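/// <summary>
/// Looks up an export of a module that is mapped in the process referenced by
/// <c>_hProcess</c>, by copying that module's PE export directory into local memory
/// and walking its function, name and ordinal tables.
/// </summary>
/// <param name="moduleBase">Base address of the module inside the other process.</param>
/// <param name="procName">
/// Export identifier. The DWORD stored at <c>procName.Address</c> selects the lookup mode:
/// a value of 0xFFFF or less is matched as an ordinal, anything larger is compared as a name.
/// </param>
/// <returns>
/// The address of the export in the other process, or <see cref="IntPtr.Zero"/> when the
/// headers are invalid, the module has no usable export directory, the tables or the
/// forwarder string are malformed, or nothing matches.
/// </returns>
/// <remarks>
/// Every header field, RVA, count and string consumed here is read from another process
/// and is therefore untrusted input. Table offsets are checked against the size of the
/// local copy before they are dereferenced, and the local copy is released on every exit path.
/// </remarks>
private IntPtr GetDependencyProcAddressA(IntPtr moduleBase, PCHAR procName)
{
    // Size in bytes of the fixed IMAGE_EXPORT_DIRECTORY header defined by the PE format.
    const long ExportDirectoryHeaderSize = 40;

    IntPtr pFunc = IntPtr.Zero;
    IMAGE_DOS_HEADER hdrDos;
    IMAGE_NT_HEADERS32 hdrNt32;
    UIntPtr dwRead;

    // NOTE(review): the outcome of the ReadProcessMemory calls is not inspected in this
    // method; failure is only detected indirectly through the isValid checks below.
    Imports.ReadProcessMemory(_hProcess, moduleBase, out hdrDos, out dwRead);
    if (!hdrDos.isValid)
    {
        return IntPtr.Zero;
    }

    Imports.ReadProcessMemory(_hProcess, moduleBase + hdrDos.e_lfanew, out hdrNt32, out dwRead);
    if (!hdrNt32.isValid)
    {
        return IntPtr.Zero;
    }

    var expBase = hdrNt32.OptionalHeader.ExportTable.VirtualAddress;
    if (!(expBase > 0))
    {
        return IntPtr.Zero;
    }

    // A directory smaller than its own header cannot be parsed; reject it before allocating.
    var expSize = hdrNt32.OptionalHeader.ExportTable.Size;
    if ((long)expSize < ExportDirectoryHeaderSize)
    {
        return IntPtr.Zero;
    }

    var expData = (PIMAGE_EXPORT_DIRECTORY)AllocateMemory(expSize);
    if (expData.Address == IntPtr.Zero)
    {
        return IntPtr.Zero;
    }

    try
    {
        Imports.ReadProcessMemory(_hProcess, moduleBase + (int)expBase, expData.Address, (int)expSize, out dwRead);

        long dirSize = expSize;
        long funcCount = expData.Value.NumberOfFunctions;
        long nameCount = expData.Value.NumberOfNames;

        // The tables are addressed relative to the local copy, so each RVA is rebased by
        // expBase and must land inside the expSize bytes that were actually copied.
        long funcsOff = (long)expData.Value.AddressOfFunctions - expBase;
        long namesOff = (long)expData.Value.AddressOfNames - expBase;
        long ordsOff = (long)expData.Value.AddressOfNameOrdinals - expBase;

        if (!IsRangeInsideExportDirectory(funcsOff, funcCount * sizeof(uint), dirSize))
        {
            return IntPtr.Zero;
        }

        // NOTE(review): the mode is chosen from the DWORD stored at procName.Address, not
        // from the pointer value itself — confirm callers pass ordinals in that form.
        var procId = new PDWORD(procName.Address).Value;
        bool byOrdinal = procId <= 0xFFFF;
        string wantedName = byOrdinal ? null : procName.ToString();

        // The name and ordinal tables are only touched for lookups by name.
        if (!byOrdinal
            && (!IsRangeInsideExportDirectory(namesOff, nameCount * sizeof(uint), dirSize)
                || !IsRangeInsideExportDirectory(ordsOff, nameCount * sizeof(ushort), dirSize)))
        {
            return IntPtr.Zero;
        }

        var pAddressOfOrds = (PWORD)(expData.Address + (int)ordsOff);
        var pAddressOfNames = (PDWORD)(expData.Address + (int)namesOff);
        var pAddressOfFuncs = (PDWORD)(expData.Address + (int)funcsOff);

        for (uint i = 0; i < expData.Value.NumberOfFunctions; i++)
        {
            ushort ordIndex;
            string exportName = null;

            if (byOrdinal)
            {
                ordIndex = unchecked((ushort)i);
            }
            else if (i < expData.Value.NumberOfNames)
            {
                // Skip entries whose name RVA points outside the copied directory.
                // NOTE(review): the string is still assumed to be NUL-terminated inside the copy.
                long nameOff = (long)pAddressOfNames[i] - expBase;
                if (nameOff < 0 || nameOff >= dirSize)
                {
                    continue;
                }

                exportName = ((PCHAR)(expData.Address + (int)nameOff)).ToString();
                ordIndex = pAddressOfOrds[i];
            }
            else
            {
                // Name table exhausted without a match.
                return IntPtr.Zero;
            }

            bool matches = byOrdinal
                ? procId == ordIndex + expData.Value.Base
                : exportName == wantedName;
            if (!matches)
            {
                continue;
            }

            // The ordinal read from the copied table indexes the function table; reject
            // values that would read past it.
            if (ordIndex >= funcCount)
            {
                break;
            }

            pFunc = moduleBase + (int)pAddressOfFuncs[ordIndex];

            // An address that falls inside the export directory is a forwarder string
            // ("Module.Function" or "Module.#Ordinal"), not code.
            long exportStart = (moduleBase + (int)expBase).ToInt64();
            long exportEnd = (moduleBase + (int)expBase + (int)expSize).ToInt64();
            if (pFunc.ToInt64() >= exportStart && pFunc.ToInt64() <= exportEnd)
            {
                var forwardStr = new byte[255];
                Imports.ReadProcessMemory(_hProcess, pFunc, forwardStr, out dwRead);
                var chainExp = Helpers.ToStringAnsi(forwardStr);

                // A forwarder needs a non-empty module part and a non-empty export part.
                int dot = chainExp == null ? -1 : chainExp.IndexOf('.');
                if (dot <= 0 || dot == chainExp.Length - 1)
                {
                    pFunc = IntPtr.Zero;
                    break;
                }

                var strDll = chainExp.Substring(0, dot) + ".dll";
                var strName = chainExp.Substring(dot + 1);

                // The module name comes from the other process and is handed to
                // InjectDependency below; refuse anything that is path-qualified.
                // NOTE(review): how InjectDependency resolves the name is not visible here.
                if (strDll.IndexOfAny(new[] { '\\', '/', ':' }) >= 0)
                {
                    pFunc = IntPtr.Zero;
                    break;
                }

                var hChainMod = GetRemoteModuleHandleA(strDll);
                if (hChainMod == IntPtr.Zero)
                {
                    // todo
                    //hChainMod = LoadDependencyA(strDll.c_str());
                    // hChainMod is not reassigned here, so the recursive call below
                    // receives IntPtr.Zero in this case.
                    InjectDependency(strDll);
                }

                // NOTE(review): recursion depth is not bounded; a cyclic forwarder chain in
                // the inspected modules would recurse until the stack is exhausted.
                if (strName[0] == '#')
                {
                    pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName) + 1);
                }
                else
                {
                    pFunc = GetDependencyProcAddressA(hChainMod, new PCHAR(strName));
                }
            }

            break;
        }
    }
    finally
    {
        // Release the local copy on every path, including the early returns above.
        Imports.VirtualFree(expData.Address, 0, Imports.FreeType.Release);
    }

    return pFunc;
}

/// <summary>
/// Checks that the byte range [offset, offset + length) lies inside a buffer of
/// <paramref name="size"/> bytes, without overflowing.
/// </summary>
private static bool IsRangeInsideExportDirectory(long offset, long length, long size)
{
    return offset >= 0 && length >= 0 && offset <= size - length;
}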