//delegate private static void HookApi(SHookInfo hook, FTrunkInfo trunk) { /*SMemoryBasicInformation mbi_thunk = new SMemoryBasicInformation(); * RKernel32.VirtualQuery(pRealThunk, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION)); * RKernel32.VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect); * if (pHookApi->pOldProc == NULL) { * pHookApi->pOldProc = (PROC)pRealThunk->u1.Function; * } * pRealThunk->u1.Function = (DWORD)pHookApi->pNewProc; * DWORD dwOldProtect; * RKernel32.VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect);*/ }
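/// <summary>
/// Walks the import thunks of the first import descriptor of a PE image mapped
/// in the current process and returns one <see cref="FTrunkInfo"/> per
/// name-imported function.
/// </summary>
/// <remarks>
/// For each entry, Name and Hint are read through the import name table
/// (OriginalFirstThunk), Entry is the value currently stored in the import
/// address table (FirstThunk), and the Mem* fields come from a VirtualQuery on
/// that stored address. A caller can compare Entry and MemAllocationBase with
/// the module that is expected to export the function to spot an import slot
/// that no longer points where the loader bound it.
///
/// NOTE(review): limitations kept from the original implementation:
///  - only the first import descriptor is walked, so imports from any other
///    DLL are not reported;
///  - the walk stops (it does not skip) at the first import-by-ordinal, so
///    named imports after it are not reported;
///  - addresses are handled as 32-bit values (SImageThunkData32, ToInt32);
///    IntPtr.ToInt32 throws OverflowException when the pointer does not fit;
///  - RVAs taken from the image are not range-checked and the loop has no
///    upper bound other than the zero terminator, so a malformed import table
///    can lead to reads outside the image.
/// </remarks>
/// <param name="hModule">Base address of the loaded module.</param>
/// <returns>
/// The collected entries, or <c>null</c> when the NT headers are unavailable,
/// the image has no import directory, the first descriptor has no name, or the
/// descriptor has no import name table.
/// </returns>
public static FTrunkInfo[] FetchTrunks(IntPtr hModule)
{
    Nullable<SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);
    // Fix: .Value was read unconditionally, which throws InvalidOperationException
    // when GetNtHeaders yields no value. Every other failure path returns null.
    if (!ntHeaders.HasValue)
    {
        return null;
    }

    SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (idd.VirtualAddress == 0)
    {
        return null;
    }

    // First import descriptor.
    uint maddress = (uint)hModule.ToInt32();
    IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
    SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
    if (impDesc.Name == 0)
    {
        return null;
    }

    // Fix: with OriginalFirstThunk == 0 the name walk would start at the module
    // base and interpret the DOS header as thunk data. Without a name table the
    // function names cannot be recovered, so treat it as a failure.
    if (impDesc.OriginalFirstThunk == 0)
    {
        return null;
    }

    // Parallel cursors: name table (unchanged by the loader) and address table.
    IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
    IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
    int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    FObjects<FTrunkInfo> infos = new FObjects<FTrunkInfo>();

    while (true)
    {
        SImageThunkData32 origThunk = (SImageThunkData32)Marshal.PtrToStructure(pOrgFt, typeof(SImageThunkData32));
        SImageThunkData32 realThunk = (SImageThunkData32)Marshal.PtrToStructure(pFt, typeof(SImageThunkData32));

        // A zero thunk terminates the table.
        if (origThunk.Function == 0)
        {
            break;
        }

        // High bit set: import by ordinal, there is no name record to read.
        if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
        {
            break;
        }

        // Hint/name record of this import.
        IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
        SImageImportByName byName = (SImageImportByName)Marshal.PtrToStructure(pName, typeof(SImageImportByName));
        if (byName.Name[0] == 0)
        {
            break;
        }

        // Memory region that the stored address falls into.
        // NOTE(review): the return value of VirtualQuery is not checked; if the
        // query fails, mbi presumably keeps its zero-initialised fields.
        SMemoryBasicInformation mbi = new SMemoryBasicInformation();
        RKernel32.VirtualQuery(realThunk.Function, ref mbi, miSize);

        FTrunkInfo info = new FTrunkInfo();
        info.Name = RAscii.GetString(byName.Name);
        info.Address = origThunk.Function;
        info.Entry = (IntPtr)realThunk.Function;
        info.Hint = byName.Hint;
        info.MemAllocationBase = mbi.AllocationBase;
        info.MemAllocationProtect = mbi.AllocationProtect;
        info.MemBaseAddress = mbi.BaseAddress;
        info.MemProtect = mbi.Protect;
        info.MemRegionSize = mbi.RegionSize;
        info.MemState = mbi.State;
        info.MemType = mbi.Type;
        infos.Push(info);

        // Advance both cursors by one thunk.
        pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
        pFt = (IntPtr)(pFt.ToInt32() + ftSize);
    }

    return infos.ToArray();
}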
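/// <summary>
/// Reads the PE headers and the first import descriptor of the module at
/// <c>_handle</c> from the memory of <c>_process</c> and fills <c>_trunks</c>
/// with one <see cref="FTrunkInfo"/> per name-imported function.
/// </summary>
/// <remarks>
/// <c>_dosHeader</c> and <c>_ntHeaders</c> are stored as soon as their
/// signatures check out, even if a later step makes the method return
/// <c>false</c>. <c>_trunks</c> is replaced only once the thunk walk starts.
///
/// For each entry, Name and Hint are read through the import name table
/// (OriginalFirstThunk), Entry is the value currently stored in the import
/// address table (FirstThunk), EntryPtr is the address of that table slot, and
/// the Mem* fields come from VirtualQueryEx on the stored address.
///
/// NOTE(review): every offset used here (e_lfanew, the import directory RVA,
/// the thunk RVAs) is read from the inspected process and is not range-checked
/// against the image, and the loop ends only on a zero thunk. When the target
/// process is not trusted, a crafted header can steer these reads; validate
/// the offsets against the image size before relying on the result.
/// NOTE(review): only the first import descriptor is walked, the walk stops at
/// the first import-by-ordinal, and addresses are handled as 32-bit values
/// (IntPtr.ToInt32 throws OverflowException when the pointer does not fit).
/// </remarks>
/// <returns>
/// <c>true</c> when the headers are valid and the thunk walk ran;
/// <c>false</c> on a DOS or NT signature mismatch, a missing import directory,
/// a first descriptor without a name, or a descriptor without an import name
/// table.
/// </returns>
public bool Open()
{
    // DOS header
    SImageDosHeader dosHeader = _process.ReadStructure<SImageDosHeader>(_handle);
    if (dosHeader.e_magic != (uint)EImageSignature.Dos)
    {
        return false;
    }
    _dosHeader = dosHeader;

    // NT headers
    IntPtr pNtHeader = (IntPtr)(_handle.ToInt32() + dosHeader.e_lfanew);
    SImageNtHeaders ntHeaders = _process.ReadStructure<SImageNtHeaders>(pNtHeader);
    if (ntHeaders.Signature != (uint)EImageSignature.Nt)
    {
        return false;
    }
    _ntHeaders = ntHeaders;

    // Import directory
    SImageDataDirectory idd = ntHeaders.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (idd.VirtualAddress == 0)
    {
        return false;
    }

    // First import descriptor.
    uint maddress = (uint)_handle.ToInt32();
    IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
    SImageImportDescriptor impDesc = _process.ReadStructure<SImageImportDescriptor>(pIdHeader);
    if (impDesc.Name == 0)
    {
        return false;
    }

    // Fix: with OriginalFirstThunk == 0 the name walk would start at the module
    // base and interpret the DOS header as thunk data. Without a name table the
    // function names cannot be recovered, so report failure.
    if (impDesc.OriginalFirstThunk == 0)
    {
        return false;
    }

    // Parallel cursors: name table and address table.
    IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
    IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
    int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    _trunks = new FTrunkInfoCollection();

    while (true)
    {
        SImageThunkData32 origThunk = _process.ReadStructure<SImageThunkData32>(pOrgFt);
        SImageThunkData32 realThunk = _process.ReadStructure<SImageThunkData32>(pFt);

        // A zero thunk terminates the table.
        if (origThunk.Function == 0)
        {
            break;
        }

        // High bit set: import by ordinal, there is no name record to read.
        if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
        {
            break;
        }

        // Hint/name record of this import.
        IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
        SImageImportByName byName = _process.ReadStructure<SImageImportByName>(pName);
        if (byName.Name[0] == 0)
        {
            break;
        }

        // Memory region, in the target process, that the stored address falls into.
        // NOTE(review): the return value of VirtualQueryEx is not checked; if the
        // query fails, mbi presumably keeps its zero-initialised fields.
        SMemoryBasicInformation mbi = new SMemoryBasicInformation();
        RKernel32.VirtualQueryEx(_process.Handle, realThunk.Function, ref mbi, miSize);

        FTrunkInfo trunk = new FTrunkInfo();
        trunk.Name = RAscii.GetString(byName.Name);
        trunk.Address = origThunk.Function;
        trunk.Entry = (IntPtr)realThunk.Function;
        trunk.EntryPtr = pFt;
        trunk.Hint = byName.Hint;
        trunk.MemAllocationBase = mbi.AllocationBase;
        trunk.MemAllocationProtect = mbi.AllocationProtect;
        trunk.MemBaseAddress = mbi.BaseAddress;
        trunk.MemProtect = mbi.Protect;
        trunk.MemRegionSize = mbi.RegionSize;
        trunk.MemState = mbi.State;
        trunk.MemType = mbi.Type;
        _trunks.Push(trunk);

        // Advance both cursors by one thunk.
        pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
        pFt = (IntPtr)(pFt.ToInt32() + ftSize);
    }

    return true;
}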