public static bool IsGoogleTestExecutable(string executable, string customRegex, ILogger logger)
{
string googleTestIndicatorFile = $"{executable}{GoogleTestIndicator}";
if (File.Exists(googleTestIndicatorFile))
{
logger.DebugInfo(String.Format(Resources.FileFound, executable));
return(true);
}
if (string.IsNullOrWhiteSpace(customRegex))
{
if (PeParser.FindImport(executable, GoogleTestConstants.GoogleTestDllMarker, StringComparison.OrdinalIgnoreCase, logger) ||
Utils.BinaryFileContainsStrings(executable, Encoding.ASCII, GoogleTestConstants.GoogleTestExecutableMarkers))
{
logger.DebugInfo($"Google Test indicators found in executable {executable}");
return(true);
}
}
else
{
if (SafeMatches(executable, customRegex, logger))
{
logger.DebugInfo(String.Format(Resources.MatchesCustom, executable, customRegex));
return(true);
}
}
logger.DebugInfo(String.Format(Resources.FileNotFound, executable));
return(false);
}
public void TestCanGetMZHeader32()
{
const string kernel32dump = "..\\..\\..\\..\\basicwindow32_kernel32.bin";
Assert.True(File.Exists(kernel32dump));
var kernel32mem = File.ReadAllBytes(kernel32dump);
var dosHeader = Deserialize <PeParser.IMAGE_DOS_HEADER>(kernel32mem, 0);
Assert.Equal <ushort>(0x5A4D, dosHeader.e_magic);
var peHeaderOffset = dosHeader.e_lfanew;
var peHeader = Deserialize <PeParser.IMAGE_FILE_HEADER>(kernel32mem, peHeaderOffset);
Assert.Equal <uint>(0x00004550, peHeader.Signature);
var optionalHeaderOffset = peHeaderOffset + Marshal.SizeOf(typeof(PeParser.IMAGE_FILE_HEADER));
var optionalHeader = Deserialize <PeParser.IMAGE_OPTIONAL_HEADER32>(kernel32mem, optionalHeaderOffset);
// 0x020B for 64 bit, 0x010B for 32 bit
Assert.Equal <ushort>(0x010B, optionalHeader.Magic);
var exportDirectoryRefOffset = PeParser.GetExportDirectoryRefOffset32(dosHeader);
var exportDirectoryRef = Deserialize <PeParser.IMAGE_DATA_DIRECTORY>(kernel32mem, (int)exportDirectoryRefOffset);
Assert.Equal <uint>(0x170, exportDirectoryRefOffset);
Assert.Equal <uint>(0x10, optionalHeader.NumberOfRvaAndSizes);
Assert.Equal <uint>(0x972C0, exportDirectoryRef.VirtualAddress);
}
public static bool IsGoogleTestExecutable(string executable, string customRegex, ILogger logger)
{
string googleTestIndicatorFile = $"{executable}{GoogleTestIndicator}";
if (File.Exists(googleTestIndicatorFile))
{
logger.DebugInfo($"Google Test indicator file found for executable {executable} ({googleTestIndicatorFile})");
return(true);
}
if (string.IsNullOrWhiteSpace(customRegex))
{
if (PeParser.FindImport(executable, GoogleTestConstants.GoogleTestDllMarker, StringComparison.OrdinalIgnoreCase, logger) ||
Utils.BinaryFileContainsStrings(executable, Encoding.ASCII, GoogleTestConstants.GoogleTestExecutableMarkers))
{
logger.DebugInfo($"Google Test indicators found in executable {executable}");
return(true);
}
}
else
{
if (SafeMatches(executable, customRegex, logger))
{
logger.DebugInfo($"Custom regex '{customRegex}' matches executable '{executable}'");
return(true);
}
}
logger.DebugInfo($"File does not seem to be Google Test executable: '{executable}'");
return(false);
}
internal Dictionary <string, TestCaseLocation> ResolveAllTestCases(string executable, HashSet <string> testMethodSignatures, string symbolFilterString, string pathExtension)
{
var testCaseLocationsFound = FindTestCaseLocationsInBinary(executable, testMethodSignatures, symbolFilterString, pathExtension);
if (testCaseLocationsFound.Count == 0)
{
List <string> imports = PeParser.ParseImports(executable, _logger);
string moduleDirectory = Path.GetDirectoryName(executable);
foreach (string import in imports)
{
// ReSharper disable once AssignNullToNotNullAttribute
string importedBinary = Path.Combine(moduleDirectory, import);
if (File.Exists(importedBinary))
{
foreach (var testCaseLocation in FindTestCaseLocationsInBinary(importedBinary, testMethodSignatures, symbolFilterString, pathExtension))
{
testCaseLocationsFound.Add(testCaseLocation.Key, testCaseLocation.Value);
}
}
}
}
return(testCaseLocationsFound);
}
static void Main(string[] args)
{
var bytes = File.ReadAllBytes("Compiler-2.exe");
var peParser = new PeParser();
var peFile = peParser.Parse(bytes);
Console.ReadLine();
}
internal InjectionProperties(string targetProcessName, string dllPath)
{
DllPath = dllPath;
SyscallManager = new SyscallManager();
RemoteProcess = new ProcessInstance(targetProcessName, SyscallManager);
MemoryManager = new RemoteMemoryManager(RemoteProcess.Handle, SyscallManager);
PeParser = new PeParser(dllPath);
}
internal InjectionProperties(string targetProcessName, byte[] dllBytes)
{
DllBytes = dllBytes;
SyscallManager = new SyscallManager();
RemoteProcess = new ProcessInstance(targetProcessName, SyscallManager);
MemoryManager = new RemoteMemoryManager(RemoteProcess.Handle, SyscallManager);
PeParser = new PeParser(DllBytes);
}
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes)
{
ProcessManager = new ProcessManager(processName);
Assembler = new Assembler(ProcessManager.IsWow64);
DllBytes = dllBytes;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(ProcessManager.Process.SafeHandle);
PeParser = new PeParser(dllBytes);
}
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes)
{
MemoryManager = new MemoryManager(GetProcess(processName).SafeHandle);
RemoteProcess = new ProcessWrapper(GetProcess(processName), MemoryManager);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = dllBytes;
InjectionMethod = injectionMethod;
PeParser = new PeParser(dllBytes);
}
private void LoadSymbolsFromImports()
{
List <string> imports = PeParser.ParseImports(_executable, _logger);
string moduleDirectory = Path.GetDirectoryName(_executable);
foreach (string import in imports)
{
// ReSharper disable once AssignNullToNotNullAttribute
string importedBinary = Path.Combine(moduleDirectory, import);
if (File.Exists(importedBinary))
{
AddSymbolsFromBinary(importedBinary);
}
}
}
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes)
{
RemoteProcess = new ProcessWrapper(processName);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = dllBytes;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle);
PdbParser = new Lazy <PdbParser>(() => new PdbParser(RemoteProcess.Modules.Find(module => module.Name == "ntdll.dll")));
PeParser = new PeParser(dllBytes);
}
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, byte[] dllBytes)
{
RemoteProcess = new ProcessWrapper(processName, WindowsVersion);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = dllBytes;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle);
PeParser = new PeParser(dllBytes);
WindowsVersion = GetWindowsVersion();
}
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath)
{
MemoryManager = new MemoryManager(GetProcess(processId).SafeHandle);
RemoteProcess = new ProcessWrapper(GetProcess(processId), MemoryManager);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = File.ReadAllBytes(dllPath);
DllPath = dllPath;
InjectionMethod = injectionMethod;
PeParser = new PeParser(dllPath);
}
internal InjectionWrapper(InjectionMethod injectionMethod, string processName, string dllPath)
{
ProcessManager = new ProcessManager(processName);
Assembler = new Assembler(ProcessManager.IsWow64);
DllBytes = File.ReadAllBytes(dllPath);
DllPath = dllPath;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(ProcessManager.Process.SafeHandle);
PeParser = new PeParser(DllBytes);
}
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath)
{
RemoteProcess = new ProcessWrapper(processId);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = File.ReadAllBytes(dllPath);
DllPath = dllPath;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle);
PdbParser = new Lazy <PdbParser>(() => new PdbParser(RemoteProcess.Modules.Find(module => module.Name == "ntdll.dll")));
PeParser = new PeParser(dllPath);
}
internal InjectionWrapper(InjectionMethod injectionMethod, int processId, string dllPath)
{
RemoteProcess = new ProcessWrapper(processId, WindowsVersion);
Assembler = new Assembler(RemoteProcess.IsWow64);
DllBytes = File.ReadAllBytes(dllPath);
DllPath = dllPath;
InjectionMethod = injectionMethod;
MemoryManager = new MemoryManager(RemoteProcess.Process.SafeHandle);
PeParser = new PeParser(dllPath);
WindowsVersion = GetWindowsVersion();
}
internal List <TestCaseLocation> ResolveAllTestCases(string executable, List <string> testMethodSignatures, string symbolFilterString, string pathExtension)
{
List <TestCaseLocation> testCaseLocationsFound =
FindTestCaseLocationsInBinary(executable, testMethodSignatures, symbolFilterString, pathExtension).ToList();
if (testCaseLocationsFound.Count == 0)
{
List <string> imports = PeParser.ParseImports(executable, _testEnvironment);
string moduleDirectory = Path.GetDirectoryName(executable);
foreach (string import in imports)
{
// ReSharper disable once AssignNullToNotNullAttribute
string importedBinary = Path.Combine(moduleDirectory, import);
if (File.Exists(importedBinary))
{
testCaseLocationsFound.AddRange(FindTestCaseLocationsInBinary(importedBinary, testMethodSignatures, symbolFilterString, pathExtension));
}
}
}
return(testCaseLocationsFound);
}
private void BuildImportTable(InjectionProperties injectionProperties, IntPtr localDllAddress)
{
var importedFunctions = injectionProperties.PeParser.GetImportedFunctions();
if (importedFunctions.Count == 0)
{
// The DLL has no imported functions
return;
}
// Group the imported functions by the DLL they reside in
var groupedFunctions = importedFunctions.GroupBy(importedFunction => importedFunction.DllName).ToList();
// Get the API set mappings
List <ApiSetMapping> apiSetMappings;
using (var peParser = new PeParser(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "apisetschema.dll")))
{
apiSetMappings = peParser.GetApiSetMappings();
}
var systemFolderPath = injectionProperties.RemoteProcess.IsWow64
? Environment.GetFolderPath(Environment.SpecialFolder.SystemX86)
: Environment.GetFolderPath(Environment.SpecialFolder.System);
foreach (var dll in groupedFunctions)
{
var dllName = dll.Key;
if (dllName.StartsWith("api-ms"))
{
dllName = apiSetMappings.Find(apiSetMapping => apiSetMapping.VirtualDll.Equals(dllName, StringComparison.OrdinalIgnoreCase)).MappedToDll;
}
// Ensure the DLL is loaded in the target process
if (!injectionProperties.RemoteProcess.Modules.Any(module => module.Name.Equals(dllName, StringComparison.OrdinalIgnoreCase)))
{
// Load the DLL into the target process
new Injector().CreateRemoteThread(injectionProperties.RemoteProcess.TargetProcess.Id, Path.Combine(systemFolderPath, dllName));
}
}
injectionProperties.RemoteProcess.Refresh();
foreach (var importedFunction in groupedFunctions.SelectMany(dll => dll.Select(importedFunction => importedFunction)))
{
var dllName = importedFunction.DllName;
if (dllName.StartsWith("api-ms"))
{
dllName = apiSetMappings.Find(apiSetMapping => apiSetMapping.VirtualDll.Equals(dllName, StringComparison.OrdinalIgnoreCase)).MappedToDll;
}
// Get the address of the imported function
var importedFunctionAddress = injectionProperties.RemoteProcess.GetFunctionAddress(dllName, importedFunction.Name);
// Write the imported function into the local process
Marshal.WriteInt64(localDllAddress.AddOffset(importedFunction.Offset), (long)importedFunctionAddress);
}
}
internal PeInstance(string modulePath)
{
PeParser = new PeParser(modulePath);
ExportedFunctions = PeParser.GetExportedFunctions();
}
