// Token: 0x0600000C RID: 12 RVA: 0x00002190 File Offset: 0x00000390
private IntPtr RvaToPointer(uint rva, IntPtr baseAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(IntPtr.Zero);
}
return(Imports.ImageRvaToVa(ntHeader.Address, baseAddress, new UIntPtr(rva), IntPtr.Zero));
}
// Token: 0x06000009 RID: 9 RVA: 0x00002110 File Offset: 0x00000310
private PIMAGE_NT_HEADERS32 GetNtHeader(IntPtr address)
{
PIMAGE_DOS_HEADER dosHeader = this.GetDosHeader(address);
if (dosHeader == null)
{
return(null);
}
PIMAGE_NT_HEADERS32 pimage_NT_HEADERS = (PIMAGE_NT_HEADERS32)(address + dosHeader.Value.e_lfanew);
if (!pimage_NT_HEADERS.Value.isValid)
{
return(null);
}
return(pimage_NT_HEADERS);
}
// Token: 0x06000019 RID: 25 RVA: 0x000032CC File Offset: 0x000014CC
private bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
if (ntHeader.Value.OptionalHeader.TLSTable.Size == 0U)
{
return(true);
}
PIMAGE_TLS_DIRECTORY32 pimage_TLS_DIRECTORY = (PIMAGE_TLS_DIRECTORY32)this.RvaToPointer(ntHeader.Value.OptionalHeader.TLSTable.VirtualAddress, baseAddress);
if (pimage_TLS_DIRECTORY == null)
{
return(true);
}
if (pimage_TLS_DIRECTORY.Value.AddressOfCallBacks == 0U)
{
return(true);
}
byte[] array = new byte[1020];
UIntPtr uintPtr;
if (!Imports.ReadProcessMemory(this._hProcess, new IntPtr((long)((ulong)pimage_TLS_DIRECTORY.Value.AddressOfCallBacks)), array, out uintPtr))
{
return(false);
}
PDWORD pdword = new PDWORD(array);
bool flag = true;
uint num = 0U;
while (pdword[num] > 0U)
{
flag = this.CallEntryPoint(remoteAddress, pdword[num], false);
if (!flag)
{
break;
}
num += 1U;
}
return(flag);
}
// Token: 0x06000013 RID: 19 RVA: 0x00002D48 File Offset: 0x00000F48
private bool ProcessRelocations(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
if ((ntHeader.Value.FileHeader.Characteristics & 1) > 0)
{
return(true);
}
uint imageBaseDelta = (uint)((long)remoteAddress.ToInt32() - (long)((ulong)ntHeader.Value.OptionalHeader.ImageBase));
uint size = ntHeader.Value.OptionalHeader.BaseRelocationTable.Size;
if (size > 0U)
{
PIMAGE_BASE_RELOCATION pimage_BASE_RELOCATION = (PIMAGE_BASE_RELOCATION)this.RvaToPointer(ntHeader.Value.OptionalHeader.BaseRelocationTable.VirtualAddress, baseAddress);
if (pimage_BASE_RELOCATION == null)
{
return(false);
}
PBYTE pbyte = (PBYTE)pimage_BASE_RELOCATION.Address + (int)size;
while (pimage_BASE_RELOCATION.Address.ToInt64() < pbyte.Address.ToInt64())
{
PBYTE relocationBase = (PBYTE)this.RvaToPointer(pimage_BASE_RELOCATION.Value.VirtualAddress, baseAddress);
uint num = pimage_BASE_RELOCATION.Value.SizeOfBlock - 8U >> 1;
PWORD pword = (PWORD)(pimage_BASE_RELOCATION + 1).Address;
uint num2 = 0U;
while (num2 < num)
{
this.ProcessRelocation(imageBaseDelta, pword.Value, relocationBase);
num2 += 1U;
pword = ++pword;
}
pimage_BASE_RELOCATION = (PIMAGE_BASE_RELOCATION)pword.Address;
}
}
return(true);
}
// Token: 0x06000016 RID: 22 RVA: 0x0000300C File Offset: 0x0000120C
private bool ProcessSections(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader);
for (ushort num = 0; num < ntHeader.Value.FileHeader.NumberOfSections; num += 1)
{
if (!Helpers._stricmp(".reloc".ToCharArray(), pimage_SECTION_HEADER[(uint)num].Name))
{
DataSectionFlags characteristics = pimage_SECTION_HEADER[(uint)num].Characteristics;
if (characteristics.HasFlag(DataSectionFlags.MemoryRead) || characteristics.HasFlag((DataSectionFlags)2147483648U) || characteristics.HasFlag(DataSectionFlags.MemoryExecute))
{
uint sectionProtection = this.GetSectionProtection(pimage_SECTION_HEADER[(uint)num].Characteristics);
this.ProcessSection(pimage_SECTION_HEADER[(uint)num].Name, baseAddress, remoteAddress, (ulong)pimage_SECTION_HEADER[(uint)num].PointerToRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualAddress, (ulong)pimage_SECTION_HEADER[(uint)num].SizeOfRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualSize, sectionProtection);
}
}
}
return(true);
}
// Token: 0x0600001A RID: 26 RVA: 0x000033A0 File Offset: 0x000015A0
private IntPtr LoadImageToMemory(IntPtr baseAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(IntPtr.Zero);
}
if (ntHeader.Value.FileHeader.NumberOfSections == 0)
{
return(IntPtr.Zero);
}
uint num = uint.MaxValue;
uint num2 = 0U;
PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader);
for (uint num3 = 0U; num3 < (uint)ntHeader.Value.FileHeader.NumberOfSections; num3 += 1U)
{
if (pimage_SECTION_HEADER[num3].VirtualSize != 0U)
{
if (pimage_SECTION_HEADER[num3].VirtualAddress < num)
{
num = pimage_SECTION_HEADER[num3].VirtualAddress;
}
if (pimage_SECTION_HEADER[num3].VirtualAddress + pimage_SECTION_HEADER[num3].VirtualSize > num2)
{
num2 = pimage_SECTION_HEADER[num3].VirtualAddress + pimage_SECTION_HEADER[num3].VirtualSize;
}
}
}
uint size = num2 - num;
if (ntHeader.Value.OptionalHeader.ImageBase % 4096U != 0U)
{
return(IntPtr.Zero);
}
if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size > 0U)
{
return(IntPtr.Zero);
}
IntPtr intPtr = this.RemoteAllocateMemory(size);
if (intPtr == IntPtr.Zero)
{
return(IntPtr.Zero);
}
if (!this.ProcessImportTable(baseAddress))
{
return(IntPtr.Zero);
}
if (!this.ProcessDelayedImportTable(baseAddress, intPtr))
{
return(IntPtr.Zero);
}
if (!this.ProcessRelocations(baseAddress, intPtr))
{
return(IntPtr.Zero);
}
if (!this.ProcessSections(baseAddress, intPtr))
{
return(IntPtr.Zero);
}
if (!this.ProcessTlsEntries(baseAddress, intPtr))
{
return(IntPtr.Zero);
}
if (ntHeader.Value.OptionalHeader.AddressOfEntryPoint > 0U)
{
int entrypoint = intPtr.ToInt32() + (int)ntHeader.Value.OptionalHeader.AddressOfEntryPoint;
if (!this.CallEntryPoint(intPtr, (uint)entrypoint, this.AsyncInjection))
{
return(IntPtr.Zero);
}
}
return(intPtr);
}
// Token: 0x06000011 RID: 17 RVA: 0x00002A08 File Offset: 0x00000C08
private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size <= 0U)
{
return(true);
}
PIMAGE_IMPORT_DESCRIPTOR pimage_IMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)this.RvaToPointer(ntHeader.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress);
if (pimage_IMPORT_DESCRIPTOR != null)
{
while (pimage_IMPORT_DESCRIPTOR.Value.Name > 0U)
{
PCHAR pchar = (PCHAR)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.Name, baseAddress);
if (pchar != null)
{
IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString());
if (remoteModuleHandleA == IntPtr.Zero)
{
this.InjectDependency(pchar.ToString());
remoteModuleHandleA = this.GetRemoteModuleHandleA(pchar.ToString());
if (remoteModuleHandleA == IntPtr.Zero)
{
goto IL_1F6;
}
}
PIMAGE_THUNK_DATA pimage_THUNK_DATA;
PIMAGE_THUNK_DATA pimage_THUNK_DATA2;
if (pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk > 0U)
{
pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.OriginalFirstThunk, baseAddress);
pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
}
else
{
pimage_THUNK_DATA = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
pimage_THUNK_DATA2 = (PIMAGE_THUNK_DATA)this.RvaToPointer(pimage_IMPORT_DESCRIPTOR.Value.FirstThunk, baseAddress);
}
while (pimage_THUNK_DATA.Value.AddressOfData > 0U)
{
IntPtr dependencyProcAddressA;
if ((pimage_THUNK_DATA.Value.Ordinal & 2147483648U) > 0U)
{
short num = (short)(pimage_THUNK_DATA.Value.Ordinal & 65535U);
dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(num));
if (dependencyProcAddressA == IntPtr.Zero)
{
return(false);
}
}
else
{
PCHAR procName = (PCHAR)((PIMAGE_IMPORT_BY_NAME)this.RvaToPointer(pimage_THUNK_DATA2.Value.Ordinal, baseAddress)).Address + 2;
dependencyProcAddressA = this.GetDependencyProcAddressA(remoteModuleHandleA, procName);
}
Marshal.WriteInt32(pimage_THUNK_DATA2.Address, dependencyProcAddressA.ToInt32());
pimage_THUNK_DATA = ++pimage_THUNK_DATA;
pimage_THUNK_DATA2 = ++pimage_THUNK_DATA2;
}
}
IL_1F6:
pimage_IMPORT_DESCRIPTOR = ++pimage_IMPORT_DESCRIPTOR;
}
return(true);
}
return(false);
}
