unsafe void RelocateImageByDelta(ulong localImage, ulong remoteImage, WinAPI.IMAGE_OPTIONAL_HEADER64 optionalHeader, WinAPI.IMAGE_NT_HEADERS64 *ntHeaders)
{
unsafe
{
// https://github.com/DarthTon/Blackbone/blob/master/src/BlackBone/ManualMap/MMap.cpp#L691
WinAPI.IMAGE_DATA_DIRECTORY *directory =
WinAPI.GET_HEADER_DIRECTORY(ntHeaders, WinAPI.IMAGE_DIRECTORY_ENTRY_BASERELOC);
WinAPI.IMAGE_BASE_RELOCATION *baseRelocation =
(WinAPI.IMAGE_BASE_RELOCATION *)(localImage + directory->VirtualAddress);
var memoryDelta = remoteImage - (ulong)optionalHeader.ImageBase;
int relocBaseSize = Marshal.SizeOf <WinAPI.IMAGE_BASE_RELOCATION>();
while (baseRelocation->SizeOfBlock > 0)
{
// START OF RELOCATION
ulong relocStartAddress = localImage + baseRelocation->VirtualAddress;
// AMOUNT OF RELOCATIONS IN THIS BLOCK
int relocationAmount =
((int)baseRelocation->SizeOfBlock - relocBaseSize /*DONT COUNT THE MEMBERS*/) /
sizeof(ushort) /*SIZE OF DATA*/;
// ITERATE ALL RELOCATIONS AND FIX THE HIGHLOWS
for (int i = 0; i < relocationAmount; i++)
{
// GET RELOCATION DATA
var data = GetRelocationData(i);
// WORD Offset : 12;
// WORD Type : 4;
var fixOffset = data & 0x0FFF;
var fixType = data & 0xF000;
// THIS IS A HIGHLOW ACCORDING TO MY GHETTO MASK
// ¯\_(ツ)_/¯
if (fixType == 40960)
{
*(ulong *)(relocStartAddress + (uint)fixOffset) +=
memoryDelta; // ADD MEMORY DELTA TO SPECIFIED ADDRESS
}
}
// GET THE NEXT BLOCK
baseRelocation = (WinAPI.IMAGE_BASE_RELOCATION *)((ulong)baseRelocation + baseRelocation->SizeOfBlock);
}
ushort GetRelocationData(int index) =>
*(ushort *)((long)baseRelocation + Marshal.SizeOf <WinAPI.IMAGE_BASE_RELOCATION>() +
sizeof(ushort) * index);
}
}
unsafe void FixImportTable(ulong localImage, WinAPI.IMAGE_OPTIONAL_HEADER64 optionalHeader, WinAPI.IMAGE_NT_HEADERS64 *ntHeaders)
{
unsafe
{
WinAPI.IMAGE_DATA_DIRECTORY *directory =
WinAPI.GET_HEADER_DIRECTORY(ntHeaders, WinAPI.IMAGE_DIRECTORY_ENTRY_IMPORT);
WinAPI.IMAGE_IMPORT_DESCRIPTOR *importDescriptor =
(WinAPI.IMAGE_IMPORT_DESCRIPTOR *)(localImage + directory->VirtualAddress);
for (; importDescriptor->FirstThunk > 0; ++importDescriptor)
{
string libraryName = Marshal.PtrToStringAnsi((IntPtr)(localImage + importDescriptor->Name));
// RECODE THIS, THIS IS STUPID & DANGEROUS
// I AM ONLY DOING THIS BECAUSE OF API-SET DLLS
// I COULDNT BE ARSED TO MAKE A PINVOKE FOR ApiSetResolveToHost
ulong localLibraryHandle = (ulong)WinAPI.LoadLibrary(libraryName);
libraryName = GetModuleBaseName(WinAPI.GetCurrentProcess(), localLibraryHandle)
.ToLower();
// IF WE MAPPED DEPENDENCY EARLIER, WE SHOULD USE RVA
// INSTEAD OF STATIC MEMORY ADDRESS
bool mappedDependency = MappedModules.TryGetValue(libraryName, out ulong remoteLibraryHandle);
bool linkedInProcess = LinkedModules.TryGetValue(libraryName, out remoteLibraryHandle);
if (!mappedDependency && !linkedInProcess) // DEPENDENCY NOT FOUND, MAP IT!
{
string dependencyPath = Exts.FindDll(libraryName);
// SKIP IF DEPENDENCY COULDN'T BE FOUND
if (dependencyPath == null)
{
continue;
}
// [8:44 PM] markhc: i had something similar
// [8:44 PM] markhc: it was deep inside CRT initialization(edited)
// [8:45 PM] Ch40zz: how did you fix it?
// [8:46 PM] markhc: i didnt fix it
// [8:46 PM] markhc: i thought it was something wrong with my manual mapper code, but i couldnt figure out what was it
// [8:46 PM] markhc: so i threw it all away
if (libraryName == "msvcp140.dll")
{
//var tempOptions = Options;
//tempOptions.EraseHeaders = false;
//new LoadLibraryInjection(TargetProcess, TypeOfExecution, tempOptions).InjectImage(
// dependencyPath);
InjectDependency(dependencyPath);
--importDescriptor;
continue;
}
remoteLibraryHandle = MapImage(libraryName, File.ReadAllBytes(dependencyPath));
mappedDependency = true;
}
ulong *functionAddress = (ulong *)(localImage + importDescriptor->FirstThunk);
ulong *importEntry = (ulong *)(localImage + importDescriptor->Characteristics);
do
{
ulong procNamePointer = *importEntry < 0x8000000000000000 /*IMAGE_ORDINAL_FLAG64*/
? // IS ORDINAL?
localImage + *importEntry + sizeof(ushort) /*SKIP HINT*/
: // FUNCTION BY NAME
*importEntry & 0xFFFF; // ORDINAL
var localFunctionPointer = (ulong)WinAPI.GetProcAddress((IntPtr)localLibraryHandle, (uint)procNamePointer);
var rva = localFunctionPointer - localLibraryHandle;
// SET NEW FUNCTION POINTER
*functionAddress = mappedDependency ? remoteLibraryHandle + rva : localFunctionPointer;
// GET NEXT ENTRY
++functionAddress;
++importEntry;
} while (*importEntry > 0);
}
}
}