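        /// <summary>
        /// Constructor for the ModuleInfo object. Reads the version resource and the PE headers of the
        /// module on disk and records its load characteristics: entry point, image size, preferred
        /// image base, the ASLR / NX / SafeSEH mitigation flags and whether it was rebased.
        /// </summary>
        /// <param name="module">Filepath of the module</param>
        /// <param name="ptr">Handle to the module (its load address in <paramref name="process"/>)</param>
        /// <param name="process">Process where the module is loaded</param>
        /// <param name="core">An ErcCore object, used for logging</param>
        /// <remarks>
        /// Never throws: any failure (including an unsupported machine type) is logged through
        /// <see cref="ErcResult{T}"/> and <c>ModuleFailed</c> is set instead.
        /// </remarks>
        internal unsafe ModuleInfo(string module, IntPtr ptr, Process process, ErcCore core)
        {
            try
            {
                ModuleCore    = core;
                ModuleProcess = process;
                ModuleBase    = ptr;

                // Read the version resource once instead of re-parsing it for every field.
                FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(module);
                ModuleName    = versionInfo.InternalName;
                ModulePath    = versionInfo.FileName;
                ModuleProduct = versionInfo.ProductName;

                // FileVersion may carry trailing text after the number; keep only the first token.
                ModuleVersion = string.IsNullOrEmpty(versionInfo.FileVersion)
                    ? ""
                    : versionInfo.FileVersion.Split(' ')[0];

                // The stream is owned here, so close it once the headers have been parsed instead
                // of leaking the handle for the lifetime of the object.
                // NOTE(review): assumes PopulateHeaderStructs consumes the stream synchronously and
                // does not retain it — confirm before relying on the early close.
                FileInfo fileInfo = new FileInfo(ModulePath);
                using (FileStream file = fileInfo.Open(FileMode.Open, FileAccess.Read, FileShare.Read))
                {
                    PopulateHeaderStructs(file);
                }

                if (ModuleMachineType == MachineType.I386)
                {
                    ModuleEntry     = (IntPtr)ImageOptionalHeader32.AddressOfEntryPoint;
                    ModuleSize      = (int)ImageOptionalHeader32.SizeOfImage;
                    ModuleImageBase = (IntPtr)ImageOptionalHeader32.ImageBase;

                    // DllCharacteristics bit 6 = DYNAMIC_BASE (ASLR), bit 8 = NX_COMPAT (DEP).
                    // Read the two bits directly: the previous per-bit loop reset both flags to
                    // false on every non-matching index, so 32-bit modules were always reported
                    // as having neither mitigation.
                    BitArray bits  = new BitArray(BitConverter.GetBytes(ImageOptionalHeader32.DllCharacteristics));
                    ModuleASLR     = bits[6];
                    ModuleNXCompat = bits[8];

                    // SafeSEH is present only when the load config directory names a handler table.
                    PopulateConfigStruct();
                    ModuleSafeSEH = !(ImageConfigDir32.SEHandlerCount == 0 && ImageConfigDir32.SEHandlerTable == 0);
                }
                else if (ModuleMachineType == MachineType.x64)
                {
                    ModuleEntry     = (IntPtr)ImageOptionalHeader64.AddressOfEntryPoint;
                    ModuleSize      = (int)ImageOptionalHeader64.SizeOfImage;
                    ModuleImageBase = (IntPtr)ImageOptionalHeader64.ImageBase;

                    // Same DllCharacteristics bits as the 32-bit header.
                    BitArray bits  = new BitArray(BitConverter.GetBytes(ImageOptionalHeader64.DllCharacteristics));
                    ModuleASLR     = bits[6];
                    ModuleNXCompat = bits[8];

                    PopulateConfigStruct();
                    ModuleSafeSEH = !(ImageConfigDir64.SEHandlerCount == 0 && ImageConfigDir64.SEHandlerTable == 0);
                }
                else
                {
                    ModuleFailed = true;
                    throw new ERCException("Unsupported machine type: " + ModuleMachineType.ToString());
                }

                // The product name of the version resource identifies Windows' own binaries.
                ModuleOsDll = ModuleProduct == "Microsoft® Windows® Operating System";

                // The loader relocated the module if it is not at its preferred image base.
                ModuleRebase = ModuleImageBase != ptr;
            }
            catch (Exception e)
            {
                // Best effort: record the failure on the object and let the caller inspect ModuleFailed.
                ErcResult<Exception> exceptionLogger = new ErcResult<Exception>(ModuleCore);
                exceptionLogger.Error = e;
                exceptionLogger.LogEvent();
                ModuleFailed = true;
            }
        }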
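        /// <summary>
        /// Constructor for the ModuleInfo object. Reads the version resource and the PE headers of the
        /// module on disk, records its load characteristics (entry point, image size, preferred image
        /// base, ASLR / NX / SafeSEH flags, rebase status) and then queries the target process for
        /// the allocation protection of the memory starting at the module base.
        /// </summary>
        /// <param name="module">Filepath of the module</param>
        /// <param name="ptr">Handle to the module (its load address in <paramref name="process"/>)</param>
        /// <param name="process">Process where the module is loaded</param>
        /// <param name="core">An ErcCore object, used for logging</param>
        /// <remarks>
        /// Never throws: any failure (including an unsupported machine type) is logged through
        /// <see cref="ErcResult{T}"/> and <c>ModuleFailed</c> is set instead.
        /// </remarks>
        internal unsafe ModuleInfo(string module, IntPtr ptr, Process process, ErcCore core)
        {
            try
            {
                ModuleCore    = core;
                ModuleProcess = process;
                ModuleBase    = ptr;

                // Read the version resource once instead of re-parsing it for every field.
                FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(module);
                ModuleName    = versionInfo.InternalName;
                ModulePath    = versionInfo.FileName;
                ModuleProduct = versionInfo.ProductName;

                // FileVersion may carry trailing text after the number; keep only the first token.
                ModuleVersion = string.IsNullOrEmpty(versionInfo.FileVersion)
                    ? ""
                    : versionInfo.FileVersion.Split(' ')[0];

                // The stream is owned here, so close it once the headers have been parsed instead
                // of leaking the handle for the lifetime of the object.
                // NOTE(review): assumes PopulateHeaderStructs consumes the stream synchronously and
                // does not retain it — confirm before relying on the early close.
                FileInfo fileInfo = new FileInfo(ModulePath);
                using (FileStream file = fileInfo.Open(FileMode.Open, FileAccess.Read, FileShare.Read))
                {
                    PopulateHeaderStructs(file);
                }

                if (ModuleMachineType == MachineType.I386)
                {
                    ModuleEntry     = (IntPtr)ImageOptionalHeader32.AddressOfEntryPoint;
                    ModuleSize      = (int)ImageOptionalHeader32.SizeOfImage;
                    ModuleImageBase = (IntPtr)ImageOptionalHeader32.ImageBase;

                    // DllCharacteristics bit 6 = DYNAMIC_BASE (ASLR), bit 8 = NX_COMPAT (DEP).
                    // Read the two bits directly: the previous per-bit loop reset both flags to
                    // false on every non-matching index, so 32-bit modules were always reported
                    // as having neither mitigation.
                    BitArray bits  = new BitArray(BitConverter.GetBytes(ImageOptionalHeader32.DllCharacteristics));
                    ModuleASLR     = bits[6];
                    ModuleNXCompat = bits[8];

                    // SafeSEH is present only when the load config directory names a handler table.
                    PopulateConfigStruct();
                    ModuleSafeSEH = !(ImageConfigDir32.SEHandlerCount == 0 && ImageConfigDir32.SEHandlerTable == 0);
                }
                else if (ModuleMachineType == MachineType.x64)
                {
                    ModuleEntry     = (IntPtr)ImageOptionalHeader64.AddressOfEntryPoint;
                    ModuleSize      = (int)ImageOptionalHeader64.SizeOfImage;
                    ModuleImageBase = (IntPtr)ImageOptionalHeader64.ImageBase;

                    // Same DllCharacteristics bits as the 32-bit header.
                    BitArray bits  = new BitArray(BitConverter.GetBytes(ImageOptionalHeader64.DllCharacteristics));
                    ModuleASLR     = bits[6];
                    ModuleNXCompat = bits[8];

                    PopulateConfigStruct();
                    ModuleSafeSEH = !(ImageConfigDir64.SEHandlerCount == 0 && ImageConfigDir64.SEHandlerTable == 0);
                }
                else
                {
                    ModuleFailed = true;
                    throw new ERCException("Unsupported machine type: " + ModuleMachineType.ToString());
                }

                // The product name of the version resource identifies Windows' own binaries.
                ModuleOsDll = ModuleProduct == "Microsoft® Windows® Operating System";

                // The loader relocated the module if it is not at its preferred image base.
                ModuleRebase = ModuleImageBase != ptr;

                // Walk the regions of the target process starting at the module base, stopping at
                // MaxAddress or when the walk stops making progress.
                // NOTE(review): ModuleProtection is overwritten on every iteration, so the value kept
                // is the AllocationProtect of the last region reached, not necessarily that of the
                // module's own region — confirm this is the intended meaning.
                // NOTE(review): MaxAddress is the 32-bit user-space ceiling; a 64-bit module loaded
                // above it gets exactly one query — confirm intended.
                const long MaxAddress = 0x7fffffff;
                long address = (long)ModuleBase;

                if (!ProcessInfo.Is64Bit(process))
                {
                    long oldAddress = 0;
                    do
                    {
                        ERC.Structures.MEMORY_BASIC_INFORMATION32 m;
                        int result = ErcCore.VirtualQueryEx32(ModuleProcess.Handle, (IntPtr)address, out m,
                            (uint)Marshal.SizeOf(typeof(ERC.Structures.MEMORY_BASIC_INFORMATION32)));

                        // A zero return means the query failed and m was not populated; stop rather
                        // than treating the empty struct as a region at address 0 and restarting
                        // the walk from the bottom of the address space.
                        if (result == 0)
                        {
                            break;
                        }

                        long next = (long)m.BaseAddress + (long)m.RegionSize;
                        if (address == next)
                        {
                            break; // no forward progress
                        }

                        ModuleProtection = m.AllocationProtect;

                        // Guard against address-space wrap-around, which would restart the walk.
                        address    = next < oldAddress ? long.MaxValue : next;
                        oldAddress = address;
                    } while (address <= MaxAddress);
                }
                else
                {
                    long oldAddress = 0;
                    do
                    {
                        ERC.Structures.MEMORY_BASIC_INFORMATION64 m;
                        int result = ErcCore.VirtualQueryEx64(ModuleProcess.Handle, (IntPtr)address, out m,
                            (uint)Marshal.SizeOf(typeof(ERC.Structures.MEMORY_BASIC_INFORMATION64)));

                        // See the 32-bit branch: a failed query must not be walked as a region.
                        if (result == 0)
                        {
                            break;
                        }

                        long next = (long)m.BaseAddress + (long)m.RegionSize;
                        if (address == next)
                        {
                            break; // no forward progress
                        }

                        ModuleProtection = m.AllocationProtect;

                        address    = next < oldAddress ? long.MaxValue : next;
                        oldAddress = address;
                    } while (address <= MaxAddress);
                }
            }
            catch (Exception e)
            {
                // Best effort: record the failure on the object and let the caller inspect ModuleFailed.
                ErcResult<Exception> exceptionLogger = new ErcResult<Exception>(ModuleCore);
                exceptionLogger.Error = e;
                exceptionLogger.LogEvent();
                ModuleFailed = true;
            }
        }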