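/// <summary>
/// Builds a ModuleInfo for a module loaded in a process. Reads the version resource of the file on disk,
/// has PopulateHeaderStructs parse its headers, and records the mitigation-related properties
/// (ASLR, NX compatibility, SafeSEH, rebase state) derived from those headers.
/// Exceptions raised in the body are caught, logged through an ErcResult and reported via ModuleFailed.
/// </summary>
/// <param name="module">File path of the module.</param>
/// <param name="ptr">Address the module is loaded at; stored as ModuleBase and compared with the preferred image base.</param>
/// <param name="process">Process in which the module is loaded.</param>
/// <param name="core">ErcCore object, also used for error logging.</param>
internal unsafe ModuleInfo(string module, IntPtr ptr, Process process, ErcCore core)
{
    // DllCharacteristics bits of the PE optional header (bit 6 and bit 8 in the original bit walk).
    const int DynamicBaseFlag = 0x0040; // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
    const int NxCompatFlag = 0x0100;    // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)

    FileStream file = null;
    try
    {
        ModuleCore = core;
        ModuleProcess = process;

        // Read the version resource once instead of re-parsing the file for every property.
        FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(module);
        ModuleName = versionInfo.InternalName;
        ModulePath = versionInfo.FileName;
        ModuleBase = ptr;

        FileInfo fileInfo = new FileInfo(ModulePath);
        file = fileInfo.Open(FileMode.Open, FileAccess.Read, FileShare.Read);
        PopulateHeaderStructs(file);

        string fileVersion = versionInfo.FileVersion;
        if (!string.IsNullOrEmpty(fileVersion))
        {
            ModuleVersion = fileVersion.Split(' ')[0];
        }
        else
        {
            ModuleVersion = "";
        }
        ModuleProduct = versionInfo.ProductName;

        if (ModuleMachineType == MachineType.I386)
        {
            ModuleEntry = (IntPtr)ImageOptionalHeader32.AddressOfEntryPoint;
            ModuleSize = (int)ImageOptionalHeader32.SizeOfImage;
            ModuleImageBase = (IntPtr)ImageOptionalHeader32.ImageBase;

            // Fix: the previous per-bit loop reset both flags on every iteration where the index did not
            // match, so 32-bit modules were always reported without ASLR and without NX compatibility.
            ModuleASLR = (ImageOptionalHeader32.DllCharacteristics & DynamicBaseFlag) != 0;
            ModuleNXCompat = (ImageOptionalHeader32.DllCharacteristics & NxCompatFlag) != 0;

            PopulateConfigStruct();
            // An empty SE handler table in the load configuration is treated as "no SafeSEH".
            ModuleSafeSEH = !(ImageConfigDir32.SEHandlerCount == 0 && ImageConfigDir32.SEHandlerTable == 0);
        }
        else if (ModuleMachineType == MachineType.x64)
        {
            ModuleEntry = (IntPtr)ImageOptionalHeader64.AddressOfEntryPoint;
            ModuleSize = (int)ImageOptionalHeader64.SizeOfImage;
            ModuleImageBase = (IntPtr)ImageOptionalHeader64.ImageBase;

            ModuleASLR = (ImageOptionalHeader64.DllCharacteristics & DynamicBaseFlag) != 0;
            ModuleNXCompat = (ImageOptionalHeader64.DllCharacteristics & NxCompatFlag) != 0;

            PopulateConfigStruct();
            // NOTE(review): SafeSEH is an x86 mechanism; for x64 images this value only says whether the
            // SE handler fields of the load configuration are non-zero. Confirm how consumers read it.
            ModuleSafeSEH = !(ImageConfigDir64.SEHandlerCount == 0 && ImageConfigDir64.SEHandlerTable == 0);
        }
        else
        {
            ModuleFailed = true;
            throw new ERCException("Unsupported machine type: " + ModuleMachineType.ToString());
        }

        // ProductName comes from the file's own version resource, which any binary can set.
        // Treat ModuleOsDll as a hint, not as proof that the module is a genuine OS component.
        ModuleOsDll = ModuleProduct == "Microsoft® Windows® Operating System";

        // Loaded somewhere other than the preferred image base means the module was rebased.
        ModuleRebase = ModuleImageBase != ptr;
    }
    catch (Exception e)
    {
        ErcResult<Exception> ExceptionLogger = new ErcResult<Exception>(ModuleCore);
        ExceptionLogger.Error = e;
        ExceptionLogger.LogEvent();
        ModuleFailed = true;
    }
    finally
    {
        // Fix: the stream was never released, leaking a file handle per module.
        // Disposed only here so every header/config read above has finished; disposing twice is harmless
        // if PopulateHeaderStructs already closed it.
        if (file != null)
        {
            file.Dispose();
        }
    }
}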
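/// <summary>
/// Builds a ModuleInfo for a module loaded in a process. Reads the version resource of the file on disk,
/// has PopulateHeaderStructs parse its headers, records the mitigation-related properties
/// (ASLR, NX compatibility, SafeSEH, rebase state) derived from those headers, and queries the target
/// process for the allocation protection of the region at the module base.
/// Exceptions raised in the body are caught, logged through an ErcResult and reported via ModuleFailed.
/// </summary>
/// <param name="module">File path of the module.</param>
/// <param name="ptr">Address the module is loaded at; stored as ModuleBase and compared with the preferred image base.</param>
/// <param name="process">Process in which the module is loaded; its handle is used for the memory query.</param>
/// <param name="core">ErcCore object, also used for error logging.</param>
internal unsafe ModuleInfo(string module, IntPtr ptr, Process process, ErcCore core)
{
    // DllCharacteristics bits of the PE optional header (bit 6 and bit 8 in the original bit walk).
    const int DynamicBaseFlag = 0x0040; // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
    const int NxCompatFlag = 0x0100;    // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)

    FileStream file = null;
    try
    {
        ModuleCore = core;
        ModuleProcess = process;

        // Read the version resource once instead of re-parsing the file for every property.
        FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(module);
        ModuleName = versionInfo.InternalName;
        ModulePath = versionInfo.FileName;
        ModuleBase = ptr;

        FileInfo fileInfo = new FileInfo(ModulePath);
        file = fileInfo.Open(FileMode.Open, FileAccess.Read, FileShare.Read);
        PopulateHeaderStructs(file);

        string fileVersion = versionInfo.FileVersion;
        if (!string.IsNullOrEmpty(fileVersion))
        {
            ModuleVersion = fileVersion.Split(' ')[0];
        }
        else
        {
            ModuleVersion = "";
        }
        ModuleProduct = versionInfo.ProductName;

        if (ModuleMachineType == MachineType.I386)
        {
            ModuleEntry = (IntPtr)ImageOptionalHeader32.AddressOfEntryPoint;
            ModuleSize = (int)ImageOptionalHeader32.SizeOfImage;
            ModuleImageBase = (IntPtr)ImageOptionalHeader32.ImageBase;

            // Fix: the previous per-bit loop reset both flags on every iteration where the index did not
            // match, so 32-bit modules were always reported without ASLR and without NX compatibility.
            ModuleASLR = (ImageOptionalHeader32.DllCharacteristics & DynamicBaseFlag) != 0;
            ModuleNXCompat = (ImageOptionalHeader32.DllCharacteristics & NxCompatFlag) != 0;

            PopulateConfigStruct();
            // An empty SE handler table in the load configuration is treated as "no SafeSEH".
            ModuleSafeSEH = !(ImageConfigDir32.SEHandlerCount == 0 && ImageConfigDir32.SEHandlerTable == 0);
        }
        else if (ModuleMachineType == MachineType.x64)
        {
            ModuleEntry = (IntPtr)ImageOptionalHeader64.AddressOfEntryPoint;
            ModuleSize = (int)ImageOptionalHeader64.SizeOfImage;
            ModuleImageBase = (IntPtr)ImageOptionalHeader64.ImageBase;

            ModuleASLR = (ImageOptionalHeader64.DllCharacteristics & DynamicBaseFlag) != 0;
            ModuleNXCompat = (ImageOptionalHeader64.DllCharacteristics & NxCompatFlag) != 0;

            PopulateConfigStruct();
            // NOTE(review): SafeSEH is an x86 mechanism; for x64 images this value only says whether the
            // SE handler fields of the load configuration are non-zero. Confirm how consumers read it.
            ModuleSafeSEH = !(ImageConfigDir64.SEHandlerCount == 0 && ImageConfigDir64.SEHandlerTable == 0);
        }
        else
        {
            ModuleFailed = true;
            throw new ERCException("Unsupported machine type: " + ModuleMachineType.ToString());
        }

        // ProductName comes from the file's own version resource, which any binary can set.
        // Treat ModuleOsDll as a hint, not as proof that the module is a genuine OS component.
        ModuleOsDll = ModuleProduct == "Microsoft® Windows® Operating System";

        // Loaded somewhere other than the preferred image base means the module was rebased.
        ModuleRebase = ModuleImageBase != ptr;

        // Fix: the previous code kept walking regions upward from the module base to 0x7fffffff and
        // overwrote ModuleProtection on every step, so the stored value described whichever region was
        // queried last rather than this module. It also ignored the VirtualQueryEx result, so a failed
        // query stored the contents of an unfilled structure. Only the region at ModuleBase is queried now,
        // and the value is stored only when the call reports success (non-zero return).
        long address = (long)ModuleBase;
        if (!ProcessInfo.Is64Bit(process))
        {
            ERC.Structures.MEMORY_BASIC_INFORMATION32 m;
            int result = ErcCore.VirtualQueryEx32(ModuleProcess.Handle, (IntPtr)address, out m, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION32)));
            if (result != 0)
            {
                ModuleProtection = m.AllocationProtect;
            }
        }
        else
        {
            ERC.Structures.MEMORY_BASIC_INFORMATION64 m;
            int result = ErcCore.VirtualQueryEx64(ModuleProcess.Handle, (IntPtr)address, out m, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION64)));
            if (result != 0)
            {
                ModuleProtection = m.AllocationProtect;
            }
        }
    }
    catch (Exception e)
    {
        ErcResult<Exception> ExceptionLogger = new ErcResult<Exception>(ModuleCore);
        ExceptionLogger.Error = e;
        ExceptionLogger.LogEvent();
        ModuleFailed = true;
    }
    finally
    {
        // Fix: the stream was never released, leaking a file handle per module.
        // Disposed only here so every header/config read above has finished; disposing twice is harmless
        // if PopulateHeaderStructs already closed it.
        if (file != null)
        {
            file.Dispose();
        }
    }
}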