private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress) { var imageNtHeaders = GetNtHeader(baseAddress); if (imageNtHeaders == null) { return(false); } if (imageNtHeaders.Value.OptionalHeader.DelayImportDescriptor.Size > 0) { var imageDelayedImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RvaToPointer(imageNtHeaders.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress); if (imageDelayedImportDescriptor != null) { for (; imageDelayedImportDescriptor.Value.Name > 0; imageDelayedImportDescriptor++) { var moduleName = (PCHAR)RvaToPointer(imageDelayedImportDescriptor.Value.Name, baseAddress); if (moduleName == null) { continue; } var moduleBase = GetRemoteModuleHandleA(moduleName.ToString()); if (moduleBase == IntPtr.Zero) { // todo manual map injection for dependency InjectDependency(moduleName.ToString()); moduleBase = GetRemoteModuleHandleA(moduleName.ToString()); if (moduleBase == IntPtr.Zero) { #if DEBUG Debug.WriteLine("[ProcessDelayedImportTable] no imports"); #endif // failed to obtain module handle continue; } } PIMAGE_THUNK_DATA imageThunkData = null; PIMAGE_THUNK_DATA imageFuncData = null; if (imageDelayedImportDescriptor.Value.OriginalFirstThunk > 0) { imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.OriginalFirstThunk, baseAddress); imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress); } else { imageThunkData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress); imageFuncData = (PIMAGE_THUNK_DATA)RvaToPointer(imageDelayedImportDescriptor.Value.FirstThunk, baseAddress); } for (; imageThunkData.Value.AddressOfData > 0; imageThunkData++, imageFuncData++) { IntPtr functionAddress; var bSnapByOrdinal = ((imageThunkData.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0); if (bSnapByOrdinal) { var ordinal = (short)(imageThunkData.Value.Ordinal & 0xffff); functionAddress = GetDependencyProcAddressA(moduleBase, new PCHAR(ordinal)); if (functionAddress == IntPtr.Zero) { return(false); } } else { var imageImportByName = (PIMAGE_IMPORT_BY_NAME)RvaToPointer(imageFuncData.Value.Ordinal, baseAddress); var mameOfImport = (PCHAR)imageImportByName.Address + /*imageImportByName->Name*/ 2; functionAddress = GetDependencyProcAddressA(moduleBase, mameOfImport); } //ImageFuncData->u1.Function = (size_t)FunctionAddress; Marshal.WriteInt32(imageFuncData.Address, functionAddress.ToInt32()); } } return(true); } else { #if DEBUG Debug.WriteLine("[ProcessDelayedImportTable] Size of table confirmed but pointer to data invalid"); #endif // Size of table confirmed but pointer to data invalid return(false); } } else { // no imports return(true); } }
private bool process_delayed_import_table(IntPtr base_address) { var image_nt_headers = get_nt_header(base_address); if (image_nt_headers == null) { return(false); } if (image_nt_headers.Value.OptionalHeader.DelayImportDescriptor.Size > 0) { var image_delayed_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)rva_to_pointer(image_nt_headers.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, base_address); if (image_delayed_import_descriptor != null) { for (; image_delayed_import_descriptor.Value.Name > 0; image_delayed_import_descriptor++) { var module_name = (PCHAR)rva_to_pointer(image_delayed_import_descriptor.Value.Name, base_address); if (module_name == null) { continue; } var module_base = get_remote_module_handle_a(module_name.ToString()); if (module_base == IntPtr.Zero) { // todo manual map injection for dependency inject_dependency(module_name.ToString()); module_base = get_remote_module_handle_a(module_name.ToString()); if (module_base == IntPtr.Zero) { #if DEBUG Debug.WriteLine("[process_delayed_import_table] no imports"); #endif // failed to obtain module handle continue; } } PIMAGE_THUNK_DATA image_thunk_data = null; PIMAGE_THUNK_DATA image_func_data = null; if (image_delayed_import_descriptor.Value.OriginalFirstThunk > 0) { image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.OriginalFirstThunk, base_address); image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address); } else { image_thunk_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address); image_func_data = (PIMAGE_THUNK_DATA)rva_to_pointer(image_delayed_import_descriptor.Value.FirstThunk, base_address); } for (; image_thunk_data.Value.AddressOfData > 0; image_thunk_data++, image_func_data++) { IntPtr function_address; var snap_by_ordinal = ((image_thunk_data.Value.Ordinal & /*IMAGE_ORDINAL_FLAG32*/ 0x80000000) != 0); if (snap_by_ordinal) { var ordinal = (short)(image_thunk_data.Value.Ordinal & 0xffff); function_address = get_dep_proc_address_a(module_base, new PCHAR(ordinal)); if (function_address == IntPtr.Zero) { return(false); } } else { var image_import_by_name = (PIMAGE_IMPORT_BY_NAME)rva_to_pointer(image_func_data.Value.Ordinal, base_address); var name_of_import = (PCHAR)image_import_by_name.Address + /*image_import_by_name->Name*/ 2; function_address = get_dep_proc_address_a(module_base, name_of_import); } //ImageFuncData->u1.Function = (size_t)FunctionAddress; Marshal.WriteInt32(image_func_data.Address, function_address.ToInt32()); } } return(true); } else { #if DEBUG Debug.WriteLine("[process_delayed_import_table] Size of table confirmed but pointer to data invalid"); #endif // Size of table confirmed but pointer to data invalid return(false); } } else { // no imports return(true); } }