internal PortableExecutableParser(string dllPath) { _dllBuffer = MemoryTools.StoreBytesInBuffer(File.ReadAllBytes(dllPath)); _peHeaders = new PeHeaders(); ReadHeaders(); }
internal PortableExecutableParser(byte[] dllBytes) { _dllBuffer = MemoryTools.StoreBytesInBuffer(dllBytes); _peHeaders = new PeHeaders(); ReadHeaders(); }
internal TStructure ReadVirtualMemory <TStructure>(IntPtr baseAddress) where TStructure : struct { // Read the bytes of the structure from the memory region var structureBytes = ReadVirtualMemory(baseAddress, Marshal.SizeOf <TStructure>()); // Marshal the bytes into a structure var structureBytesBuffer = MemoryTools.StoreBytesInBuffer(structureBytes); var structure = Marshal.PtrToStructure <TStructure>(structureBytesBuffer); MemoryTools.FreeMemoryForBuffer(structureBytesBuffer); return(structure); }
internal bool Call() { var localDllBaseAddress = MemoryTools.StoreBytesInBuffer(_propertyWrapper.DllBytes); var peHeaders = _propertyWrapper.PeParser.GetHeaders(); // Build the import table of the DLL in the local process BuildImportTable(localDllBaseAddress); // Allocate memory for the DLL in the target process var dllSize = _propertyWrapper.TargetProcess.IsWow64 ? peHeaders.NtHeaders32.OptionalHeader.SizeOfImage : peHeaders.NtHeaders64.OptionalHeader.SizeOfImage; var remoteDllAddress = _propertyWrapper.MemoryManager.AllocateVirtualMemory((int)dllSize, Enumerations.MemoryProtectionType.ExecuteReadWrite); // Perform the needed relocations in the local process PerformRelocations(localDllBaseAddress, remoteDllAddress); // Map the sections of the DLL into the target process MapSections(localDllBaseAddress, remoteDllAddress); // Call any TLS callbacks CallTlsCallbacks(remoteDllAddress); // Call the entry point of the DLL var dllEntryPointAddress = _propertyWrapper.TargetProcess.IsWow64 ? (uint)remoteDllAddress + peHeaders.NtHeaders32.OptionalHeader.AddressOfEntryPoint : (ulong)remoteDllAddress + peHeaders.NtHeaders64.OptionalHeader.AddressOfEntryPoint; if (dllEntryPointAddress != 0) { CallEntryPoint(remoteDllAddress, (IntPtr)dllEntryPointAddress); } MemoryTools.FreeMemoryForBuffer(localDllBaseAddress); return(true); }
internal void WriteVirtualMemory(IntPtr baseAddress, byte[] bytesToWrite) { // Store the bytes to write in a buffer var bytesBuffer = MemoryTools.StoreBytesInBuffer(bytesToWrite); // Adjust the protection of the memory region to ensure it has write privileges var oldProtectionType = ProtectVirtualMemory(baseAddress, bytesToWrite.Length, Enumerations.MemoryProtectionType.ReadWrite); // Write the bytes into the memory region _syscallManager.InvokeSyscall <NtWriteVirtualMemory>(_processHandle, baseAddress, bytesBuffer, bytesToWrite.Length); // Restore the protection of the memory region ProtectVirtualMemory(baseAddress, bytesToWrite.Length, oldProtectionType); MemoryTools.FreeMemoryForBuffer(bytesBuffer); }