bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress) { UIntPtr dwRead; var imageNtHeaders = GetNtHeader(baseAddress); if (imageNtHeaders == null) { return(false); } if (imageNtHeaders.Value.OptionalHeader.TLSTable.Size == 0) { return(true); } var tlsDirectory = (PIMAGE_TLS_DIRECTORY32)RvaToPointer(imageNtHeaders.Value.OptionalHeader.TLSTable.VirtualAddress, baseAddress); if (tlsDirectory == null) { return(true); } if (tlsDirectory.Value.AddressOfCallBacks == 0) { return(true); } var buffer = new byte[0xFF * 4]; if (!Imports.ReadProcessMemory(hProcess, new IntPtr(tlsDirectory.Value.AddressOfCallBacks), buffer, out dwRead)) { return(false); } var tLSCallbacks = new PDWORD(buffer); var result = true; for (uint i = 0; tLSCallbacks[i] > 0; i++) { result = CallEntryPoint(remoteAddress, tLSCallbacks[i], false); if (!result) { break; } } return(result); }
private bool process_tls_entries(IntPtr base_address, IntPtr remoteAddress) { UIntPtr dwRead; var image_nt_headers = get_nt_header(base_address); if (image_nt_headers == null) { return(false); } if (image_nt_headers.Value.OptionalHeader.TLSTable.Size == 0) { return(true); } var tls_directory = (PIMAGE_TLS_DIRECTORY32)rva_to_pointer(image_nt_headers.Value.OptionalHeader.TLSTable.VirtualAddress, base_address); if (tls_directory == null) { return(true); } if (tls_directory.Value.AddressOfCallBacks == 0) { return(true); } var buffer = new byte[0xFF * 4]; if (!Imports.ReadProcessMemory(_hProcess, new IntPtr(tls_directory.Value.AddressOfCallBacks), buffer, out dwRead)) { return(false); } var tls_callbacks = new PDWORD(buffer); var result = true; for (uint i = 0; tls_callbacks[i] > 0; i++) { result = call_entry_point(remoteAddress, tls_callbacks[i], false); if (!result) { break; } } return(result); }
// Token: 0x06000019 RID: 25 RVA: 0x000032CC File Offset: 0x000014CC private bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } if (ntHeader.Value.OptionalHeader.TLSTable.Size == 0U) { return(true); } PIMAGE_TLS_DIRECTORY32 pimage_TLS_DIRECTORY = (PIMAGE_TLS_DIRECTORY32)this.RvaToPointer(ntHeader.Value.OptionalHeader.TLSTable.VirtualAddress, baseAddress); if (pimage_TLS_DIRECTORY == null) { return(true); } if (pimage_TLS_DIRECTORY.Value.AddressOfCallBacks == 0U) { return(true); } byte[] array = new byte[1020]; UIntPtr uintPtr; if (!Imports.ReadProcessMemory(this._hProcess, new IntPtr((long)((ulong)pimage_TLS_DIRECTORY.Value.AddressOfCallBacks)), array, out uintPtr)) { return(false); } PDWORD pdword = new PDWORD(array); bool flag = true; uint num = 0U; while (pdword[num] > 0U) { flag = this.CallEntryPoint(remoteAddress, pdword[num], false); if (!flag) { break; } num += 1U; } return(flag); }
// Token: 0x06000012 RID: 18 RVA: 0x00002C28 File Offset: 0x00000E28 private bool ProcessRelocation(uint imageBaseDelta, ushort data, PBYTE relocationBase) { bool result = true; switch (data >> 12 & 15) { case 0: case 4: return(result); case 1: { PSHORT pshort = (PSHORT)(relocationBase + (int)(data & 4095)).Address; Marshal.WriteInt16(pshort.Address, (short)((long)pshort.Value + (long)((ulong)((ushort)(imageBaseDelta >> 16 & 65535U))))); return(result); } case 2: { PSHORT pshort = (PSHORT)(relocationBase + (int)(data & 4095)).Address; Marshal.WriteInt16(pshort.Address, (short)((long)pshort.Value + (long)((ulong)((ushort)(imageBaseDelta & 65535U))))); return(result); } case 3: { PDWORD pdword = (PDWORD)(relocationBase + (int)(data & 4095)).Address; Marshal.WriteInt32(pdword.Address, (int)(pdword.Value + imageBaseDelta)); return(result); } case 10: { PDWORD pdword = (PDWORD)(relocationBase + (int)(data & 4095)).Address; Marshal.WriteInt32(pdword.Address, (int)(pdword.Value + imageBaseDelta)); return(result); } } result = false; return(result); }
// Token: 0x0600000F RID: 15 RVA: 0x00002478 File Offset: 0x00000678 private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName) { IntPtr intPtr = IntPtr.Zero; IMAGE_DOS_HEADER image_DOS_HEADER; UIntPtr uintPtr; Imports.ReadProcessMemory <IMAGE_DOS_HEADER>(this._hProcess, moduleBase, out image_DOS_HEADER, out uintPtr); if (!image_DOS_HEADER.isValid) { return(IntPtr.Zero); } IMAGE_NT_HEADERS32 image_NT_HEADERS; Imports.ReadProcessMemory <IMAGE_NT_HEADERS32>(this._hProcess, moduleBase + image_DOS_HEADER.e_lfanew, out image_NT_HEADERS, out uintPtr); if (!image_NT_HEADERS.isValid) { return(IntPtr.Zero); } uint virtualAddress = image_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress; if (virtualAddress > 0U) { uint size = image_NT_HEADERS.OptionalHeader.ExportTable.Size; PIMAGE_EXPORT_DIRECTORY pimage_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)this.AllocateMemory(size); Imports.ReadProcessMemory(this._hProcess, moduleBase + (int)virtualAddress, pimage_EXPORT_DIRECTORY.Address, (int)size, out uintPtr); PWORD pword = (PWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals - (int)virtualAddress); PDWORD pdword = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNames - (int)virtualAddress); PDWORD pdword2 = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions - (int)virtualAddress); uint num = 0U; while (num < pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions) { PCHAR pchar = null; ushort num2; if (new PDWORD(procName.Address).Value <= 65535U) { num2 = (ushort)num; } else { if (new PDWORD(procName.Address).Value <= 65535U || num >= pimage_EXPORT_DIRECTORY.Value.NumberOfNames) { return(IntPtr.Zero); } pchar = (PCHAR) new IntPtr((long)((ulong)pdword[num] + (ulong)((long)pimage_EXPORT_DIRECTORY.Address.ToInt32()) - (ulong)virtualAddress)); num2 = pword[num]; } if ((new PDWORD(procName.Address).Value <= 65535U && new PDWORD(procName.Address).Value == (uint)num2 + pimage_EXPORT_DIRECTORY.Value.Base) || (new PDWORD(procName.Address).Value > 65535U && pchar.ToString() == procName.ToString())) { intPtr = moduleBase + (int)pdword2[(uint)num2]; if (intPtr.ToInt64() < (moduleBase + (int)virtualAddress).ToInt64() || intPtr.ToInt64() > (moduleBase + (int)virtualAddress + (int)size).ToInt64()) { break; } byte[] array = new byte[255]; Imports.ReadProcessMemory(this._hProcess, intPtr, array, out uintPtr); string text = Helpers.ToStringAnsi(array); string text2 = text.Substring(0, text.IndexOf(".")) + ".dll"; string text3 = text.Substring(text.IndexOf(".") + 1); IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(text2); if (remoteModuleHandleA == IntPtr.Zero) { this.InjectDependency(text2); } if (text3.StartsWith("#")) { intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3) + 1); break; } intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3)); break; } else { num += 1U; } } Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release); } return(intPtr); }