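/// <summary>
/// Lists the modules named in the import directory of a PE image mapped in the current process.
/// </summary>
/// <param name="hModule">Base address of the mapped image; its NT headers are obtained through <c>GetNtHeaders</c>.</param>
/// <returns>
/// One <c>SModuleEntry32</c> per import descriptor. <c>szModule</c> is read from the descriptor's name and
/// <c>modBaseAddr</c> receives the descriptor's <c>FirstThunk</c> value (not a module base address).
/// The array is empty when the NT headers are unavailable or the image has no import directory.
/// </returns>
public static SModuleEntry32[] ListModule(IntPtr hModule)
{
    FObjects<SModuleEntry32> mes = new FObjects<SModuleEntry32>();
    Nullable<SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);
    // Reading .Value on an empty Nullable throws InvalidOperationException; treat missing
    // headers like an image without imports instead.
    if (!ntHeaders.HasValue)
    {
        return mes.ToArray();
    }
    SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (idd.VirtualAddress == 0)
    {
        return mes.ToArray();
    }
    // Import descriptors start at image base + directory address.
    // NOTE(review): ToInt32 and the uint arithmetic assume a 32-bit address space; IntPtr.ToInt32
    // throws OverflowException when the value does not fit.
    uint maddress = (uint)hModule.ToInt32();
    IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
    int idSize = Marshal.SizeOf(typeof(SImageImportDescriptor));
    // NOTE(review): the walk stops only at a descriptor whose Name is zero; it is not bounded by
    // the directory size, so a damaged table is read until such an entry (or a fault) is reached.
    while (true)
    {
        SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
        if (impDesc.Name == 0)
        {
            break;
        }
        IntPtr namePtr = (IntPtr)(maddress + impDesc.Name);
        SModuleEntry32 me = new SModuleEntry32();
        me.modBaseAddr = impDesc.FirstThunk;
        // NOTE(review): this overload copies exactly 260 bytes and does not stop at the NUL
        // terminator, so the string can carry trailing bytes and the read can run past the name.
        // Kept as-is because callers may depend on the fixed-length result - confirm before changing.
        me.szModule = Marshal.PtrToStringAnsi(namePtr, 260);
        mes.Push(me);
        pIdHeader = (IntPtr)(pIdHeader.ToInt32() + idSize);
    }
    return mes.ToArray();
}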
/// <summary>
/// Rebuilds the import module list from the import directory of the file being parsed.
/// </summary>
/// <param name="file">Byte-level view of the PE file; descriptors and names are read from it.</param>
/// <returns><c>false</c> when the import data directory has no address, otherwise <c>true</c>.</returns>
protected bool ReadOptionalImport(FByteFile file)
{
    // The previous module list is discarded even when the file turns out to have no imports.
    FModuleInfoCollection importModules = _import.Modules;
    importModules.Clear();

    SImageDataDirectory importDir = _ntHeader.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (importDir.VirtualAddress == 0)
    {
        return false;
    }

    int offset = ConvertRva(importDir.VirtualAddress);
    int descriptorSize = Marshal.SizeOf(typeof(SImageImportDescriptor));

    // NOTE(review): the table is walked until a descriptor with Name == 0; nothing visible here
    // bounds the walk by the directory size or the file length, so a malformed file relies on
    // file.GetStruct / ConvertRva to fail - confirm how they handle out-of-range offsets.
    for (; ; offset += descriptorSize)
    {
        SImageImportDescriptor descriptor = (SImageImportDescriptor)file.GetStruct(offset, typeof(SImageImportDescriptor));
        if (descriptor.Name == 0)
        {
            break;
        }

        FModuleInfo entry = new FModuleInfo();
        entry.NameAddress = descriptor.Name;
        entry.Name = file.GetString(ConvertRva(descriptor.Name));
        entry.FirstThunk = descriptor.FirstThunk;
        entry.OriginalFirstThunk = descriptor.OriginalFirstThunk;
        // The thunk fields must be set before ReadTrunks is handed the module.
        ReadTrunks(file, entry);
        importModules.Push(entry);
    }
    return true;
}
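/// <summary>
/// Reads the export directory of the file being parsed into <c>_export</c>: the directory record,
/// the exported image name, one function entry per address-table slot, and the names attached to
/// those entries through the name-ordinal table.
/// </summary>
/// <param name="file">Byte-level view of the PE file; all tables are read from it.</param>
protected void ReadOptionalExport(FByteFile file)
{
    _export.Clear();
    FFunctionInfos functions = _export.Functions;
    SImageDataDirectory idd = _ntHeader.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Export];
    if (idd.VirtualAddress != 0)
    {
        SImageExportDirectory imgExp = (SImageExportDirectory)file.GetStruct(ConvertRva(idd.VirtualAddress), typeof(SImageExportDirectory));
        _export.Data = imgExp;
        _export.Name = file.GetString(ConvertRva(imgExp.Name));
        // Read functions: one entry per slot of the address table, numbered from the ordinal base.
        int funcCount = imgExp.NumberOfFunctions;
        int funcAddr = ConvertRva(imgExp.AddressOfFunctions);
        for (int n = 0; n < funcCount; n++, funcAddr += RInt.BYTE_SIZE)
        {
            FFunctionInfo function = new FFunctionInfo();
            function.FunctionIndex = (int)(n + imgExp.Base);
            function.FunctionAddress = file.GetUint32(funcAddr);
            function.FunctionAddressRva = ConvertRva(function.FunctionAddress);
            functions.Push(function);
        }
        // Read function names: the name table and the ordinal table are walked in parallel.
        int nameCount = imgExp.NumberOfNames;
        int nameAddr = ConvertRva(imgExp.AddressOfNames);
        int nameOrdAddr = ConvertRva(imgExp.AddressOfNameOrdinals);
        for (int n = 0; n < nameCount; n++, nameAddr += RInt.BYTE_SIZE, nameOrdAddr += RShort.BYTE_SIZE)
        {
            int funcIndex = file.GetUint16(nameOrdAddr);
            // The index comes straight from the file. Skip entries that point outside the
            // functions read above instead of indexing the list with an unchecked value.
            // (Assumes _export.Clear() left Functions empty, so funcCount is its length - confirm.)
            if (funcIndex < 0 || funcIndex >= funcCount)
            {
                continue;
            }
            FFunctionInfo function = functions[funcIndex];
            function.NameAddress = file.GetUint32(nameAddr);
            function.NameAddressRva = ConvertRva(function.NameAddress);
            function.Name = file.GetString(function.NameAddressRva);
        }
    }
}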
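/// <summary>
/// Walks the thunks of the first import descriptor of a PE image mapped in the current process and
/// records, for each named import, the address currently stored in its address-table slot together
/// with the memory-region attributes of that address.
/// </summary>
/// <param name="hModule">Base address of the mapped image; its NT headers are obtained through <c>GetNtHeaders</c>.</param>
/// <returns>
/// The collected entries, or <c>null</c> when the NT headers are unavailable, the image has no
/// import directory, or the first descriptor has no name.
/// </returns>
public static FTrunkInfo[] FetchTrunks(IntPtr hModule)
{
    Nullable<SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);
    // Reading .Value on an empty Nullable throws InvalidOperationException; report missing
    // headers the same way as the other "nothing to list" cases.
    if (!ntHeaders.HasValue)
    {
        return null;
    }
    SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (idd.VirtualAddress == 0)
    {
        return null;
    }
    // Import: only the first descriptor of the table is examined.
    // NOTE(review): ToInt32 and the uint arithmetic assume a 32-bit address space.
    uint maddress = (uint)hModule.ToInt32();
    IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
    SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
    if (impDesc.Name == 0)
    {
        return null;
    }
    // Thunk arrays: pOrgFt walks OriginalFirstThunk, pFt walks FirstThunk in step with it.
    IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
    IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
    int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    FObjects<FTrunkInfo> infos = new FObjects<FTrunkInfo>();
    while (true)
    {
        SImageThunkData32 origThunk = (SImageThunkData32)Marshal.PtrToStructure(pOrgFt, typeof(SImageThunkData32));
        SImageThunkData32 realThunk = (SImageThunkData32)Marshal.PtrToStructure(pFt, typeof(SImageThunkData32));
        if (origThunk.Function == 0)
        {
            break;
        }
        // NOTE(review): an entry with the high bit set ends the walk rather than being skipped,
        // so imports listed after it are not reported - confirm this is intended.
        if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
        {
            break;
        }
        // Read name
        IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
        SImageImportByName byName = (SImageImportByName)Marshal.PtrToStructure(pName, typeof(SImageImportByName));
        if (byName.Name[0] == 0)
        {
            break;
        }
        // Read memory state of the address the slot currently holds.
        // NOTE(review): the VirtualQuery result is not checked; if the call fails, the fields
        // copied below keep the values of the freshly constructed structure.
        SMemoryBasicInformation mbi = new SMemoryBasicInformation();
        RKernel32.VirtualQuery(realThunk.Function, ref mbi, miSize);
        // TrunkInfo: Address is the value from the original thunk, Entry the value from the live slot.
        FTrunkInfo info = new FTrunkInfo();
        info.Name = RAscii.GetString(byName.Name);
        info.Address = origThunk.Function;
        info.Entry = (IntPtr)realThunk.Function;
        info.Hint = byName.Hint;
        info.MemAllocationBase = mbi.AllocationBase;
        info.MemAllocationProtect = mbi.AllocationProtect;
        info.MemBaseAddress = mbi.BaseAddress;
        info.MemProtect = mbi.Protect;
        info.MemRegionSize = mbi.RegionSize;
        info.MemState = mbi.State;
        info.MemType = mbi.Type;
        infos.Push(info);
        // Advance both arrays by one thunk.
        pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
        pFt = (IntPtr)(pFt.ToInt32() + ftSize);
    }
    return infos.ToArray();
}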
/// <summary>
/// Reads the PE headers of the image at <c>_handle</c> through <c>_process</c> and fills
/// <c>_trunks</c> with the named imports of the first import descriptor, each with the value
/// currently stored in its address-table slot and the memory-region attributes of that value.
/// </summary>
/// <returns>
/// <c>false</c> when the DOS magic or NT signature does not match, the image has no import
/// directory, or the first descriptor has no name; otherwise <c>true</c>.
/// </returns>
public bool Open()
{
    // DOS header: rejected unless the magic matches.
    SImageDosHeader dos = _process.ReadStructure<SImageDosHeader>(_handle);
    if (dos.e_magic != (uint)EImageSignature.Dos)
    {
        return false;
    }
    // Stored before the later checks run, so it stays set even if Open returns false below.
    _dosHeader = dos;

    // NT headers sit e_lfanew bytes after the image base.
    // NOTE(review): e_lfanew is used as read, without a range check, and ToInt32 assumes a
    // 32-bit address space.
    IntPtr ntHeaderPtr = (IntPtr)(_handle.ToInt32() + dos.e_lfanew);
    SImageNtHeaders nt = _process.ReadStructure<SImageNtHeaders>(ntHeaderPtr);
    if (nt.Signature != (uint)EImageSignature.Nt)
    {
        return false;
    }
    _ntHeaders = nt;

    // Import directory: only its first descriptor is examined.
    SImageDataDirectory importDir = nt.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (importDir.VirtualAddress == 0)
    {
        return false;
    }
    uint imageBase = (uint)_handle.ToInt32();
    IntPtr descriptorPtr = (IntPtr)(imageBase + importDir.VirtualAddress);
    SImageImportDescriptor descriptor = _process.ReadStructure<SImageImportDescriptor>(descriptorPtr);
    if (descriptor.Name == 0)
    {
        return false;
    }

    // lookupPtr walks OriginalFirstThunk; slotPtr walks FirstThunk in step with it.
    IntPtr lookupPtr = (IntPtr)(imageBase + descriptor.OriginalFirstThunk);
    IntPtr slotPtr = (IntPtr)(imageBase + descriptor.FirstThunk);
    int thunkSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int regionInfoSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    _trunks = new FTrunkInfoCollection();

    for (; ; lookupPtr = (IntPtr)(lookupPtr.ToInt32() + thunkSize), slotPtr = (IntPtr)(slotPtr.ToInt32() + thunkSize))
    {
        SImageThunkData32 lookupEntry = _process.ReadStructure<SImageThunkData32>(lookupPtr);
        SImageThunkData32 slotEntry = _process.ReadStructure<SImageThunkData32>(slotPtr);

        // A zero entry terminates the array.
        if (lookupEntry.Function == 0)
        {
            break;
        }
        // NOTE(review): an entry with the high bit set ends the walk rather than being skipped,
        // so imports listed after it are not collected - confirm this is intended.
        if ((lookupEntry.Ordinal & 0x80000000) != 0)
        {
            break;
        }

        // Hint/name record of the import.
        IntPtr hintNamePtr = (IntPtr)(imageBase + lookupEntry.AddressOfData);
        SImageImportByName hintName = _process.ReadStructure<SImageImportByName>(hintNamePtr);
        if (hintName.Name[0] == 0)
        {
            break;
        }

        // Region attributes of the address the slot currently holds, queried in the target process.
        // NOTE(review): the VirtualQueryEx result is not checked.
        SMemoryBasicInformation region = new SMemoryBasicInformation();
        RKernel32.VirtualQueryEx(_process.Handle, slotEntry.Function, ref region, regionInfoSize);

        // Address is the value from the original thunk, Entry the value from the live slot,
        // EntryPtr the location of that slot.
        FTrunkInfo item = new FTrunkInfo();
        item.Name = RAscii.GetString(hintName.Name);
        item.Address = lookupEntry.Function;
        item.Entry = (IntPtr)slotEntry.Function;
        item.EntryPtr = slotPtr;
        item.Hint = hintName.Hint;
        item.MemAllocationBase = region.AllocationBase;
        item.MemAllocationProtect = region.AllocationProtect;
        item.MemBaseAddress = region.BaseAddress;
        item.MemProtect = region.Protect;
        item.MemRegionSize = region.RegionSize;
        item.MemState = region.State;
        item.MemType = region.Type;
        _trunks.Push(item);
    }
    return true;
}