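/// <summary>
/// Looks up one export of a module that is already loaded in the target process by
/// copying that module's export directory out of the remote process and searching it
/// locally.  Used while manually mapping an image to fill in its import thunks.
/// </summary>
/// <param name="moduleBase">Base address of the exporting module in the target process.</param>
/// <param name="procName">
/// Export to resolve.  The DWORD read at <c>procName.Address</c> selects the mode: a value
/// of at most 0xFFFF is treated as an ordinal, anything larger as an ANSI export name.
/// </param>
/// <returns>
/// The export's address in the target process, or <see cref="IntPtr.Zero"/> when the headers
/// are invalid, the module has no export directory, the directory is malformed, the export
/// is not present, or a forwarded export cannot be followed.
/// </returns>
private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
        {
            IntPtr             pFunc = IntPtr.Zero;
            IMAGE_DOS_HEADER   hdrDos;
            IMAGE_NT_HEADERS32 hdrNt32;

            UIntPtr dwRead;

            // Both headers are copied from the target process and validated before anything
            // derived from them is used.
            Imports.ReadProcessMemory(_hProcess, moduleBase, out hdrDos, out dwRead);

            if (!hdrDos.isValid)
            {
                return(IntPtr.Zero);
            }

            Imports.ReadProcessMemory(_hProcess, moduleBase + hdrDos.e_lfanew, out hdrNt32, out dwRead);

            if (!hdrNt32.isValid)
            {
                return(IntPtr.Zero);
            }

            var expBase = hdrNt32.OptionalHeader.ExportTable.VirtualAddress;

            if (expBase > 0)
            {
                var  expSize = hdrNt32.OptionalHeader.ExportTable.Size;
                long expEnd  = (long)expBase + expSize;   // first RVA past the export section

                // The whole export section is copied into a local buffer; an RVA r inside it
                // becomes the local pointer (expData.Address + r - expBase).
                var expData = (PIMAGE_EXPORT_DIRECTORY)AllocateMemory(expSize);
                Imports.ReadProcessMemory(_hProcess, moduleBase + (int)expBase, expData.Address, (int)expSize, out dwRead);

                // The directory is data from another process and may be corrupt: every table
                // must lie wholly inside the copied section, otherwise the indexing below would
                // read past the local buffer.
                bool tablesInRange =
                    expData.Value.AddressOfNameOrdinals >= expBase && expData.Value.AddressOfNameOrdinals + 2L * expData.Value.NumberOfNames     <= expEnd &&
                    expData.Value.AddressOfNames        >= expBase && expData.Value.AddressOfNames        + 4L * expData.Value.NumberOfNames     <= expEnd &&
                    expData.Value.AddressOfFunctions    >= expBase && expData.Value.AddressOfFunctions    + 4L * expData.Value.NumberOfFunctions <= expEnd;

                if (!tablesInRange)
                {
                    Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release);
                    return(IntPtr.Zero);
                }

                var pAddressOfOrds  = (PWORD)(expData.Address + (int)expData.Value.AddressOfNameOrdinals - (int)expBase);
                var pAddressOfNames = (PDWORD)(expData.Address + (int)expData.Value.AddressOfNames - (int)expBase);
                var pAddressOfFuncs = (PDWORD)(expData.Address + (int)expData.Value.AddressOfFunctions - (int)expBase);

                // The lookup key is loop-invariant; read it once instead of on every iteration.
                // NOTE(review): this dereferences procName.Address instead of comparing the
                // address value itself, so a name shorter than three characters could read as a
                // value <= 0xFFFF and be taken for an ordinal — confirm PCHAR/PDWORD semantics.
                var  procKey   = new PDWORD(procName.Address).Value;
                bool byOrdinal = procKey <= 0xFFFF;
                var  wantName  = byOrdinal ? null : procName.ToString();

                for (uint i = 0; i < expData.Value.NumberOfFunctions; i++)
                {
                    ushort ordIndex;
                    PCHAR  pName = null;

                    if (byOrdinal)
                    {
                        ordIndex = unchecked ((ushort)i);
                    }
                    else if (i < expData.Value.NumberOfNames)
                    {
                        var nameRva = pAddressOfNames[i];

                        // A name RVA outside the copied section is a malformed table.
                        if (nameRva < expBase || nameRva >= expEnd)
                        {
                            break;
                        }

                        pName    = (PCHAR) new IntPtr(nameRva + expData.Address.ToInt32() - expBase);
                        ordIndex = pAddressOfOrds[i];
                    }
                    else
                    {
                        // Name table exhausted without a match.  Breaking instead of returning
                        // from inside the loop keeps the VirtualFree below on the path.
                        break;
                    }

                    bool matched = byOrdinal
                        ? procKey == ordIndex + expData.Value.Base
                        : pName.ToString() == wantName;

                    if (!matched)
                    {
                        continue;
                    }

                    // The ordinal table is untrusted too: never index the function table past
                    // its declared length.
                    if (ordIndex >= expData.Value.NumberOfFunctions)
                    {
                        break;
                    }

                    pFunc = moduleBase + (int)pAddressOfFuncs[ordIndex];

                    // An export whose "address" lands inside the export section is a forwarder:
                    // the bytes there are a "Module.Name" or "Module.#ordinal" ANSI string.
                    if (pFunc.ToInt64() >= (moduleBase + (int)expBase).ToInt64() && pFunc.ToInt64() <= (moduleBase + (int)expBase + (int)expSize).ToInt64())
                    {
                        var forwardStr = new byte[255];
                        Imports.ReadProcessMemory(_hProcess, pFunc, forwardStr, out dwRead);

                        var chainExp = Helpers.ToStringAnsi(forwardStr);
                        var dot      = chainExp.IndexOf('.');

                        // No separator means the read failed or the string is malformed; the
                        // Substring calls would otherwise throw ArgumentOutOfRangeException.
                        if (dot < 0)
                        {
                            pFunc = IntPtr.Zero;
                            break;
                        }

                        var strDll  = chainExp.Substring(0, dot) + ".dll";
                        var strName = chainExp.Substring(dot + 1);

                        var hChainMod = GetRemoteModuleHandleA(strDll);
                        if (hChainMod == IntPtr.Zero)
                        {
                            // Forwarding target is not mapped yet: map it, then re-query the
                            // handle (previously the recursion below was made with IntPtr.Zero).
                            InjectDependency(strDll);
                            hChainMod = GetRemoteModuleHandleA(strDll);
                        }

                        if (hChainMod == IntPtr.Zero)
                        {
                            pFunc = IntPtr.Zero;
                            break;
                        }

                        // NOTE(review): forwarder chains are followed recursively with no depth
                        // limit; a cyclic chain in a malformed module would exhaust the stack.
                        if (strName.StartsWith("#", StringComparison.Ordinal))
                        {
                            // NOTE(review): this hands the recursion a pointer to the digits after
                            // '#', not the numeric ordinal; whether that ever takes the ordinal
                            // path above depends on PCHAR/PDWORD semantics — confirm.
                            pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName) + 1);
                        }
                        else
                        {
                            pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName));
                        }
                    }

                    break;
                }

                Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release);
            }

            return(pFunc);
        }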
        // Token: 0x0600000F RID: 15 RVA: 0x00002478 File Offset: 0x00000678
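        /// <summary>
        /// Resolves one export of a module already loaded in the target process by copying the
        /// module's export directory out of the remote process and searching it locally.
        /// </summary>
        /// <param name="moduleBase">Base address of the exporting module in the target process.</param>
        /// <param name="procName">
        /// Export to resolve; the DWORD read at <c>procName.Address</c> selects ordinal mode
        /// (value at most 65535) or name mode (anything larger).
        /// </param>
        /// <returns>
        /// Address of the export in the target process, or <see cref="IntPtr.Zero"/> for invalid
        /// headers, a missing or malformed export directory, an unknown export, or a forwarder
        /// that cannot be followed.
        /// </returns>
        private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
        {
            IntPtr           intPtr = IntPtr.Zero;
            IMAGE_DOS_HEADER image_DOS_HEADER;
            UIntPtr          uintPtr;

            // Headers come from the target process; validate before trusting anything derived from them.
            Imports.ReadProcessMemory <IMAGE_DOS_HEADER>(this._hProcess, moduleBase, out image_DOS_HEADER, out uintPtr);
            if (!image_DOS_HEADER.isValid)
            {
                return(IntPtr.Zero);
            }
            IMAGE_NT_HEADERS32 image_NT_HEADERS;

            Imports.ReadProcessMemory <IMAGE_NT_HEADERS32>(this._hProcess, moduleBase + image_DOS_HEADER.e_lfanew, out image_NT_HEADERS, out uintPtr);
            if (!image_NT_HEADERS.isValid)
            {
                return(IntPtr.Zero);
            }
            uint virtualAddress = image_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress;

            if (virtualAddress > 0U)
            {
                uint size   = image_NT_HEADERS.OptionalHeader.ExportTable.Size;
                long expEnd = (long)virtualAddress + size;   // first RVA past the export section

                // The export section is copied locally; an RVA r inside it maps to the local
                // pointer (Address + r - virtualAddress).
                PIMAGE_EXPORT_DIRECTORY pimage_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)this.AllocateMemory(size);
                Imports.ReadProcessMemory(this._hProcess, moduleBase + (int)virtualAddress, pimage_EXPORT_DIRECTORY.Address, (int)size, out uintPtr);

                // Untrusted directory: every table must lie inside the copied section or the
                // indexing below reads past the local buffer.
                bool tablesInRange =
                    pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals >= virtualAddress && pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals + 2L * pimage_EXPORT_DIRECTORY.Value.NumberOfNames     <= expEnd &&
                    pimage_EXPORT_DIRECTORY.Value.AddressOfNames        >= virtualAddress && pimage_EXPORT_DIRECTORY.Value.AddressOfNames        + 4L * pimage_EXPORT_DIRECTORY.Value.NumberOfNames     <= expEnd &&
                    pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions    >= virtualAddress && pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions    + 4L * pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions <= expEnd;
                if (!tablesInRange)
                {
                    Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release);
                    return(IntPtr.Zero);
                }

                PWORD  pword   = (PWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals - (int)virtualAddress);
                PDWORD pdword  = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNames - (int)virtualAddress);
                PDWORD pdword2 = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions - (int)virtualAddress);

                // Read the lookup key once instead of on every iteration.
                // NOTE(review): this dereferences procName.Address rather than comparing the
                // address value; a name shorter than three characters could read as <= 65535
                // and be taken for an ordinal — confirm PCHAR/PDWORD semantics.
                var    key       = new PDWORD(procName.Address).Value;
                bool   byOrdinal = key <= 65535U;
                string wantName  = byOrdinal ? null : procName.ToString();
                uint   num       = 0U;
                while (num < pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions)
                {
                    PCHAR  pchar = null;
                    ushort num2;
                    if (byOrdinal)
                    {
                        num2 = (ushort)num;
                    }
                    else
                    {
                        if (num >= pimage_EXPORT_DIRECTORY.Value.NumberOfNames)
                        {
                            // Name table exhausted: leave the loop so the VirtualFree below still
                            // runs (the previous return here leaked the export buffer).
                            break;
                        }
                        var nameRva = pdword[num];
                        if (nameRva < virtualAddress || nameRva >= expEnd)
                        {
                            break;   // name RVA outside the copied section: malformed table
                        }
                        pchar = (PCHAR) new IntPtr((long)((ulong)nameRva + (ulong)((long)pimage_EXPORT_DIRECTORY.Address.ToInt32()) - (ulong)virtualAddress));
                        num2  = pword[num];
                    }
                    bool matched = byOrdinal
                        ? key == (uint)num2 + pimage_EXPORT_DIRECTORY.Value.Base
                        : pchar.ToString() == wantName;
                    if (!matched)
                    {
                        num += 1U;
                        continue;
                    }
                    if (num2 >= pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions)
                    {
                        break;   // ordinal beyond the function table: malformed
                    }
                    intPtr = moduleBase + (int)pdword2[(uint)num2];
                    // Outside the export section means a real function address: done.
                    if (intPtr.ToInt64() < (moduleBase + (int)virtualAddress).ToInt64() || intPtr.ToInt64() > (moduleBase + (int)virtualAddress + (int)size).ToInt64())
                    {
                        break;
                    }
                    // Forwarder: the bytes at intPtr are a "Module.Name" / "Module.#ordinal" ANSI string.
                    byte[] array = new byte[255];
                    Imports.ReadProcessMemory(this._hProcess, intPtr, array, out uintPtr);
                    string text = Helpers.ToStringAnsi(array);
                    int    dot  = text.IndexOf('.');
                    if (dot < 0)
                    {
                        intPtr = IntPtr.Zero;   // failed read or malformed forwarder; Substring would have thrown
                        break;
                    }
                    string text2 = text.Substring(0, dot) + ".dll";
                    string text3 = text.Substring(dot + 1);
                    IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(text2);
                    if (remoteModuleHandleA == IntPtr.Zero)
                    {
                        // Map the forwarding target, then re-query the handle (the recursion
                        // below used to be made with IntPtr.Zero).
                        this.InjectDependency(text2);
                        remoteModuleHandleA = this.GetRemoteModuleHandleA(text2);
                    }
                    if (remoteModuleHandleA == IntPtr.Zero)
                    {
                        intPtr = IntPtr.Zero;
                        break;
                    }
                    // NOTE(review): forwarder chains recurse with no depth limit; a cyclic chain
                    // in a malformed module would exhaust the stack.
                    if (text3.StartsWith("#", StringComparison.Ordinal))
                    {
                        // NOTE(review): passes the digits after '#' as text, not the numeric
                        // ordinal — confirm PCHAR semantics against the ordinal path above.
                        intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3) + 1);
                        break;
                    }
                    intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3));
                    break;
                }
                Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release);
            }
            return(intPtr);
        }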
        // Token: 0x06000011 RID: 17 RVA: 0x00002A08 File Offset: 0x00000C08
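        /// <summary>
        /// Walks the delay-load import table of the locally mapped image at
        /// <paramref name="baseAddress"/>, resolving every imported symbol against the
        /// target process and writing the resolved address into the image's delay-load thunk.
        /// </summary>
        /// <param name="baseAddress">Local address of the image whose delay imports are processed.</param>
        /// <param name="remoteAddress">Not read by this method.</param>
        /// <returns>
        /// <c>true</c> when the image has no delay-import table or all descriptors were
        /// processed; <c>false</c> for an invalid NT header, an unreadable descriptor table, or an
        /// ordinal import that could not be resolved.  A module that cannot be found in the
        /// target even after mapping it is skipped.
        /// </returns>
        private bool ProcessDelayedImportTable(IntPtr baseAddress, IntPtr remoteAddress)
        {
            PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);

            if (ntHeader == null)
            {
                return(false);
            }
            if (ntHeader.Value.OptionalHeader.DelayImportDescriptor.Size <= 0U)
            {
                return(true);   // nothing is delay-loaded
            }
            PIMAGE_IMPORT_DESCRIPTOR descriptor = (PIMAGE_IMPORT_DESCRIPTOR)this.RvaToPointer(ntHeader.Value.OptionalHeader.DelayImportDescriptor.VirtualAddress, baseAddress);

            if (descriptor == null)
            {
                return(false);
            }

            // One descriptor per imported module; the list ends with a zero Name RVA.
            while (descriptor.Value.Name > 0U)
            {
                PCHAR pchar = (PCHAR)this.RvaToPointer(descriptor.Value.Name, baseAddress);
                if (pchar != null)
                {
                    string dllName = pchar.ToString();
                    IntPtr hModule = this.GetRemoteModuleHandleA(dllName);
                    if (hModule == IntPtr.Zero)
                    {
                        // Not present in the target yet: map it and look it up again.
                        this.InjectDependency(dllName);
                        hModule = this.GetRemoteModuleHandleA(dllName);
                    }

                    // A module that still cannot be found is skipped rather than treated as fatal
                    // (the original code jumped past the thunk loop here).
                    if (hModule != IntPtr.Zero)
                    {
                        // With a name table (OriginalFirstThunk) present, look symbols up there and
                        // write results into FirstThunk; otherwise FirstThunk serves both roles.
                        PIMAGE_THUNK_DATA thunkLookup;
                        PIMAGE_THUNK_DATA thunkIat;
                        if (descriptor.Value.OriginalFirstThunk > 0U)
                        {
                            thunkLookup = (PIMAGE_THUNK_DATA)this.RvaToPointer(descriptor.Value.OriginalFirstThunk, baseAddress);
                            thunkIat    = (PIMAGE_THUNK_DATA)this.RvaToPointer(descriptor.Value.FirstThunk, baseAddress);
                        }
                        else
                        {
                            thunkLookup = (PIMAGE_THUNK_DATA)this.RvaToPointer(descriptor.Value.FirstThunk, baseAddress);
                            thunkIat    = (PIMAGE_THUNK_DATA)this.RvaToPointer(descriptor.Value.FirstThunk, baseAddress);
                        }
                        while (thunkLookup.Value.AddressOfData > 0U)
                        {
                            IntPtr procAddress;
                            if ((thunkLookup.Value.Ordinal & 0x80000000U) > 0U)   // IMAGE_ORDINAL_FLAG32: import by ordinal
                            {
                                short ordinal = (short)(thunkLookup.Value.Ordinal & 0xFFFFU);
                                procAddress   = this.GetDependencyProcAddressA(hModule, new PCHAR(ordinal));
                                if (procAddress == IntPtr.Zero)
                                {
                                    return(false);
                                }
                            }
                            else
                            {
                                // +2 skips the IMAGE_IMPORT_BY_NAME.Hint WORD to reach the ANSI name.
                                // NOTE(review): the name is read through the IAT thunk (thunkIat), not the
                                // lookup thunk used by the ordinal branch; that only matches while both
                                // tables still hold identical entries — confirm this is intended.
                                // NOTE(review): unlike the ordinal branch, a lookup miss here is not
                                // reported and a zero address is written into the thunk — confirm.
                                PCHAR procName = (PCHAR)((PIMAGE_IMPORT_BY_NAME)this.RvaToPointer(thunkIat.Value.Ordinal, baseAddress)).Address + 2;
                                procAddress    = this.GetDependencyProcAddressA(hModule, procName);
                            }
                            // 32-bit image: thunks are 4 bytes wide, so the address must fit an Int32.
                            Marshal.WriteInt32(thunkIat.Address, procAddress.ToInt32());
                            thunkLookup = ++thunkLookup;
                            thunkIat    = ++thunkIat;
                        }
                    }
                }
                descriptor = ++descriptor;
            }
            return(true);
        }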
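        /// <summary>
        /// Looks up one export of a module that is already loaded in the target process by
        /// copying that module's export directory out of the remote process and searching it
        /// locally.  Used while manually mapping an image to fill in its import thunks.
        /// </summary>
        /// <param name="module_base">Base address of the exporting module in the target process.</param>
        /// <param name="procName">
        /// Export to resolve.  The DWORD read at <c>procName.Address</c> selects the mode: a value
        /// of at most 0xFFFF is treated as an ordinal, anything larger as an ANSI export name.
        /// </param>
        /// <returns>
        /// The export's address in the target process, or <see cref="IntPtr.Zero"/> when the headers
        /// are invalid, the module has no export directory, the directory is malformed, the export
        /// is not present, or a forwarded export cannot be followed.
        /// </returns>
        private IntPtr get_dep_proc_address_a(IntPtr module_base, PCHAR procName)
        {
            IntPtr             func = IntPtr.Zero;
            IMAGE_DOS_HEADER   hdr_dos;
            IMAGE_NT_HEADERS32 hdr_nt32;

            UIntPtr read;

            // Both headers are copied from the target process and validated before anything
            // derived from them is used.
            Imports.ReadProcessMemory(_hProcess, module_base, out hdr_dos, out read);

            if (!hdr_dos.is_valid)
            {
                return(IntPtr.Zero);
            }

            Imports.ReadProcessMemory(_hProcess, module_base + hdr_dos.e_lfanew, out hdr_nt32, out read);

            if (!hdr_nt32.is_valid)
            {
                return(IntPtr.Zero);
            }

            var exp_base = hdr_nt32.OptionalHeader.ExportTable.VirtualAddress;

            if (exp_base > 0)
            {
                var  exp_size = hdr_nt32.OptionalHeader.ExportTable.Size;
                long exp_end  = (long)exp_base + exp_size;   // first RVA past the export section

                // The whole export section is copied into a local buffer; an RVA r inside it
                // becomes the local pointer (exp_data.Address + r - exp_base).
                var exp_data = (PIMAGE_EXPORT_DIRECTORY)allocate_memory(exp_size);
                Imports.ReadProcessMemory(_hProcess, module_base + (int)exp_base, exp_data.Address, (int)exp_size, out read);

                // The directory is data from another process and may be corrupt: every table
                // must lie wholly inside the copied section, otherwise the indexing below would
                // read past the local buffer.
                bool tables_in_range =
                    exp_data.Value.AddressOfNameOrdinals >= exp_base && exp_data.Value.AddressOfNameOrdinals + 2L * exp_data.Value.NumberOfNames     <= exp_end &&
                    exp_data.Value.AddressOfNames        >= exp_base && exp_data.Value.AddressOfNames        + 4L * exp_data.Value.NumberOfNames     <= exp_end &&
                    exp_data.Value.AddressOfFunctions    >= exp_base && exp_data.Value.AddressOfFunctions    + 4L * exp_data.Value.NumberOfFunctions <= exp_end;

                if (!tables_in_range)
                {
                    Imports.VirtualFree(exp_data.Address, 0, Imports.FreeType.Release);
                    return(IntPtr.Zero);
                }

                var address_of_ords  = (PWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNameOrdinals - (int)exp_base);
                var address_of_names = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfNames - (int)exp_base);
                var address_of_funcs = (PDWORD)(exp_data.Address + (int)exp_data.Value.AddressOfFunctions - (int)exp_base);

                // The lookup key is loop-invariant; read it once instead of on every iteration.
                // NOTE(review): this dereferences procName.Address instead of comparing the
                // address value itself, so a name shorter than three characters could read as a
                // value <= 0xFFFF and be taken for an ordinal — confirm PCHAR/PDWORD semantics.
                var  proc_key   = new PDWORD(procName.Address).Value;
                bool by_ordinal = proc_key <= 0xFFFF;
                var  want_name  = by_ordinal ? null : procName.ToString();

                for (uint i = 0; i < exp_data.Value.NumberOfFunctions; i++)
                {
                    ushort ord_index;
                    PCHAR  name = null;

                    if (by_ordinal)
                    {
                        ord_index = unchecked ((ushort)i);
                    }
                    else if (i < exp_data.Value.NumberOfNames)
                    {
                        var name_rva = address_of_names[i];

                        // A name RVA outside the copied section is a malformed table.
                        if (name_rva < exp_base || name_rva >= exp_end)
                        {
                            break;
                        }

                        name      = (PCHAR) new IntPtr(name_rva + exp_data.Address.ToInt32() - exp_base);
                        ord_index = address_of_ords[i];
                    }
                    else
                    {
                        // Name table exhausted without a match.  Breaking instead of returning
                        // from inside the loop keeps the VirtualFree below on the path.
                        break;
                    }

                    bool matched = by_ordinal
                        ? proc_key == ord_index + exp_data.Value.Base
                        : name.ToString() == want_name;

                    if (!matched)
                    {
                        continue;
                    }

                    // The ordinal table is untrusted too: never index the function table past
                    // its declared length.
                    if (ord_index >= exp_data.Value.NumberOfFunctions)
                    {
                        break;
                    }

                    func = module_base + (int)address_of_funcs[ord_index];

                    // An export whose "address" lands inside the export section is a forwarder:
                    // the bytes there are a "Module.Name" or "Module.#ordinal" ANSI string.
                    if (func.ToInt64() >= (module_base + (int)exp_base).ToInt64() && func.ToInt64() <= (module_base + (int)exp_base + (int)exp_size).ToInt64())
                    {
                        var forward_str = new byte[255];
                        Imports.ReadProcessMemory(_hProcess, func, forward_str, out read);

                        var chain_exp = Helpers.to_string_ansi(forward_str);
                        var dot       = chain_exp.IndexOf('.');

                        // No separator means the read failed or the string is malformed; the
                        // Substring calls would otherwise throw ArgumentOutOfRangeException.
                        if (dot < 0)
                        {
                            func = IntPtr.Zero;
                            break;
                        }

                        var str_dll  = chain_exp.Substring(0, dot) + ".dll";
                        var str_name = chain_exp.Substring(dot + 1);

                        var chain_mod = get_remote_module_handle_a(str_dll);
                        if (chain_mod == IntPtr.Zero)
                        {
                            // Forwarding target is not mapped yet: map it, then re-query the
                            // handle (previously the recursion below was made with IntPtr.Zero).
                            inject_dependency(str_dll);
                            chain_mod = get_remote_module_handle_a(str_dll);
                        }

                        if (chain_mod == IntPtr.Zero)
                        {
                            func = IntPtr.Zero;
                            break;
                        }

                        // NOTE(review): forwarder chains are followed recursively with no depth
                        // limit; a cyclic chain in a malformed module would exhaust the stack.
                        if (str_name.StartsWith("#", StringComparison.Ordinal))
                        {
                            // NOTE(review): this hands the recursion a pointer to the digits after
                            // '#', not the numeric ordinal; whether that ever takes the ordinal
                            // path above depends on PCHAR/PDWORD semantics — confirm.
                            func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name) + 1);
                        }
                        else
                        {
                            func = get_dep_proc_address_a(chain_mod, new PCHAR(str_name));
                        }
                    }

                    break;
                }

                Imports.VirtualFree(exp_data.Address, 0, Imports.FreeType.Release);
            }

            return(func);
        }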