示例#1
文件: Map.cs 项目: ndur0/LightsOut
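        /// <summary>
        /// Copies a raw PE file held in an unmanaged staging buffer into an already
        /// allocated image region of the current process, then calls RelocateModule,
        /// RewriteModuleIAT and SetModuleSectionPermissions (defined elsewhere in this class).
        /// </summary>
        /// <param name="pModule">
        /// Staging buffer holding the raw file bytes. This method takes ownership of it and
        /// releases it with Marshal.FreeHGlobal on every exit path.
        /// </param>
        /// <param name="pImage">
        /// Destination region for the mapped image. It is not freed here, including on
        /// failure, so the caller remains responsible for it.
        /// </param>
        /// <param name="PEINFO">Parsed header metadata for the module in <paramref name="pModule"/>.</param>
        /// <returns>A PE_MANUAL_MAP carrying the image base and the metadata it was mapped from.</returns>
        /// <exception cref="InvalidOperationException">
        /// The module bitness does not match the process, or a header or section copy was short.
        /// </exception>
        public static PE.PE_MANUAL_MAP MapModuleToMemory(IntPtr pModule, IntPtr pImage, PE.PE_META_DATA PEINFO)
        {
            // The original freed pModule only on the architecture-mismatch and success paths;
            // a failed write or a throwing helper leaked it. try/finally releases it exactly once.
            try
            {
                if ((PEINFO.Is32Bit && IntPtr.Size == 8) || (!PEINFO.Is32Bit && IntPtr.Size == 4))
                {
                    throw new InvalidOperationException("The module architecture does not match the process architecture.");
                }

                // NOTE(review): every offset and size used below is read from the file's own headers.
                // Neither buffer's length is passed to this method, so nothing here can verify that
                // SizeOfHeaders, PointerToRawData + SizeOfRawData or VirtualAddress + SizeOfRawData
                // stay inside pModule / pImage. A malformed image can drive these copies out of
                // bounds; callers should validate the headers against the real buffer sizes first.
                UInt32 SizeOfHeaders = PEINFO.Is32Bit ? PEINFO.OptHeader32.SizeOfHeaders : PEINFO.OptHeader64.SizeOfHeaders;

                // (IntPtr)(-1) is the pseudo-handle for the current process.
                UInt32 BytesWritten = SpDi2.Native.NtWriteVirtualMemory((IntPtr)(-1), pImage, pModule, SizeOfHeaders);
                if (BytesWritten != SizeOfHeaders)
                {
                    // The header copy was previously unchecked, unlike the section copies below.
                    throw new InvalidOperationException("Failed to write to memory.");
                }

                foreach (PE.IMAGE_SECTION_HEADER ish in PEINFO.Sections)
                {
                    IntPtr pVirtualSectionBase = (IntPtr)((UInt64)pImage + ish.VirtualAddress);
                    IntPtr pRawSectionBase     = (IntPtr)((UInt64)pModule + ish.PointerToRawData);

                    BytesWritten = SpDi2.Native.NtWriteVirtualMemory((IntPtr)(-1), pVirtualSectionBase, pRawSectionBase, ish.SizeOfRawData);
                    if (BytesWritten != ish.SizeOfRawData)
                    {
                        throw new InvalidOperationException("Failed to write to memory.");
                    }
                }

                RelocateModule(PEINFO, pImage);

                RewriteModuleIAT(PEINFO, pImage);

                SetModuleSectionPermissions(PEINFO, pImage);

                return new PE.PE_MANUAL_MAP
                {
                    ModuleBase = pImage,
                    PEINFO     = PEINFO
                };
            }
            finally
            {
                Marshal.FreeHGlobal(pModule);
            }
        }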
示例#2
文件: Map.cs 项目: ndur0/LightsOut
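        /// <summary>
        /// Opens a file by NT path, creates an image section (SEC_IMAGE) backed by it and maps a
        /// view of that section into the current process, then parses the mapped headers.
        /// </summary>
        /// <param name="DLLPath">Path of the file to map; resolved to an absolute path before use.</param>
        /// <returns>A PE_MANUAL_MAP carrying the mapped base address and the parsed PE metadata.</returns>
        /// <exception cref="InvalidOperationException">
        /// The path does not exist, or the open, section-create or map step left its output
        /// handle or base address at zero.
        /// </exception>
        /// <remarks>
        /// The File.Exists check is advisory only: the file can change between the check and the
        /// open, and nothing in this method verifies what the file contains before it is mapped
        /// as an image.
        /// </remarks>
        public static PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
        {
            if (!File.Exists(DLLPath))
            {
                throw new InvalidOperationException("Filepath not found.");
            }

            // File.Exists accepts relative paths, but the "\??\" prefix needs an absolute one;
            // previously a relative DLLPath passed the check and then failed at the open.
            string FullPath = Path.GetFullPath(DLLPath);

            SpDi.Native.UNICODE_STRING ObjectName = new SpDi.Native.UNICODE_STRING();
            SpDi2.Native.RtlInitUnicodeString(ref ObjectName, (@"\??\" + FullPath));

            IntPtr hFile = IntPtr.Zero;
            IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
            try
            {
                // fDeleteOld must be false: the block was just allocated and holds no earlier
                // structure, so asking the marshaller to destroy "old" contents reads garbage.
                Marshal.StructureToPtr(ObjectName, pObjectName, false);

                SpDi.Native.OBJECT_ATTRIBUTES objectAttributes = new SpDi.Native.OBJECT_ATTRIBUTES();
                objectAttributes.Length     = Marshal.SizeOf(objectAttributes);
                objectAttributes.ObjectName = pObjectName;
                objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE

                SpDi.Native.IO_STATUS_BLOCK ioStatusBlock = new SpDi.Native.IO_STATUS_BLOCK();

                SpDi2.Native.NtOpenFile(
                    ref hFile,
                    SpDi.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
                    SpDi.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
                    SpDi.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
                    SpDi.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
                    ref objectAttributes, ref ioStatusBlock,
                    SpDi.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
                    SpDi.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
                    SpDi.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
                    SpDi.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
                    );
            }
            finally
            {
                // Only the open call reads the marshalled name; the original never released it.
                Marshal.FreeHGlobal(pObjectName);
            }

            if (hFile == IntPtr.Zero)
            {
                throw new InvalidOperationException("Failed to open file.");
            }

            IntPtr hSection = IntPtr.Zero;
            ulong  MaxSize  = 0;

            // NOTE(review): ret is still not inspected; the members of NTSTATUS are not visible
            // in this excerpt, so failure is detected through the zero handle below instead.
            SpDi.Native.NTSTATUS ret = SpDi2.Native.NtCreateSection(
                ref hSection,
                (UInt32)SpDi.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
                IntPtr.Zero,
                ref MaxSize,
                SpDi.Win32.WinNT.PAGE_READONLY,
                SpDi.Win32.WinNT.SEC_IMAGE,
                hFile
                );

            if (hSection == IntPtr.Zero)
            {
                throw new InvalidOperationException("Failed to create section.");
            }

            IntPtr pBaseAddress = IntPtr.Zero;

            // (IntPtr)(-1) is the current-process pseudo-handle. 0x2 / 0x0 are presumably the
            // inherit disposition and allocation type - confirm against the wrapper's signature.
            SpDi2.Native.NtMapViewOfSection(
                hSection, (IntPtr)(-1), ref pBaseAddress,
                IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                ref MaxSize, 0x2, 0x0,
                SpDi.Win32.WinNT.PAGE_READWRITE
                );

            if (pBaseAddress == IntPtr.Zero)
            {
                // Without this guard the header parser below would be handed a null base address.
                throw new InvalidOperationException("Failed to map view of section.");
            }

            // NOTE(review): hFile and hSection are never closed. Neither is stored in the returned
            // object, so both handles leak for the life of the process. No handle-closing helper
            // is visible in this excerpt; close them once the view is mapped.
            PE.PE_MANUAL_MAP SecMapObject = new PE.PE_MANUAL_MAP
            {
                PEINFO     = SpDi2.Generic.GetPeMetaData(pBaseAddress),
                ModuleBase = pBaseAddress
            };

            return SecMapObject;
        }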