private IEnumerable <PEImport> GetImports(int lpOffsetTable, int lpThunkTable) { var importIndex = 0; bool is32bit = Headers.PEHeader.Magic == PEMagic.PE32; do { // Read the import thunk var functionOffset = lpOffsetTable + (is32bit ? sizeof(int) : sizeof(long)) * importIndex; var importThunkOffset = lpThunkTable + (is32bit ? sizeof(int) : sizeof(long)) * importIndex; PointerEx importThunk = is32bit ? MemoryMarshal.Read <int>(ImageData.Span.Slice(importThunkOffset)) : MemoryMarshal.Read <long>(ImageData.Span.Slice(importThunkOffset)); if (!importThunk) { break; } int importOrdinal; // Check if the function is imported via ordinal if ((importThunk & int.MinValue) != 0) { importOrdinal = importThunk & (long)ushort.MaxValue; yield return(new PEImport(null, functionOffset, importOrdinal)); continue; } // Read the import ordinal and name var lpImportOrdinal = RelativeToOffset(importThunk); importOrdinal = MemoryMarshal.Read <short>(ImageData.Span.Slice(lpImportOrdinal)); var lpImportName = lpImportOrdinal + sizeof(short); var importNameLength = ImageData.Span.Slice(lpImportName).IndexOf(byte.MinValue); var importName = Encoding.UTF8.GetString(ImageData.Span.Slice(lpImportName, importNameLength).ToArray()); yield return(new PEImport(importName, functionOffset, importOrdinal)); }while ((importIndex += 1) > 0); }
public bool GetContext(PointerEx thread) { Marshal.StructureToPtr(ContextStruct, hAlignedMemory, false); bool result = GetContext(thread, hAlignedMemory); ContextStruct = Marshal.PtrToStructure(hAlignedMemory, ContextStruct.GetType()); return(result); }
internal int GetPtrFromRVA(int rva, PointerEx imageBase) { PointerEx delta; var sectionHeader = Headers.SectionHeaders[Headers.GetContainingSectionIndex(rva)]; delta = (sectionHeader.VirtualAddress - sectionHeader.PointerToRawData); return(imageBase + rva - delta); }
/// <summary> /// Manually map module into current process. /// </summary> /// <author>Ruben Boonen (@FuzzySec)</author> (modified for external) /// <param name="modulePath">Full path to the module on disk.</param> /// <param name="noCache">If true, will ignore any previous mappings cached locally</param> /// <returns>PE_MANUAL_MAP object</returns> public static PE_MANUAL_MAP MapModuleToMemory(string modulePath, bool noCache = false) { if (modulePath == null) { throw new Exception(DSTR(DSTR_DINVOKE_MOD_CANNOT_BE_NULL)); } modulePath = modulePath.ToLower(); if (!noCache && MappedModulesCache.ContainsKey(modulePath)) { return(MappedModulesCache[modulePath]); } // Alloc module into memory for parsing PointerEx pModule = File.ReadAllBytes(modulePath).Unmanaged(); var result = MapModuleToMemory(pModule); MappedModulesCache[modulePath] = result; return(result); }
/// <summary> /// Manually map module into current process. /// </summary> /// <author>Ruben Boonen (@FuzzySec)</author> (modified for external) /// <param name="pModule">Pointer to the module base.</param> /// <returns>PE_MANUAL_MAP object</returns> private static PE_MANUAL_MAP MapModuleToMemory(PointerEx pModule) { // Fetch PE meta data PE_META_DATA PEINFO = GetPeMetaData(pModule); // Check module matches the process architecture if ((PEINFO.Is32Bit && IntPtr.Size == 8) || (!PEINFO.Is32Bit && IntPtr.Size == 4)) { Marshal.FreeHGlobal(pModule); throw new Exception(DSTR(DSTR_MOD_ARCHITECTURE_WRONG)); } // Alloc PE image memory -> RW IntPtr BaseAddress = IntPtr.Zero; IntPtr RegionSize = PEINFO.Is32Bit ? (IntPtr)PEINFO.OptHeader32.SizeOfImage : (IntPtr)PEINFO.OptHeader64.SizeOfImage; IntPtr pImage = Native.NtAllocateVirtualMemoryD( (IntPtr)(-1), ref BaseAddress, IntPtr.Zero, ref RegionSize, Native.AllocationType.Commit | Native.AllocationType.Reserve, Native.PAGE_READWRITE ); return(MapModuleToMemory(pModule, pImage, PEINFO)); }
protected abstract bool GetContext(PointerEx thread, PointerEx context);
public bool SetContext(PointerEx thread) { Marshal.StructureToPtr(ContextStruct, hAlignedMemory, false); return(SetContext(thread, hAlignedMemory)); }
public ThreadContextEx() { //Get/SetThreadContext needs to be 16 byte aligned memory offset on x64 hInternalMemory = Marshal.AllocHGlobal(Marshal.SizeOf(ContextStruct) + 1024); hAlignedMemory = (long)hInternalMemory & ~0xF; }