private static void LoadExports(uint hLib, bool mappedAsImage)
{
unsafe
{
void *hMod = (void *)hLib;
uint BaseAddress = (uint)hMod;
// var hMod = (void*)loadedImage.MappedAddress;
if (hMod != null)
{
uint size;
IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size);
if (pExportDir != null)
{
Console.WriteLine("Got Image Export Descriptor");
uint *pFuncNames = (uint *)(BaseAddress + pExportDir->AddressOfNames);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
{
uint funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
{
char *funcName = (char *)(BaseAddress + funcNameRva);
var name = Marshal.PtrToStringAnsi((IntPtr)funcName);
Console.WriteLine("Exported functionName: {0}", name);
// exports.Add(name);
}
}
}
}
}
}
private ExportDictionaries GetExportDictionaries(Image image)
{
Dictionary <string, HarmonyExport> exportsByName = new Dictionary <string, HarmonyExport>();
Dictionary <ushort, HarmonyExport> exportsByOrdinal = new Dictionary <ushort, HarmonyExport>();
IMAGE_DATA_DIRECTORY directory = Environment.Is64BitProcess
? image.OptionalHeader64->ExportTable : image.OptionalHeader32->ExportTable;
if (directory.VirtualAddress == 0)
{
return(new ExportDictionaries(exportsByName, exportsByOrdinal));
}
IMAGE_EXPORT_DIRECTORY *exportDirectory = (IMAGE_EXPORT_DIRECTORY *)(image.BasePtr + directory.VirtualAddress);
UIntPtr nameRef = (UIntPtr)(image.BasePtr + exportDirectory->AddressOfNames);
UIntPtr ordinalRef = (UIntPtr)(image.BasePtr + exportDirectory->AddressOfNameOrdinals);
ushort ordinalBase = (ushort)exportDirectory->Base;
for (int i = 0; i < exportDirectory->NumberOfNames; i++, nameRef += sizeof(UInt32), ordinalRef += sizeof(UInt16))
{
byte * namePtr = image.BasePtr + (int)*(UInt32 *)nameRef;
string name = StringOperations.NulTerminatedBytesToString(namePtr, image.BasePtr, image.Size);
ushort ordinal = *(UInt16 *)ordinalRef;
IntPtr exportAddress = (IntPtr)(image.BasePtr + (int)*(UInt32 *)(image.BasePtr + exportDirectory->AddressOfFunctions + ordinal * sizeof(UInt32)));
ushort displayOrdinal = (ushort)(ordinal + ordinalBase);
HarmonyExport export = new HarmonyExport(name, displayOrdinal, exportAddress);
exportsByName[name] = export;
exportsByOrdinal[displayOrdinal] = export;
}
return(new ExportDictionaries(exportsByName, exportsByOrdinal));
}
public static void Main()
{
if (!Native.GetModuleHandleEx(ModuleHandleFlags.UnchangedRefCount, "Inkjet.dll", out ThisModule))
{
ThisModule = IntPtr.Zero;
}
IntPtr ExeHandle;
List <string> ExportNames = new List <string>();
if (Native.GetModuleHandleEx(ModuleHandleFlags.UnchangedRefCount, null, out ExeHandle))
{
IMAGE_DOS_HEADER * DosHeader = (IMAGE_DOS_HEADER *)ExeHandle;
IMAGE_NT_HEADERS * Header = (IMAGE_NT_HEADERS *)(ExeHandle + (int)DosHeader->LFaNew);
IMAGE_EXPORT_DIRECTORY *Exports = (IMAGE_EXPORT_DIRECTORY *)(ExeHandle +
Header->OptionalHeader.ExportTable.VirtualAddress);
IntPtr Names = ExeHandle + Exports->AddressOfNames;
for (int i = 0; i < Exports->NumberOfNames; i++)
{
string Name = Marshal.PtrToStringAnsi(ExeHandle + ((int *)Names)[i]);
if (Name.Trim().Length == 0)
{
continue;
}
ExportNames.Add(Name);
}
}
File.WriteAllText("E:\\Projects\\Hackery\\bin\\HAAX.txt", string.Join("\n", ExportNames));
Process Cur = Process.GetCurrentProcess();
MessageBox.Show("Magic!", string.Format("{0} ({1})", Cur.ProcessName, Cur.Id));
}
/// <summary>
/// return the exported function from the selected file
/// </summary>
/// <param name="filePath"></param>
/// <param name="mappedAsImage"></param>
/// <returns></returns>
private void LoadExports(string filePath, bool mappedAsImage, List <FunctionObject> ExportedFunctions)
{
var hLib = LoadLibraryEx(filePath, 0,
DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL);
unsafe
{
void *hMod = (void *)hLib;
uint BaseAddress = (uint)hMod;
if (hMod != null)
{
uint size;
IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size);
if (pExportDir != null)
{
uint *pFuncNames = (uint *)(BaseAddress + pExportDir->AddressOfNames);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
{
uint funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
{
char *funcName = (char *)(BaseAddress + funcNameRva);
var name = Marshal.PtrToStringAnsi((IntPtr)funcName);
ExportedFunctions.Add(new FunctionObject(name));
}
}
}
}
//else
//{
// smartSuggestionEngine.readErrorCode("basic error 3", 8);
//}
}
return;
}
public static unsafe Dictionary <string, UInt32> dumpSymbolsFromFile(byte *pBin)
{
Dictionary <string, UInt32> ExportTable = new Dictionary <string, UInt32>();
NTHeaders *ntHeaders = GetNtHeaders(pBin);
IMAGE_EXPORT_DIRECTORY *exportDir = (IMAGE_EXPORT_DIRECTORY *)(pBin +
RVAtoOffset(ntHeaders->optnHeader.exportTable.VirtualAddress, ntHeaders, pBin));
if (ntHeaders->optnHeader.numberOfRvaAndSizes <= 0)
{
throw new ArgumentException("Error, This file has no exports.");
}
for (UInt32 i = 0; i < exportDir->NumberOfNames; i++)
{
UInt32 offset = (UInt32)RVAtoOffset((*(UInt32 *)(pBin + RVAtoOffset(exportDir->AddressOfFunctions, ntHeaders, pBin) + (i * sizeof(UInt32)))), ntHeaders, pBin);
UInt32 nameOffset = (UInt32)RVAtoOffset((UInt32)exportDir->AddressOfNames, ntHeaders, pBin) + (i * sizeof(UInt32));
string methodName = Marshal.PtrToStringAnsi((IntPtr)
(pBin + RVAtoOffset((*(UInt32 *)(pBin + nameOffset)), ntHeaders, pBin)));
ExportTable.Add(methodName, offset);
}
return(ExportTable);
}
private void LoadExports(LOADED_IMAGE loadedImage)
{
var hMod = (void *)loadedImage.MappedAddress;
if (hMod != null)
{
uint size;
IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)ImageDirectoryEntryToData((void *)loadedImage.MappedAddress, false, IMAGE_DIRECTORY_ENTRY_EXPORT, out size);
if (pExportDir != null)
{
uint *pFuncNames = (uint *)RvaToVa(loadedImage, pExportDir->AddressOfNames);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
{
uint funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
{
char * funcName = (char *)RvaToVa(loadedImage, funcNameRva);
string name = Marshal.PtrToStringAnsi((IntPtr)funcName);
Exports.Add(name);
}
}
}
}
}
static unsafe USysCall64()
{
UNICODE_STRING szNtdll = new UNICODE_STRING("ntdll");
UIntPtr ptrNtdll = UIntPtr.Zero;
long ntstatus = LdrGetDllHandle(IntPtr.Zero, IntPtr.Zero, ref szNtdll, ref ptrNtdll);
if (ntstatus != 0)
{
Debugger.Break();
}
byte * lpNtdll = (byte *)ptrNtdll;
IMAGE_DOS_HEADER * piDH = (IMAGE_DOS_HEADER *)lpNtdll;
IMAGE_OPTIONAL_HEADER64 *piOH = (IMAGE_OPTIONAL_HEADER64 *)(lpNtdll + piDH->e_lfanew + 0x18);
IMAGE_EXPORT_DIRECTORY * exportDir = (IMAGE_EXPORT_DIRECTORY *)(lpNtdll + piOH->ExportTable.VirtualAddress);
uint * names = (uint *)(lpNtdll + exportDir->AddressOfNames);
uint * functions = (uint *)(lpNtdll + exportDir->AddressOfFunctions);
ushort *ordinals = (ushort *)(lpNtdll + exportDir->AddressOfNameOrdinals);
var listOfNames = new List <string>();
var dictOfZwFunctions = new Dictionary <string, ulong>();
for (int i = 0; i < exportDir->NumberOfNames; i++)
{
var name = Marshal.PtrToStringAnsi(new IntPtr(lpNtdll + names[i]));
if (!name.StartsWith("Zw"))
{
continue;
}
var fnAddr = new UIntPtr(lpNtdll + functions[ordinals[i]]);
dictOfZwFunctions.Add(name, fnAddr.ToUInt64());
}
var sortedByAddr = dictOfZwFunctions
.OrderBy(x => x.Value)
.ToDictionary(x => "Nt" + x.Key.Substring(2, x.Key.Length - 2), x => x.Value);
var sysCallLookup = new Dictionary <string, uint>();
uint sysNo = 0;
foreach (var entry in sortedByAddr)
{
sysCallLookup.Add(entry.Key, sysNo);
sysNo++;
}
SysCallTable = sysCallLookup;
}
public ExportResolver(ProcessModule module)
{
lib = (IMAGE_DOS_HEADER *)module.BaseAddress;
if (lib->e_magic != IMAGE_DOS_SIGNATURE)
{
throw new Exception("Invalid IMAGE_DOS_HEADER signature");
}
header = (IMAGE_NT_HEADERS *)((byte *)lib + lib->e_lfanew);
if (header->Signature != IMAGE_NT_SIGNATURE)
{
throw new Exception("Invalid IMAGE_NT_HEADERS signature");
}
if (header->OptionalHeader.NumberOfRvaAndSizes == 0)
{
throw new Exception("Invalid NumberOfRvaAndSizes");
}
exports = (IMAGE_EXPORT_DIRECTORY *)((byte *)lib + header->OptionalHeader.ExportTable.VirtualAddress);
}
public static Symbol[] GetExports(IntPtr Handle)
{
List <Symbol> Exports = new List <Symbol>();
IMAGE_DOS_HEADER * DOS = (IMAGE_DOS_HEADER *)Handle;
IMAGE_NT_HEADERS * NT = (IMAGE_NT_HEADERS *)((byte *)DOS + DOS->LFaNew);
IMAGE_OPTIONAL_HEADER * Optional = &NT->OptionalHeader;
IMAGE_EXPORT_DIRECTORY *ExportsDir = (IMAGE_EXPORT_DIRECTORY *)((byte *)Handle + Optional->ExportTable.VirtualAddress);
uint *AddrOfNames = (uint *)((byte *)Handle + ExportsDir->AddressOfNames);
uint *AddrOfFuncs = (uint *)((byte *)Handle + ExportsDir->AddressOfNames);
for (int j = 0; j < ExportsDir->NumberOfNames; j++)
{
string Name = Marshal.PtrToStringAnsi((IntPtr)((uint)Handle + AddrOfNames[j]));
long Func = AddrOfFuncs[j];
Exports.Add(new Symbol(Name, (ulong)Func, 0));
}
return(Exports.ToArray());
}
public ExportObject Load64Exports(ExportObject myObject, string filePath, bool mappedAsImage)
{
List <FunctionObject> exportList = myObject.ExportFunctionObjectList;
//var hLib = LoadLibraryEx(filePath, 0,
// DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL);
var hLib = LoadLibrary(filePath);
unsafe
{
void *hMod = (void *)hLib;
ulong BaseAddress = (ulong)hMod;
if (hMod != null)
{
ulong size;
IMAGE_EXPORT_DIRECTORY *pExportDir = (IMAGE_EXPORT_DIRECTORY *)Interop.ImageDirectoryEntryToData((void *)hLib, true, Interop.IMAGE_DIRECTORY_ENTRY_EXPORT, out size);
if (pExportDir != null)
{
ulong *pFuncNames = (ulong *)(BaseAddress + pExportDir->AddressOfNames);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
{
ulong funcNameRva = pFuncNames[i];
// ulong funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
{
char *funcName = (char *)(BaseAddress + funcNameRva);
var name = Marshal.PtrToStringAnsi((IntPtr)funcName);
exportList.Add(new FunctionObject(name));
}
}
}
}
}
return(myObject);
}
/// <summary>
/// 获取API函数地址
/// </summary>
/// <param name="sProcName"></param>
/// <returns></returns>
private unsafe IntPtr GetProcAddress(String sProcName)
{
if (this.mModuleHandle == IntPtr.Zero)
{
return(IntPtr.Zero);
}
if (String.IsNullOrEmpty(sProcName))
{
return(IntPtr.Zero);
}
IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)this.mModuleHandle;
IMAGE_NT_HEADERS *pPEHeader = (IMAGE_NT_HEADERS *)(this.mModuleHandle + pDosHeader->e_lfanew);
var exportDirectoryEntry = pPEHeader->OptionalHeader.GetDirectory(IMAGE_DIRECTORY_ENTRY.IMAGE_DIRECTORY_ENTRY_EXPORT);
var iOffsetStart = exportDirectoryEntry.VirtualAddress;
var iSize = exportDirectoryEntry.Size;
if (iOffsetStart == 0 || iSize == 0)
{
return(IntPtr.Zero);
}
#if _WIN64
IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)((IntPtr)((Int64)this.mModuleHandle + (Int64)iOffsetStart));
UInt32 *pAddressOfFunctions = (UInt32 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfFunctions));
UInt16 *pAddressOfNameOrdinals = (UInt16 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfNameOrdinals));
UInt32 *pAddressOfNames = (UInt32 *)((IntPtr)((Int64)this.mModuleHandle + (Int64)pExportDirectory->AddressOfNames));
#else
IMAGE_EXPORT_DIRECTORY *pExportDirectory = (IMAGE_EXPORT_DIRECTORY *)(this.mModuleHandle + (Int32)iOffsetStart);
UInt32 *pAddressOfFunctions = (UInt32 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfFunctions);
UInt16 *pAddressOfNameOrdinals = (UInt16 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfNameOrdinals);
UInt32 *pAddressOfNames = (UInt32 *)(this.mModuleHandle + (Int32)pExportDirectory->AddressOfNames);
#endif
UInt16 iOrdinal = 0;
if (UInt16.TryParse(sProcName, out iOrdinal))
{
if (iOrdinal >= pExportDirectory->Base)
{
iOrdinal = (UInt16)(iOrdinal - pExportDirectory->Base);
if (iOrdinal >= 0 && iOrdinal < pExportDirectory->NumberOfFunctions)
{
var iFunctionOffset = pAddressOfFunctions[iOrdinal];
if (iFunctionOffset > iOffsetStart && iFunctionOffset < (iOffsetStart + iSize)) // maybe Export Forwarding
{
return(IntPtr.Zero);
}
else
{
#if _WIN64
return((IntPtr)((Int64)this.mModuleHandle + iFunctionOffset));
#else
return((IntPtr)((Int32)this.mModuleHandle + iFunctionOffset));
#endif
}
}
}
}
else
{
for (Int32 i = 0; i < pExportDirectory->NumberOfNames; i++)
{
#if _WIN64
var sFuncName = Marshal.PtrToStringAnsi((IntPtr)((Int64)this.mModuleHandle + (Int64)pAddressOfNames[i]));
#else
var sFuncName = Marshal.PtrToStringAnsi(this.mModuleHandle + (Int32)pAddressOfNames[i]);
#endif
if (sProcName.Equals(sFuncName))
{
iOrdinal = pAddressOfNameOrdinals[i];
if (iOrdinal >= 0 && iOrdinal < pExportDirectory->NumberOfFunctions)
{
var iFunctionOffset = pAddressOfFunctions[iOrdinal];
if (iFunctionOffset > iOffsetStart && iFunctionOffset < (iOffsetStart + iSize)) // maybe Export Forwarding
{
return(IntPtr.Zero);
}
else
{
#if _WIN64
return((IntPtr)((Int64)this.mModuleHandle + iFunctionOffset));
#else
return((IntPtr)((Int32)this.mModuleHandle + iFunctionOffset));
#endif
}
}
}
}
}
return(IntPtr.Zero);
}
