public static bool GetImageNTHeaders(
IntPtr PEBaseAddr,
out IntPtr ImageNTHeadersAddr,
out _IMAGE_NT_HEADERS ImageNTHeaders)
{
ImageNTHeaders = new _IMAGE_NT_HEADERS();
ImageNTHeadersAddr = IntPtr.Zero;
_IMAGE_DOS_HEADER ImageDOSHeader = (_IMAGE_DOS_HEADER)Marshal.PtrToStructure(PEBaseAddr, typeof(_IMAGE_DOS_HEADER));
ImageNTHeadersAddr = new IntPtr(PEBaseAddr.ToInt32() + ImageDOSHeader._lfanew);
if (IsBadReadPtr(
ImageNTHeadersAddr,
(uint)Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS))))
{
return(false);
}
ImageNTHeaders = (_IMAGE_NT_HEADERS)Marshal.PtrToStructure(
ImageNTHeadersAddr,
typeof(_IMAGE_NT_HEADERS));
return(ImageNTHeaders.Signature == IMAGE_NT_SIGNATURE ? true : false);
}
public static bool GetCor20Header(
IntPtr PEBaseAddr,
IntPtr ImageNTHeadersAddr,
_IMAGE_NT_HEADERS ImageNTHeaders,
out _IMAGE_COR20_HEADER ImageCor20Header)
{
ImageCor20Header = new _IMAGE_COR20_HEADER();
IntPtr LastRvaSection = IntPtr.Zero;
IntPtr ImageCor20HeaderPtr = ImageRvaToVa(
ImageNTHeadersAddr,
PEBaseAddr,
ImageNTHeaders.OptionalHeader.ComDescriptorDirectory.VirtualAddress,
LastRvaSection);
if (IsBadReadPtr(
ImageCor20HeaderPtr,
(uint)Marshal.SizeOf(typeof(_IMAGE_COR20_HEADER))))
{
return(false);
}
ImageCor20Header = (_IMAGE_COR20_HEADER)Marshal.PtrToStructure(
ImageCor20HeaderPtr,
typeof(_IMAGE_COR20_HEADER));
return(true);
}
public static bool GetExportDirectory(
IntPtr PEBaseAddr,
IntPtr ImageNTHeadersAddr,
_IMAGE_NT_HEADERS ImageNTHeaders,
out _IMAGE_EXPORT_DIRECTORY ImageExportDir)
{
ImageExportDir = new _IMAGE_EXPORT_DIRECTORY();
IntPtr LastRvaSection = IntPtr.Zero;
IntPtr ImageExportDirPtr = ImageRvaToVa(
ImageNTHeadersAddr,
PEBaseAddr,
ImageNTHeaders.OptionalHeader.ExportDirectory.VirtualAddress,
LastRvaSection);
if (IsBadReadPtr(
ImageExportDirPtr,
(uint)Marshal.SizeOf(typeof(_IMAGE_EXPORT_DIRECTORY))))
{
return(false);
}
ImageExportDir = (_IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(
ImageExportDirPtr,
typeof(_IMAGE_EXPORT_DIRECTORY));
return(true);
}
public static bool GetExportedMethodsNames(
IntPtr PEBaseAddr,
IntPtr ImageNTHeadersAddr,
_IMAGE_NT_HEADERS ImageNTHeaders,
out string[] ExportedMethodsNames)
{
ExportedMethodsNames = new string[] {};
_IMAGE_EXPORT_DIRECTORY ImageExportDir = new _IMAGE_EXPORT_DIRECTORY();
IntPtr LastRvaSection = IntPtr.Zero;
IntPtr ImageExportDirPtr = ImageRvaToVa(
ImageNTHeadersAddr,
PEBaseAddr,
ImageNTHeaders.OptionalHeader.ExportDirectory.VirtualAddress,
LastRvaSection);
if (IsBadReadPtr(
ImageExportDirPtr,
(uint)Marshal.SizeOf(typeof(_IMAGE_EXPORT_DIRECTORY))))
{
return(false);
}
ImageExportDir = (_IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(
ImageExportDirPtr,
typeof(_IMAGE_EXPORT_DIRECTORY));
IntPtr TempPtr = ImageRvaToVa(
ImageNTHeadersAddr,
PEBaseAddr,
(uint)ImageExportDir.AddressOfNames,
LastRvaSection);
if (TempPtr == IntPtr.Zero)
{
return(false);
}
ArrayList oMethodsNames = new ArrayList();
IntPtr StringPtr;
string sMethodName;
for (int i = 0; i < ImageExportDir.NumberOfNames; i++)
{
if (TempPtr == IntPtr.Zero)
{
continue;
}
StringPtr = ImageRvaToVa(
ImageNTHeadersAddr,
PEBaseAddr,
(uint)Marshal.ReadInt32(TempPtr),
LastRvaSection);
sMethodName = Marshal.PtrToStringAnsi(StringPtr);
if (sMethodName != String.Empty)
{
oMethodsNames.Add(sMethodName);
}
TempPtr = new IntPtr(TempPtr.ToInt32() + Marshal.SizeOf(typeof(IntPtr)));
}
ExportedMethodsNames = (string[])oMethodsNames.ToArray(typeof(string));
return(true);
}