private void LoadExports(LOADED_IMAGE loadedImage)
{
var hMod = (void *)loadedImage.MappedAddress;
if (hMod != null)
{
uint size;
IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)ImageDirectoryEntryToData((void *)loadedImage.MappedAddress, false, IMAGE_DIRECTORY_ENTRY_EXPORT, out size);
if (pExportDir != null)
{
uint *pFuncNames = (uint *)RvaToVa(loadedImage, pExportDir->AddressOfNames);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
{
uint funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
{
char * funcName = (char *)RvaToVa(loadedImage, funcNameRva);
string name = Marshal.PtrToStringAnsi((IntPtr)funcName);
Exports.Add(name);
}
}
}
}
}
private void LoadImports(LOADED_IMAGE loadedImage)
{
var hMod = (void *)loadedImage.MappedAddress;
if (hMod != null)
{
Console.WriteLine("Got handle");
uint size;
var pImportDir =
(IMAGE_IMPORT_DESCRIPTOR *)
ImageDirectoryEntryToData(hMod, false, IMAGE_DIRECTORY_ENTRY_IMPORT, out size);
if (pImportDir != null)
{
while (pImportDir->OriginalFirstThunk != 0)
{
try
{
var szName = (char *)RvaToVa(loadedImage, pImportDir->Name);
string name = Marshal.PtrToStringAnsi((IntPtr)szName);
Imports.Add(name, new SortedList <string, IntPtr>());
var pThunkOrg = (THUNK_DATA *)RvaToVa(loadedImage, pImportDir->OriginalFirstThunk);
while (pThunkOrg->AddressOfData != IntPtr.Zero)
{
uint ord;
if ((pThunkOrg->Ordinal & 0x80000000) > 0)
{
ord = pThunkOrg->Ordinal & 0xffff;
}
else
{
IMAGE_IMPORT_BY_NAME *pImageByName = (IMAGE_IMPORT_BY_NAME *)RvaToVa(loadedImage, pThunkOrg->AddressOfData);
if (!IsBadReadPtr(pImageByName, (uint)sizeof(IMAGE_IMPORT_BY_NAME)))
{
ord = pImageByName->Hint;
var szImportName = pImageByName->Name;
string sImportName = Marshal.PtrToStringAnsi((IntPtr)szImportName);
string logzor = String.Format("imports ({0}).{1}@{2} - Address: {3}", name, sImportName, ord, pThunkOrg->Function);
IntPtr ModuleHandle = GetModuleHandle(name);
UIntPtr addr = GetProcAddress(ModuleHandle, sImportName);
Imports[name].Add(sImportName, new IntPtr(pThunkOrg->Function + 0x400000));
}
else
{
break;
}
}
pThunkOrg++;
}
}
catch (AccessViolationException e)
{
}
pImportDir++;
}
}
}
}
private static IntPtr RvaToVa(LOADED_IMAGE loadedImage, IntPtr rva)
{
return(RvaToVa(loadedImage, (uint)(rva.ToInt32())));
}
private static IntPtr RvaToVa(LOADED_IMAGE loadedImage, uint rva)
{
return(ImageRvaToVa(loadedImage.FileHeader, loadedImage.MappedAddress, rva, IntPtr.Zero));
}
public static extern bool MapAndLoad(string imageName, string dllPath, out LOADED_IMAGE loadedImage, bool dotDll, bool readOnly);