Esempio n. 1
        /// <summary>
        /// Walks every section header of <paramref name="image"/>, reads the section's raw
        /// bytes from the file and writes them into the process behind
        /// <paramref name="hProcess"/> at <paramref name="pModule"/> plus the section's
        /// VirtualAddress. Sections flagged discardable are read but not written.
        /// </summary>
        /// <param name="image">Parsed PE file that supplies the section headers and raw data.</param>
        /// <param name="hProcess">Handle of the process that receives the sections.</param>
        /// <param name="pModule">Base address, in that process, that section RVAs are added to.</param>
        /// <remarks>
        /// The protection value is the section's Characteristics masked to its low 24 bits.
        /// IMAGE_SCN_* flags and PAGE_* constants are unrelated bit sets that overlap only
        /// by numeric coincidence: 0x08 (IMAGE_SCN_TYPE_NO_PAD) reads as PAGE_WRITECOPY,
        /// 0x20 (IMAGE_SCN_CNT_CODE) as PAGE_EXECUTE_READ, 0x40 (IMAGE_SCN_CNT_INITIALIZED_DATA)
        /// as PAGE_EXECUTE_READWRITE. The real IMAGE_SCN_MEM_* permission bits sit in the top
        /// byte and are masked away, so the result differs from what the Windows loader would
        /// apply; in particular an initialized-data section ends up writable and executable.
        /// Executable private memory with no backing image file is a common memory-scanning signal.
        /// </remarks>
        private static void MapSections(PortableExecutable image, IntPtr hProcess, IntPtr pModule)
        {
            const int DiscardableFlag = 0x02000000;        // IMAGE_SCN_MEM_DISCARDABLE
            const int LowCharacteristicsMask = 0x00FFFFFF; // keeps the low 24 bits of Characteristics

            foreach (var section in image.EnumSectionHeaders())
            {
                var raw = new byte[section.SizeOfRawData];

                // A failed read aborts the whole mapping with the image's own error object.
                if (!image.Read(section.PointerToRawData, SeekOrigin.Begin, raw))
                {
                    throw image.GetLastError();
                }

                // Discardable sections (usually .reloc) are not copied to the target.
                if ((section.Characteristics & DiscardableFlag) != 0)
                {
                    continue;
                }

                // NOTE(review): the results of both calls below are discarded, so a failed
                // write or protection change goes unnoticed. The out value is overwritten
                // by each call and never read.
                uint ignored;
                var remoteAddress = pModule.Add(section.VirtualAddress);
                WinAPI.WriteProcessMemory(hProcess, remoteAddress, raw, raw.Length, out ignored);
                WinAPI.VirtualProtectEx(hProcess, remoteAddress, section.SizeOfRawData, section.Characteristics & LowCharacteristicsMask, out ignored);
            }
        }
Esempio n. 2
 // Token: 0x06000120 RID: 288 RVA: 0x0000DAC8 File Offset: 0x0000BCC8
 /// <summary>
 /// Decompiled form of the section-mapping routine: for each section header of
 /// <paramref name="image"/>, reads SizeOfRawData bytes from PointerToRawData and, unless
 /// the section is discardable, writes them to <paramref name="pModule"/> + VirtualAddress
 /// in the process behind <paramref name="hProcess"/>, then changes that range's protection.
 /// </summary>
 /// <param name="image">Parsed PE file that supplies the section headers and raw data.</param>
 /// <param name="hProcess">Handle of the process that receives the sections.</param>
 /// <param name="pModule">Base address, in that process, that section RVAs are added to.</param>
 /// <remarks>
 /// The protection argument is Characteristics &amp; 0x00FFFFFF. That mask drops the
 /// IMAGE_SCN_MEM_* permission bits and reuses the low content-type flags as if they were
 /// PAGE_* constants (0x20 reads as PAGE_EXECUTE_READ, 0x40 as PAGE_EXECUTE_READWRITE), so
 /// the applied protections do not match the section's declared permissions. Writable and
 /// executable private regions produced this way are what memory scanners commonly look for.
 /// </remarks>
 private static void MapSections(PortableExecutable image, IntPtr hProcess, IntPtr pModule)
 {
     const uint MemDiscardable = 0x02000000u; // IMAGE_SCN_MEM_DISCARDABLE (33554432)
     const uint ProtectionMask = 0x00FFFFFFu; // low 24 bits of Characteristics (16777215)

     foreach (IMAGE_SECTION_HEADER header in image.EnumSectionHeaders())
     {
         byte[] contents = new byte[header.SizeOfRawData];
         if (image.Read((long)header.PointerToRawData, SeekOrigin.Begin, contents))
         {
             bool discardable = (header.Characteristics & MemDiscardable) != 0u;
             if (!discardable)
             {
                 // NOTE(review): neither call's result is inspected; the out value is
                 // overwritten by the second call and never read.
                 uint scratch;
                 var destination = pModule.Add((long)header.VirtualAddress);
                 WinAPI.WriteProcessMemory(hProcess, destination, contents, contents.Length, out scratch);
                 WinAPI.VirtualProtectEx(hProcess, destination, header.SizeOfRawData, header.Characteristics & ProtectionMask, out scratch);
             }
         }
         else
         {
             // Reading the section from the file failed: surface the image's own error.
             throw image.GetLastError();
         }
     }
 }