private static uint FindEntryPoint(IntPtr hProcess, IntPtr hModule)
{
if (hProcess.IsNull() || hProcess.Compare(-1L))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
if (hModule.IsNull())
{
throw new ArgumentException("Invalid module handle.", "hModule");
}
byte[] array = WinAPI.ReadRemoteMemory(hProcess, hModule, (uint)Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)));
if (array != null)
{
ushort num = BitConverter.ToUInt16(array, 0);
uint num2 = BitConverter.ToUInt32(array, 60);
if (num == 23117)
{
byte[] array2 = WinAPI.ReadRemoteMemory(hProcess, hModule.Add((long)((ulong)num2)), (uint)Marshal.SizeOf(typeof(IMAGE_NT_HEADER32)));
if (array2 != null && BitConverter.ToUInt32(array2, 0) == 17744u)
{
IMAGE_NT_HEADER32 iMAGE_NT_HEADER = default(IMAGE_NT_HEADER32);
using (UnmanagedBuffer unmanagedBuffer = new UnmanagedBuffer(256))
{
if (unmanagedBuffer.Translate <IMAGE_NT_HEADER32>(array2, out iMAGE_NT_HEADER))
{
return(iMAGE_NT_HEADER.OptionalHeader.AddressOfEntryPoint);
}
}
return(0u);
}
}
}
return(0u);
}
/**
* Find the entry point of a loaded module
* based on its Base Address. Reverses the PE
* structure to find the entry point
*/
private static uint FindEntryPoint(IntPtr hProcess, IntPtr hModule)
{
if (hProcess.IsNull() || hProcess.Compare(-1))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
if (hModule.IsNull())
{
throw new ArgumentException("Invalid module handle.", "hModule");
}
byte[] bDosHeader = WinAPI.ReadRemoteMemory(hProcess, hModule, (uint)Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)));
if (bDosHeader != null)
{
ushort e_magic = BitConverter.ToUInt16(bDosHeader, 0);
uint e_lfanew = BitConverter.ToUInt32(bDosHeader, 0x3C);
if (e_magic == 23117)
{
byte[] bNtHeader = WinAPI.ReadRemoteMemory(hProcess, hModule.Add(e_lfanew), (uint)Marshal.SizeOf(typeof(IMAGE_NT_HEADER32)));
if (bNtHeader != null && BitConverter.ToUInt32(bNtHeader, 0) == 17744)
{
IMAGE_NT_HEADER32 ntHd = default(IMAGE_NT_HEADER32);
using (var buffer = new UnmanagedBuffer(256))
if (buffer.Translate <IMAGE_NT_HEADER32>(bNtHeader, out ntHd))
{
return(ntHd.OptionalHeader.AddressOfEntryPoint);
}
}
}
}
return(0);
}
private static uint FindEntryPoint(IntPtr hProcess, IntPtr hModule)
{
if (hProcess.IsNull() || hProcess.Compare(-1L))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
if (hModule.IsNull())
{
throw new ArgumentException("Invalid module handle.", "hModule");
}
byte[] buffer = WinAPI.ReadRemoteMemory(hProcess, hModule, (uint)Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)));
if (buffer != null)
{
ushort num = BitConverter.ToUInt16(buffer, 0);
uint num2 = BitConverter.ToUInt32(buffer, 60);
if (num == 0x5a4d)
{
byte[] buffer2 = WinAPI.ReadRemoteMemory(hProcess, hModule.Add((long)num2), (uint)Marshal.SizeOf(typeof(IMAGE_NT_HEADER32)));
if ((buffer2 != null) && (BitConverter.ToUInt32(buffer2, 0) == 0x4550))
{
IMAGE_NT_HEADER32 result = new IMAGE_NT_HEADER32();
using (UnmanagedBuffer buffer3 = new UnmanagedBuffer(0x100))
{
if (buffer3.Translate <IMAGE_NT_HEADER32>(buffer2, out result))
{
return(result.OptionalHeader.AddressOfEntryPoint);
}
}
}
}
}
return(0);
}
