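        /// <summary>
        /// Looks up an export of a module already mapped in the target process (<c>_hProcess</c>)
        /// by reading that module's PE headers and export directory out of the remote image.
        /// Forwarded exports ("OTHERDLL.Name" / "OTHERDLL.#123") are followed recursively, injecting
        /// the forwarded-to module when it is not mapped yet.
        /// </summary>
        /// <param name="moduleBase">Base address of the module inside the target process.</param>
        /// <param name="procName">
        /// Export to resolve. The name/ordinal decision is made, as before, by reading a DWORD via
        /// <c>new PDWORD(procName.Address).Value</c> and treating values &lt;= 0xFFFF as an ordinal;
        /// see the review note at that line.
        /// </param>
        /// <param name="forwardDepth">
        /// Forwarder hops already taken; callers leave it at 0. Bounds the recursion so a malformed
        /// image with a forwarder cycle (A -> B -> A) cannot overflow the stack.
        /// </param>
        /// <returns>
        /// The export's address in the target process, or <see cref="IntPtr.Zero"/> when the headers
        /// are invalid, the export directory is malformed or truncated, the export does not exist, or
        /// a forwarder cannot be resolved.
        /// </returns>
        /// <remarks>
        /// The remote image is untrusted input: every RVA and count taken from it is checked against
        /// the bytes actually copied (<c>expSize</c>) before it is used as an index into the local
        /// buffer. Only <c>IMAGE_NT_HEADERS32</c> is parsed; a 64-bit image has a different optional
        /// header layout, so the data-directory read would be wrong for such a module — presumably
        /// callers only pass 32-bit modules, verify against the injector.
        /// </remarks>
        private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName, int forwardDepth = 0)
        {
            // IMAGE_EXPORT_DIRECTORY is 40 bytes; a smaller directory cannot hold the header we parse.
            const uint ExportDirectoryHeaderSize = 40;
            // Generous for any real forwarder chain; cycles stop here instead of recursing forever.
            const int MaxForwardDepth = 16;

            if (moduleBase == IntPtr.Zero || forwardDepth > MaxForwardDepth)
            {
                return IntPtr.Zero;
            }

            IMAGE_DOS_HEADER hdrDos;
            IMAGE_NT_HEADERS32 hdrNt32;
            UIntPtr dwRead;

            // Read results are not checked (unchanged from before): a failed read leaves the
            // out-struct zeroed, which the isValid checks reject.
            Imports.ReadProcessMemory(_hProcess, moduleBase, out hdrDos, out dwRead);
            if (!hdrDos.isValid)
            {
                return IntPtr.Zero;
            }

            Imports.ReadProcessMemory(_hProcess, moduleBase + hdrDos.e_lfanew, out hdrNt32, out dwRead);
            if (!hdrNt32.isValid)
            {
                return IntPtr.Zero;
            }

            var expBase = hdrNt32.OptionalHeader.ExportTable.VirtualAddress;
            var expSize = hdrNt32.OptionalHeader.ExportTable.Size;
            if (expBase == 0 || expSize < ExportDirectoryHeaderSize)
            {
                return IntPtr.Zero;
            }

            // Name-vs-ordinal discrimination, kept exactly as the original did it, evaluated once.
            // NOTE(review): MAKEINTRESOURCE-style callers encode an ordinal in the pointer *value*,
            // but this reads a DWORD *through* procName.Address. If PDWORD.Value dereferences, an
            // export name shorter than two characters is misclassified as an ordinal, and the
            // "#ord" forwarder branch in ResolveForwarder hands over digit text rather than an
            // ordinal — confirm against the PCHAR/PDWORD wrappers and their callers.
            var procKey = new PDWORD(procName.Address).Value;
            var byOrdinal = procKey <= 0xFFFF;
            var wantedName = byOrdinal ? null : procName.ToString();

            var expData = (PIMAGE_EXPORT_DIRECTORY)AllocateMemory(expSize);
            try
            {
                Imports.ReadProcessMemory(_hProcess, moduleBase + (int)expBase, expData.Address, (int)expSize, out dwRead);
                var dir = expData.Value;

                // Every table must lie inside the bytes we copied; the image is untrusted, so reject
                // out-of-range RVAs/counts instead of indexing past the end of the local buffer.
                if (!ExportTableFits(expBase, expSize, dir.AddressOfFunctions, dir.NumberOfFunctions, 4)
                    || !ExportTableFits(expBase, expSize, dir.AddressOfNames, dir.NumberOfNames, 4)
                    || !ExportTableFits(expBase, expSize, dir.AddressOfNameOrdinals, dir.NumberOfNames, 2))
                {
                    return IntPtr.Zero;
                }

                var pAddressOfOrds = (PWORD)(expData.Address + (int)dir.AddressOfNameOrdinals - (int)expBase);
                var pAddressOfNames = (PDWORD)(expData.Address + (int)dir.AddressOfNames - (int)expBase);
                var pAddressOfFuncs = (PDWORD)(expData.Address + (int)dir.AddressOfFunctions - (int)expBase);

                // Index into AddressOfFunctions of the matching export, or -1 when absent.
                long funcIndex = -1;
                if (byOrdinal)
                {
                    // Ordinals are biased by dir.Base; one below Base or past the table is simply absent.
                    long idx = (long)procKey - dir.Base;
                    if (idx >= 0 && idx < dir.NumberOfFunctions)
                    {
                        funcIndex = idx;
                    }
                }
                else
                {
                    for (uint i = 0; i < dir.NumberOfNames; i++)
                    {
                        var nameRva = pAddressOfNames[i];
                        // The name pointer itself must fall inside the copied directory. (Its NUL
                        // terminator is not verified here — PCHAR.ToString reads until it finds one.)
                        if ((long)nameRva < (long)expBase || (long)nameRva >= (long)expBase + expSize)
                        {
                            continue;
                        }

                        // Offset arithmetic on the IntPtr, not on ToInt32() of the address, which
                        // throws for buffers above 2 GB on 64-bit.
                        var pName = (PCHAR)(expData.Address + (int)(nameRva - expBase));
                        if (pName.ToString() != wantedName)
                        {
                            continue;
                        }

                        // The ordinal table is untrusted too; a bogus entry must not index past AddressOfFunctions.
                        var ordIndex = pAddressOfOrds[i];
                        if (ordIndex < dir.NumberOfFunctions)
                        {
                            funcIndex = ordIndex;
                        }
                        break;
                    }
                }

                if (funcIndex < 0)
                {
                    return IntPtr.Zero;
                }

                var funcRva = pAddressOfFuncs[(uint)funcIndex];
                if (funcRva == 0)
                {
                    // A zero RVA slot means "no export at this ordinal".
                    return IntPtr.Zero;
                }

                var pFunc = moduleBase + (int)funcRva;

                // An RVA inside the export directory is a forwarder string, not code. The range is
                // half-open: the byte just past the directory is not part of it (the old check
                // used <= and would have treated a function starting there as a forwarder).
                var dirStart = (moduleBase + (int)expBase).ToInt64();
                var dirEnd = dirStart + (long)expSize;
                if (pFunc.ToInt64() < dirStart || pFunc.ToInt64() >= dirEnd)
                {
                    return pFunc;
                }

                return ResolveForwarder(pFunc, forwardDepth);
            }
            finally
            {
                // Freed on every exit path; the old early return inside the loop leaked the buffer.
                Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release);
            }
        }

        /// <summary>
        /// True when <paramref name="count"/> entries of <paramref name="entrySize"/> bytes each,
        /// starting at RVA <paramref name="tableRva"/>, lie entirely inside the export directory
        /// [expBase, expBase + expSize). Done in 64-bit arithmetic so a hostile count cannot wrap.
        /// </summary>
        private static bool ExportTableFits(long expBase, long expSize, long tableRva, long count, long entrySize)
        {
            if (count < 0 || tableRva < expBase)
            {
                return false;
            }

            // count and RVAs are at most 32-bit and entrySize <= 4, so the products cannot overflow a long.
            return tableRva + count * entrySize <= expBase + expSize;
        }

        /// <summary>
        /// Resolves a forwarder entry: reads the "DLL.Name" / "DLL.#ordinal" string at
        /// <paramref name="pForwarder"/> in the target process, makes sure the named module is mapped
        /// (injecting it if not) and looks the export up there.
        /// </summary>
        /// <param name="pForwarder">Address of the NUL-terminated forwarder string in the target process.</param>
        /// <param name="forwardDepth">Forwarder hops taken so far; the recursive lookup gets it incremented.</param>
        /// <returns>
        /// The resolved address, or <see cref="IntPtr.Zero"/> when the string is malformed or the
        /// forwarded-to module cannot be found after injection.
        /// </returns>
        private IntPtr ResolveForwarder(IntPtr pForwarder, int forwardDepth)
        {
            UIntPtr dwRead;
            var forwardStr = new byte[255];
            Imports.ReadProcessMemory(_hProcess, pForwarder, forwardStr, out dwRead);
            var chainExp = Helpers.ToStringAnsi(forwardStr);

            // "A.B" needs a non-empty module part and a non-empty export part; the old code passed
            // an unguarded IndexOf result (-1 for a string without '.') straight into Substring.
            var dot = chainExp.IndexOf('.');
            if (dot <= 0 || dot == chainExp.Length - 1)
            {
                return IntPtr.Zero;
            }

            var strDll = chainExp.Substring(0, dot) + ".dll";
            var strName = chainExp.Substring(dot + 1);

            var hChainMod = GetRemoteModuleHandleA(strDll);
            if (hChainMod == IntPtr.Zero)
            {
                // Not mapped yet: inject it, then re-query the handle. (hChainMod was previously
                // never refreshed after InjectDependency, so the recursive lookup ran at address 0.)
                InjectDependency(strDll);
                hChainMod = GetRemoteModuleHandleA(strDll);
                if (hChainMod == IntPtr.Zero)
                {
                    return IntPtr.Zero;
                }
            }

            // "#123" forwards by ordinal: the wrapper is advanced past the '#' exactly as before.
            // NOTE(review): this hands the recursive call a pointer to the digit text, which its
            // name/ordinal test reads as a DWORD — see the note in GetDependencyProcAddressA.
            PCHAR target;
            if (strName[0] == '#')
            {
                target = new PCHAR(strName) + 1;
            }
            else
            {
                target = new PCHAR(strName);
            }

            return GetDependencyProcAddressA(hChainMod, target, forwardDepth + 1);
        }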