public void CopySections(byte[] data, IMAGE_NT_HEADERS oldHeaders, IntPtr headers, IMAGE_DOS_HEADER dosHeader) { int i; IntPtr codebase = module.codeBase; var section = PointerHelpers.ToStruct <IMAGE_SECTION_HEADER>(headers, (uint)(24 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader)); for (i = 0; i < module.headers.FileHeader.NumberOfSections; i++) { IntPtr dest; if (section.SizeOfRawData == 0) { uint size = oldHeaders.OptionalHeader.SectionAlignment; if (size > 0) { dest = new IntPtr((Win32Imports.VirtualAlloc((uint)(codebase.ToInt32() + (int)section.VirtualAddress), size, Win32Constants.MEM_COMMIT, Win32Constants.PAGE_READWRITE))); section.PhysicalAddress = (uint)dest; var write = new IntPtr(headers.ToInt32() + (32 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader) + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * (i))); Marshal.WriteInt32(write, (int)dest); var datazz = new byte[size + 1]; Marshal.Copy(datazz, 0, dest, (int)size); } section = PointerHelpers.ToStruct <IMAGE_SECTION_HEADER>(headers, (uint)((24 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader) + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * (i + 1)))); continue; } dest = new IntPtr((Win32Imports.VirtualAlloc((uint)(codebase.ToInt32() + (int)section.VirtualAddress), section.SizeOfRawData, Win32Constants.MEM_COMMIT, Win32Constants.PAGE_READWRITE))); Marshal.Copy(data, (int)section.PointerToRawData, dest, (int)section.SizeOfRawData); section.PhysicalAddress = (uint)dest; var write2 = new IntPtr(headers.ToInt32() + (32 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader) + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * (i))); Marshal.WriteInt32(write2, (int)dest); section = PointerHelpers.ToStruct <IMAGE_SECTION_HEADER>(headers, (uint)((24 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader) + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * (i + 1)))); } }
public void FinalizeSections(IntPtr headers, IMAGE_DOS_HEADER dosHeader, IMAGE_NT_HEADERS oldHeaders) { ProtectionFlags[0] = new int[2][]; ProtectionFlags[1] = new int[2][]; ProtectionFlags[0][0] = new int[2]; ProtectionFlags[0][1] = new int[2]; ProtectionFlags[1][0] = new int[2]; ProtectionFlags[1][1] = new int[2]; ProtectionFlags[0][0][0] = 0x01; ProtectionFlags[0][0][1] = 0x08; ProtectionFlags[0][1][0] = 0x02; ProtectionFlags[0][1][1] = 0x04; ProtectionFlags[1][0][0] = 0x10; ProtectionFlags[1][0][1] = 0x80; ProtectionFlags[1][1][0] = 0x20; ProtectionFlags[1][1][1] = 0x40; var section = PointerHelpers.ToStruct <IMAGE_SECTION_HEADER>(headers, (uint)(24 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader)); for (int i = 0; i < module.headers.FileHeader.NumberOfSections; i++) { //Console.WriteLine("Finalizing " + Encoding.UTF8.GetString(section.Name)); int executable = (section.Characteristics & 0x20000000) != 0 ? 1 : 0; int readable = (section.Characteristics & 0x40000000) != 0 ? 1 : 0; int writeable = (section.Characteristics & 0x80000000) != 0 ? 1 : 0; if ((section.Characteristics & 0x02000000) > 0) { bool aa = Win32Imports.VirtualFree(new IntPtr(section.PhysicalAddress), (UIntPtr)section.SizeOfRawData, 0x4000); continue; } var protect = (uint)ProtectionFlags[executable][readable][writeable]; if ((section.Characteristics & 0x04000000) > 0) { protect |= 0x200; } var size = (int)section.SizeOfRawData; if (size == 0) { if ((section.Characteristics & 0x00000040) > 0) { size = (int)module.headers.OptionalHeader.SizeOfInitializedData; } else if ((section.Characteristics & 0x00000080) > 0) { size = (int)module.headers.OptionalHeader.SizeOfUninitializedData; } } if (size > 0) { uint oldProtect; if (!Win32Imports.VirtualProtect(new IntPtr(section.PhysicalAddress), section.SizeOfRawData, protect, out oldProtect)) { } } section = PointerHelpers.ToStruct <IMAGE_SECTION_HEADER>(headers, (uint)((24 + dosHeader.e_lfanew + oldHeaders.FileHeader.SizeOfOptionalHeader) + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * (i + 1)))); } }