// Get function addresses
private static Boolean GetFunctionAddreses(ref IntPtr VirtualAllocAddr, ref IntPtr CreateThreadAddr, ref IntPtr WaitForSingleObjectAddr)
{
// Get 'Kernel32.dll' image base address
IntPtr Kernel32BaseAddr = FindKernel32();
IMAGE_DOS_HEADER ImageDosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(Kernel32BaseAddr, typeof(IMAGE_DOS_HEADER));
MagicType Architecture = (MagicType)Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20));
IMAGE_EXPORT_DIRECTORY ImageExportDirectory;
switch (Architecture)
{
case MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC:
IMAGE_OPTIONAL_HEADER32 PEHeader32 = (IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20), typeof(IMAGE_OPTIONAL_HEADER32));
ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)PEHeader32.ExportTable.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
break;
case MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC:
IMAGE_OPTIONAL_HEADER64 PEHeader64 = (IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20), typeof(IMAGE_OPTIONAL_HEADER64));
ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)PEHeader64.ExportTable.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
break;
default:
Console.WriteLine("Failed to identify 'kernel32.dll' architecture");
return(false);
}
;
// Setup variables for iterating over export table
int CurrentFunctionNameAddr;
String CurrentFunctionName;
// Iterate over export table
for (int i = 0; i < ImageExportDirectory.NumberOfNames; i++)
{
// Get current function's address (pointer) and name (pointer)
CurrentFunctionNameAddr = Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfNames + (i * 4)));
CurrentFunctionName = Marshal.PtrToStringAnsi((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)CurrentFunctionNameAddr));
// Check to see if it is the required function
if (CurrentFunctionName.Equals("VirtualAlloc"))
{
VirtualAllocAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
else if (CurrentFunctionName.Equals("CreateThread"))
{
CreateThreadAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
else if (CurrentFunctionName.Equals("WaitForSingleObject"))
{
WaitForSingleObjectAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
// Return if all functions have been found
if ((VirtualAllocAddr != IntPtr.Zero) && (CreateThreadAddr != IntPtr.Zero) && (WaitForSingleObjectAddr != IntPtr.Zero))
{
return(true);
}
}
return(false);
}
public override void EnterFunctionDecl(GoParser.FunctionDeclContext context)
{
base.EnterFunctionDecl(context);
m_variableIdentifiers.Clear();
m_variableTypes.Clear();
if (CurrentFunction is null)
{
throw new InvalidOperationException($"Failed to find metadata for function \"{CurrentFunctionName}\".");
}
FunctionSignature function = CurrentFunction.Signature;
if (function is null)
{
throw new InvalidOperationException($"Failed to find signature metadata for function \"{CurrentFunctionName}\".");
}
string scope = char.IsUpper(OriginalFunctionName[0]) ? "public" : "private";
// Handle Go "main" function as a special case, in C# this should be capitalized "Main"
if (CurrentFunctionName.Equals("main"))
{
CurrentFunctionName = "Main";
// Track file names that contain main function in main package
if (Package.Equals("main"))
{
s_mainPackageFiles.Add(TargetFileName);
}
}
// Function signature containing result type and parameters have not been visited yet,
// so we mark their desired positions and replace once the visit has occurred
m_functionResultTypeMarker = string.Format(FunctionResultTypeMarker, CurrentFunctionName);
m_functionParametersMarker = string.Format(FunctionParametersMarker, CurrentFunctionName);
m_functionExecContextMarker = string.Format(FunctionExecContextMarker, CurrentFunctionName);
PushInnerBlockPrefix(string.Format(FunctionBlockPrefixMarker, CurrentFunctionName));
m_targetFile.AppendLine($"{Spacing()}{scope} static {m_functionResultTypeMarker} {CurrentFunctionName}{m_functionParametersMarker}{m_functionExecContextMarker}");
}
public static void FindFunctions(ref IntPtr VirtualAllocExNumaAddr, ref IntPtr VirtualAllocExAddr, ref IntPtr FlsAllocAddr, ref IntPtr GetCurrentProcessAddr)
{
// Get 'Kernel32.dll' image base address
IntPtr Kernel32BaseAddr = IntPtr.Zero;
foreach (ProcessModule Module in Process.GetCurrentProcess().Modules)
{
if (Module.ModuleName.ToLower().Equals("kernel32.dll"))
{
Kernel32BaseAddr = Module.BaseAddress;
}
}
if (Kernel32BaseAddr == IntPtr.Zero)
{
Console.WriteLine("Failed to find 'kernel32.dll' base address");
return;
}
IMAGE_DOS_HEADER ImageDosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(Kernel32BaseAddr, typeof(IMAGE_DOS_HEADER));
MagicType Architecture = (MagicType)Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20));
IMAGE_EXPORT_DIRECTORY ImageExportDirectory;
switch (Architecture)
{
case MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC:
IMAGE_OPTIONAL_HEADER32 PEHeader32 = (IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20), typeof(IMAGE_OPTIONAL_HEADER32));
ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)PEHeader32.ExportTable.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
break;
case MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC:
IMAGE_OPTIONAL_HEADER64 PEHeader64 = (IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + ImageDosHeader.e_lfanew + 4 + 20), typeof(IMAGE_OPTIONAL_HEADER64));
ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)PEHeader64.ExportTable.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
break;
default:
Console.WriteLine("Failed to identify 'kernel32.dll' architecture");
return;
}
;
// Setup variables for iterating over export table
int CurrentFunctionNameAddr;
String CurrentFunctionName;
// Iterate over export table
for (int i = 0; i < ImageExportDirectory.NumberOfNames; i++)
{
// Get current function's address (pointer) and name (pointer)
CurrentFunctionNameAddr = Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfNames + (i * 4)));
CurrentFunctionName = Marshal.PtrToStringAnsi((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)CurrentFunctionNameAddr));
// Check to see if it is the required function
if (CurrentFunctionName.Equals("VirtualAllocExNuma"))
{
VirtualAllocExNumaAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
else if (CurrentFunctionName.Equals("VirtualAllocEx"))
{
VirtualAllocExAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
else if (CurrentFunctionName.Equals("FlsAlloc"))
{
FlsAllocAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
else if (CurrentFunctionName.Equals("GetCurrentProcess"))
{
GetCurrentProcessAddr = (IntPtr)(Kernel32BaseAddr.ToInt64() + Marshal.ReadInt32((IntPtr)(Kernel32BaseAddr.ToInt64() + (int)ImageExportDirectory.AddressOfFunctions + (i * 4))));
}
// Check to see if all functions have been derived
if ((VirtualAllocExAddr != IntPtr.Zero) && (VirtualAllocExNumaAddr != IntPtr.Zero) && (FlsAllocAddr != IntPtr.Zero) && (GetCurrentProcessAddr != IntPtr.Zero))
{
break;
}
}
}
