// Token: 0x06000353 RID: 851 RVA: 0x01038F04 File Offset: 0x01037104
private static void smethod_7(GClass8 gclass8_0, IntPtr intptr_7, IntPtr intptr_8)
{
foreach (GStruct14 gstruct in gclass8_0.method_9())
{
byte[] array = new byte[gstruct.SizeOfRawData];
if (!gclass8_0.method_2((long)((ulong)gstruct.PointerToRawData), SeekOrigin.Begin, array))
{
throw gclass8_0.vmethod_1();
}
if ((gstruct.Characteristics & 33554432u) == 0u)
{
uint num;
GClass5.WriteProcessMemory(intptr_7, intptr_8.smethod_0((long)((ulong)gstruct.VirtualAddress)), array, array.Length, out num);
IntPtr intPtr = intptr_8.smethod_0((long)((ulong)gstruct.VirtualAddress));
GClass5.VirtualProtectEx(intptr_7, intPtr, gstruct.SizeOfRawData, gstruct.Characteristics & 16777215u, out num);
}
}
}
// Token: 0x06000356 RID: 854 RVA: 0x0103930C File Offset: 0x0103750C
public override bool \u200E\u206C\u202E\u202D\u200C\u202E\u206B\u202C\u206D\u202E\u206C\u202B\u206E\u200B\u202C\u206D\u200D\u200D\u202C\u206F\u202D\u200D\u202C\u202C\u206D\u200E\u200B\u206A\u200E\u206B\u200E\u200B\u206A\u206A\u202D\u202C\u200E\u202E\u202A\u200E\u202E(IntPtr intptr_7, IntPtr intptr_8)
{
this.vmethod_0();
if (intptr_7.smethod_4())
{
throw new ArgumentNullException("hModule", "Invalid module handle");
}
if (!intptr_8.smethod_4() && !intptr_8.smethod_2(-1L))
{
IntPtr intPtr = IntPtr.Zero;
uint num = 0u;
try
{
uint num2 = Class7.smethod_2(intptr_8, intptr_7);
if (num2 == 0u)
{
return(GClass5.VirtualFreeEx(intptr_8, intptr_7, 0, 32768));
}
byte[] array = (byte[])Class7.byte_0.Clone();
BitConverter.GetBytes(intptr_7.ToInt32()).CopyTo(array, 11);
BitConverter.GetBytes(0u).CopyTo(array, 6);
BitConverter.GetBytes(1000u).CopyTo(array, 1);
intPtr = GClass5.VirtualAllocEx(intptr_8, IntPtr.Zero, (uint)Class7.byte_0.Length, 12288, 64);
if (intPtr.smethod_4() || !GClass5.WriteProcessMemory(intptr_8, intPtr, array, array.Length, out num) || (ulong)num != (ulong)((long)array.Length))
{
throw new InvalidOperationException("Unable to write stub to the remote process.");
}
IntPtr intPtr2 = GClass5.CreateRemoteThread(intptr_8, 0, 0, intPtr, (uint)intptr_7.smethod_0((long)((ulong)num2)).ToInt32(), 0, 0);
if ((ulong)GClass5.WaitForSingleObject(intPtr2, 5000) == 0UL)
{
GClass5.VirtualFreeEx(intptr_8, intPtr, 0, 32768);
GClass5.CloseHandle(intPtr2);
return(GClass5.VirtualFreeEx(intptr_8, intptr_7, 0, 32768));
}
return(false);
}
catch (Exception exception_)
{
this.vmethod_2(exception_);
return(false);
}
}
throw new ArgumentException("Invalid process handle.", "hProcess");
}
// Token: 0x06000270 RID: 624 RVA: 0x01036860 File Offset: 0x01034A60
public static IntPtr smethod_0(IntPtr intptr_0, byte[] byte_0, int int_0)
{
IntPtr intPtr = IntPtr.Zero;
if (byte_0 != null && intptr_0 != IntPtr.Zero)
{
intPtr = GClass5.VirtualAllocEx(intptr_0, IntPtr.Zero, (uint)byte_0.Length, 12288, int_0);
uint num = 0u;
if (intPtr != IntPtr.Zero && GClass5.WriteProcessMemory(intptr_0, intPtr, byte_0, byte_0.Length, out num) && (ulong)num == (ulong)((long)byte_0.Length))
{
return(intPtr);
}
if (intPtr != IntPtr.Zero)
{
GClass5.VirtualFreeEx(intptr_0, intPtr, 0, 32768);
intPtr = IntPtr.Zero;
}
}
return(intPtr);
}
// Token: 0x0600009E RID: 158 RVA: 0x0000AAB8 File Offset: 0x00008CB8
public void method_11(IntPtr intptr_2, byte[] byte_0)
{
if (this.intptr_0 == IntPtr.Zero)
{
throw new InvalidOperationException("Cannot write process memory at " + intptr_2.ToString() + ". No process loaded.");
}
if (intptr_2 == IntPtr.Zero)
{
throw new ArgumentOutOfRangeException("Cannot write process memory. Invalid memory address.");
}
if (byte_0.Length < 1)
{
throw new ArgumentOutOfRangeException("Cannot write process memory of size " + byte_0.Length.ToString() + ".");
}
int num;
if (!GClass5.WriteProcessMemory(this.intptr_0, intptr_2, byte_0, byte_0.Length, out num))
{
throw new Exception("Failed to write process memory at " + intptr_2.ToString() + ". Error code: " + Marshal.GetLastWin32Error().ToString());
}
}
// Token: 0x06000380 RID: 896 RVA: 0x01039644 File Offset: 0x01037844
protected virtual IntPtr vmethod_10(string[] string_0, IntPtr intptr_0, out IntPtr intptr_1, uint uint_0 = 0u)
{
intptr_1 = IntPtr.Zero;
IntPtr intPtr = IntPtr.Zero;
IntPtr result;
try
{
IntPtr moduleHandleA = GClass5.GetModuleHandleA("kernel32.dll");
IntPtr procAddress = GClass5.GetProcAddress(moduleHandleA, "LoadLibraryA");
IntPtr procAddress2 = GClass5.GetProcAddress(moduleHandleA, "GetModuleHandleA");
if (!procAddress.smethod_4() && !procAddress2.smethod_4())
{
intptr_1 = GClass5.VirtualAllocEx(intptr_0, IntPtr.Zero, (uint)((uint)string_0.Length << 2), 12288, 4);
IntPtr intPtr2 = GClass5.smethod_0(intptr_0, Encoding.ASCII.GetBytes(string.Join("\0", string_0) + "\0"), 4);
if (!intptr_1.smethod_4() && !intPtr2.smethod_4())
{
try
{
uint num = 0u;
byte[] array = new byte[string_0.Length << 2];
for (int i = 0; i < array.Length >> 2; i++)
{
BitConverter.GetBytes(uint_0).CopyTo(array, i << 2);
}
GClass5.WriteProcessMemory(intptr_0, intptr_1, array, array.Length, out num);
byte[] array2 = (byte[])Class8.byte_0.Clone();
intPtr = GClass5.VirtualAllocEx(intptr_0, IntPtr.Zero, (uint)array2.Length, 12288, 64);
if (intPtr.smethod_4())
{
throw new InvalidOperationException("Unable to allocate memory in the remote process");
}
BitConverter.GetBytes(intPtr2.ToInt32()).CopyTo(array2, 7);
BitConverter.GetBytes(string_0.Length).CopyTo(array2, 15);
BitConverter.GetBytes(intptr_1.ToInt32()).CopyTo(array2, 24);
BitConverter.GetBytes(procAddress2.smethod_7(intPtr.smethod_0(56L)).ToInt32()).CopyTo(array2, 52);
BitConverter.GetBytes(procAddress.smethod_7(intPtr.smethod_0(69L)).ToInt32()).CopyTo(array2, 65);
if (GClass5.WriteProcessMemory(intptr_0, intPtr, array2, array2.Length, out num) && (ulong)num == (ulong)((long)array2.Length))
{
result = intPtr;
goto IL_231;
}
throw new Exception("Error creating the remote function stub.");
}
finally
{
GClass5.VirtualFreeEx(intptr_0, intptr_1, 0, 32768);
GClass5.VirtualFreeEx(intptr_0, intPtr2, 0, 32768);
if (!intPtr.smethod_4())
{
GClass5.VirtualFreeEx(intptr_0, intPtr, 0, 32768);
}
intptr_1 = IntPtr.Zero;
}
goto IL_21B;
IL_231:
return(result);
}
IL_21B:
throw new InvalidOperationException("Unable to allocate memory in the remote process");
}
throw new Exception("Unable to find necessary function entry points in the remote process");
}
catch (Exception exception_)
{
this.vmethod_2(exception_);
result = IntPtr.Zero;
}
return(result);
}
// Token: 0x06000384 RID: 900 RVA: 0x010399F8 File Offset: 0x01037BF8
public override bool[] \u202B\u200E\u206C\u200C\u202C\u200F\u202C\u206C\u202D\u200F\u206B\u200B\u200B\u206E\u200D\u200C\u206C\u200C\u206F\u206E\u206D\u200C\u200B\u202C\u200B\u202D\u202C\u206B\u206B\u206D\u202E\u202B\u202D\u200C\u206D\u206D\u206D\u202A\u202D\u206C\u202E(IntPtr[] intptr_0, IntPtr intptr_1)
{
this.vmethod_0();
IntPtr intPtr = IntPtr.Zero;
IntPtr intPtr2 = IntPtr.Zero;
IntPtr intPtr3 = IntPtr.Zero;
bool[] result;
try
{
uint num = 0u;
IntPtr procAddress = GClass5.GetProcAddress(GClass5.GetModuleHandleA("kernel32.dll"), "FreeLibrary");
if (procAddress.smethod_4())
{
throw new Exception("Unable to find necessary function entry points in the remote process");
}
intPtr = GClass5.VirtualAllocEx(intptr_1, IntPtr.Zero, (uint)((uint)intptr_0.Length << 2), 12288, 4);
intPtr2 = GClass5.VirtualAllocEx(intptr_1, IntPtr.Zero, (uint)((uint)(intptr_0.Length + 1) << 2), 12288, 4);
intPtr3 = GClass5.VirtualAllocEx(intptr_1, IntPtr.Zero, (uint)Class8.byte_1.Length, 12288, 64);
if (!intPtr.smethod_4() && !intPtr2.smethod_4() && !intPtr3.smethod_4())
{
byte[] array = new byte[intptr_0.Length + 1 << 2];
for (int i = 0; i < intptr_0.Length; i++)
{
BitConverter.GetBytes(intptr_0[i].ToInt32()).CopyTo(array, i << 2);
}
GClass5.WriteProcessMemory(intptr_1, intPtr2, array, array.Length, out num);
byte[] array2 = (byte[])Class8.byte_1.Clone();
BitConverter.GetBytes(intPtr2.ToInt32()).CopyTo(array2, 7);
BitConverter.GetBytes(intPtr.ToInt32()).CopyTo(array2, 15);
BitConverter.GetBytes(procAddress.smethod_7(intPtr3.smethod_0(56L)).ToInt32()).CopyTo(array2, 52);
if (GClass5.WriteProcessMemory(intptr_1, intPtr3, array2, array2.Length, out num))
{
if ((ulong)num == (ulong)((long)array2.Length))
{
if (GClass5.smethod_7(intptr_1, intPtr3, 0u, 1000) == 4294967295u)
{
throw new InvalidOperationException("Error occurred when running remote function stub.");
}
byte[] array3 = GClass5.smethod_4(intptr_1, intPtr, (uint)((uint)intptr_0.Length << 2));
if (array3 == null)
{
throw new Exception("Unable to read results from the remote process.");
}
bool[] array4 = new bool[intptr_0.Length];
for (int i = 0; i < array4.Length; i++)
{
array4[i] = (BitConverter.ToInt32(array3, i << 2) != 0);
}
return(array4);
}
}
throw new InvalidOperationException("Unable to write the function stub to the remote process.");
}
throw new InvalidOperationException("Unable to allocate memory in the remote process");
}
catch (Exception exception_)
{
this.vmethod_2(exception_);
result = null;
}
finally
{
GClass5.VirtualFreeEx(intptr_1, intPtr3, 0, 32768);
GClass5.VirtualFreeEx(intptr_1, intPtr, 0, 32768);
GClass5.VirtualFreeEx(intptr_1, intPtr2, 0, 32768);
}
return(result);
}
// Token: 0x06000352 RID: 850 RVA: 0x01038C54 File Offset: 0x01036E54
private static IntPtr smethod_6(GClass8 gclass8_0, IntPtr intptr_7, bool bool_0 = false)
{
if (intptr_7.smethod_4() || intptr_7.smethod_2(-1L))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
if (gclass8_0 == null)
{
throw new ArgumentException("Cannot map a non-existant PE Image.", "image");
}
int processId = GClass5.GetProcessId(intptr_7);
if (processId == 0)
{
throw new ArgumentException("Provided handle doesn't have sufficient permissions to inject", "hProcess");
}
IntPtr intPtr = IntPtr.Zero;
IntPtr intPtr2 = IntPtr.Zero;
uint num = 0u;
try
{
intPtr = GClass5.VirtualAllocEx(intptr_7, IntPtr.Zero, gclass8_0.GStruct9_0.OptionalHeader.SizeOfImage, 12288, 4);
if (intPtr.smethod_4())
{
throw new InvalidOperationException("Unable to allocate memory in the remote process.");
}
Class7.smethod_9(gclass8_0, intPtr);
Class7.smethod_5(gclass8_0, intptr_7, processId);
Class7.smethod_8(gclass8_0, intptr_7, processId);
if (bool_0)
{
byte[] array = new byte[(ulong)gclass8_0.GStruct6_0.e_lfanew + (ulong)((long)Marshal.SizeOf(typeof(GStruct7))) + 4UL + (ulong)gclass8_0.GStruct9_0.FileHeader.SizeOfOptionalHeader];
if (gclass8_0.method_2(0L, SeekOrigin.Begin, array))
{
GClass5.WriteProcessMemory(intptr_7, intPtr, array, array.Length, out num);
}
}
Class7.smethod_7(gclass8_0, intptr_7, intPtr);
if (gclass8_0.GStruct9_0.OptionalHeader.AddressOfEntryPoint <= 0u)
{
return(intPtr);
}
byte[] array2 = (byte[])Class7.byte_0.Clone();
BitConverter.GetBytes(intPtr.ToInt32()).CopyTo(array2, 11);
intPtr2 = GClass5.VirtualAllocEx(intptr_7, IntPtr.Zero, (uint)Class7.byte_0.Length, 12288, 64);
if (!intPtr2.smethod_4() && GClass5.WriteProcessMemory(intptr_7, intPtr2, array2, array2.Length, out num))
{
if ((ulong)num == (ulong)((long)array2.Length))
{
IntPtr intPtr3 = GClass5.CreateRemoteThread(intptr_7, 0, 0, intPtr2, (uint)intPtr.smethod_0((long)((ulong)gclass8_0.GStruct9_0.OptionalHeader.AddressOfEntryPoint)).ToInt32(), 0, 0);
if ((ulong)GClass5.WaitForSingleObject(intPtr3, 5000) != 0UL)
{
return(intPtr);
}
GClass5.GetExitCodeThread(intPtr3, out num);
if (num == 0u)
{
GClass5.VirtualFreeEx(intptr_7, intPtr, 0, 32768);
throw new Exception("Entry method of module reported a failure " + Marshal.GetLastWin32Error().ToString());
}
GClass5.VirtualFreeEx(intptr_7, intPtr2, 0, 32768);
GClass5.CloseHandle(intPtr3);
return(intPtr);
}
}
throw new InvalidOperationException("Unable to write stub to the remote process.");
}
catch (Exception ex)
{
if (!intPtr.smethod_4())
{
GClass5.VirtualFreeEx(intptr_7, intPtr, 0, 32768);
}
if (!intPtr2.smethod_4())
{
GClass5.VirtualFreeEx(intptr_7, intPtr, 0, 32768);
}
intPtr = IntPtr.Zero;
throw ex;
}
return(intPtr);
}
// Token: 0x06000351 RID: 849 RVA: 0x0103888C File Offset: 0x01036A8C
private static bool smethod_5(GClass8 gclass8_0, IntPtr intptr_7, int int_0)
{
List <string> list = new List <string>();
string empty = string.Empty;
bool result = false;
foreach (GStruct8 gstruct in gclass8_0.method_8())
{
if (gclass8_0.method_4((long)((ulong)gclass8_0.method_11(gstruct.Name)), SeekOrigin.Begin, out empty, -1, null) && !string.IsNullOrEmpty(empty) && Class7.smethod_3(empty, int_0).smethod_4())
{
list.Add(empty);
}
}
if (list.Count > 0)
{
byte[] array = Class7.smethod_1(gclass8_0);
string text = string.Empty;
if (array != null)
{
text = GClass11.smethod_2(array);
}
else
{
if (string.IsNullOrEmpty(gclass8_0.String_0) || !File.Exists(Path.Combine(Path.GetDirectoryName(gclass8_0.String_0), Path.GetFileName(gclass8_0.String_0) + ".manifest")))
{
IntPtr[] array2 = GClass10.smethod_0(GEnum7.Standard).GClass10.\u200E\u206B\u200D\u202B\u200F\u206A\u206D\u200E\u200E\u206B\u206F\u202E\u200F\u200B\u206E\u202B\u206A\u200E\u206B\u206A\u206C\u202A\u206C\u202B\u206B\u206F\u206A\u200F\u206A\u200E\u202B\u200F\u200F\u200E\u200E\u200B\u200E\u202B\u206D\u202A\u202E(list.ToArray(), intptr_7);
for (int i = 0; i < array2.Length; i++)
{
if (array2[i].smethod_4())
{
return(false);
}
}
return(true);
}
text = Path.Combine(Path.GetDirectoryName(gclass8_0.String_0), Path.GetFileName(gclass8_0.String_0) + ".manifest");
}
if (string.IsNullOrEmpty(text))
{
return(false);
}
IntPtr intPtr = GClass5.VirtualAllocEx(intptr_7, IntPtr.Zero, (uint)Class7.byte_1.Length, 12288, 64);
IntPtr intPtr2 = GClass5.smethod_0(intptr_7, Encoding.ASCII.GetBytes(text + "\0"), 4);
IntPtr intPtr3 = GClass5.smethod_0(intptr_7, Encoding.ASCII.GetBytes(string.Join("\0", list.ToArray()) + "\0"), 4);
if (!intPtr.smethod_4())
{
byte[] array3 = (byte[])Class7.byte_1.Clone();
uint num = 0u;
BitConverter.GetBytes(Class7.intptr_1.smethod_7(intPtr.smethod_0(63L)).ToInt32()).CopyTo(array3, 59);
BitConverter.GetBytes(Class7.intptr_0.smethod_7(intPtr.smethod_0(88L)).ToInt32()).CopyTo(array3, 84);
BitConverter.GetBytes(Class7.intptr_3.smethod_7(intPtr.smethod_0(132L)).ToInt32()).CopyTo(array3, 128);
BitConverter.GetBytes(Class7.intptr_4.smethod_7(intPtr.smethod_0(146L)).ToInt32()).CopyTo(array3, 142);
BitConverter.GetBytes(Class7.intptr_2.smethod_7(intPtr.smethod_0(200L)).ToInt32()).CopyTo(array3, 196);
BitConverter.GetBytes(Class7.intptr_5.smethod_7(intPtr.smethod_0(209L)).ToInt32()).CopyTo(array3, 205);
BitConverter.GetBytes(intPtr2.ToInt32()).CopyTo(array3, 31);
BitConverter.GetBytes(list.Count).CopyTo(array3, 40);
BitConverter.GetBytes(intPtr3.ToInt32()).CopyTo(array3, 49);
if (GClass5.WriteProcessMemory(intptr_7, intPtr, array3, array3.Length, out num) && (ulong)num == (ulong)((long)array3.Length))
{
uint num2 = GClass5.smethod_7(intptr_7, intPtr, 0u, 5000);
result = (num2 != uint.MaxValue && num2 > 0u);
}
GClass5.VirtualFreeEx(intptr_7, intPtr3, 0, 32768);
GClass5.VirtualFreeEx(intptr_7, intPtr2, 0, 32768);
GClass5.VirtualFreeEx(intptr_7, intPtr, 0, 32768);
}
}
return(result);
}
