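/// <summary>
/// Walks the import directory of a PE image that is already laid out at
/// <paramref name="ModuleMemoryBase"/> and writes the resolved address of every
/// imported function into the image's import address table (FirstThunk slots).
/// </summary>
/// <param name="PEINFO">Parsed header metadata; selects the 32- or 64-bit optional header and thunk width.</param>
/// <param name="ModuleMemoryBase">Base address of the in-memory image whose RVAs are being resolved.</param>
/// <exception cref="InvalidOperationException">
/// A DLL name could not be read, an import descriptor has a zero thunk RVA, or an import resolved to a null address.
/// </exception>
/// <exception cref="FileNotFoundException">A dependency is neither loaded nor loadable from disk.</exception>
/// <remarks>
/// NOTE(review): every RVA read from the image (import directory, Name, thunk arrays, hint/name entries)
/// is dereferenced without being checked against the size of the mapped image; this method is not given
/// that size. A malformed or hostile header can therefore steer reads and the IAT writes outside the
/// mapping. Callers should validate the headers before calling, or the size should be passed in.
/// </remarks>
public static void RewriteModuleIAT(PE.PE_META_DATA PEINFO, IntPtr ModuleMemoryBase)
{
    PE.IMAGE_DATA_DIRECTORY idd = PEINFO.Is32Bit ? PEINFO.OptHeader32.ImportTable : PEINFO.OptHeader64.ImportTable;

    // An image without an import directory has nothing to resolve. Without this guard the loop
    // below would interpret the start of the image (RVA 0) as an import descriptor.
    if (idd.VirtualAddress == 0)
    {
        return;
    }

    IntPtr pImportTable = (IntPtr)((ulong)ModuleMemoryBase + idd.VirtualAddress);

    // API set names are only remapped when the reported major OS version is 10 or higher.
    Native.OSVERSIONINFOEX OSVersion = new Native.OSVERSIONINFOEX();
    Native.RtlGetVersion(ref OSVersion);
    Dictionary<string, string> ApiSetDict = new Dictionary<string, string>();
    if (OSVersion.MajorVersion >= 10)
    {
        ApiSetDict = Generic.GetApiSetMapping();
    }

    int descriptorSize = Marshal.SizeOf(typeof(Win32.Kernel32.IMAGE_IMPORT_DESCRIPTOR));

    // The descriptor array is terminated by an entry whose Name RVA is zero.
    for (int counter = 0; ; counter++)
    {
        Win32.Kernel32.IMAGE_IMPORT_DESCRIPTOR iid = (Win32.Kernel32.IMAGE_IMPORT_DESCRIPTOR)Marshal.PtrToStructure(
            (IntPtr)((ulong)pImportTable + (uint)(descriptorSize * counter)),
            typeof(Win32.Kernel32.IMAGE_IMPORT_DESCRIPTOR)
        );
        if (iid.Name == 0)
        {
            break;
        }

        string DllName;
        try
        {
            DllName = Marshal.PtrToStringAnsi((IntPtr)((ulong)ModuleMemoryBase + iid.Name));
        }
        catch (Exception ex)
        {
            // Same exception type and message as before, but the cause is no longer discarded.
            throw new InvalidOperationException("Failed to read DLL name.", ex);
        }

        // PtrToStringAnsi can yield null as well as an empty string; both mean "no usable name".
        if (string.IsNullOrEmpty(DllName))
        {
            throw new InvalidOperationException("Failed to read DLL name.");
        }

        // Translate an API set contract name ("api-..." / "ext-...") to its host DLL when a mapping exists.
        string apiSetHost;
        if (OSVersion.MajorVersion >= 10 &&
            (DllName.StartsWith("api-", StringComparison.Ordinal) || DllName.StartsWith("ext-", StringComparison.Ordinal)) &&
            ApiSetDict.TryGetValue(DllName, out apiSetHost) &&
            !string.IsNullOrEmpty(apiSetHost))
        {
            DllName = apiSetHost;
        }

        // Prefer a module that is already loaded; otherwise load it from disk.
        // NOTE(review): DllName originates from the image's own import table. How
        // Generic.LoadModuleFromDisk turns a bare file name into a path is not visible here;
        // confirm it cannot pick the file up from a directory an untrusted party can write to.
        IntPtr hModule = Generic.GetLoadedModuleAddress(DllName);
        if (hModule == IntPtr.Zero)
        {
            hModule = Generic.LoadModuleFromDisk(DllName);
            if (hModule == IntPtr.Zero)
            {
                throw new FileNotFoundException(DllName + ", unable to find the specified file.");
            }
        }

        // A zero thunk RVA would make the loops below read from, or write to, the image headers.
        if (iid.OriginalFirstThunk == 0 || iid.FirstThunk == 0)
        {
            throw new InvalidOperationException("Import descriptor for " + DllName + " has a zero thunk table RVA.");
        }

        if (PEINFO.Is32Bit)
        {
            for (int i = 0; ; i++)
            {
                PE.IMAGE_THUNK_DATA32 oft_itd = (PE.IMAGE_THUNK_DATA32)Marshal.PtrToStructure(
                    (IntPtr)((ulong)ModuleMemoryBase + iid.OriginalFirstThunk + (uint)(i * sizeof(uint))),
                    typeof(PE.IMAGE_THUNK_DATA32));
                if (oft_itd.AddressOfData == 0)
                {
                    break; // end of this DLL's thunk list
                }

                // The top bit of the thunk marks an import by ordinal rather than by name.
                bool byOrdinal = oft_itd.AddressOfData >= 0x80000000;
                IntPtr ft_itd = (IntPtr)((ulong)ModuleMemoryBase + iid.FirstThunk + (ulong)(i * sizeof(uint)));
                IntPtr pFunc = ResolveImportThunk(ModuleMemoryBase, hModule, DllName, oft_itd.AddressOfData, byOrdinal);
                Marshal.WriteInt32(ft_itd, pFunc.ToInt32());
            }
        }
        else
        {
            for (int i = 0; ; i++)
            {
                PE.IMAGE_THUNK_DATA64 oft_itd = (PE.IMAGE_THUNK_DATA64)Marshal.PtrToStructure(
                    (IntPtr)((ulong)ModuleMemoryBase + iid.OriginalFirstThunk + (ulong)(i * sizeof(ulong))),
                    typeof(PE.IMAGE_THUNK_DATA64));
                if (oft_itd.AddressOfData == 0)
                {
                    break; // end of this DLL's thunk list
                }

                // The top bit of the thunk marks an import by ordinal rather than by name.
                bool byOrdinal = oft_itd.AddressOfData >= 0x8000000000000000;
                IntPtr ft_itd = (IntPtr)((ulong)ModuleMemoryBase + iid.FirstThunk + (ulong)(i * sizeof(ulong)));
                IntPtr pFunc = ResolveImportThunk(ModuleMemoryBase, hModule, DllName, oft_itd.AddressOfData, byOrdinal);
                Marshal.WriteInt64(ft_itd, pFunc.ToInt64());
            }
        }
    }
}

/// <summary>
/// Resolves one import thunk to the address of the export it names in <paramref name="hModule"/>.
/// </summary>
/// <exception cref="InvalidOperationException">The export resolved to a null address.</exception>
private static IntPtr ResolveImportThunk(IntPtr ModuleMemoryBase, IntPtr hModule, string DllName, ulong thunkValue, bool byOrdinal)
{
    IntPtr pFunc;
    if (byOrdinal)
    {
        // Only the low 16 bits carry the ordinal. The callee takes a short, so ordinals above
        // 0x7FFF wrap to negative values; unchecked keeps that wrap even in a checked build.
        // NOTE(review): confirm the callee reinterprets the value as an unsigned 16-bit ordinal.
        ulong fOrdinal = thunkValue & 0xFFFF;
        pFunc = Generic.GetNativeExportAddress(hModule, unchecked((short)fOrdinal));
    }
    else
    {
        // The thunk is an RVA to a hint/name entry; skip the 2-byte hint to reach the ANSI name.
        IntPtr pImpByName = (IntPtr)((ulong)ModuleMemoryBase + thunkValue + sizeof(ushort));
        pFunc = Generic.GetNativeExportAddress(hModule, Marshal.PtrToStringAnsi(pImpByName));
    }

    // Fail here instead of writing a null pointer into the IAT, which would only surface
    // later as a call through address zero.
    if (pFunc == IntPtr.Zero)
    {
        throw new InvalidOperationException("Failed to resolve an import from " + DllName + ".");
    }

    return pFunc;
}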