private void LoadSectionTable() { int index; int numOfDirectories; int numOfSections; byte[] arr = new byte[40]; if (_b32 == true) { numOfDirectories = Convert.ToInt32(_NT_HEADERS32.OptionalHeader.NumberOfRvaAndSizes); index = Convert.ToInt32(_DOS_HEADER.e_lfanew) + 120 + numOfDirectories * 8; numOfSections = _NT_HEADERS32.FileHeader.NumberOfSections; } else { numOfDirectories = Convert.ToInt32(_NT_HEADERS64.OptionalHeader.NumberOfRvaAndSizes); index = Convert.ToInt32(_DOS_HEADER.e_lfanew) + 136 + numOfDirectories * 8; numOfSections = _NT_HEADERS64.FileHeader.NumberOfSections; } _HeaderLength = index; File.Seek(index, 0); IMAGE_SECTION_HEADER tmp = new IMAGE_SECTION_HEADER(); for (int i = 0; i < numOfSections; i++) { File.Read(arr, 0, 40); ByteToType <IMAGE_SECTION_HEADER>(ref tmp, arr); _SECTION_TABLE.Add(tmp); } }
public void StaticDLLInjectionByAddingSection(string DllName, string FuncName) { AddNewSection(".Patch", 1024); IMAGE_SECTION_HEADER LastSecHeader = _SECTION_TABLE.Last(); File = new FileStream(this.Name, System.IO.FileMode.Open); UInt32 RAW = LastSecHeader.PointerToRawData; int index; UInt32 offsetOfOriginalFirstThunk = RAW; UInt32 offsetOfFirstThunk = RAW + 8; UInt32 offsetOfDLLName = offsetOfFirstThunk + 8; UInt32 offsetOfIMAGE_IMPORT_BY_NAME = offsetOfDLLName + Convert.ToUInt32(DllName.Length) + 2; UInt32 offsetOfNew_IID = offsetOfIMAGE_IMPORT_BY_NAME + Convert.ToUInt32(FuncName.Length) + 6; UInt32 OriginalFirstThunk = offsetOfIMAGE_IMPORT_BY_NAME; UInt32 FirstThunk = OriginalFirstThunk; UInt32 RVAOfOffsetOriginalFirstThunk = RAWToRVA(offsetOfOriginalFirstThunk); UInt32 RVOffsetOfFirstThunk = RAWToRVA(offsetOfFirstThunk); UInt32 RVAOffsetOfDllName = RAWToRVA(offsetOfDLLName); UInt32 RVAOfOrignalFirstThunk = RAWToRVA(OriginalFirstThunk); UInt32 RVAOfFirstThunk = RAWToRVA(OriginalFirstThunk); UInt32 RVAOfOffsetOfNew_IID = RAWToRVA(offsetOfNew_IID); _IMPORT_DIRECTORY.Size += 0x14; _IMPORT_DIRECTORY.VirtualAddress = RVAOfOffsetOfNew_IID; if (_b32 == true) { index = Convert.ToInt32(_DOS_HEADER.e_lfanew) + 128; } else { index = Convert.ToInt32(_DOS_HEADER.e_lfanew) + 144; } File.Seek(index, 0); WriteType <IMAGE_DATA_DIRECTORY>(ref _IMPORT_DIRECTORY); File.Seek(offsetOfOriginalFirstThunk, 0); WriteType <UInt32>(ref RVAOfOrignalFirstThunk); File.Seek(offsetOfFirstThunk, 0); WriteType <UInt32>(ref RVAOfFirstThunk); File.Seek(offsetOfDLLName, 0); byte[] bytes = Encoding.ASCII.GetBytes(DllName); File.Write(bytes); File.Seek(offsetOfIMAGE_IMPORT_BY_NAME + 2, 0); bytes = Encoding.ASCII.GetBytes(FuncName); File.Write(bytes); IMAGE_IMPORT_DESCRIPTOR IID; File.Seek(offsetOfNew_IID, 0); IID.OriginalFirstThunk = RVAOfOffsetOriginalFirstThunk; IID.FirstThunk = RVOffsetOfFirstThunk; IID.Name = RVAOffsetOfDllName; IID.ForwarderChain = 0; IID.TimeDateStamp = 0; _IMPORT_TABLE.Add(IID); IMAGE_IMPORT_DESCRIPTOR tmp; for (int i = 0; i < _IMPORT_TABLE.Count; i++) { tmp = _IMPORT_TABLE[i]; if (tmp.FirstThunk == 0 && tmp.OriginalFirstThunk == 0) { continue; } WriteType <IMAGE_IMPORT_DESCRIPTOR>(ref tmp); } File.Close(); }
public void AddNewSection(string SectionName, UInt32 SectionSize) { File = new FileStream(this.Name, System.IO.FileMode.Open); UInt32 SecHeadindex; UInt32 NumberOfRvaAndSizes; UInt32 NumberOfSections; UInt32 FileAlignment, SectionAlignment, AlignedSecSize; if (_b32) { FileAlignment = _NT_HEADERS32.OptionalHeader.FileAlignment; SectionAlignment = _NT_HEADERS32.OptionalHeader.SectionAlignment; NumberOfRvaAndSizes = _NT_HEADERS32.OptionalHeader.NumberOfRvaAndSizes; NumberOfSections = _NT_HEADERS32.FileHeader.NumberOfSections; } else { FileAlignment = _NT_HEADERS64.OptionalHeader.FileAlignment; SectionAlignment = _NT_HEADERS64.OptionalHeader.SectionAlignment; NumberOfRvaAndSizes = _NT_HEADERS64.OptionalHeader.NumberOfRvaAndSizes; NumberOfSections = _NT_HEADERS64.FileHeader.NumberOfSections; } UInt32 SectionVA = _SECTION_TABLE.Last().VirtualAddress + GetAlignedSize(_SECTION_TABLE.Last().VirtualSize, SectionAlignment); UInt32 SectionRawOffset = _SECTION_TABLE.Last().PointerToRawData + GetAlignedSize(_SECTION_TABLE.Last().SizeOfRawData, FileAlignment); AlignedSecSize = GetAlignedSize(SectionSize, FileAlignment); SecHeadindex = _DOS_HEADER.e_lfanew + Convert.ToUInt32(Marshal.SizeOf <IMAGE_NT_HEADERS32>() + NumberOfRvaAndSizes * Marshal.SizeOf <IMAGE_DATA_DIRECTORY>() + NumberOfSections * Marshal.SizeOf <IMAGE_SECTION_HEADER>()); File.Seek(_DOS_HEADER.e_lfanew, 0); if (_b32) { _NT_HEADERS32.FileHeader.NumberOfSections += 1; _NT_HEADERS32.OptionalHeader.SizeOfImage += AlignedSecSize; WriteType <IMAGE_NT_HEADERS32>(ref _NT_HEADERS32); } else { _NT_HEADERS64.FileHeader.NumberOfSections += 1; _NT_HEADERS64.OptionalHeader.SizeOfImage += AlignedSecSize; WriteType <IMAGE_NT_HEADERS64>(ref _NT_HEADERS64); } IMAGE_SECTION_HEADER newSecHeader = new IMAGE_SECTION_HEADER(); byte[] tmp = Encoding.ASCII.GetBytes(SectionName); UInt64 _Name = 0; ByteToType <UInt64>(ref _Name, tmp); newSecHeader.Name = _Name; newSecHeader.VirtualSize = AlignedSecSize; newSecHeader.VirtualAddress = SectionVA; newSecHeader.PointerToRawData = SectionRawOffset; newSecHeader.SizeOfRawData = AlignedSecSize; newSecHeader.Characteristics = 0x00000040 | 0x40000000 | 0x80000000 | 0x20000000; _SECTION_TABLE.Add(newSecHeader); File.Seek(SecHeadindex, 0); WriteType <IMAGE_SECTION_HEADER>(ref newSecHeader); byte[] filling = new byte[AlignedSecSize]; File.Seek(SectionRawOffset, 0); File.Write(filling); File.Close(); }