bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress)
{
UIntPtr dwRead;
var imageNtHeaders = GetNtHeader(baseAddress);
if (imageNtHeaders == null)
{
return(false);
}
if (imageNtHeaders.Value.OptionalHeader.TLSTable.Size == 0)
{
return(true);
}
var tlsDirectory =
(PIMAGE_TLS_DIRECTORY32)RvaToPointer(imageNtHeaders.Value.OptionalHeader.TLSTable.VirtualAddress,
baseAddress);
if (tlsDirectory == null)
{
return(true);
}
if (tlsDirectory.Value.AddressOfCallBacks == 0)
{
return(true);
}
var buffer = new byte[0xFF * 4];
if (!Imports.ReadProcessMemory(hProcess, new IntPtr(tlsDirectory.Value.AddressOfCallBacks), buffer,
out dwRead))
{
return(false);
}
var tLSCallbacks = new PDWORD(buffer);
var result = true;
for (uint i = 0; tLSCallbacks[i] > 0; i++)
{
result = CallEntryPoint(remoteAddress, tLSCallbacks[i], false);
if (!result)
{
break;
}
}
return(result);
}
private bool process_tls_entries(IntPtr base_address, IntPtr remoteAddress)
{
UIntPtr dwRead;
var image_nt_headers = get_nt_header(base_address);
if (image_nt_headers == null)
{
return(false);
}
if (image_nt_headers.Value.OptionalHeader.TLSTable.Size == 0)
{
return(true);
}
var tls_directory = (PIMAGE_TLS_DIRECTORY32)rva_to_pointer(image_nt_headers.Value.OptionalHeader.TLSTable.VirtualAddress, base_address);
if (tls_directory == null)
{
return(true);
}
if (tls_directory.Value.AddressOfCallBacks == 0)
{
return(true);
}
var buffer = new byte[0xFF * 4];
if (!Imports.ReadProcessMemory(_hProcess, new IntPtr(tls_directory.Value.AddressOfCallBacks), buffer, out dwRead))
{
return(false);
}
var tls_callbacks = new PDWORD(buffer);
var result = true;
for (uint i = 0; tls_callbacks[i] > 0; i++)
{
result = call_entry_point(remoteAddress, tls_callbacks[i], false);
if (!result)
{
break;
}
}
return(result);
}
// Token: 0x06000019 RID: 25 RVA: 0x000032CC File Offset: 0x000014CC
private bool ProcessTlsEntries(IntPtr baseAddress, IntPtr remoteAddress)
{
PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress);
if (ntHeader == null)
{
return(false);
}
if (ntHeader.Value.OptionalHeader.TLSTable.Size == 0U)
{
return(true);
}
PIMAGE_TLS_DIRECTORY32 pimage_TLS_DIRECTORY = (PIMAGE_TLS_DIRECTORY32)this.RvaToPointer(ntHeader.Value.OptionalHeader.TLSTable.VirtualAddress, baseAddress);
if (pimage_TLS_DIRECTORY == null)
{
return(true);
}
if (pimage_TLS_DIRECTORY.Value.AddressOfCallBacks == 0U)
{
return(true);
}
byte[] array = new byte[1020];
UIntPtr uintPtr;
if (!Imports.ReadProcessMemory(this._hProcess, new IntPtr((long)((ulong)pimage_TLS_DIRECTORY.Value.AddressOfCallBacks)), array, out uintPtr))
{
return(false);
}
PDWORD pdword = new PDWORD(array);
bool flag = true;
uint num = 0U;
while (pdword[num] > 0U)
{
flag = this.CallEntryPoint(remoteAddress, pdword[num], false);
if (!flag)
{
break;
}
num += 1U;
}
return(flag);
}
// Token: 0x06000012 RID: 18 RVA: 0x00002C28 File Offset: 0x00000E28
private bool ProcessRelocation(uint imageBaseDelta, ushort data, PBYTE relocationBase)
{
bool result = true;
switch (data >> 12 & 15)
{
case 0:
case 4:
return(result);
case 1:
{
PSHORT pshort = (PSHORT)(relocationBase + (int)(data & 4095)).Address;
Marshal.WriteInt16(pshort.Address, (short)((long)pshort.Value + (long)((ulong)((ushort)(imageBaseDelta >> 16 & 65535U)))));
return(result);
}
case 2:
{
PSHORT pshort = (PSHORT)(relocationBase + (int)(data & 4095)).Address;
Marshal.WriteInt16(pshort.Address, (short)((long)pshort.Value + (long)((ulong)((ushort)(imageBaseDelta & 65535U)))));
return(result);
}
case 3:
{
PDWORD pdword = (PDWORD)(relocationBase + (int)(data & 4095)).Address;
Marshal.WriteInt32(pdword.Address, (int)(pdword.Value + imageBaseDelta));
return(result);
}
case 10:
{
PDWORD pdword = (PDWORD)(relocationBase + (int)(data & 4095)).Address;
Marshal.WriteInt32(pdword.Address, (int)(pdword.Value + imageBaseDelta));
return(result);
}
}
result = false;
return(result);
}
// Token: 0x0600000F RID: 15 RVA: 0x00002478 File Offset: 0x00000678
private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
{
IntPtr intPtr = IntPtr.Zero;
IMAGE_DOS_HEADER image_DOS_HEADER;
UIntPtr uintPtr;
Imports.ReadProcessMemory <IMAGE_DOS_HEADER>(this._hProcess, moduleBase, out image_DOS_HEADER, out uintPtr);
if (!image_DOS_HEADER.isValid)
{
return(IntPtr.Zero);
}
IMAGE_NT_HEADERS32 image_NT_HEADERS;
Imports.ReadProcessMemory <IMAGE_NT_HEADERS32>(this._hProcess, moduleBase + image_DOS_HEADER.e_lfanew, out image_NT_HEADERS, out uintPtr);
if (!image_NT_HEADERS.isValid)
{
return(IntPtr.Zero);
}
uint virtualAddress = image_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress;
if (virtualAddress > 0U)
{
uint size = image_NT_HEADERS.OptionalHeader.ExportTable.Size;
PIMAGE_EXPORT_DIRECTORY pimage_EXPORT_DIRECTORY = (PIMAGE_EXPORT_DIRECTORY)this.AllocateMemory(size);
Imports.ReadProcessMemory(this._hProcess, moduleBase + (int)virtualAddress, pimage_EXPORT_DIRECTORY.Address, (int)size, out uintPtr);
PWORD pword = (PWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNameOrdinals - (int)virtualAddress);
PDWORD pdword = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfNames - (int)virtualAddress);
PDWORD pdword2 = (PDWORD)(pimage_EXPORT_DIRECTORY.Address + (int)pimage_EXPORT_DIRECTORY.Value.AddressOfFunctions - (int)virtualAddress);
uint num = 0U;
while (num < pimage_EXPORT_DIRECTORY.Value.NumberOfFunctions)
{
PCHAR pchar = null;
ushort num2;
if (new PDWORD(procName.Address).Value <= 65535U)
{
num2 = (ushort)num;
}
else
{
if (new PDWORD(procName.Address).Value <= 65535U || num >= pimage_EXPORT_DIRECTORY.Value.NumberOfNames)
{
return(IntPtr.Zero);
}
pchar = (PCHAR) new IntPtr((long)((ulong)pdword[num] + (ulong)((long)pimage_EXPORT_DIRECTORY.Address.ToInt32()) - (ulong)virtualAddress));
num2 = pword[num];
}
if ((new PDWORD(procName.Address).Value <= 65535U && new PDWORD(procName.Address).Value == (uint)num2 + pimage_EXPORT_DIRECTORY.Value.Base) || (new PDWORD(procName.Address).Value > 65535U && pchar.ToString() == procName.ToString()))
{
intPtr = moduleBase + (int)pdword2[(uint)num2];
if (intPtr.ToInt64() < (moduleBase + (int)virtualAddress).ToInt64() || intPtr.ToInt64() > (moduleBase + (int)virtualAddress + (int)size).ToInt64())
{
break;
}
byte[] array = new byte[255];
Imports.ReadProcessMemory(this._hProcess, intPtr, array, out uintPtr);
string text = Helpers.ToStringAnsi(array);
string text2 = text.Substring(0, text.IndexOf(".")) + ".dll";
string text3 = text.Substring(text.IndexOf(".") + 1);
IntPtr remoteModuleHandleA = this.GetRemoteModuleHandleA(text2);
if (remoteModuleHandleA == IntPtr.Zero)
{
this.InjectDependency(text2);
}
if (text3.StartsWith("#"))
{
intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3) + 1);
break;
}
intPtr = this.GetDependencyProcAddressA(remoteModuleHandleA, new PCHAR(text3));
break;
}
else
{
num += 1U;
}
}
Imports.VirtualFree(pimage_EXPORT_DIRECTORY.Address, 0, Imports.FreeType.Release);
}
return(intPtr);
}
