byte *pBin) { Dictionary <string, UInt32> ExportTable = new Dictionary <string, UInt32>(); NTHeaders *ntHeaders = GetNtHeaders(pBin); IMAGE_EXPORT_DIRECTORY *exportDir = (IMAGE_EXPORT_DIRECTORY *)(pBin + RVAtoOffset(ntHeaders->optnHeader.exportTable.VirtualAddress, ntHeaders, pBin)); if (ntHeaders->optnHeader.numberOfRvaAndSizes <= 0) { throw new ArgumentException("Error, This file has no exports."); } for (UInt32 i = 0; i < exportDir->NumberOfNames; i++) { UInt32 offset = (UInt32)RVAtoOffset((*(UInt32 *)(pBin + RVAtoOffset(exportDir->AddressOfFunctions, ntHeaders, pBin) + (i * sizeof(UInt32)))), ntHeaders, pBin); UInt32 nameOffset = (UInt32)RVAtoOffset((UInt32)exportDir->AddressOfNames, ntHeaders, pBin) + (i * sizeof(UInt32)); string methodName = Marshal.PtrToStringAnsi((IntPtr) (pBin + RVAtoOffset((*(UInt32 *)(pBin + nameOffset)), ntHeaders, pBin))); ExportTable.Add(methodName, offset); } return(ExportTable); }
private void LoadExports(LOADED_IMAGE loadedImage) { var hMod = (void *)loadedImage.MappedAddress; if (hMod != null) { uint size; IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)ImageDirectoryEntryToData((void *)loadedImage.MappedAddress, false, IMAGE_DIRECTORY_ENTRY_EXPORT, out size); if (pExportDir != null) { uint *pFuncNames = (uint *)RvaToVa(loadedImage, pExportDir->AddressOfNames); for (uint i = 0; i < pExportDir->NumberOfNames; i++) { uint funcNameRva = pFuncNames[i]; if (funcNameRva != 0) { char * funcName = (char *)RvaToVa(loadedImage, funcNameRva); string name = Marshal.PtrToStringAnsi((IntPtr)funcName); Exports.Add(name); } } } } }
static unsafe USysCall64() { UNICODE_STRING szNtdll = new UNICODE_STRING("ntdll"); UIntPtr ptrNtdll = UIntPtr.Zero; long ntstatus = LdrGetDllHandle(IntPtr.Zero, IntPtr.Zero, ref szNtdll, ref ptrNtdll); if (ntstatus != 0) { Debugger.Break(); } byte * lpNtdll = (byte *)ptrNtdll; IMAGE_DOS_HEADER * piDH = (IMAGE_DOS_HEADER *)lpNtdll; IMAGE_OPTIONAL_HEADER64 *piOH = (IMAGE_OPTIONAL_HEADER64 *)(lpNtdll + piDH->e_lfanew + 0x18); IMAGE_EXPORT_DIRECTORY * exportDir = (IMAGE_EXPORT_DIRECTORY *)(lpNtdll + piOH->ExportTable.VirtualAddress); uint * names = (uint *)(lpNtdll + exportDir->AddressOfNames); uint * functions = (uint *)(lpNtdll + exportDir->AddressOfFunctions); ushort *ordinals = (ushort *)(lpNtdll + exportDir->AddressOfNameOrdinals); var listOfNames = new List <string>(); var dictOfZwFunctions = new Dictionary <string, ulong>(); for (int i = 0; i < exportDir->NumberOfNames; i++) { var name = Marshal.PtrToStringAnsi(new IntPtr(lpNtdll + names[i])); if (!name.StartsWith("Zw")) { continue; } var fnAddr = new UIntPtr(lpNtdll + functions[ordinals[i]]); dictOfZwFunctions.Add(name, fnAddr.ToUInt64()); } var sortedByAddr = dictOfZwFunctions .OrderBy(x => x.Value) .ToDictionary(x => "Nt" + x.Key.Substring(2, x.Key.Length - 2), x => x.Value); var sysCallLookup = new Dictionary <string, uint>(); uint sysNo = 0; foreach (var entry in sortedByAddr) { sysCallLookup.Add(entry.Key, sysNo); sysNo++; } SysCallTable = sysCallLookup; }
public ExportResolver(ProcessModule module) { lib = (IMAGE_DOS_HEADER *)module.BaseAddress; if (lib->e_magic != IMAGE_DOS_SIGNATURE) { throw new Exception("Invalid IMAGE_DOS_HEADER signature"); } header = (IMAGE_NT_HEADERS *)((byte *)lib + lib->e_lfanew); if (header->Signature != IMAGE_NT_SIGNATURE) { throw new Exception("Invalid IMAGE_NT_HEADERS signature"); } if (header->OptionalHeader.NumberOfRvaAndSizes == 0) { throw new Exception("Invalid NumberOfRvaAndSizes"); } exports = (IMAGE_EXPORT_DIRECTORY *)((byte *)lib + header->OptionalHeader.ExportTable.VirtualAddress); }
public static Symbol[] GetExports(IntPtr Handle) { List <Symbol> Exports = new List <Symbol>(); IMAGE_DOS_HEADER * DOS = (IMAGE_DOS_HEADER *)Handle; IMAGE_NT_HEADERS * NT = (IMAGE_NT_HEADERS *)((byte *)DOS + DOS->LFaNew); IMAGE_OPTIONAL_HEADER * Optional = &NT->OptionalHeader; IMAGE_EXPORT_DIRECTORY *ExportsDir = (IMAGE_EXPORT_DIRECTORY *)((byte *)Handle + Optional->ExportTable.VirtualAddress); uint *AddrOfNames = (uint *)((byte *)Handle + ExportsDir->AddressOfNames); uint *AddrOfFuncs = (uint *)((byte *)Handle + ExportsDir->AddressOfNames); for (int j = 0; j < ExportsDir->NumberOfNames; j++) { string Name = Marshal.PtrToStringAnsi((IntPtr)((uint)Handle + AddrOfNames[j])); long Func = AddrOfFuncs[j]; Exports.Add(new Symbol(Name, (ulong)Func, 0)); } return(Exports.ToArray()); }
public ExportObject Load64Exports(ExportObject myObject, string filePath, bool mappedAsImage) { List <FunctionObject> exportList = myObject.ExportFunctionObjectList; //var hLib = LoadLibraryEx(filePath, 0, // DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL); var hLib = LoadLibrary(filePath); unsafe { void *hMod = (void *)hLib; ulong BaseAddress = (ulong)hMod; if (hMod != null) { ulong size; IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size); if (pExportDir != null) { ulong *pFuncNames = (ulong *)(BaseAddress + pExportDir->AddressOfNames); for (uint i = 0; i < pExportDir->NumberOfNames; i++) { ulong funcNameRva = pFuncNames[i]; // ulong funcNameRva = pFuncNames[i]; if (funcNameRva != 0) { char *funcName = (char *)(BaseAddress + funcNameRva); var name = Marshal.PtrToStringAnsi((IntPtr)funcName); exportList.Add(new FunctionObject(name)); } } } } } return(myObject); }
/// <summary> /// 获取API函数地址 /// </summary> /// <param name="sProcName"></param> /// <returns></returns> private unsafe IntPtr GetProcAddress(String sProcName) { if (this.mModuleHandle == IntPtr.Zero) { return(IntPtr.Zero); } if (String.IsNullOrEmpty(sProcName)) { return(IntPtr.Zero); } IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)this.mModuleHandle; IMAGE_NT_HEADERS *pPEHeader = (IMAGE_NT_HEADERS *)(this.mModuleHandle + pDosHeader->e_lfanew); var exportDirectoryEntry = pPEHeader->OptionalHeader.GetDirectory(IMAGE_DIRECTORY_ENTRY.IMAGE_DIRECTORY_ENTRY_EXPORT); var iOffsetStart = exportDirectoryEntry.VirtualAddress; var iSize = exportDirectoryEntry.Size; if (iOffsetStart == 0 || iSize == 0) { return(IntPtr.Zero); } #if _WIN64 IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)((IntPtr)((Int64)this.mModuleHandle + (Int64)iOffsetStart)); UInt32 *pAddressOfFunctions = (UInt32 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfFunctions)); UInt16 *pAddressOfNameOrdinals = (UInt16 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfNameOrdinals)); UInt32 *pAddressOfNames = (UInt32 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfNames)); #else IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)(this.mModuleHandle + (Int32)iOffsetStart); UInt32 *pAddressOfFunctions = (UInt32 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfFunctions); UInt16 *pAddressOfNameOrdinals = (UInt16 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfNameOrdinals); UInt32 *pAddressOfNames = (UInt32 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfNames); #endif UInt16 iOrdinal = 0; if (UInt16.TryParse(sProcName, out iOrdinal)) { if (iOrdinal >= pExportDirectory->Base) { iOrdinal = (UInt16)(iOrdinal - pExportDirectory->Base); if (iOrdinal >= 0 && iOrdinal < pExportDirectory->NumberOfFunctions) { var iFunctionOffset = pAddressOfFunctions[iOrdinal]; if (iFunctionOffset > iOffsetStart && iFunctionOffset < (iOffsetStart + iSize)) // maybe Export Forwarding { return(IntPtr.Zero); } else { #if _WIN64 return((IntPtr)((Int64)this.mModuleHandle + iFunctionOffset)); #else return((IntPtr)((Int32)this.mModuleHandle + iFunctionOffset)); #endif } } } } else { for (Int32 i = 0; i < pExportDirectory->NumberOfNames; i++) { #if _WIN64 var sFuncName = Marshal.PtrToStringAnsi((IntPtr)((Int64)this.mModuleHandle + (Int64)pAddressOfNames[i])); #else var sFuncName = Marshal.PtrToStringAnsi(this.mModuleHandle + (Int32)pAddressOfNames[i]); #endif if (sProcName.Equals(sFuncName)) { iOrdinal = pAddressOfNameOrdinals[i]; if (iOrdinal >= 0 && iOrdinal < pExportDirectory->NumberOfFunctions) { var iFunctionOffset = pAddressOfFunctions[iOrdinal]; if (iFunctionOffset > iOffsetStart && iFunctionOffset < (iOffsetStart + iSize)) // maybe Export Forwarding { return(IntPtr.Zero); } else { #if _WIN64 return((IntPtr)((Int64)this.mModuleHandle + iFunctionOffset)); #else return((IntPtr)((Int32)this.mModuleHandle + iFunctionOffset)); #endif } } } } } return(IntPtr.Zero); }