internal PortableExecutableParser(string dllPath)
{
_dllBuffer = MemoryTools.StoreBytesInBuffer(File.ReadAllBytes(dllPath));
_peHeaders = new PeHeaders();
ReadHeaders();
}
internal PortableExecutableParser(byte[] dllBytes)
{
_dllBuffer = MemoryTools.StoreBytesInBuffer(dllBytes);
_peHeaders = new PeHeaders();
ReadHeaders();
}
internal TStructure ReadVirtualMemory <TStructure>(IntPtr baseAddress) where TStructure : struct
{
// Read the bytes of the structure from the memory region
var structureBytes = ReadVirtualMemory(baseAddress, Marshal.SizeOf <TStructure>());
// Marshal the bytes into a structure
var structureBytesBuffer = MemoryTools.StoreBytesInBuffer(structureBytes);
var structure = Marshal.PtrToStructure <TStructure>(structureBytesBuffer);
MemoryTools.FreeMemoryForBuffer(structureBytesBuffer);
return(structure);
}
internal bool Call()
{
var localDllBaseAddress = MemoryTools.StoreBytesInBuffer(_propertyWrapper.DllBytes);
var peHeaders = _propertyWrapper.PeParser.GetHeaders();
// Build the import table of the DLL in the local process
BuildImportTable(localDllBaseAddress);
// Allocate memory for the DLL in the target process
var dllSize = _propertyWrapper.TargetProcess.IsWow64 ? peHeaders.NtHeaders32.OptionalHeader.SizeOfImage : peHeaders.NtHeaders64.OptionalHeader.SizeOfImage;
var remoteDllAddress = _propertyWrapper.MemoryManager.AllocateVirtualMemory((int)dllSize, Enumerations.MemoryProtectionType.ExecuteReadWrite);
// Perform the needed relocations in the local process
PerformRelocations(localDllBaseAddress, remoteDllAddress);
// Map the sections of the DLL into the target process
MapSections(localDllBaseAddress, remoteDllAddress);
// Call any TLS callbacks
CallTlsCallbacks(remoteDllAddress);
// Call the entry point of the DLL
var dllEntryPointAddress = _propertyWrapper.TargetProcess.IsWow64
? (uint)remoteDllAddress + peHeaders.NtHeaders32.OptionalHeader.AddressOfEntryPoint
: (ulong)remoteDllAddress + peHeaders.NtHeaders64.OptionalHeader.AddressOfEntryPoint;
if (dllEntryPointAddress != 0)
{
CallEntryPoint(remoteDllAddress, (IntPtr)dllEntryPointAddress);
}
MemoryTools.FreeMemoryForBuffer(localDllBaseAddress);
return(true);
}
internal void WriteVirtualMemory(IntPtr baseAddress, byte[] bytesToWrite)
{
// Store the bytes to write in a buffer
var bytesBuffer = MemoryTools.StoreBytesInBuffer(bytesToWrite);
// Adjust the protection of the memory region to ensure it has write privileges
var oldProtectionType = ProtectVirtualMemory(baseAddress, bytesToWrite.Length, Enumerations.MemoryProtectionType.ReadWrite);
// Write the bytes into the memory region
_syscallManager.InvokeSyscall <NtWriteVirtualMemory>(_processHandle, baseAddress, bytesBuffer, bytesToWrite.Length);
// Restore the protection of the memory region
ProtectVirtualMemory(baseAddress, bytesToWrite.Length, oldProtectionType);
MemoryTools.FreeMemoryForBuffer(bytesBuffer);
}
