Пример #1
0
        public static ulong GetModuleByName(this Process process, string moduleName)
        {
            ulong[] moduleHandleArray = new ulong[1000];

            fixed(ulong *hMods = moduleHandleArray)
            {
                if (NT.EnumProcessModules(process.Handle, (ulong)hMods, (uint)(sizeof(ulong) * moduleHandleArray.Length), out uint cbNeeded) > 0)
                {
                    for (int moduleIndex = 0; moduleIndex < cbNeeded / sizeof(ulong); moduleIndex++)
                    {
                        string name = NTM.GetModuleBaseName(process.Handle, moduleHandleArray[moduleIndex]);

                        if (String.Equals(name, moduleName, StringComparison.InvariantCultureIgnoreCase))
                        {
                            return(moduleHandleArray[moduleIndex]);
                        }
                    }
                }
            }

            return(0);
        }
Пример #2
0
        public static Dictionary <string, ulong> GetModules(this Process process)
        {
            var result = new Dictionary <string, ulong>();

            ulong[] moduleHandleArray = new ulong[1000];

            fixed(ulong *hMods = moduleHandleArray)
            {
                if (NT.EnumProcessModules(process.Handle, (ulong)hMods, (uint)(sizeof(ulong) * moduleHandleArray.Length), out uint cbNeeded) > 0)
                {
                    for (int moduleIndex = 0; moduleIndex < cbNeeded / sizeof(ulong); moduleIndex++)
                    {
                        string name = NTM.GetModuleBaseName(process.Handle, moduleHandleArray[moduleIndex]);

                        result[name.ToLower()] = moduleHandleArray[moduleIndex];

                        //if (String.Equals(name, moduleName, StringComparison.InvariantCultureIgnoreCase))
                        //    return moduleHandleArray[moduleIndex];
                    }
                }
            }

            return(result);
        }
Пример #3
0
        public void FixImportTable(UInt32 localImage, NT.IMAGE_OPTIONAL_HEADER64 optionalHeader)
        {
            NT.IMAGE_IMPORT_DESCRIPTOR *importDescriptor = (NT.IMAGE_IMPORT_DESCRIPTOR *)(localImage + optionalHeader.ImportTable.VirtualAddress);
            for (; importDescriptor->FirstThunk > 0; ++importDescriptor)
            {
                string libraryName = Marshal.PtrToStringAnsi((IntPtr)(localImage + importDescriptor->Name));

                // RECODE THIS, THIS IS STUPID & DANGEROUS
                // I AM ONLY DOING THIS BECAUSE OF API-SET DLLS
                // I COULDNT BE ARSED TO MAKE A PINVOKE FOR ApiSetResolveToHost
                ulong localLibraryHandle = NT.LoadLibrary(libraryName);
                libraryName = NTM.GetModuleBaseName(Process.GetCurrentProcess().Handle, localLibraryHandle).ToLower();

                // IF WE MAPPED DEPENDENCY EARLIER, WE SHOULD USE RVA
                // INSTEAD OF STATIC MEMORY ADDRESS
                bool mappedDependency = MappedModules.TryGetValue(libraryName, out ulong remoteLibraryHandle);
                bool linkedInProcess  = LinkedModules.TryGetValue(libraryName, out remoteLibraryHandle);

                if (!mappedDependency && !linkedInProcess) // DEPENDENCY NOT FOUND, MAP IT!
                {
                    string dependencyPath = Tools.FindDll(libraryName);

                    // SKIP IF DEPENDENCY COULDN'T BE FOUND
                    if (dependencyPath == null)
                    {
                        continue;
                    }

                    // [8:44 PM] markhc: i had something similar
                    // [8:44 PM] markhc: it was deep inside CRT initialization(edited)
                    // [8:45 PM] Ch40zz: how did you fix it?
                    // [8:46 PM] markhc: i didnt fix it
                    // [8:46 PM] markhc: i thought it was something wrong with my manual mapper code, but i couldnt figure out what was it
                    // [8:46 PM] markhc: so i threw it all away
                    if (libraryName == "msvcp140.dll")
                    {
                        var tempOptions = Options;
                        tempOptions.EraseHeaders = false;

                        new LoadLibraryInjection(TargetProcess, TypeOfExecution, tempOptions).InjectImage(dependencyPath);
                        --importDescriptor;
                        continue;
                    }

                    remoteLibraryHandle = MapImage(libraryName, File.ReadAllBytes(dependencyPath));
                    mappedDependency    = true;
                }

                UInt32 *functionAddress = (UInt32 *)(localImage + importDescriptor->FirstThunk);
                UInt32 *importEntry     = (UInt32 *)(localImage + importDescriptor->OriginalFirstThunk);

                do
                {
                    ulong procNamePointer = *importEntry < 0x8000000000000000 /*IMAGE_ORDINAL_FLAG64*/ ? // IS ORDINAL?
                                            localImage + *importEntry + sizeof(ushort) /*SKIP HINT*/ :   // FUNCTION BY NAME
                                            *importEntry & 0xFFFF;                                       // ORDINAL

                    var localFunctionPointer = NT.GetProcAddress(localLibraryHandle, procNamePointer);
                    var rva = localFunctionPointer - localLibraryHandle;

                    // SET NEW FUNCTION POINTER
                    *functionAddress = (UInt32)(mappedDependency ? remoteLibraryHandle + rva : localFunctionPointer);

                    // GET NEXT ENTRY
                    ++functionAddress;
                    ++importEntry;
                } while (*importEntry > 0);
            }
        }