private static IEnumerable <RpcOffset> FindRpcServerInterfaces(ImageSection sect, bool return_clients)
{
byte[] rdata = sect.ToArray();
foreach (int ofs in FindBytes(rdata, TransferSyntax.ToByteArray()).Concat(FindBytes(rdata, TransferSyntax64.ToByteArray())))
{
if (ofs < 24)
{
continue;
}
int expected_size = Environment.Is64BitProcess ? 0x60 : 0x44;
if (expected_size != BitConverter.ToInt32(rdata, ofs - 24))
{
continue;
}
long ptr;
if (Environment.Is64BitProcess)
{
ptr = BitConverter.ToInt64(rdata, ofs + 20);
}
else
{
ptr = BitConverter.ToInt32(rdata, ofs + 20);
}
// No dispatch table, likely to be a RPC_CLIENT_INTERFACE.
if (ptr == 0 && !return_clients)
{
continue;
}
yield return(new RpcOffset(ofs + sect.RelativeVirtualAddress - 24, ptr == 0));
}
}
private void SetupValues()
{
if (_loaded_values)
{
return;
}
_loaded_values = true;
_image_sections = new List <ImageSection>();
IntPtr base_ptr = GetBasePointer();
if (base_ptr == IntPtr.Zero)
{
return;
}
IntPtr header_ptr = GetHeaderPointer(base_ptr);
if (header_ptr == IntPtr.Zero)
{
return;
}
ImageNtHeaders header = (ImageNtHeaders)Marshal.PtrToStructure(header_ptr, typeof(ImageNtHeaders));
var buffer = header_ptr + Marshal.SizeOf(header) + header.FileHeader.SizeOfOptionalHeader;
int header_size = Marshal.SizeOf(typeof(ImageSectionHeader));
for (int i = 0; i < header.FileHeader.NumberOfSections; ++i)
{
ImageSectionHeader section = (ImageSectionHeader)Marshal.PtrToStructure(buffer + i * header_size, typeof(ImageSectionHeader));
ImageSection sect = new ImageSection(section, MappedAsImage, base_ptr);
_image_sections.Add(sect);
}
IImageOptionalHeader optional_header = GetOptionalHeader(header_ptr);
if (optional_header == null)
{
return;
}
_image_base_address = optional_header.GetImageBase();
_image_entry_point = optional_header.GetAddressOfEntryPoint();
_is_64bit = optional_header.GetMagic() == IMAGE_NT_OPTIONAL_HDR_MAGIC.HDR64;
_dll_characteristics = optional_header.GetDllCharacteristics();
}
