PageRenderTime 33ms CodeModel.GetById 23ms RepoModel.GetById 0ms app.codeStats 1ms

/PortableExecutable.cpp

https://bitbucket.org/BlackLuny/crysearch-memory-scanner
C++ | 2276 lines | 1559 code | 364 blank | 353 comment | 302 complexity | 38c298094121c242bcddc7a5039cd75d MD5 | raw file
    

  1. #include "PortableExecutable.h"
    2. 

  2. #include "BackendGlobalDef.h"
    3. 

  3. 

  4. // Defines seperately because the Windows SDK 7.1 headers do not yet include these two.
    5. 

  5. #define _WIN32_WINNT_WIN8                   0x0602
    6. 

  6. #define _WIN32_WINNT_WINBLUE                0x0603
    7. 

  7. 

  8. #include <Shlwapi.h>
    9. 

  9. 

  10. #pragma comment(lib, "shlwapi.lib")
    11. 

  11. 

  12. #define EAT_ADDRESS_NOT_FOUND				-1
    13. 

  13. #define THREAD_HIJACK_MAGIC_PROBE_THRESHOLD	12
    14. 

  14. 

  15. // Checks whether a RVA points inside a section of the executable. Returns true if so and false if not.
    16. 

  16. const bool RVAPointsInsideSection(const DWORD rva)
    17. 

  17. {
    18. 

  18. 	// Walk the sections in the target process.
    19. 

  19. 	for (auto const& section : LoadedProcessPEInformation.ImageSections)
    20. 

  20. 	{
    21. 

  21. 		// Check if the specified RVA is within the bounds of a section.
    22. 

  22. 		if (rva > section.BaseAddress && rva < (section.BaseAddress + section.RawSectionSize))
    23. 

  23. 		{
    24. 

  24. 			return true;
    25. 

  25. 		}
    26. 

  26. 	}
    27. 

  27. 	
    28. 

  28. 	return false;
    29. 

  29. }
    30. 

  30. 

  31. // -------------------------------------------------------------------------------------------------------------------------------
    32. 

  32. // Base class methods
    33. 

  33. // -------------------------------------------------------------------------------------------------------------------------------
    34. 

  34. 

  35. // Default PE class constructor.
    36. 

  36. PortableExecutable::PortableExecutable()
    37. 

  37. {
    38. 

  38. 	this->mProcessHandle = mMemoryScanner->GetHandle();
    39. 

  39. 	this->mBaseAddress = mModuleManager->GetBaseAddress();
    40. 

  40. }
    41. 

  41. 

  42. // Default PE class destructor. Virtual destructor, always use derived class' destructor to execute this one.
    43. 

  43. PortableExecutable::~PortableExecutable()
    44. 

  44. {
    45. 

  45. 	LoadedProcessPEInformation.PEFields.Clear();
    46. 

  46. 	LoadedProcessPEInformation.Reset();
    47. 

  47. 	LoadedProcessPEInformation.ClearImportTable();
    48. 

  48. }
    49. 

  49. 

  50. // Sets the base address.
    51. 

  51. void PortableExecutable::SetBaseAddress(const SIZE_T baseAddress)
    52. 

  52. {
    53. 

  53. 	this->mBaseAddress = baseAddress;
    54. 

  54. }
    55. 

  55. 

  56. // Gets the base address.
    57. 

  57. const SIZE_T PortableExecutable::GetBaseAddress() const
    58. 

  58. {
    59. 

  59. 	return this->mBaseAddress;
    60. 

  60. }
    61. 

  61. 

  62. // Retrieves the address of the Process Environment Block of the opened process.
    63. 

  63. // Returns the PEB base address or NULL if the address was not succesfully retrieved.
    64. 

  64. void* PortableExecutable::GetPebAddress() const
    65. 

  65. {
    66. 

  66. #ifdef WIN64
    67. 

  67. 	if (mMemoryScanner->IsX86Process())
    68. 

  68. 	{
    69. 

  69. 		// If we run CrySearch x64 and we target an x86 process, we use NtQueryInformationProcess with a ULONG_PTR parameter.
    70. 

  70. 		ULONG_PTR PebBaseAddress;
    71. 

  71. 		if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessWow64Information, &PebBaseAddress, sizeof(ULONG_PTR), NULL) == STATUS_SUCCESS)
    72. 

  72. 		{
    73. 

  73. 			return (void*)PebBaseAddress;
    74. 

  74. 		}
    75. 

  75. 	}
    76. 

  76. 	else
    77. 

  77. 	{
    78. 

  78. 		// If we run CrySearch x64 and we target an x64 process, we use NtQueryInformationProcess with a PROCESS_BASIC_INFORMATION parameter.
    79. 

  79. 		PROCESS_BASIC_INFORMATION tInfo;
    80. 

  80. 		if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessBasicInformation, &tInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL) == STATUS_SUCCESS)
    81. 

  81. 		{
    82. 

  82. 			return tInfo.PebBaseAddress;
    83. 

  83. 		}
    84. 

  84. 	}
    85. 

  85. #else
    86. 

  86. 	// If we run CrySearch x86, we can only target an x86 process and we use NtQueryInformationProcess with a PROCESS_BASIC_INFORMATION parameter.
    87. 

  87. 	PROCESS_BASIC_INFORMATION tInfo;
    88. 

  88. 	if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessBasicInformation, &tInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL) == STATUS_SUCCESS)
    89. 

  89. 	{
    90. 

  90. 		return tInfo.PebBaseAddress;
    91. 

  91. 	}
    92. 

  92. #endif
    93. 

  93. 	
    94. 

  94. 	return NULL;
    95. 

  95. }
    96. 

  96. 

  97. // Parses input machine type and adds the parsed value to the global inventory for UI display.
    98. 

  98. void PortableExecutable::ParseMachineType(const DWORD machineType) const
    99. 

  99. {
    100. 

  100. 	switch (machineType)
    101. 

  101. 	{
    102. 

  102. 		case IMAGE_FILE_MACHINE_I386:
    103. 

  103. 			LoadedProcessPEInformation.PEFields.Add("Machine Type", "i386");
    104. 

  104. 			break;
    105. 

  105. 		case IMAGE_FILE_MACHINE_IA64:
    106. 

  106. 			LoadedProcessPEInformation.PEFields.Add("Machine Type", "ia64");
    107. 

  107. 			break;
    108. 

  108. 		case IMAGE_FILE_MACHINE_AMD64:
    109. 

  109. 			LoadedProcessPEInformation.PEFields.Add("Machine Type", "amd64");
    110. 

  110. 			break;
    111. 

  111. 	}
    112. 

  112. }
    113. 

  113. 

  114. // Parses input subsystem type and adds the parsed value to the global inventory for UI display.
    115. 

  115. void PortableExecutable::ParseSubsystemValue(const DWORD subSystem) const
    116. 

  116. {
    117. 

  117. 	switch (subSystem)
    118. 

  118. 	{
    119. 

  119. 		case IMAGE_SUBSYSTEM_UNKNOWN:
    120. 

  120. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Unknown");
    121. 

  121. 			break;
    122. 

  122. 		case IMAGE_SUBSYSTEM_NATIVE:
    123. 

  123. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Native");
    124. 

  124. 			break;
    125. 

  125. 		case IMAGE_SUBSYSTEM_WINDOWS_GUI:
    126. 

  126. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Windows GUI");
    127. 

  127. 			break;
    128. 

  128. 		case IMAGE_SUBSYSTEM_WINDOWS_CUI:
    129. 

  129. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Windows CUI");
    130. 

  130. 			break;
    131. 

  131. 		case IMAGE_SUBSYSTEM_OS2_CUI:
    132. 

  132. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "OS/2 CUI");
    133. 

  133. 			break;
    134. 

  134. 		case IMAGE_SUBSYSTEM_POSIX_CUI:
    135. 

  135. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "POSIX_CUI");
    136. 

  136. 			break;
    137. 

  137. 		case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
    138. 

  138. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Windows CE CUI");
    139. 

  139. 			break;
    140. 

  140. 		case IMAGE_SUBSYSTEM_EFI_APPLICATION:
    141. 

  141. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "EFI");
    142. 

  142. 			break;
    143. 

  143. 		case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
    144. 

  144. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "EFI Boot Driver");
    145. 

  145. 			break;
    146. 

  146. 		case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
    147. 

  147. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "EFI Runtime Driver");
    148. 

  148. 			break;
    149. 

  149. 		case IMAGE_SUBSYSTEM_EFI_ROM:
    150. 

  150. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "EFI ROM");
    151. 

  151. 			break;
    152. 

  152. 		case IMAGE_SUBSYSTEM_XBOX:
    153. 

  153. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Xbox system");
    154. 

  154. 			break;
    155. 

  155. 		case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION:
    156. 

  156. 			LoadedProcessPEInformation.PEFields.Add("Subsystem", "Boot application");
    157. 

  157. 			break;
    158. 

  158. 	}
    159. 

  159. }
    160. 

  160. 

  161. // This function retrieves all sections from a specified PE file. The NT header is provided to create flexibility.
    162. 

  162. // The input list is cleared before the retrieval is started.
    163. 

  163. void PortableExecutable::GetImageSectionsList(const IMAGE_SECTION_HEADER* pSecHeader, const DWORD numberOfSections, Vector<Win32PESectionInformation>& list) const
    164. 

  164. {
    165. 

  165. 	list.Clear();
    166. 

  166. 	
    167. 

  167. 	// Iterate through sections and save them for application use.
    168. 

  168. 	for (unsigned int i = 0; i < numberOfSections; ++i, ++pSecHeader)
    169. 

  169. 	{
    170. 

  170. 		// Sometimes PE files contain bogus sections at runtime due to packer activities. Remove bogus sections from the list.
    171. 

  171. 		if (!pSecHeader->VirtualAddress)
    172. 

  172. 		{
    173. 

  173. 			continue;
    174. 

  174. 		}
    175. 

  175. 		
    176. 

  176. 		// The name of a section can only be 8 characters long. A longer name has a different notation.
    177. 

  177. 		// This is not taken into account because the chance of it appearing in an executable is very small.
    178. 

  178. 		list.Add(Win32PESectionInformation((char*)pSecHeader->Name, pSecHeader->VirtualAddress, pSecHeader->Misc.VirtualSize == 0 ? pSecHeader->SizeOfRawData
    179. 

  179. 			: pSecHeader->Misc.VirtualSize, pSecHeader->SizeOfRawData));
    180. 

  180. 	}
    181. 

  181. }
    182. 

  182. 

  183. // This function is declared seperately to reduce code in a few functions spreaded over this file.
    184. 

  184. // This increases the code readability even though the function will probably be inlined by the compiler.
    185. 

  185. wchar* PortableExecutable::InlineResolveApiSetSchema(const WString& str) const
    186. 

  186. {
    187. 

  187. 	// Check which version of Windows is running. We need this to differentiate between ApiSetSchema versions.
    188. 

  188. 	Tuple2<int, int> winver;
    189. 

  189. 	if (GetInlineWindowsVersion(&winver))
    190. 

  190. 	{
    191. 

  191. 		// Call the correct ApiSetSchema parsing function.
    192. 

  192. 		if (winver.a == 6)
    193. 

  193. 		{
    194. 

  194. 			if (winver.b == 4)
    195. 

  195. 			{
    196. 

  196. 				// Call the Windows 10 version of the parser.
    197. 

  197. 				return this->ResolveApiSetSchemaMapping10(str, str.GetLength());
    198. 

  198. 			}
    199. 

  199. 			else if (winver.b > 2)
    200. 

  200. 			{
    201. 

  201. 				// Call the Windows 8(.1) version of the parser.
    202. 

  202. 				return this->ResolveApiSetSchemaMappingEx(str, str.GetLength());
    203. 

  203. 			}
    204. 

  204. 			else
    205. 

  205. 			{
    206. 

  206. 				// Call the Windows 7 version of the parser.
    207. 

  207. 				return this->ResolveApiSetSchemaMapping(str, str.GetLength());
    208. 

  208. 			}
    209. 

  209. 		}
    210. 

  210. 		else if (winver.a == 10)
    211. 

  211. 		{
    212. 

  212. 			// Call the Windows 10 version of the parser.
    213. 

  213. 			return this->ResolveApiSetSchemaMapping10(str, str.GetLength());
    214. 

  214. 		}
    215. 

  215. 	}
    216. 

  216. 	
    217. 

  217. 	return NULL;
    218. 

  218. }
    219. 

  219. 

  220. // Resolves Windows 6.x ApiSetSchema redirections found in the IAT. Usually they redirect to a common Windows DLL like advapi32.dll.
    221. 

  221. // Returns the name of the redirected library, or NULL if the function failed. Beware that you still need to delete the buffer assigned to the return value!
    222. 

  222. wchar* PortableExecutable::ResolveApiSetSchemaMapping(const wchar* ApiSetSchemaDll, const DWORD Length) const
    223. 

  223. {
    224. 

  224. 	// Retrieve PEB, the address of the map is there.
    225. 

  225. #ifdef _WIN64
    226. 

  226. 	APISETMAP* const apiSetSchemaBase = (APISETMAP*)((PPEB)__readgsqword(0x60))->ApiSetMap;
    227. 

  227. #else
    228. 

  228. 	APISETMAP* const apiSetSchemaBase = (APISETMAP*)((PPEB)__readfsdword(0x30))->ApiSetMap;
    229. 

  229. #endif
    230. 

  230. 	
    231. 

  231. 	Byte* const apiSetSchemaFileBuffer = (Byte*)apiSetSchemaBase;
    232. 

  232. 	DLLHOSTDESCRIPTOR* pDescriptor = apiSetSchemaBase->descriptors;
    233. 

  233. 	
    234. 

  234. 	// Iterate through the descriptor structs.
    235. 

  235. 	for (unsigned int i = 0; i < apiSetSchemaBase->NumberOfHosts; ++i, ++pDescriptor)
    236. 

  236. 	{
    237. 

  237. 		// Compare virtual API with input.
    238. 

  238. 		if (_wcsnicmp(ApiSetSchemaDll, (wchar*)(apiSetSchemaFileBuffer + pDescriptor->OffsetDllString), Length) == 0)
    239. 

  239. 		{
    240. 

  240. 			DLLREDIRECTOR* const directorStruct = (DLLREDIRECTOR*)(apiSetSchemaFileBuffer + pDescriptor->OffsetDllRedirector);
    241. 

  241. 

  242. 			// Iterate redirections for this api set.
    243. 

  243. 			REDIRECTION* pRedirectionDescriptor = directorStruct->Redirection;
    244. 

  244. 			const wchar* const redirectionString = (wchar*)(apiSetSchemaFileBuffer + pRedirectionDescriptor->OffsetRedirection2);
    245. 

  245. 

  246. 			// Redirection is found, create buffer to return to the caller and copy the logical dll name into it.
    247. 

  247. 			const DWORD wcsLength = pRedirectionDescriptor->RedirectionLength2 / 2;
    248. 

  248. 			wchar* const nameBuffer = new wchar[wcsLength + 1];
    249. 

  249. 			memcpy(nameBuffer, redirectionString, pRedirectionDescriptor->RedirectionLength2);
    250. 

  250. 

  251. 			// Set null terminator in the string, otherwise the result contains the redirected dll name but the rest is undefined.
    252. 

  252. 			nameBuffer[wcsLength] = NULL;
    253. 

  253. 

  254. 			return nameBuffer;
    255. 

  255. 		}
    256. 

  256. 	}
    257. 

  257. 	
    258. 

  258. 	return NULL;
    259. 

  259. }
    260. 

  260. 

  261. // Compatibility with Windows 8.1 ApiSetSchema v2 is implemented since v1.04 of CrySearch.
    262. 

  262. // Return value is the same as the PortableExecutable::ResolveApiSetSchemaMapping function.
    263. 

  263. wchar* PortableExecutable::ResolveApiSetSchemaMappingEx(const wchar* ApiSetSchemaDll, const DWORD Length) const
    264. 

  264. {
    265. 

  265. 	// Retrieve PEB, the address of the map is there.
    266. 

  266. #ifdef _WIN64
    267. 

  267. 	API_SET_NAMESPACE_ARRAY_V2* const apiSetSchemaBase = (API_SET_NAMESPACE_ARRAY_V2*)((PPEB)__readgsqword(0x60))->ApiSetMap;
    268. 

  268. #else
    269. 

  269. 	API_SET_NAMESPACE_ARRAY_V2* const apiSetSchemaBase = (API_SET_NAMESPACE_ARRAY_V2*)((PPEB)__readfsdword(0x30))->ApiSetMap;
    270. 

  270. #endif
    271. 

  271. 	
    272. 

  272. 	Byte* const apiSetSchemaFileBuffer = (Byte*)apiSetSchemaBase;
    273. 

  273. 	API_SET_NAMESPACE_ENTRY_V2* pDescriptor = apiSetSchemaBase->Array;
    274. 

  274. 	
    275. 

  275. 	// Iterate through the descriptor structs.
    276. 

  276. 	for (unsigned int i = 0; i < apiSetSchemaBase->Count; ++i, ++pDescriptor)
    277. 

  277. 	{
    278. 

  278. 		// Compare virtual API with input.
    279. 

  279. 		if (_wcsnicmp(ApiSetSchemaDll, (wchar*)(apiSetSchemaFileBuffer + pDescriptor->NameOffset), Length) == 0)
    280. 

  280. 		{
    281. 

  281. 			API_SET_VALUE_ARRAY_V2* const directorStruct = (API_SET_VALUE_ARRAY_V2*)(apiSetSchemaFileBuffer + pDescriptor->DataOffset);
    282. 

  282. 			
    283. 

  283. 			// Iterate redirections for this api set.
    284. 

  284. 			API_SET_VALUE_ENTRY_V2* pRedirectionDescriptor = directorStruct->Array;
    285. 

  285. 			const wchar* const redirectionString = (wchar*)(apiSetSchemaFileBuffer + pRedirectionDescriptor->ValueOffset);
    286. 

  286. 			
    287. 

  287. 			// Apparently a virtual library may have two redirections. If the library being
    288. 

  288. 			// processed matches the first API redirection, we must use the second one.
    289. 

  289. 			const unsigned int totalLengthW = (unsigned int)wcslen(redirectionString);
    290. 

  290. 			const DWORD wcsIndex = pRedirectionDescriptor->ValueLength / sizeof(wchar);
    291. 

  291. 			wchar* const nameBuffer = new wchar[totalLengthW * sizeof(wchar)];
    292. 

  292. 			if (_wcsnicmp(ApiSetSchemaDll, redirectionString + 4, Length) == 0)
    293. 

  293. 			{
    294. 

  294. 				// Redirection is found, create buffer to return to the caller and copy the logical dll name into it.
    295. 

  295. 				const DWORD wcharCount = totalLengthW - wcsIndex;
    296. 

  296. 				memcpy(nameBuffer, redirectionString + wcsIndex, wcharCount);
    297. 

  297. 				nameBuffer[wcharCount] = NULL;
    298. 

  298. 			}
    299. 

  299. 			else
    300. 

  300. 			{
    301. 

  301. 				// Take the first redirection as result.
    302. 

  302. 				memcpy(nameBuffer, redirectionString, pRedirectionDescriptor->ValueLength);
    303. 

  303. 				nameBuffer[pRedirectionDescriptor->ValueLength / sizeof(wchar)] = NULL;
    304. 

  304. 			}
    305. 

  305. 			
    306. 

  306. 			return nameBuffer;
    307. 

  307. 		}
    308. 

  308. 	}
    309. 

  309. 	
    310. 

  310. 	return NULL;
    311. 

  311. }
    312. 

  312. 

  313. // Compatibility with Windows 10 ApiSetSchema is implemented since v2.0 of CrySearch.
    314. 

  314. // Return value is the same as the PortableExecutable::ResolveApiSetSchemaMapping function.
    315. 

  315. wchar* PortableExecutable::ResolveApiSetSchemaMapping10(const wchar* ApiSetSchemaDll, const DWORD Length ) const
    316. 

  316. {
    317. 

  317. 	// Retrieve PEB, the address of the map is there.
    318. 

  318. #ifdef _WIN64
    319. 

  319. 	API_SET_NAMESPACE_ARRAY_10* const apiSetSchemaBase = (API_SET_NAMESPACE_ARRAY_10*)((PPEB)__readgsqword(0x60))->ApiSetMap;
    320. 

  320. #else
    321. 

  321. 	API_SET_NAMESPACE_ARRAY_10* const apiSetSchemaBase = (API_SET_NAMESPACE_ARRAY_10*)((PPEB)__readfsdword(0x30))->ApiSetMap;
    322. 

  322. #endif
    323. 

  323. 	
    324. 

  324. 	Byte* const apiSetSchemaFileBuffer = (Byte*)apiSetSchemaBase;
    325. 

  325. 	API_SET_NAMESPACE_ENTRY_10* pDescriptor = (API_SET_NAMESPACE_ENTRY_10*)(apiSetSchemaFileBuffer + apiSetSchemaBase->End);
    326. 

  326. 

  327. 	// Iterate through the descriptor structs.
    328. 

  328. 	for (unsigned int i = 0; i < apiSetSchemaBase->Count; ++i, ++pDescriptor)
    329. 

  329. 	{
    330. 

  330. 		// Retrieve the data associated with the current ApiSet schema entry.
    331. 

  331. 		API_SET_VALUE_ARRAY_10* const directorStruct = (API_SET_VALUE_ARRAY_10*)(apiSetSchemaFileBuffer + apiSetSchemaBase->Start + sizeof(API_SET_VALUE_ARRAY_10) * pDescriptor->Size);
    332. 

  332. 		
    333. 

  333. 		// Compare virtual API with input. We need to add 4 words to the pointer because in Windows 10, the API names are not truncated to 'ms-win...'.
    334. 

  334. 		if (_wcsnicmp(ApiSetSchemaDll, (wchar*)(apiSetSchemaFileBuffer + directorStruct->NameOffset + 8), Length - 1) == 0)
    335. 

  335. 		{
    336. 

  336. 			// Iterate redirections for this api set.
    337. 

  337. 			API_SET_VALUE_ENTRY_10* pRedirectionDescriptor = (API_SET_VALUE_ENTRY_10*)(apiSetSchemaFileBuffer + directorStruct->DataOffset);
    338. 

  338. 			const wchar* const redirectionString = (wchar*)(apiSetSchemaFileBuffer + pRedirectionDescriptor->ValueOffset);
    339. 

  339. 			
    340. 

  340. 			// Apparently a virtual library may have two redirections. If the library being
    341. 

  341. 			// processed matches the first API redirection, we must use the second one.
    342. 

  342. 			const unsigned int totalLengthW = (unsigned int)wcslen(redirectionString);
    343. 

  343. 			const DWORD wcsIndex = pRedirectionDescriptor->ValueLength / sizeof(wchar);
    344. 

  344. 			wchar* const nameBuffer = new wchar[totalLengthW * sizeof(wchar)];
    345. 

  345. 			if (_wcsnicmp(ApiSetSchemaDll, redirectionString + 4, Length) == 0)
    346. 

  346. 			{
    347. 

  347. 				// Redirection is found, create buffer to return to the caller and copy the logical dll name into it.
    348. 

  348. 				const DWORD wcharCount = totalLengthW - wcsIndex;
    349. 

  349. 				memcpy(nameBuffer, redirectionString + wcsIndex, wcharCount);
    350. 

  350. 				nameBuffer[wcharCount] = NULL;
    351. 

  351. 			}
    352. 

  352. 			else
    353. 

  353. 			{
    354. 

  354. 				// Take the first redirection as result.
    355. 

  355. 				memcpy(nameBuffer, redirectionString, pRedirectionDescriptor->ValueLength);
    356. 

  356. 				nameBuffer[pRedirectionDescriptor->ValueLength / sizeof(wchar)] = NULL;
    357. 

  357. 			}
    358. 

  358. 			
    359. 

  359. 			return nameBuffer;
    360. 

  360. 		}
    361. 

  361. 	}
    362. 

  362. 	
    363. 

  363. 	return NULL;
    364. 

  364. }
    365. 

  365. 

  366. // Reads the COM directory from a PE file header. Most likely this is the .NET header.
    367. 

  367. // This function does not free the buffer pointed to by the parameter.
    368. 

  368. void PortableExecutable::GetDotNetDirectoryInformation(const IMAGE_DATA_DIRECTORY* const netHeader) const
    369. 

  369. {
    370. 

  370. 	// Check if the executable contains a COM header.
    371. 

  371. 	if (netHeader->VirtualAddress && netHeader->Size >= sizeof(IMAGE_COR20_HEADER))
    372. 

  372. 	{
    373. 

  373. 		SIZE_T bytesRead;
    374. 

  374. 

  375. 		// Read COR20 header from file.
    376. 

  376. 		Byte* netDirBuffer = new Byte[netHeader->Size];
    377. 

  377. 		bool b = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + netHeader->VirtualAddress), netDirBuffer, netHeader->Size, &bytesRead);
    378. 

  378. 

  379. 		// Check if the section data was read succesfully.
    380. 

  380. 		if (b && bytesRead == netHeader->Size)
    381. 

  381. 		{
    382. 

  382. 			// Save version information from COR20 header.
    383. 

  383. 			IMAGE_DATA_DIRECTORY mdDir;
    384. 

  384. 			memcpy(&mdDir, &((IMAGE_COR20_HEADER*)netDirBuffer)->MetaData, sizeof(IMAGE_DATA_DIRECTORY));
    385. 

  385. 			delete[] netDirBuffer;
    386. 

  386. 

  387. 			// Save the offset to the metadata header to allow dumping of .NET sections later.
    388. 

  388. 			LoadedProcessPEInformation.DotNetInformation.MetadataHeaderOffset = mdDir.VirtualAddress;
    389. 

  389. 

  390. 			// Read metadata from header.
    391. 

  391. 			netDirBuffer = new Byte[mdDir.Size];
    392. 

  392. 			b = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + mdDir.VirtualAddress), netDirBuffer, mdDir.Size, &bytesRead);
    393. 

  393. 

  394. 			// Check whether the metadata was succesfully read into the local buffer.
    395. 

  395. 			if (b && bytesRead == mdDir.Size)
    396. 

  396. 			{
    397. 

  397. 				// Dissect metadata. Since its a dynamic structure we cannot compile this into a struct.
    398. 

  398. 				const DWORD vStrLength = *(DWORD*)(netDirBuffer + 12);
    399. 

  399. 				const WORD streamCount = *(WORD*)(netDirBuffer + 18 + vStrLength);
    400. 

  400. 

  401. 				// Based on the stream count, dissect streams from the header.
    402. 

  402. 				DWORD streamIterator = 0;
    403. 

  403. 				for (const char* iterator = (char*)(netDirBuffer + 20 + vStrLength); streamIterator < streamCount; ++streamIterator)
    404. 

  404. 				{
    405. 

  405. 					// Get offset and size fields.
    406. 

  406. 					const DWORD* const offsetPtr = (DWORD*)iterator;
    407. 

  407. 					iterator += sizeof(DWORD);
    408. 

  408. 					const DWORD* const sizePtr = (DWORD*)iterator;
    409. 

  409. 					iterator += sizeof(DWORD);
    410. 

  410. 

  411. 					// Read the name of the stream.
    412. 

  412. 					WORD str = 0;
    413. 

  413. 					const char* const beginIterator = iterator;
    414. 

  414. 					bool strEnded = false;
    415. 

  415. 					while (1)
    416. 

  416. 					{
    417. 

  417. 						// First find the end of the string.
    418. 

  418. 						if (!strEnded && *iterator == 0)
    419. 

  419. 						{
    420. 

  420. 							strEnded = true;
    421. 

  421. 						}
    422. 

  422. 						// Continue until the next 4 byte boundary is reached.
    423. 

  423. 						else if (strEnded && ((SIZE_T)iterator % 4) == 0)
    424. 

  424. 						{
    425. 

  425. 							break;
    426. 

  426. 						}
    427. 

  427. 

  428. 						++str;
    429. 

  429. 						++iterator;
    430. 

  430. 					}
    431. 

  431. 

  432. 					// String length was measured, now read it into a variable.
    433. 

  433. 					Win32DotNetSectionInformation& newSect = LoadedProcessPEInformation.DotNetInformation.DotNetSections.Add();
    434. 

  434. 					newSect.SectionName = String(beginIterator, str + 1);
    435. 

  435. 					newSect.Offset = *offsetPtr;
    436. 

  436. 					newSect.Size = *sizePtr;
    437. 

  437. 				}
    438. 

  438. 			}
    439. 

  439. 		}
    440. 

  440. 

  441. 		delete[] netDirBuffer;
    442. 

  442. 	}
    443. 

  443. }
    444. 

  444. 

  445. // Resolves ApiSetSchema module names and returns a pointer to the resolved module.
    446. 

  446. const Win32ModuleInformation* PortableExecutable::GetResolvedModule(const char* pModName, int* const recurseIndex, const char* NameOrdinal) const
    447. 

  447. {
    448. 

  448. 	// Find the first dot in the filename.
    449. 

  449. 	String forwardedModName = pModName;
    450. 

  450. 	*recurseIndex = forwardedModName.Find('.');
    451. 

  451. 

  452. 	// If the resulting filename starts with api-ms-win, we are dealing with ApiSetSchema libraries.
    453. 

  453. 	WString apiSetDllName = ToLower(forwardedModName);
    454. 

  454. 	if (apiSetDllName.StartsWith("api-ms-win") || apiSetDllName.StartsWith("ext-ms-win"))
    455. 

  455. 	{
    456. 

  456. 		apiSetDllName.Remove(0, 4);
    457. 

  457. 		apiSetDllName.Remove(apiSetDllName.Find('.'), (int)strlen(NameOrdinal) + 1);
    458. 

  458. 

  459. 		const wchar* const outWString = this->InlineResolveApiSetSchema(apiSetDllName);
    460. 

  460. 		forwardedModName = WString(outWString).ToString();
    461. 

  461. 		delete[] outWString;
    462. 

  462. 	}
    463. 

  463. 

  464. 	// Append .dll after the filename.
    465. 

  465. 	const int dotIndex = forwardedModName.Find('.');
    466. 

  466. 	if (dotIndex >= 0)
    467. 

  467. 	{
    468. 

  468. 		forwardedModName.Remove(dotIndex, forwardedModName.GetLength() - dotIndex);
    469. 

  469. 		forwardedModName += ".dll";
    470. 

  470. 	}
    471. 

  471. 

  472. 	// Resolve the module to a loaded one.
    473. 

  473. 	return mModuleManager->FindModule(forwardedModName);
    474. 

  474. }
    475. 

  475. 

  476. // -------------------------------------------------------------------------------------------------------------------------------
    477. 

  477. // PE32 class methods
    478. 

  478. // -------------------------------------------------------------------------------------------------------------------------------
    479. 

  479. 

  480. // Default PE32 destructor. Base class destructor is virtual so this destructor is executed with the base's.
    481. 

  481. PortableExecutable32::~PortableExecutable32()
    482. 

  482. {
    483. 

  483. 	
    484. 

  484. }
    485. 

  485. 

  486. // Retrieves PE header information from the loaded process. Information is saved in global storage that has process lifetime.
    487. 

  487. // Note that IMAGE_NT_HEADERS and IMAGE_OPTIONAL_HEADER are explicitly defined as the 32 bit version. If compiled as 64 bit the structs differ.
    488. 

  488. void PortableExecutable32::GetExecutablePeInformation() const
    489. 

  489. {
    490. 

  490. 	// Clear image sections before getting new ones.
    491. 

  491. 	LoadedProcessPEInformation.Reset();
    492. 

  492. 	
    493. 

  493. 	// Read process memory into local buffer in order to load PE headers.
    494. 

  494. 	Byte moduleBuffer[0x400];
    495. 

  495. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, 0x400, NULL);
    496. 

  496. 	
    497. 

  497. 	// Load PE headers.
    498. 

  498. 	IMAGE_DOS_HEADER* const pDosHeader = (IMAGE_DOS_HEADER*)moduleBuffer;
    499. 

  499. 	IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(moduleBuffer + pDosHeader->e_lfanew);
    500. 

  500. 

  501. 	// When the PE Headers are destroyed at runtime the pointer to the headers may run out of the buffer's bounds.
    502. 

  502. 	if ((Byte*)pNTHeader > (moduleBuffer + 0x400))
    503. 

  503. 	{
    504. 

  504. 		LoadedProcessPEInformation.PEFields.Clear();
    505. 

  505. 		return;
    506. 

  506. 	}
    507. 

  507. 	
    508. 

  508. 	// The headers should be fine, proceed loading the optional and file header.
    509. 

  509. 	const IMAGE_OPTIONAL_HEADER32* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader;
    510. 

  510. 	const IMAGE_FILE_HEADER* const pFileHeader = &(pNTHeader->FileHeader);
    511. 

  511. 	
    512. 

  512. 	// Retrieve the type of machine the PE executable can run on.
    513. 

  513. 	this->ParseMachineType(pFileHeader->Machine);
    514. 

  514. 	
    515. 

  515. 	// Retrieve PE fields and add them to the map.
    516. 

  516. 	LoadedProcessPEInformation.PEFields.Add("Number of sections", pFileHeader->NumberOfSections);
    517. 

  517. 	LoadedProcessPEInformation.PEFields.Add("Size of optional header", Format("%X", pFileHeader->SizeOfOptionalHeader));
    518. 

  518. 	LoadedProcessPEInformation.PEFields.Add("Pointer to symbol table", (int)pFileHeader->PointerToSymbolTable);
    519. 

  519. 	LoadedProcessPEInformation.PEFields.Add("Number of symbols", (int)pFileHeader->NumberOfSymbols);
    520. 

  520. 	LoadedProcessPEInformation.PEFields.Add("Image base", Format("%lX", (int)pOptionalHeader->ImageBase));
    521. 

  521. 

  522. #ifndef _WIN64
    523. 

  523. 	LoadedProcessPEInformation.PEFields.Add("Base of data", Format("%lX", (int)pOptionalHeader->BaseOfData));
    524. 

  524. #endif
    525. 

  525. 

  526. 	LoadedProcessPEInformation.PEFields.Add("Base of code", Format("%lX", (int)pOptionalHeader->BaseOfCode));
    527. 

  527. 	LoadedProcessPEInformation.PEFields.Add("Address of entrypoint", Format("%lX", (int)pOptionalHeader->AddressOfEntryPoint));
    528. 

  528. 	LoadedProcessPEInformation.PEFields.Add("Size of code", Format("%lX", (int)pOptionalHeader->SizeOfCode));
    529. 

  529. 	LoadedProcessPEInformation.PEFields.Add("Size of initialized data", Format("%lX", (int)pOptionalHeader->SizeOfInitializedData));
    530. 

  530. 	LoadedProcessPEInformation.PEFields.Add("Size of uninitialized data", Format("%lX", (int)pOptionalHeader->SizeOfUninitializedData));
    531. 

  531. 	LoadedProcessPEInformation.PEFields.Add("Section alignment", Format("%lX", (int)pOptionalHeader->SectionAlignment));
    532. 

  532. 	LoadedProcessPEInformation.PEFields.Add("File alignment", Format("%lX", (int)pOptionalHeader->FileAlignment));
    533. 

  533. 	LoadedProcessPEInformation.PEFields.Add("Size of image", Format("%lX", (int)pOptionalHeader->SizeOfImage));
    534. 

  534. 	LoadedProcessPEInformation.PEFields.Add("Size of headers", Format("%lX", (int)pOptionalHeader->SizeOfHeaders));
    535. 

  535. 	LoadedProcessPEInformation.PEFields.Add("Checksum", Format("%lX", (int)pOptionalHeader->CheckSum));
    536. 

  536. 	LoadedProcessPEInformation.PEFields.Add("Linker version", Format("%i.%i", pOptionalHeader->MajorLinkerVersion, pOptionalHeader->MinorLinkerVersion));
    537. 

  537. 	LoadedProcessPEInformation.PEFields.Add("OS version", Format("%i.%i", pOptionalHeader->MajorOperatingSystemVersion, pOptionalHeader->MinorOperatingSystemVersion));
    538. 

  538. 	LoadedProcessPEInformation.PEFields.Add("Image version", Format("%i.%i", pOptionalHeader->MajorImageVersion, pOptionalHeader->MinorImageVersion));
    539. 

  539. 	LoadedProcessPEInformation.PEFields.Add("Subsystem version", Format("%i.%i", pOptionalHeader->MajorSubsystemVersion, pOptionalHeader->MinorSubsystemVersion));
    540. 

  540. 	LoadedProcessPEInformation.PEFields.Add("Number of data directories", Format("%lX", (int)pOptionalHeader->NumberOfRvaAndSizes));
    541. 

  541. 	
    542. 

  542. 	// Parse the last general property value of the PE header, save the section values and destroy the buffer.
    543. 

  543. 	this->ParseSubsystemValue(pOptionalHeader->Subsystem);
    544. 

  544. 	const DWORD sectionCount = pNTHeader->FileHeader.NumberOfSections;
    545. 

  545. 	const DWORD sectionSizeBytes = sizeof(IMAGE_SECTION_HEADER) * sectionCount;
    546. 

  546. 	const IMAGE_SECTION_HEADER* const firstSectionPtr = (IMAGE_SECTION_HEADER*)(this->mBaseAddress + ((Byte*)IMAGE_FIRST_SECTION(pNTHeader) - moduleBuffer));
    547. 

  547. 	
    548. 

  548. 	// Get the COM header from the PE file.
    549. 

  549. 	this->GetDotNetDirectoryInformation(&pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]);
    550. 

  550. 	
    551. 

  551. 	// Attempt to load the sections inside the PE file.
    552. 

  552. 	Byte* const sectionBuffer = new Byte[sectionSizeBytes];
    553. 

  553. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, firstSectionPtr, sectionBuffer, sectionSizeBytes, NULL);
    554. 

  554. 	this->GetImageSectionsList((IMAGE_SECTION_HEADER*)sectionBuffer, sectionCount, LoadedProcessPEInformation.ImageSections);
    555. 

  555. 	delete[] sectionBuffer;
    556. 

  556. }
    557. 

  557. 

  558. // Retrieves the address of a function in the export table of a module. Address can be returned for function by name or ordinal.
    559. 

  559. // Returns the address of the function, created from the module base address added by the function RVA.
    560. 

  560. // If the function is not found, the return value is 0xFFFFFFFF.
    561. 

  561. // The NameLength parameter contains the length of the name if there is a name, or 0 if the function is ordinal-based.
    562. 

  562. SIZE_T PortableExecutable32::GetAddressFromExportTable(const AddrStruct* addr, const char* NameOrdinal, const unsigned int NameLength) const
    563. 

  563. {
    564. 

  564. 	if (addr->ExportDirectory->AddressOfNameOrdinals)
    565. 

  565. 	{
    566. 

  566. 		int ResurseDotIndex = 0;
    567. 

  567. 		const DWORD* funcAddrPtr = NULL;
    568. 

  568. 		bool b;
    569. 

  569. 		SIZE_T bytesRead;
    570. 

  570. 		
    571. 

  571. 		// Walk the exported functions in the target module.
    572. 

  572. 		for (unsigned int i = 0; i < addr->ExportDirectory->NumberOfFunctions; ++i)
    573. 

  573. 		{
    574. 

  574. 			const WORD* const ordValue = (WORD*)((addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNameOrdinals) + (i * sizeof(WORD)));
    575. 

  575. 

  576. 			if (!NameLength)
    577. 

  577. 			{
    578. 

  578. 				bool found = false;
    579. 

  579. 

  580. 				// Compare ordinal values without magic bitoperations!
    581. 

  581. 				if ((addr->ExportDirectory->Base + *ordValue) == *reinterpret_cast<WORD*>(&NameOrdinal))
    582. 

  582. 				{
    583. 

  583. 					funcAddrPtr = (DWORD*)((addr->BufferBaseAddress + addr->ExportDirectory->AddressOfFunctions) + (sizeof(DWORD) * *ordValue));
    584. 

  584. 					found = true;
    585. 

  585. 				}
    586. 

  586. 				
    587. 

  587. 				// Skip the entry if it is not found.
    588. 

  588. 				if (!found || ((Byte*)funcAddrPtr < addr->BufferBaseAddress || (Byte*)funcAddrPtr > addr->BufferEndAddress))
    589. 

  589. 				{
    590. 

  590. 					continue;
    591. 

  591. 				}
    592. 

  592. 				
    593. 

  593. 				if (*funcAddrPtr > addr->DirectoryAddress->VirtualAddress && *funcAddrPtr < (addr->DirectoryAddress->VirtualAddress + addr->DirectoryAddress->Size))
    594. 

  594. 				{
    595. 

  595. 					const Win32ModuleInformation* modBaseAddr = this->GetResolvedModule((char*)(addr->BufferBaseAddress + *funcAddrPtr), &ResurseDotIndex, NameOrdinal);
    596. 

  596. 					
    597. 

  597. 					// Sometimes infinite redirecting causes stack overflowing. Terminate this sequence by returning not found.
    598. 

  598. 					if (!modBaseAddr || (SIZE_T)addr->BaseAddress == modBaseAddr->BaseAddress)
    599. 

  599. 					{
    600. 

  600. 						return EAT_ADDRESS_NOT_FOUND;
    601. 

  601. 					}
    602. 

  602. 						
    603. 

  603. 					Byte dllBuffer[0x400];
    604. 

  604. 			        CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    605. 

  605. 			        
    606. 

  606. 			        const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    607. 

  607. 					IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    608. 

  608. 			            
    609. 

  609. 			        Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    610. 

  610. 			        CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    611. 

  611. 					
    612. 

  612. 					Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    613. 

  613. 					AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    614. 

  614. 						, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    615. 

  615. 			            
    616. 

  616. 					SIZE_T forwardedAddress = this->GetAddressFromExportTable(&addrStruct, (char*)addr->BufferBaseAddress + *funcAddrPtr + ResurseDotIndex + 2, NameLength);
    617. 

  617. 					delete[] exportDirectoryBuffer;
    618. 

  618. 					return forwardedAddress;
    619. 

  619. 				}
    620. 

  620. 

  621. 				return (SIZE_T)(addr->BaseAddress + *funcAddrPtr);
    622. 

  622. 			}
    623. 

  623. 			else
    624. 

  624. 			{
    625. 

  625. 				const DWORD* const stringPtr = (DWORD*)((addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNames) + (i * sizeof(DWORD)));
    626. 

  626. 				const char* const functionName = (char*)(addr->BufferBaseAddress + *stringPtr);
    627. 

  627. 				
    628. 

  628. 				if ((functionName > (char*)addr->BufferBaseAddress + addr->DirectoryAddress->VirtualAddress && (functionName + NameLength + 1) < (char*)addr->BufferEndAddress) && memcmp(NameOrdinal, functionName, NameLength) == 0)
    629. 

  629. 				{
    630. 

  630. 					funcAddrPtr = (DWORD*)((addr->BufferBaseAddress + addr->ExportDirectory->AddressOfFunctions) + (sizeof(DWORD) * *ordValue));
    631. 

  631. 					if (*funcAddrPtr > addr->DirectoryAddress->VirtualAddress && *funcAddrPtr < (addr->DirectoryAddress->VirtualAddress + addr->DirectoryAddress->Size))
    632. 

  632. 					{
    633. 

  633. 						const Win32ModuleInformation* modBaseAddr = this->GetResolvedModule((char*)(addr->BufferBaseAddress + *funcAddrPtr), &ResurseDotIndex, NameOrdinal);
    634. 

  634. 						
    635. 

  635. 						if (!modBaseAddr || (SIZE_T)addr->BaseAddress == modBaseAddr->BaseAddress)
    636. 

  636. 						{
    637. 

  637. 							return EAT_ADDRESS_NOT_FOUND;
    638. 

  638. 						}
    639. 

  639. 						
    640. 

  640. 						Byte dllBuffer[0x400];
    641. 

  641. 			            CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    642. 

  642. 			           
    643. 

  643. 			            const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    644. 

  644. 						IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    645. 

  645. 			            
    646. 

  646. 			            // Check if the size of the data directory is valid.
    647. 

  647. 						if (dataDir.Size)
    648. 

  648. 						{
    649. 

  649. 							// Read the export directory from memory.
    650. 

  650. 				            Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    651. 

  651. 				            b = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, &bytesRead);
    652. 

  652. 	
    653. 

  653. 							// Check whether it was read succesfully.
    654. 

  654. 							if (b && bytesRead == dataDir.Size)
    655. 

  655. 							{
    656. 

  656. 								Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    657. 

  657. 								AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    658. 

  658. 									, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    659. 

  659. 	
    660. 

  660. 								SIZE_T forwardedAddress = this->GetAddressFromExportTable(&addrStruct, (char*)(addr->BufferBaseAddress + *funcAddrPtr + ResurseDotIndex + 1), NameLength);
    661. 

  661. 								delete[] exportDirectoryBuffer;
    662. 

  662. 								return forwardedAddress;
    663. 

  663. 							}
    664. 

  664. 							else
    665. 

  665. 							{
    666. 

  666. 								return EAT_ADDRESS_NOT_FOUND;
    667. 

  667. 							}
    668. 

  668. 						}
    669. 

  669. 						else
    670. 

  670. 						{
    671. 

  671. 							return EAT_ADDRESS_NOT_FOUND;
    672. 

  672. 						}
    673. 

  673. 					}
    674. 

  674. 

  675. 					return (SIZE_T)(addr->BaseAddress + *funcAddrPtr);
    676. 

  676. 				}
    677. 

  677. 			}
    678. 

  678. 		}
    679. 

  679. 	}
    680. 

  680. 	
    681. 

  681. 	return EAT_ADDRESS_NOT_FOUND;
    682. 

  682. }
    683. 

  683. 

  684. // Attempts to retrieve function name associated to ordinal import from the export table of the loaded module.
    685. 

  685. // Returns a pointer to the function name if it exists. If the function is not found, the return value is NULL.
    686. 

  686. const char* PortableExecutable32::GetOrdinalFunctionNameFromExportTable(const AddrStruct* addr, const WORD ordinal) const
    687. 

  687. {
    688. 

  688. 	const WORD* const ordinals = (WORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNameOrdinals);
    689. 

  689. 	
    690. 

  690. 	for (unsigned int i = 0; i < addr->ExportDirectory->NumberOfFunctions; ++i)
    691. 

  691. 	{
    692. 

  692. 		if ((addr->ExportDirectory->Base + ordinals[i]) == ordinal)
    693. 

  693. 		{
    694. 

  694. 			const DWORD* const stringPtr = (DWORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNames + i * sizeof(DWORD));
    695. 

  695. 			const Byte* const absStringPtr = (Byte*)(addr->BufferBaseAddress + *stringPtr);
    696. 

  696. 			
    697. 

  697. 			// Make sure the string points inside of the buffer. Scrambled EAT would crash the application.
    698. 

  698. 			if (absStringPtr > (addr->BufferBaseAddress + addr->DirectoryAddress->Size) && absStringPtr < addr->BufferEndAddress)
    699. 

  699. 			{
    700. 

  700. 				return (const char*)absStringPtr;
    701. 

  701. 			}
    702. 

  702. 		}
    703. 

  703. 	}
    704. 

  704. 	
    705. 

  705. 	return NULL;
    706. 

  706. }
    707. 

  707. 

  708. // Retrieves the import table from the PE header of the loaded process. This information is stored in the global storage that has process lifetime.
    709. 

  709. // Note that IMAGE_NT_HEADERS, IMAGE_OPTIONAL_HEADER, IMAGE_THUNK_DATA and SIZE_T are explicitly defined as the 32 bit version. If compiled as 64 bit the structs differ.
    710. 

  710. const bool PortableExecutable32::GetImportAddressTable() const
    711. 

  711. {
    712. 

  712. 	// We use a return value to indicate whether function names can actually be retrieved using OriginalFirstThunk.
    713. 

  713. 	bool result = true;
    714. 

  714. 

  715. 	// Read process memory into local buffer in order to load IAT.
    716. 

  716. 	Byte moduleBuffer[0x400];
    717. 

  717. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, 0x400, NULL);
    718. 

  718. 	
    719. 

  719. 	const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(moduleBuffer + ((IMAGE_DOS_HEADER*)moduleBuffer)->e_lfanew);
    720. 

  720. 

  721. 	// The PE Headers are not valid, the pointer runs outside the bounds of the buffer.
    722. 

  722. 	if ((Byte*)pNTHeader > (moduleBuffer + 0x400))
    723. 

  723. 	{
    724. 

  724. 		return false;
    725. 

  725. 	}
    726. 

  726. 

  727. 	const IMAGE_OPTIONAL_HEADER32* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader;
    728. 

  728. 	
    729. 

  729. 	// Read the import descriptor table into local memory.
    730. 

  730. 	unsigned int counter = 0;
    731. 

  731. 	IMAGE_IMPORT_DESCRIPTOR pDesc;
    732. 

  732. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (counter * sizeof(IMAGE_IMPORT_DESCRIPTOR))), &pDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR), NULL);
    733. 

  733. 

  734. 	// Check whether OriginalFirstThunk is non-zero. If it is zero, the target process executable may be packed. We can find
    735. 

  735. 	// the function addresses, but we cannot find the function names directly.
    736. 

  736. 	if (!pDesc.OriginalFirstThunk)
    737. 

  737. 	{
    738. 

  738. 		result = false;
    739. 

  739. 	}
    740. 

  740. 

  741. 	while (pDesc.FirstThunk && pDesc.Name != 0xFFFF)
    742. 

  742. 	{
    743. 

  743. 		// Read DLL name from import descriptor entry.
    744. 

  744. 		char dllName[48];
    745. 

  745. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(pDesc.Name + this->mBaseAddress), dllName, 48, NULL);
    746. 

  746.         
    747. 

  747.         // Add new import descriptor to the table.
    748. 

  748.         ImportTableDescriptor& impDesc = LoadedProcessPEInformation.ImportAddressTable.Add();
    749. 

  749.         impDesc.ModuleName = dllName;
    750. 

  750.         
    751. 

  751.         // Get base address and length of desired DLL, and look up the function foreign name in the export table of that DLL.
    752. 

  752. 		WString apiSetDllName = ToLower(dllName);
    753. 

  753. 		const Win32ModuleInformation* modBaseAddr = NULL;
    754. 

  754. 

  755. 		// Check whether we have to deal with an ApiSet redirection or not.
    756. 

  756. 		if (apiSetDllName.StartsWith("api-ms-win") || apiSetDllName.StartsWith("ext-ms-win"))
    757. 

  757. 		{
    758. 

  758. 			// Windows ApiSetSchema redirection detected. Remove the file extension before resolving.
    759. 

  759. 			const int lastDot = apiSetDllName.ReverseFind('.');
    760. 

  760. 			if (lastDot != -1)
    761. 

  761. 			{
    762. 

  762. 				apiSetDllName.Remove(lastDot, apiSetDllName.GetLength() - lastDot);
    763. 

  763. 			}
    764. 

  764. 

  765. 			// Recursively resolve the redirection.
    766. 

  766. 			while (!modBaseAddr)
    767. 

  767. 			{
    768. 

  768. 				// First remove the prefix, the resolving works without the prefix.
    769. 

  769. 				apiSetDllName.Remove(0, 4);
    770. 

  770. 

  771. 				// Resolve the redirection.
    772. 

  772. 				const wchar* const outWString = this->InlineResolveApiSetSchema(apiSetDllName);
    773. 

  773. 				if (outWString)
    774. 

  774. 				{
    775. 

  775. 					apiSetDllName = outWString;
    776. 

  776. 					delete[] outWString;
    777. 

  777. 

  778. 					// Get the module base address from the internal module list, and set the logical base address.
    779. 

  779. 					modBaseAddr = mModuleManager->FindModule(apiSetDllName.ToString());
    780. 

  780. 					impDesc.LogicalBaseAddress = modBaseAddr ? modBaseAddr->BaseAddress : 0;
    781. 

  781. 				}
    782. 

  782. 			}
    783. 

  783. 		}
    784. 

  784. 		else
    785. 

  785. 		{
    786. 

  786. 			// Get the module base address from the internal module list.
    787. 

  787. 			modBaseAddr = mModuleManager->FindModule(apiSetDllName.ToString());
    788. 

  788. 			impDesc.LogicalBaseAddress = 0;
    789. 

  789. 		}
    790. 

  790. 	        
    791. 

  791. 		// Does the module have a base address? If so, we parse its export table.
    792. 

  792.         if (modBaseAddr)
    793. 

  793.         {
    794. 

  794.             impDesc.ModulePointer = modBaseAddr;
    795. 

  795.             
    796. 

  796.             Byte dllBuffer[0x400];
    797. 

  797.             CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    798. 

  798.            
    799. 

  799.             const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    800. 

  800. 			IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    801. 

  801.             
    802. 

  802.             // Check whether the discovered module actually has an export table.
    803. 

  803.             if (dataDir.Size)
    804. 

  804.             {
    805. 

  805. 				Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    806. 

  806. 	            CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    807. 

  807. 	            
    808. 

  808. 				Byte* const bufBase = (exportDirectoryBuffer - dataDir.VirtualAddress);
    809. 

  809. 				AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    810. 

  810. 					, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    811. 

  811. 	
    812. 

  812. 				IMAGE_THUNK_DATA32 thunk;
    813. 

  813. 				unsigned int count = 0;
    814. 

  814. 	
    815. 

  815. 				do
    816. 

  816. 				{
    817. 

  817. 					// Try to read current thunk into local memory.
    818. 

  818. 					CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pDesc.OriginalFirstThunk + count * sizeof(DWORD)), &thunk, sizeof(IMAGE_THUNK_DATA32), NULL);
    819. 

  819. 

  820. 					ImportAddressTableEntry funcEntry;
    821. 

  821. 	
    822. 

  822. 					// Check for 32-bit ordinal magic flag.
    823. 

  823. 					if (thunk.u1.Ordinal & IMAGE_ORDINAL_FLAG32)
    824. 

  824. 					{
    825. 

  825. 						funcEntry.Ordinal = IMAGE_ORDINAL32(thunk.u1.Ordinal);
    826. 

  826. 						funcEntry.Hint = 0;
    827. 

  827. 	
    828. 

  828. 						if (addrStruct.ExportDirectory->AddressOfNames)
    829. 

  829. 						{
    830. 

  830. 							funcEntry.FunctionName = this->GetOrdinalFunctionNameFromExportTable(&addrStruct, funcEntry.Ordinal);
    831. 

  831. 						}
    832. 

  832. 					}
    833. 

  833. 					else
    834. 

  834. 					{
    835. 

  835. 						// Read function name from thunk data.
    836. 

  836. 						char funcName[96];
    837. 

  837. 						CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + thunk.u1.AddressOfData), funcName, 96, NULL);
    838. 

  838. 	
    839. 

  839. 						// Set ordinal value to 0, read function name and WORD sized hint from the first two read bytes sequence.
    840. 

  840. 						funcEntry.Ordinal = 0;
    841. 

  841. 						funcEntry.Hint = *(WORD*)funcName;
    842. 

  842. 						funcEntry.FunctionName = funcName + sizeof(WORD);
    843. 

  843. 					}
    844. 

  844. 	
    845. 

  845. 					// In a rare occasion the ordinal bit-flag is already removed. In this case the ordinal should be detected by section awareness.
    846. 

  846. 					if (funcEntry.FunctionName.IsEmpty() && !RVAPointsInsideSection(thunk.u1.Ordinal))
    847. 

  847. 					{
    848. 

  848. 						funcEntry.Ordinal = (WORD)thunk.u1.Ordinal;
    849. 

  849. 						funcEntry.Hint = 0;
    850. 

  850. 						
    851. 

  851. 						if (addrStruct.ExportDirectory->AddressOfNames)
    852. 

  852. 						{
    853. 

  853. 							funcEntry.FunctionName = this->GetOrdinalFunctionNameFromExportTable(&addrStruct, funcEntry.Ordinal);
    854. 

  854. 						}
    855. 

  855. 					}
    856. 

  856. 					
    857. 

  857. 					// If the function name is empty even after ordinal resolving, the function has no name. Give it an automated name.
    858. 

  858. 					if (funcEntry.FunctionName.IsEmpty())
    859. 

  859. 					{
    860. 

  860. 						String localModName = dllName;
    861. 

  861. 						const int dotIndex = localModName.ReverseFind('.');
    862. 

  862. 						localModName.Remove(dotIndex, localModName.GetLength() - dotIndex);
    863. 

  863. 						funcEntry.FunctionName = Format("%s.%i", localModName, funcEntry.Ordinal);
    864. 

  864. 					}
    865. 

  865. 					
    866. 

  866. 					// Save the thunk address of the function.
    867. 

  867. 					funcEntry.ThunkAddress = this->mBaseAddress + pDesc.FirstThunk + count++ * sizeof(DWORD);
    868. 

  868. 					
    869. 

  869. 					// Read function address from thunk data and increment function iteration counter.
    870. 

  870. 					DWORD funcAddress;
    871. 

  871. 					CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)funcEntry.ThunkAddress, &funcAddress, sizeof(DWORD), NULL);
    872. 

  872. 		
    873. 

  873. 					if (!funcAddress)
    874. 

  874. 					{
    875. 

  875. 						continue;
    876. 

  876. 					}
    877. 

  877. 					
    878. 

  878. 					funcEntry.VirtualAddress = funcAddress;
    879. 

  879. 					funcEntry.Flag = 0;
    880. 

  880. 					
    881. 

  881. 					// Check whether actual address is equal to the address it should be, otherwise the IAT is hooked.
    882. 

  882. 					const SIZE_T eatAddress = this->GetAddressFromExportTable(&addrStruct, funcEntry.Ordinal ? (char*)funcEntry.Ordinal : funcEntry.FunctionName.Begin(), funcEntry.Ordinal ? 0 : funcEntry.FunctionName.GetLength());
    883. 

  883. 					if (eatAddress == EAT_ADDRESS_NOT_FOUND)
    884. 

  884. 					{
    885. 

  885. 						funcEntry.Flag = IAT_FLAG_NOT_FOUND;
    886. 

  886. 					}
    887. 

  887. 					else if (eatAddress != funcEntry.VirtualAddress)
    888. 

  888. 					{
    889. 

  889. 						funcEntry.Flag = IAT_FLAG_HOOKED;
    890. 

  890. 					}
    891. 

  891. 					
    892. 

  892. 					// Add function to import descriptor.
    893. 

  893. 					impDesc.FunctionList.Add(funcEntry);
    894. 

  894. 				}
    895. 

  895. 				while (thunk.u1.AddressOfData);
    896. 

  896. 				
    897. 

  897. 				delete[] exportDirectoryBuffer;
    898. 

  898.             }
    899. 

  899.         }
    900. 

  900. 

  901. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (++counter * sizeof(IMAGE_IMPORT_DESCRIPTOR))), &pDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR), NULL);
    902. 

  902. 	}
    903. 

  903. 

  904. 	return result;
    905. 

  905. }
    906. 

  906. 

  907. // Places a hook in the IAT, replacing the function address with another one.
    908. 

  908. // First parameter is either a pointer to a buffer containing the function name or an ordinal value.
    909. 

  909. bool PortableExecutable32::PlaceIATHook(const Win32ModuleInformation* modBase, const char* NameOrdinal, const SIZE_T newAddress, bool IsOrdinal) const
    910. 

  910. {
    911. 

  911. 	bool result = false;
    912. 

  912. 	Byte* const moduleBuffer = new Byte[modBase->Length];
    913. 

  913. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, modBase->Length, NULL);
    914. 

  914. 	
    915. 

  915. 	const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(moduleBuffer + ((IMAGE_DOS_HEADER*)moduleBuffer)->e_lfanew);
    916. 

  916. 	const IMAGE_OPTIONAL_HEADER32* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader;
    917. 

  917. 	
    918. 

  918. 	const IMAGE_IMPORT_DESCRIPTOR* pDesc = (IMAGE_IMPORT_DESCRIPTOR*)(moduleBuffer + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    919. 

  919. 	
    920. 

  920. 	// Additional sanity checking, to avoid pDesc to be located outside of the allocated buffer.
    921. 

  921. 	if ((Byte*)pDesc > moduleBuffer && (Byte*)pDesc < moduleBuffer + modBase->Length)
    922. 

  922. 	{
    923. 

  923. 		while (pDesc->FirstThunk)
    924. 

  924. 		{
    925. 

  925. 			const char* dllName = (char*)(moduleBuffer + pDesc->Name);
    926. 

  926. 			
    927. 

  927. 			IMAGE_THUNK_DATA32* thunk;
    928. 

  928. 	        unsigned int count = 0;
    929. 

  929. 	
    930. 

  930. 			do
    931. 

  931. 			{
    932. 

  932. 				thunk = (IMAGE_THUNK_DATA32*)(moduleBuffer + pDesc->OriginalFirstThunk + count * sizeof(DWORD));
    933. 

  933. 				void* const AddressAddr = (void*)(this->mBaseAddress + pDesc->FirstThunk + count++ * sizeof(DWORD));
    934. 

  934. 	
    935. 

  935. 				if (IsOrdinal)
    936. 

  936. 				{
    937. 

  937. 					if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
    938. 

  938. 					{
    939. 

  939. 						// Ordinal import detected, check whether ordinal matches input value.
    940. 

  940. 						if (IMAGE_ORDINAL32(thunk->u1.Ordinal) == (SIZE_T)NameOrdinal)
    941. 

  941. 						{
    942. 

  942. 							DWORD dwOldProtect;
    943. 

  943. 							CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
    944. 

  944. 							CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, AddressAddr, &newAddress, sizeof(DWORD), NULL);
    945. 

  945. 							CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(DWORD), dwOldProtect, &dwOldProtect);
    946. 

  946. 							result = true;
    947. 

  947. 							break;
    948. 

  948. 						}
    949. 

  949. 					}
    950. 

  950. 				}
    951. 

  951. 				else
    952. 

  952. 				{
    953. 

  953. 					// Check if function is ordinal, because if it is, skip this one.
    954. 

  954. 					if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
    955. 

  955. 					{
    956. 

  956. 						continue;
    957. 

  957. 					}
    958. 

  958. 					
    959. 

  959. 					const char* funcName = (char*)(moduleBuffer + thunk->u1.AddressOfData + sizeof(WORD));
    960. 

  960. 					
    961. 

  961. 					// Named import detected, check whether import matches input name.
    962. 

  962. 					if (strcmp(funcName, NameOrdinal) == 0)
    963. 

  963. 					{
    964. 

  964. 						DWORD dwOldProtect;
    965. 

  965. 						CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
    966. 

  966. 						CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, AddressAddr, &newAddress, sizeof(DWORD), NULL);
    967. 

  967. 						CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(DWORD), dwOldProtect, &dwOldProtect);
    968. 

  968. 						result = true;
    969. 

  969. 						break;
    970. 

  970. 					}
    971. 

  971. 				}
    972. 

  972. 			}
    973. 

  973. 			while (thunk->u1.AddressOfData);
    974. 

  974. 			
    975. 

  975. 			++pDesc;
    976. 

  976. 		}
    977. 

  977. 	}
    978. 

  978. 	
    979. 

  979. 	// Success, free used buffers and return.
    980. 

  980. 	delete[] moduleBuffer;
    981. 

  981. 	return result;
    982. 

  982. }
    983. 

  983. 

  984. // Attempts to restore the PE headers from a file on the harddisk to a module loaded in memory.
    985. 

  985. // Retuns true if the operation succeeded and false if it did not succeed.
    986. 

  986. bool PortableExecutable32::RestorePEHeaderFromFile(const String& fileName, const Win32ModuleInformation& module) const
    987. 

  987. {
    988. 

  988. 	bool result = true;
    989. 

  989. 	
    990. 

  990. 	// Create handle to file on the disk.
    991. 

  991. 	HANDLE hFile = CreateFile(fileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    992. 

  992. 	if (!hFile || hFile == INVALID_HANDLE_VALUE)
    993. 

  993. 	{
    994. 

  994. 		result = false;
    995. 

  995. 	}
    996. 

  996. 	
    997. 

  997. 	// Get file size and read file into buffer.
    998. 

  998. 	LARGE_INTEGER size;
    999. 

  999. 	GetFileSizeEx(hFile, &size);
    1000. 

  1000. 	
    1001. 

  1001. 	DWORD bytesRead;
    1002. 

  1002. 	Byte* const fileBuffer = new Byte[size.LowPart];
    1003. 

  1003. 	if (!ReadFile(hFile, fileBuffer, size.LowPart, &bytesRead, NULL))
    1004. 

  1004. 	{
    1005. 

  1005. 		result = false;
    1006. 

  1006. 	}
    1007. 

  1007. 	
    1008. 

  1008. 	// Read header size.
    1009. 

  1009. 	const IMAGE_DOS_HEADER* const pDOSHeader = (IMAGE_DOS_HEADER*)fileBuffer;
    1010. 

  1010. 	if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
    1011. 

  1011. 	{
    1012. 

  1012. 		return false;
    1013. 

  1013. 	}
    1014. 

  1014. 	
    1015. 

  1015. 	const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);
    1016. 

  1016. 	if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    1017. 

  1017. 	{
    1018. 

  1018. 		result = false;
    1019. 

  1019. 	}
    1020. 

  1020. 	
    1021. 

  1021. 	const IMAGE_OPTIONAL_HEADER32* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader;
    1022. 

  1022. 

  1023. 	// Write header data into process memory at designated location.
    1024. 

  1024. 	CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, pOptionalHeader->SizeOfHeaders, PAGE_READWRITE, &bytesRead);
    1025. 

  1025. 

  1026. 	if (!CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, fileBuffer, pOptionalHeader->SizeOfHeaders, NULL))
    1027. 

  1027. 	{
    1028. 

  1028. 		result = false;
    1029. 

  1029. 	}
    1030. 

  1030. 

  1031. 	CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, pOptionalHeader->SizeOfHeaders, bytesRead, &bytesRead);
    1032. 

  1032. 	
    1033. 

  1033. 	delete[] fileBuffer;
    1034. 

  1034. 	CloseHandle(hFile);
    1035. 

  1035. 	
    1036. 

  1036. 	return result;
    1037. 

  1037. }
    1038. 

  1038. 

  1039. // Attempts to hide a module from the loaded process. Hiding means it not being visible for debuggers anymore.
    1040. 

  1040. // Returns true if the operation succeeded, and false if it did not succeed.
    1041. 

  1041. bool PortableExecutable32::HideModuleFromProcess(const Win32ModuleInformation& module) const
    1042. 

  1042. {
    1043. 

  1043. 	if (!CrySearchRoutines.NtQueryInformationProcess)
    1044. 

  1044. 	{
    1045. 

  1045. 		return false;
    1046. 

  1046. 	}
    1047. 

  1047. 	
    1048. 

  1048. 	// Retrieve target process information using Nt function.
    1049. 

  1049. #ifdef _WIN64
    1050. 

  1050. 	ULONG_PTR pebAddr;
    1051. 

  1051. 	if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessWow64Information, &pebAddr, sizeof(ULONG_PTR), NULL) != STATUS_SUCCESS)
    1052. 

  1052. #else
    1053. 

  1053. 	PROCESS_BASIC_INFORMATION procBlock;
    1054. 

  1054. 	if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessBasicInformation, &procBlock, sizeof(PROCESS_BASIC_INFORMATION), NULL) != STATUS_SUCCESS)
    1055. 

  1055. #endif
    1056. 

  1056. 	{
    1057. 

  1057. 		return false;
    1058. 

  1058. 	}
    1059. 

  1059. 	
    1060. 

  1060. 	PEB_LDR_DATA32 peb;
    1061. 

  1061. 	SIZE_T pebPtr;
    1062. 

  1062. 

  1063. 	// Read process environment block and loader data from the process memory.
    1064. 

  1064. #ifdef _WIN64
    1065. 

  1065. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (unsigned char*)pebAddr + offsetof(PEB32, LoaderData), &pebPtr, sizeof(DWORD), NULL);
    1066. 

  1066. #else
    1067. 

  1067. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (unsigned char*)procBlock.PebBaseAddress + offsetof(PEB, LoaderData), &pebPtr, sizeof(DWORD), NULL);
    1068. 

  1068. #endif
    1069. 

  1069. 	CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)pebPtr, &peb, sizeof(PEB_LDR_DATA), NULL);
    1070. 

  1070. 

  1071. 	LDR_MODULE32 curModule;
    1072. 

  1072. 	bool found = false;
    1073. 

  1073. 	unsigned int retryCount = 0;
    1074. 

  1074. 	int moduleCount = 0;
    1075. 

  1075. 

  1076.     SIZE_T Head = peb.InMemoryOrderModuleList.Flink;
    1077. 

  1077.     SIZE_T Node = Head;
    1078. 

  1078. 

  1079.     do
    1080. 

  1080.     {
    1081. 

  1081. 		// Read current linked list module from the process memory.
    1082. 

  1082.         if (CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(Node -= sizeof(LIST_ENTRY32)), &curModule, sizeof(LDR_MODULE32), NULL))
    1083. 

  1083.         {
    1084. 

  1084.             if (curModule.BaseAddress)
    1085. 

  1085.             {
    1086. 

  1086. 				// some applications cause an infinite loop. This is one way to help preventing it.
    1087. 

  1087. 				++moduleCount;
    1088. 

  1088. 

  1089. 				// A valid module is found, read its base dll name from the process memory.
    1090. 

  1090.                 wchar BaseDllName[MAX_PATH];
    1091. 

  1091.                 CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)curModule.BaseDllName.Buffer, BaseDllName, curModule.BaseDllName.Length, NULL);
    1092. 

  1092.                 BaseDllName[curModule.BaseDllName.Length / 2] = 0;
    1093. 

  1093.                 PathStripPathW(BaseDllName);
    1094. 

  1094.                 
    1095. 

  1095.                 // Compare current module's base name and desired module name, if it matches, the desired one is found.
    1096. 

  1096.                 String selModName = mModuleManager->GetModuleFilename(module.BaseAddress);
    1097. 

  1097.                 if (memcmp(selModName.ToWString().Begin(), BaseDllName, selModName.GetLength() * sizeof(wchar)) == 0)
    1098. 

  1098.                 {
    1099. 

  1099.                     found = true;
    1100. 

  1100.                     
    1101. 

  1101.                     for (unsigned int index = 0; index < 3; (Node += sizeof(LIST_ENTRY32)), index++)
    1102. 

  1102.                     {
    1103. 

  1103. 				        LIST_ENTRY32 current;
    1104. 

  1104. 

  1105. 				        // Read current, previous and next list entry from the process memory.
    1106. 

  1106. 						BOOL localRes = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)Node, &current, sizeof(LIST_ENTRY32), NULL);
    1107. 

  1107. 						if (!localRes)
    1108. 

  1108. 				        {
    1109. 

  1109. 							found = false;
    1110. 

  1110. 							break;
    1111. 

  1111. 				        }
    1112. 

  1112. 				        
    1113. 

  1113. 						const SIZE_T nextItemAddr = current.Flink;
    1114. 

  1114. 						const SIZE_T prevItemAddr = current.Blink;
    1115. 

  1115. 						
    1116. 

  1116. 						// Overwrite the pointers of the previous and next list entry so the current one is effectively hidden.
    1117. 

  1117. 						localRes = CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, (void*)current.Blink, &nextItemAddr, sizeof(DWORD), NULL);
    1118. 

  1118. 						localRes = CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, (unsigned char*)current.Flink + sizeof(DWORD), &prevItemAddr, sizeof(DWORD), NULL);
    1119. 

  1119.                     }
    1120. 

  1120. 				    
    1121. 

  1121.                     break;
    1122. 

  1122.                 }
    1123. 

  1123.             }
    1124. 

  1124.         }
    1125. 

  1125. 		else
    1126. 

  1126. 		{
    1127. 

  1127. 			// Prevent infinite while looping. In most situations this code may be unnessecary.
    1128. 

  1128. 			if (++retryCount == 3)
    1129. 

  1129. 			{
    1130. 

  1130. 				break;
    1131. 

  1131. 			}
    1132. 

  1132. 		}
    1133. 

  1133. 		
    1134. 

  1134. 		// Desired module was not yet found, traverse to the next one.
    1135. 

  1135.         Node = curModule.InMemoryOrderModuleList.Flink;
    1136. 

  1136.     }
    1137. 

  1137.     while(Head != Node && moduleCount < mModuleManager->GetModuleCount());
    1138. 

  1138. 

  1139. 	return found;
    1140. 

  1140. }
    1141. 

  1141. 

  1142. // Dumps a specific section in the loaded process to a file on the harddisk.
    1143. 

  1143. // Returns true if the operation succeeded, and false if it did not succeed.
    1144. 

  1144. bool PortableExecutable32::DumpProcessSection(const String& fileName, const SIZE_T address, const SIZE_T size) const
    1145. 

  1145. {
    1146. 

  1146. 	bool result = true;
    1147. 

  1147. 	Byte* const buffer = new Byte[size];
    1148. 

  1148. 	SIZE_T bytesRead;
    1149. 

  1149. 	
    1150. 

  1150. 	// Read section memory from target process and save it into the buffer.
    1151. 

  1151. 	if (!CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)address, buffer, size, &bytesRead)
    1152. 

  1152. 		&& bytesRead == 0)
    1153. 

  1153. 	{
    1154. 

  1154. 		delete[] buffer;
    1155. 

  1155. 		return false;
    1156. 

  1156. 	}
    1157. 

  1157. 	
    1158. 

  1158. 	// Create dmp file on the disk.
    1159. 

  1159. 	HANDLE hFile = CreateFile(fileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    1160. 

  1160. 	if (hFile == INVALID_HANDLE_VALUE)
    1161. 

  1161. 	{
    1162. 

  1162. 		result = false;
    1163. 

  1163. 	}
    1164. 

  1164. 	
    1165. 

  1165. 	// Write the data read to the file.
    1166. 

  1166. 	DWORD bytesWritten;
    1167. 

  1167. #ifdef _WIN64
    1168. 

  1168. 	if (!WriteFile(hFile, buffer, (DWORD)bytesRead, &bytesWritten, NULL))
    1169. 

  1169. #else
    1170. 

  1170. 	if (!WriteFile(hFile, buffer, bytesRead, &bytesWritten, NULL))
    1171. 

  1171. #endif
    1172. 

  1172. 	{
    1173. 

  1173. 		DeleteFile(fileName);
    1174. 

  1174. 		result = false;
    1175. 

  1175. 	}
    1176. 

  1176. 	
    1177. 

  1177. 	// All succeeded, free resources and return.
    1178. 

  1178. 	CloseHandle(hFile);
    1179. 

  1179. 	delete[] buffer;
    1180. 

  1180. 	return result;
    1181. 

  1181. }
    1182. 

  1182. 

  1183. // Attempts to load a dynamic link library into the target process.
    1184. 

  1184. // Returns true if the operation succeeded, and false if it did not succeed.
    1185. 

  1185. bool PortableExecutable32::LoadLibraryExternal(const String& library) const
    1186. 

  1186. {
    1187. 

  1187. 	// Allocate memory space for the library path.
    1188. 

  1188. 	void* const lpRemoteAddress = VirtualAllocEx(this->mProcessHandle, NULL, library.GetLength(), MEM_COMMIT, PAGE_READWRITE);
    1189. 

  1189. 	SIZE_T bytesWritten;
    1190. 

  1190. 	
    1191. 

  1191. 	// Write path to library into the newly allocated memory.
    1192. 

  1192. 	CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpRemoteAddress, library, library.GetLength(), &bytesWritten);
    1193. 

  1193. 	if (bytesWritten != library.GetLength())
    1194. 

  1194. 	{
    1195. 

  1195. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1196. 

  1196. 		return false;
    1197. 

  1197. 	}
    1198. 

  1198. 	
    1199. 

  1199. 	// Create a thread remotely that executes LoadLibraryA, pointing to the allocated string as parameter.
    1200. 

  1200. #ifndef _WIN64
    1201. 

  1201. 	HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"), lpRemoteAddress, NULL, NULL);
    1202. 

  1202. #else
    1203. 

  1203. 	DWORD krnl32Base;
    1204. 

  1204. 	const int modCount = mModuleManager->GetModuleCount();
    1205. 

  1205. 	for (int i = 0; i < modCount; ++i)
    1206. 

  1206. 	{
    1207. 

  1207. 		if (ToLower(mModuleManager->GetModuleFilename((*mModuleManager)[i].BaseAddress)) == "kernel32.dll")
    1208. 

  1208. 		{
    1209. 

  1209. 			krnl32Base = (DWORD)(*mModuleManager)[i].BaseAddress;
    1210. 

  1210. 			break;
    1211. 

  1211. 		}
    1212. 

  1212. 	}
    1213. 

  1213. 	
    1214. 

  1214. 	HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)Wow64GetProcAddress(this->mProcessHandle, krnl32Base, "LoadLibraryA"), lpRemoteAddress, NULL, NULL);
    1215. 

  1215. #endif
    1216. 

  1216. 	
    1217. 

  1217. 	// Succesfully created thread, wait for it to complete and free resources after.
    1218. 

  1218. 	if (hThread && hThread != INVALID_HANDLE_VALUE)
    1219. 

  1219. 	{
    1220. 

  1220. 		WaitForSingleObject(hThread, 5000);
    1221. 

  1221. 		CloseHandle(hThread);
    1222. 

  1222. 	}
    1223. 

  1223. 	
    1224. 

  1224. 	VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1225. 

  1225. 	
    1226. 

  1226. 	return !!hThread;
    1227. 

  1227. }
    1228. 

  1228. 

  1229. // Attempts to load a dynamic link library into the target process.
    1230. 

  1230. // Returns true if the operation succeeded, and false if it did not succeed.
    1231. 

  1231. bool PortableExecutable32::LoadLibraryExternalHijack(const String& library, HANDLE hThread) const
    1232. 

  1232. {
    1233. 

  1233. 	// If the thread wasn't opened succesfully, the function can return inmediately.
    1234. 

  1234. 	if (!hThread || hThread == INVALID_HANDLE_VALUE)
    1235. 

  1235. 	{
    1236. 

  1236. 		return false;
    1237. 

  1237. 	}
    1238. 

  1238. 		
    1239. 

  1239. 	// Allocate memory space for the library path.
    1240. 

  1240. 	void* const lpRemoteAddress = VirtualAllocEx(this->mProcessHandle, NULL, library.GetLength(), MEM_COMMIT, PAGE_READWRITE);
    1241. 

  1241. 	SIZE_T bytesWritten;
    1242. 

  1242. 

  1243. 	// Write path to library into the newly allocated memory.
    1244. 

  1244. 	CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpRemoteAddress, library, library.GetLength(), &bytesWritten);
    1245. 

  1245. 	if (bytesWritten != library.GetLength())
    1246. 

  1246. 	{
    1247. 

  1247. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1248. 

  1248. 		return false;
    1249. 

  1249. 	}
    1250. 

  1250. 	
    1251. 

  1251. 	// The shellcode that is written and executed inside the target program:
    1252. 

  1252. 	// push 0xCCCCCCCC
    1253. 

  1253. 	// pushad
    1254. 

  1254. 	// pushfd
    1255. 

  1255. 	// mov ebx, 0xCCCCCCCC
    1256. 

  1256. 	// push 0xCCCCCCCC
    1257. 

  1257. 	// call ebx
    1258. 

  1258. 	// popfd
    1259. 

  1259. 	// popad
    1260. 

  1260. 	// mov dword ptr [0xCCCCCCCC], 0x1337
    1261. 

  1261. 	// ret
    1262. 

  1262. 	Byte shellCode[] = { 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x60, 0x9C, 0xBB, 0xCC, 0xCC, 0xCC, 0xCC, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0xFF, 0xD3, 0x9D, 0x61, 0xC7, 0x05, 0xCC, 0xCC, 0xCC, 0xCC, 0x37, 0x13, 0x00, 0x00, 0xC3 };
    1263. 

  1263. 	
    1264. 

  1264. 	// Allocate executable block of memory for the shellcode.
    1265. 

  1265. 	void* const lpShellCode = VirtualAllocEx(this->mProcessHandle, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    1266. 

  1266. 	const DWORD flagAddress = (DWORD)lpShellCode + 0x100;
    1267. 

  1267. 	
    1268. 

  1268. 	// Suspend the thread and back up the context.
    1269. 

  1269. #ifdef _WIN64
    1270. 

  1270. 	Wow64SuspendThread(hThread);
    1271. 

  1271. 	WOW64_CONTEXT ctx;
    1272. 

  1272. 	ctx.ContextFlags = WOW64_CONTEXT_FULL;
    1273. 

  1273. 	Wow64GetThreadContext(hThread, &ctx);
    1274. 

  1274. #else
    1275. 

  1275. 	SuspendThread(hThread);
    1276. 

  1276. 	CONTEXT ctx;
    1277. 

  1277. 	ctx.ContextFlags = CONTEXT_FULL;
    1278. 

  1278. 	GetThreadContext(hThread, &ctx);
    1279. 

  1279. #endif
    1280. 

  1280. 	
    1281. 

  1281. 	// Replace addresses with correct ones at runtime.
    1282. 

  1282. 	*(DWORD*)&shellCode[1] = ctx.Eip;
    1283. 

  1283. #ifdef _WIN64
    1284. 

  1284. 	const Win32ModuleInformation* krnl32mod = mModuleManager->FindModule("kernel32.dll");
    1285. 

  1285. 	if (!krnl32mod)
    1286. 

  1286. 	{
    1287. 

  1287. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1288. 

  1288. 		CloseHandle(hThread);
    1289. 

  1289. 		return false;
    1290. 

  1290. 	}
    1291. 

  1291. 	
    1292. 

  1292. 	*(DWORD*)&shellCode[8] = Wow64GetProcAddress(this->mProcessHandle, (DWORD)krnl32mod->BaseAddress, "LoadLibraryA");
    1293. 

  1293. #else
    1294. 

  1294. 	*(DWORD*)&shellCode[8] = (DWORD)LoadLibraryA;
    1295. 

  1295. #endif
    1296. 

  1296. 	*(DWORD*)&shellCode[13] = (DWORD)lpRemoteAddress;
    1297. 

  1297. 	*(DWORD*)&shellCode[23] = flagAddress;
    1298. 

  1298. 	
    1299. 

  1299. 	// Write the shellcode to the remotely allocated buffer.
    1300. 

  1300. 	CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpShellCode, shellCode, sizeof(shellCode), &bytesWritten);
    1301. 

  1301. 	if (bytesWritten != sizeof(shellCode))
    1302. 

  1302. 	{
    1303. 

  1303. 		VirtualFreeEx(this->mProcessHandle, lpShellCode, 0, MEM_RELEASE);
    1304. 

  1304. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1305. 

  1305. 		return false;
    1306. 

  1306. 	}
    1307. 

  1307. 	
    1308. 

  1308. 	// Change EIP to resume execution at the shellcode.
    1309. 

  1309. 	ctx.Eip = (DWORD)lpShellCode;
    1310. 

  1310. 	
    1311. 

  1311. 	// Place the new context inside the thread.
    1312. 

  1312. #ifdef _WIN64
    1313. 

  1313. 	Wow64SetThreadContext(hThread, &ctx);
    1314. 

  1314. #else
    1315. 

  1315. 	SetThreadContext(hThread, &ctx);
    1316. 

  1316. #endif
    1317. 

  1317. 	
    1318. 

  1318. 	// Flush the instruction cache to avoid problems with cached instructions.
    1319. 

  1319. 	FlushInstructionCache(this->mProcessHandle, lpShellCode, sizeof(shellCode));
    1320. 

  1320. 	
    1321. 

  1321. 	// Resume the thread to let the DLL load and close thread handle.
    1322. 

  1322. 	ResumeThread(hThread);
    1323. 

  1323. 	
    1324. 

  1324. 	// Sample the completion flag to contain the magic number 0x1337. Block the thread until the sampling is succesful.
    1325. 

  1325. 	DWORD magic = 0;
    1326. 

  1326. 	unsigned int threshold = 0;
    1327. 

  1327. 	do
    1328. 

  1328. 	{
    1329. 

  1329. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)flagAddress, &magic, sizeof(DWORD), &bytesWritten);
    1330. 

  1330. 		
    1331. 

  1331. 		// Prevent CrySearch to start eating CPU time while still trying to have an accurate sample.
    1332. 

  1332. 		Sleep(75);
    1333. 

  1333. 		++threshold;
    1334. 

  1334. 	}
    1335. 

  1335. 	while (magic != 0x1337 && threshold < THREAD_HIJACK_MAGIC_PROBE_THRESHOLD);
    1336. 

  1336. 	
    1337. 

  1337. 	// The loop finished, free memory pages and close thread handle.
    1338. 

  1338. 	VirtualFreeEx(this->mProcessHandle, lpShellCode, 0, MEM_RELEASE);
    1339. 

  1339. 	VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    1340. 

  1340. 	CloseHandle(hThread);
    1341. 

  1341. 	
    1342. 

  1342. 	return (threshold != THREAD_HIJACK_MAGIC_PROBE_THRESHOLD);
    1343. 

  1343. }
    1344. 

  1344. 

  1345. // Attempts to unload a loaded module from the target process.
    1346. 

  1346. void PortableExecutable32::UnloadLibraryExternal(const SIZE_T module) const
    1347. 

  1347. {
    1348. 

  1348. #ifndef _WIN64
    1349. 

  1349. 	HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary"), (void*)module, NULL, NULL);
    1350. 

  1350. #else
    1351. 

  1351. 	DWORD krnl32Base;
    1352. 

  1352. 	const int modCount = mModuleManager->GetModuleCount();
    1353. 

  1353. 	for (int i = 0; i < modCount; ++i)
    1354. 

  1354. 	{
    1355. 

  1355. 		if (ToLower(mModuleManager->GetModuleFilename((*mModuleManager)[i].BaseAddress)) == "kernel32.dll")
    1356. 

  1356. 		{
    1357. 

  1357. 			krnl32Base = (DWORD)(*mModuleManager)[i].BaseAddress;
    1358. 

  1358. 			break;
    1359. 

  1359. 		}
    1360. 

  1360. 	}
    1361. 

  1361. 

  1362. 	DWORD freeAddr = Wow64GetProcAddress(this->mProcessHandle, krnl32Base, "FreeLibrary");
    1363. 

  1363. 	HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)freeAddr, (void*)module, NULL, NULL);
    1364. 

  1364. #endif
    1365. 

  1365. 	
    1366. 

  1366. 	// Succesfully created thread, wait for it to complete and free resources after.
    1367. 

  1367. 	if (hThread && hThread != INVALID_HANDLE_VALUE)
    1368. 

  1368. 	{
    1369. 

  1369. 		WaitForSingleObject(hThread, 5000);
    1370. 

  1370. 		CloseHandle(hThread);
    1371. 

  1371. 	}
    1372. 

  1372. }
    1373. 

  1373. 

  1374. // Restores the original address of an imported function from the export table.
    1375. 

  1375. void PortableExecutable32::RestoreExportTableAddressImport(const Win32ModuleInformation* modBase, const SIZE_T baseAddress, const char* NameOrdinal, const int NameLength) const
    1376. 

  1376. {
    1377. 

  1377. 	Byte dllBuffer[0x400];
    1378. 

  1378.     CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)baseAddress, dllBuffer, 0x400, NULL);
    1379. 

  1379.    
    1380. 

  1380.     const IMAGE_NT_HEADERS32* const pNTHeader =(IMAGE_NT_HEADERS32*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    1381. 

  1381. 	IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER32*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    1382. 

  1382.     
    1383. 

  1383.     // Check whether the discovered module actually has an export table.
    1384. 

  1384.     if (dataDir.Size)
    1385. 

  1385.     {
    1386. 

  1386. 	    Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    1387. 

  1387. 	    CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(baseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    1388. 

  1388. 	    
    1389. 

  1389. 		Byte* const bufBase = (exportDirectoryBuffer - dataDir.VirtualAddress);
    1390. 

  1390. 		AddrStruct addrStruct((Byte*)baseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    1391. 

  1391. 			, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    1392. 

  1392. 	    
    1393. 

  1393. 		this->PlaceIATHook(modBase, NameOrdinal, this->GetAddressFromExportTable(&addrStruct, NameOrdinal, NameLength), !NameLength);
    1394. 

  1394. 		
    1395. 

  1395. 		delete[] exportDirectoryBuffer;
    1396. 

  1396.     }
    1397. 

  1397. }
    1398. 

  1398. 

  1399. // -------------------------------------------------------------------------------------------------------------------------------
    1400. 

  1400. // PE 64 methods
    1401. 

  1401. // -------------------------------------------------------------------------------------------------------------------------------
    1402. 

  1402. 

  1403. #ifdef _WIN64
    1404. 

  1404. 	PortableExecutable64::~PortableExecutable64()
    1405. 

  1405. 	{
    1406. 

  1406. 		
    1407. 

  1407. 	}
    1408. 

  1408. 	
    1409. 

  1409. 	// Retrieves PE header information from the loaded process. Information is saved in global storage that has process lifetime.
    1410. 

  1410. 	// Note that IMAGE_NT_HEADERS and IMAGE_OPTIONAL_HEADER are explicitly defined as the 32 bit version. If compiled as 64 bit the structs differ.
    1411. 

  1411. 	void PortableExecutable64::GetExecutablePeInformation() const
    1412. 

  1412. 	{
    1413. 

  1413. 		// Clear image sections before getting new ones.
    1414. 

  1414. 		LoadedProcessPEInformation.Reset();
    1415. 

  1415. 	
    1416. 

  1416. 		// Read process memory into local buffer in order to load PE headers.
    1417. 

  1417. 		Byte moduleBuffer[0x400];
    1418. 

  1418. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, 0x400, NULL);
    1419. 

  1419. 		
    1420. 

  1420. 		// Load PE headers.
    1421. 

  1421. 		const IMAGE_NT_HEADERS64* const pNTHeader =(IMAGE_NT_HEADERS64*)(moduleBuffer + ((IMAGE_DOS_HEADER*)moduleBuffer)->e_lfanew);
    1422. 

  1422. 		
    1423. 

  1423. 		// When the PE Headers are destroyed at runtime the pointer to the headers may run out of the buffer's bounds.
    1424. 

  1424. 		if ((Byte*)pNTHeader > (moduleBuffer + 0x400))
    1425. 

  1425. 		{
    1426. 

  1426. 			LoadedProcessPEInformation.PEFields.Clear();
    1427. 

  1427. 			return;
    1428. 

  1428. 		}
    1429. 

  1429. 		
    1430. 

  1430. 		const IMAGE_OPTIONAL_HEADER64* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER64*)&pNTHeader->OptionalHeader;
    1431. 

  1431. 		const IMAGE_FILE_HEADER* const pFileHeader = &(pNTHeader->FileHeader);
    1432. 

  1432. 		
    1433. 

  1433. 		// Retrieve the type of machine the PE executable can run on.
    1434. 

  1434. 		this->ParseMachineType(pFileHeader->Machine);
    1435. 

  1435. 		
    1436. 

  1436. 		// Retrieve PE fields and add them to the map.
    1437. 

  1437. 		LoadedProcessPEInformation.PEFields.Add("Number of sections", pFileHeader->NumberOfSections);
    1438. 

  1438. 		LoadedProcessPEInformation.PEFields.Add("Size of optional header", Format("%X", pFileHeader->SizeOfOptionalHeader));
    1439. 

  1439. 		LoadedProcessPEInformation.PEFields.Add("Pointer to symbol table", (int)pFileHeader->PointerToSymbolTable);
    1440. 

  1440. 		LoadedProcessPEInformation.PEFields.Add("Number of symbols", (int)pFileHeader->NumberOfSymbols);
    1441. 

  1441. 		LoadedProcessPEInformation.PEFields.Add("Image base", Format("%llX", (__int64)pOptionalHeader->ImageBase));
    1442. 

  1442. 		LoadedProcessPEInformation.PEFields.Add("Base of code", Format("%llX", (__int64)pOptionalHeader->BaseOfCode));
    1443. 

  1443. 		LoadedProcessPEInformation.PEFields.Add("Address of entrypoint", Format("%llX", (__int64)pOptionalHeader->AddressOfEntryPoint));
    1444. 

  1444. 		LoadedProcessPEInformation.PEFields.Add("Size of code", Format("%llX", (__int64)pOptionalHeader->SizeOfCode));
    1445. 

  1445. 		LoadedProcessPEInformation.PEFields.Add("Size of initialized data", Format("%llX", (__int64)pOptionalHeader->SizeOfInitializedData));
    1446. 

  1446. 		LoadedProcessPEInformation.PEFields.Add("Size of uninitialized data", Format("%llX", (__int64)pOptionalHeader->SizeOfUninitializedData));
    1447. 

  1447. 		LoadedProcessPEInformation.PEFields.Add("Section alignment", Format("%llX", (__int64)pOptionalHeader->SectionAlignment));
    1448. 

  1448. 		LoadedProcessPEInformation.PEFields.Add("File alignment", Format("%llX", (__int64)pOptionalHeader->FileAlignment));
    1449. 

  1449. 		LoadedProcessPEInformation.PEFields.Add("Size of image", Format("%llX", (__int64)pOptionalHeader->SizeOfImage));
    1450. 

  1450. 		LoadedProcessPEInformation.PEFields.Add("Size of headers", Format("%llX", (__int64)pOptionalHeader->SizeOfHeaders));
    1451. 

  1451. 		LoadedProcessPEInformation.PEFields.Add("Checksum", Format("%llX", (__int64)pOptionalHeader->CheckSum));
    1452. 

  1452. 		LoadedProcessPEInformation.PEFields.Add("Linker version", Format("%i.%i", pOptionalHeader->MajorLinkerVersion, pOptionalHeader->MinorLinkerVersion));
    1453. 

  1453. 		LoadedProcessPEInformation.PEFields.Add("OS version", Format("%i.%i", pOptionalHeader->MajorOperatingSystemVersion, pOptionalHeader->MinorOperatingSystemVersion));
    1454. 

  1454. 		LoadedProcessPEInformation.PEFields.Add("Image version", Format("%i.%i", pOptionalHeader->MajorImageVersion, pOptionalHeader->MinorImageVersion));
    1455. 

  1455. 		LoadedProcessPEInformation.PEFields.Add("Subsystem version", Format("%i.%i", pOptionalHeader->MajorSubsystemVersion, pOptionalHeader->MinorSubsystemVersion));
    1456. 

  1456. 		LoadedProcessPEInformation.PEFields.Add("Number of data directories", Format("%llX", (__int64)pOptionalHeader->NumberOfRvaAndSizes));
    1457. 

  1457. 		
    1458. 

  1458. 		// Parse the last general property value of the PE header, save the section values and destroy the buffer.
    1459. 

  1459. 		this->ParseSubsystemValue(pOptionalHeader->Subsystem);
    1460. 

  1460. 		const DWORD sectionCount = pNTHeader->FileHeader.NumberOfSections;
    1461. 

  1461. 		const DWORD sectionSizeBytes = sizeof(IMAGE_SECTION_HEADER) * sectionCount;
    1462. 

  1462. 		const IMAGE_SECTION_HEADER* const firstSectionPtr = (IMAGE_SECTION_HEADER*)(this->mBaseAddress + ((Byte*)IMAGE_FIRST_SECTION(pNTHeader) - moduleBuffer));
    1463. 

  1463. 		
    1464. 

  1464. 		// Get the COM header from the PE file.
    1465. 

  1465. 		this->GetDotNetDirectoryInformation(&pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]);
    1466. 

  1466. 		
    1467. 

  1467. 		// Retrieve the sections from the PE header.
    1468. 

  1468. 		Byte* const sectionBuffer = new Byte[sectionSizeBytes];
    1469. 

  1469. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, firstSectionPtr, sectionBuffer, sectionSizeBytes, NULL);
    1470. 

  1470. 		this->GetImageSectionsList((IMAGE_SECTION_HEADER*)sectionBuffer, sectionCount, LoadedProcessPEInformation.ImageSections);
    1471. 

  1471. 		delete[] sectionBuffer;
    1472. 

  1472. 	}
    1473. 

  1473. 	
    1474. 

  1474. 	// Retrieves the address of a function in the export table of a module. Address can be returned for function by name or ordinal.
    1475. 

  1475. 	// Returns the address of the function, created from the module base address added by the function RVA.
    1476. 

  1476. 	// If the function is not found, the return value is 0xFFFFFFFF.
    1477. 

  1477. 	// The NameLength parameter contains the length of the name if there is a name, or 0 if the function is ordinal-based.
    1478. 

  1478. 	SIZE_T PortableExecutable64::GetAddressFromExportTable(const AddrStruct* addr, const char* NameOrdinal, const unsigned int NameLength) const
    1479. 

  1479. 	{
    1480. 

  1480. 		if (addr->ExportDirectory->AddressOfNameOrdinals)
    1481. 

  1481. 		{
    1482. 

  1482. 			const DWORD* funcAddrPtr = NULL;
    1483. 

  1483. 			int RecurseDotIndex = 0;
    1484. 

  1484. 			bool b;
    1485. 

  1485. 			SIZE_T bytesRead;
    1486. 

  1486. 			
    1487. 

  1487. 			for (unsigned int i = 0; i < addr->ExportDirectory->NumberOfFunctions; ++i)
    1488. 

  1488. 			{
    1489. 

  1489. 				const WORD* const ordValue = (WORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNameOrdinals + (i * sizeof(WORD)));
    1490. 

  1490. 	
    1491. 

  1491. 				if (!NameLength)
    1492. 

  1492. 				{
    1493. 

  1493. 					bool found = false;
    1494. 

  1494. 					
    1495. 

  1495. 					// Compare ordinal values without magic bitoperations!
    1496. 

  1496. 					if ((addr->ExportDirectory->Base + *ordValue) == *reinterpret_cast<WORD*>(&NameOrdinal))
    1497. 

  1497. 					{
    1498. 

  1498. 						funcAddrPtr = (DWORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfFunctions + (sizeof(DWORD) * *ordValue));
    1499. 

  1499. 						found = true;
    1500. 

  1500. 					}
    1501. 

  1501. 					
    1502. 

  1502. 					// Skip the entry if it is not found.
    1503. 

  1503. 					if (!found || ((Byte*)funcAddrPtr < addr->BufferBaseAddress || (Byte*)funcAddrPtr > addr->BufferEndAddress))
    1504. 

  1504. 					{
    1505. 

  1505. 						continue;
    1506. 

  1506. 					}
    1507. 

  1507. 

  1508. 					if (*funcAddrPtr > addr->DirectoryAddress->VirtualAddress && *funcAddrPtr < addr->DirectoryAddress->VirtualAddress + addr->DirectoryAddress->Size)
    1509. 

  1509. 					{
    1510. 

  1510. 						const Win32ModuleInformation* modBaseAddr = this->GetResolvedModule((char*)(addr->BufferBaseAddress + *funcAddrPtr), &RecurseDotIndex, NameOrdinal);
    1511. 

  1511. 						if (!modBaseAddr || (SIZE_T)addr->BaseAddress == modBaseAddr->BaseAddress)
    1512. 

  1512. 						{
    1513. 

  1513. 							return EAT_ADDRESS_NOT_FOUND;
    1514. 

  1514. 						}
    1515. 

  1515. 	
    1516. 

  1516. 						Byte dllBuffer[0x400];
    1517. 

  1517. 				        CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    1518. 

  1518. 				           
    1519. 

  1519. 				        const IMAGE_NT_HEADERS64* pNTHeader =(IMAGE_NT_HEADERS64*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    1520. 

  1520. 						IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER64*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    1521. 

  1521. 				            
    1522. 

  1522. 				        Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    1523. 

  1523. 				        CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    1524. 

  1524. 						
    1525. 

  1525. 						Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    1526. 

  1526. 						AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    1527. 

  1527. 							, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    1528. 

  1528. 

  1529. 						const SIZE_T forwardedAddress = this->GetAddressFromExportTable(&addrStruct, (char*)addr->BufferBaseAddress + *funcAddrPtr + RecurseDotIndex + 1, true);
    1530. 

  1530. 						delete[] exportDirectoryBuffer;
    1531. 

  1531. 						return forwardedAddress;
    1532. 

  1532. 					}
    1533. 

  1533. 	
    1534. 

  1534. 					return (SIZE_T)(addr->BaseAddress + *funcAddrPtr);
    1535. 

  1535. 				}
    1536. 

  1536. 				else
    1537. 

  1537. 				{
    1538. 

  1538. 					const DWORD* const stringPtr = (DWORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNames + (i * sizeof(DWORD)));
    1539. 

  1539. 					const char* const functionName = (char*)(addr->BufferBaseAddress + *stringPtr);
    1540. 

  1540. 					
    1541. 

  1541. 					if ((functionName > (char*)addr->BufferBaseAddress + addr->DirectoryAddress->VirtualAddress && (functionName + NameLength + 1) < (char*)addr->BufferEndAddress) && memcmp(NameOrdinal, functionName, NameLength) == 0)
    1542. 

  1542. 					{
    1543. 

  1543. 						funcAddrPtr = (DWORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfFunctions + (sizeof(DWORD) * *ordValue));
    1544. 

  1544. 						if (*funcAddrPtr > addr->DirectoryAddress->VirtualAddress && *funcAddrPtr < addr->DirectoryAddress->VirtualAddress + addr->DirectoryAddress->Size)
    1545. 

  1545. 						{
    1546. 

  1546. 							const Win32ModuleInformation* modBaseAddr = this->GetResolvedModule((char*)(addr->BufferBaseAddress + *funcAddrPtr), &RecurseDotIndex, NameOrdinal);
    1547. 

  1547. 							if (!modBaseAddr || (SIZE_T)addr->BaseAddress == modBaseAddr->BaseAddress)
    1548. 

  1548. 							{
    1549. 

  1549. 								return EAT_ADDRESS_NOT_FOUND;
    1550. 

  1550. 							}
    1551. 

  1551. 

  1552. 							Byte dllBuffer[0x400];
    1553. 

  1553. 				            CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    1554. 

  1554. 				           
    1555. 

  1555. 				            const IMAGE_NT_HEADERS64* const pNTHeader =(IMAGE_NT_HEADERS64*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    1556. 

  1556. 							IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER64*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    1557. 

  1557. 							
    1558. 

  1558. 							// Check if the size of the data directory is valid.
    1559. 

  1559. 							if (dataDir.Size)
    1560. 

  1560. 							{
    1561. 

  1561. 								// Read the export directory from memory.
    1562. 

  1562. 					            Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    1563. 

  1563. 					            b = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, &bytesRead);
    1564. 

  1564. 					            
    1565. 

  1565. 					            // Check whether it was read succesfully.
    1566. 

  1566. 								if (b && bytesRead == dataDir.Size)
    1567. 

  1567. 								{
    1568. 

  1568. 									Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    1569. 

  1569. 									AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    1570. 

  1570. 										, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    1571. 

  1571. 						            
    1572. 

  1572. 									SIZE_T forwardedAddress = this->GetAddressFromExportTable(&addrStruct, (char*)(addr->BufferBaseAddress + *funcAddrPtr + RecurseDotIndex + 1), false);
    1573. 

  1573. 									delete[] exportDirectoryBuffer;
    1574. 

  1574. 									return forwardedAddress;
    1575. 

  1575. 								}
    1576. 

  1576. 								else
    1577. 

  1577. 								{
    1578. 

  1578. 									return EAT_ADDRESS_NOT_FOUND;
    1579. 

  1579. 								}
    1580. 

  1580. 							}
    1581. 

  1581. 				            else
    1582. 

  1582. 				            {
    1583. 

  1583. 				            	return EAT_ADDRESS_NOT_FOUND;
    1584. 

  1584. 				            }
    1585. 

  1585. 						}
    1586. 

  1586. 	
    1587. 

  1587. 						return (SIZE_T)(addr->BaseAddress + *funcAddrPtr);
    1588. 

  1588. 					}
    1589. 

  1589. 				}
    1590. 

  1590. 			}
    1591. 

  1591. 		}
    1592. 

  1592. 		
    1593. 

  1593. 		return EAT_ADDRESS_NOT_FOUND;
    1594. 

  1594. 	}
    1595. 

  1595. 	
    1596. 

  1596. 	// Attempts to retrieve function name associated to ordinal import from the export table of the loaded module.
    1597. 

  1597. 	// Returns a pointer to the function name if it exists. If the function is not found, the return value is NULL.
    1598. 

  1598. 	const char* PortableExecutable64::GetOrdinalFunctionNameFromExportTable(const AddrStruct* addr, const WORD ordinal) const
    1599. 

  1599. 	{
    1600. 

  1600. 		const WORD* const ordinals = (WORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNameOrdinals);
    1601. 

  1601. 		
    1602. 

  1602. 		for (unsigned int i = 0; i < addr->ExportDirectory->NumberOfFunctions; ++i)
    1603. 

  1603. 		{
    1604. 

  1604. 			if ((addr->ExportDirectory->Base + ordinals[i]) == ordinal)
    1605. 

  1605. 			{
    1606. 

  1606. 				const DWORD* const stringPtr = (DWORD*)(addr->BufferBaseAddress + addr->ExportDirectory->AddressOfNames + i * sizeof(DWORD));
    1607. 

  1607. 				const Byte* const absStringPtr = (Byte*)(addr->BufferBaseAddress + *stringPtr);
    1608. 

  1608. 				
    1609. 

  1609. 				// Make sure the string points inside of the buffer. Scrambled EAT would crash the application.
    1610. 

  1610. 				if (absStringPtr > (addr->BufferBaseAddress + addr->DirectoryAddress->Size) && absStringPtr < addr->BufferEndAddress)
    1611. 

  1611. 				{
    1612. 

  1612. 					return (const char*)absStringPtr;
    1613. 

  1613. 				}
    1614. 

  1614. 			}
    1615. 

  1615. 		}
    1616. 

  1616. 		
    1617. 

  1617. 		return NULL;
    1618. 

  1618. 	}
    1619. 

  1619. 

  1620. 	
    1621. 

  1621. 	// Retrieves the import table from the PE header of the loaded process. This information is stored in the global storage that has process lifetime.
    1622. 

  1622. 	const bool PortableExecutable64::GetImportAddressTable() const
    1623. 

  1623. 	{
    1624. 

  1624. 		// We use a return value to indicate whether function names can actually be retrieved using OriginalFirstThunk.
    1625. 

  1625. 		bool result = true;
    1626. 

  1626. 		
    1627. 

  1627. 		// Read process memory into local buffer in order to load IAT.
    1628. 

  1628. 		Byte moduleBuffer[0x400];
    1629. 

  1629. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, 0x400, NULL);
    1630. 

  1630. 		
    1631. 

  1631. 		const IMAGE_NT_HEADERS64* const pNTHeader = (IMAGE_NT_HEADERS*)((BYTE*)moduleBuffer + ((IMAGE_DOS_HEADER*)moduleBuffer)->e_lfanew);
    1632. 

  1632. 		
    1633. 

  1633. 		// The PE Headers are not valid, the pointer runs outside the bounds of the buffer.
    1634. 

  1634. 		if ((Byte*)pNTHeader > (moduleBuffer + 0x400))
    1635. 

  1635. 		{
    1636. 

  1636. 			return false;
    1637. 

  1637. 		}
    1638. 

  1638. 		
    1639. 

  1639. 		const IMAGE_OPTIONAL_HEADER* const pOptionalHeader = ((IMAGE_OPTIONAL_HEADER*)&pNTHeader->OptionalHeader);
    1640. 

  1640. 		
    1641. 

  1641. 		// Read the import descriptor table into local memory.
    1642. 

  1642. 		unsigned int counter = 0;
    1643. 

  1643. 		IMAGE_IMPORT_DESCRIPTOR pDesc;
    1644. 

  1644. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (counter * sizeof(IMAGE_IMPORT_DESCRIPTOR))), &pDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR), NULL);
    1645. 

  1645. 		
    1646. 

  1646. 		// Check whether OriginalFirstThunk is non-zero. If it is zero, the target process executable may be packed. We can find
    1647. 

  1647. 		// the function addresses, but we cannot find the function names directly.
    1648. 

  1648. 		if (!pDesc.OriginalFirstThunk)
    1649. 

  1649. 		{
    1650. 

  1650. 			result = false;
    1651. 

  1651. 		}
    1652. 

  1652. 		
    1653. 

  1653. 		while (pDesc.FirstThunk && pDesc.Name != 0xFFFF)
    1654. 

  1654. 		{
    1655. 

  1655. 			// Read DLL name from import descriptor entry.
    1656. 

  1656. 			char dllName[48];
    1657. 

  1657. 			CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(pDesc.Name + this->mBaseAddress), dllName, 48, NULL);
    1658. 

  1658. 	        
    1659. 

  1659. 	        // Add new import descriptor to the table.
    1660. 

  1660. 	        ImportTableDescriptor& impDesc = LoadedProcessPEInformation.ImportAddressTable.Add();
    1661. 

  1661. 	        impDesc.ModuleName = dllName;
    1662. 

  1662. 	        
    1663. 

  1663. 	        // Get base address and length of desired DLL, and look up the function foreign name in the export table of that DLL.
    1664. 

  1664. 			WString apiSetDllName = ToLower(dllName);
    1665. 

  1665. 			const Win32ModuleInformation* modBaseAddr = NULL;
    1666. 

  1666. 

  1667. 			// Check whether we have to deal with an ApiSet redirection or not.
    1668. 

  1668. 			if (apiSetDllName.StartsWith("api-ms-win") || apiSetDllName.StartsWith("ext-ms-win"))
    1669. 

  1669. 			{
    1670. 

  1670. 				// Windows ApiSetSchema redirection detected. Remove the file extension before resolving.
    1671. 

  1671. 				const int lastDot = apiSetDllName.ReverseFind('.');
    1672. 

  1672. 				if (lastDot != -1)
    1673. 

  1673. 				{
    1674. 

  1674. 					apiSetDllName.Remove(lastDot, apiSetDllName.GetLength() - lastDot);
    1675. 

  1675. 				}
    1676. 

  1676. 

  1677. 				// Recursively resolve the redirection.
    1678. 

  1678. 				while (!modBaseAddr)
    1679. 

  1679. 				{
    1680. 

  1680. 					// First remove the prefix, the resolving works without the prefix.
    1681. 

  1681. 					apiSetDllName.Remove(0, 4);
    1682. 

  1682. 

  1683. 					// Resolve the redirection.
    1684. 

  1684. 					const wchar* const outWString = this->InlineResolveApiSetSchema(apiSetDllName);
    1685. 

  1685. 					if (outWString)
    1686. 

  1686. 					{
    1687. 

  1687. 						apiSetDllName = outWString;
    1688. 

  1688. 						delete[] outWString;
    1689. 

  1689. 

  1690. 						// Get the module base address from the internal module list, and set the logical base address.
    1691. 

  1691. 						modBaseAddr = mModuleManager->FindModule(apiSetDllName.ToString());
    1692. 

  1692. 						impDesc.LogicalBaseAddress = modBaseAddr ? modBaseAddr->BaseAddress : 0;
    1693. 

  1693. 					}
    1694. 

  1694. 				}
    1695. 

  1695. 			}
    1696. 

  1696. 			else
    1697. 

  1697. 			{
    1698. 

  1698. 				// Get the module base address from the internal module list.
    1699. 

  1699. 				modBaseAddr = mModuleManager->FindModule(apiSetDllName.ToString());
    1700. 

  1700. 				impDesc.LogicalBaseAddress = 0;
    1701. 

  1701. 			}
    1702. 

  1702. 	        
    1703. 

  1703. 			// Does the module have a base address? If so, we parse its export table.
    1704. 

  1704. 			if (modBaseAddr)
    1705. 

  1705. 			{
    1706. 

  1706. 				impDesc.ModulePointer = modBaseAddr;
    1707. 

  1707. 				
    1708. 

  1708. 	            Byte dllBuffer[0x400];
    1709. 

  1709. 	            CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)modBaseAddr->BaseAddress, dllBuffer, 0x400, NULL);
    1710. 

  1710. 	           
    1711. 

  1711. 	            const IMAGE_NT_HEADERS64* pNTHeader =(IMAGE_NT_HEADERS64*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    1712. 

  1712. 				IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER64*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    1713. 

  1713. 	            
    1714. 

  1714. 	            // Check whether the discovered module actually contains an export table.
    1715. 

  1715. 	            if (dataDir.Size)
    1716. 

  1716. 	            {
    1717. 

  1717. 		            Byte* exportDirectoryBuffer = new Byte[dataDir.Size];
    1718. 

  1718. 		            CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(modBaseAddr->BaseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    1719. 

  1719. 		            
    1720. 

  1720. 					Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    1721. 

  1721. 					AddrStruct addrStruct((Byte*)modBaseAddr->BaseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    1722. 

  1722. 						, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    1723. 

  1723. 		        
    1724. 

  1724. 					IMAGE_THUNK_DATA thunk;
    1725. 

  1725. 			        unsigned int count = 0;
    1726. 

  1726. 		        
    1727. 

  1727. 					do
    1728. 

  1728. 					{
    1729. 

  1729. 						// Try to read current thunk into local memory.
    1730. 

  1730. 						CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pDesc.OriginalFirstThunk + count * sizeof(IMAGE_THUNK_DATA)), &thunk, sizeof(IMAGE_THUNK_DATA), NULL);
    1731. 

  1731. 					
    1732. 

  1732. 						ImportAddressTableEntry funcEntry;
    1733. 

  1733. 						
    1734. 

  1734. 						// Check for 64-bit ordinal magic flag.
    1735. 

  1735. 						if (thunk.u1.Ordinal & IMAGE_ORDINAL_FLAG64)
    1736. 

  1736. 						{
    1737. 

  1737. 							funcEntry.Ordinal = IMAGE_ORDINAL64(thunk.u1.Ordinal);
    1738. 

  1738. 							funcEntry.Hint = 0;
    1739. 

  1739. 							
    1740. 

  1740. 							if (addrStruct.ExportDirectory->AddressOfNames)
    1741. 

  1741. 							{
    1742. 

  1742. 								funcEntry.FunctionName = this->GetOrdinalFunctionNameFromExportTable(&addrStruct, funcEntry.Ordinal);
    1743. 

  1743. 							}
    1744. 

  1744. 						}
    1745. 

  1745. 						else
    1746. 

  1746. 						{
    1747. 

  1747. 							char funcName[96];
    1748. 

  1748. 							CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + thunk.u1.AddressOfData), funcName, 96, NULL);
    1749. 

  1749. 						
    1750. 

  1750. 							// Set ordinal value to 0, read function name and WORD sized hint from the first two read bytes sequence.
    1751. 

  1751. 							funcEntry.Ordinal = 0;
    1752. 

  1752. 							funcEntry.Hint = *(WORD*)funcName;
    1753. 

  1753. 							funcEntry.FunctionName = funcName + sizeof(WORD);
    1754. 

  1754. 						}
    1755. 

  1755. 						
    1756. 

  1756. 						// In a rare occasion the ordinal bit-flag is already removed. In this case the ordinal should be detected by section awareness.
    1757. 

  1757. 						if (funcEntry.FunctionName.IsEmpty() && !RVAPointsInsideSection((DWORD)thunk.u1.Ordinal))
    1758. 

  1758. 						{
    1759. 

  1759. 							funcEntry.Ordinal = (WORD)thunk.u1.Ordinal;
    1760. 

  1760. 							funcEntry.Hint = 0;
    1761. 

  1761. 							
    1762. 

  1762. 							if (addrStruct.ExportDirectory->AddressOfNames)
    1763. 

  1763. 							{
    1764. 

  1764. 								funcEntry.FunctionName = this->GetOrdinalFunctionNameFromExportTable(&addrStruct, funcEntry.Ordinal);
    1765. 

  1765. 							}
    1766. 

  1766. 						}
    1767. 

  1767. 						
    1768. 

  1768. 						// If the function name is empty even after ordinal resolving, the function has no name. Give it an automated name.
    1769. 

  1769. 						if (funcEntry.FunctionName.IsEmpty())
    1770. 

  1770. 						{
    1771. 

  1771. 							String localModName = dllName;
    1772. 

  1772. 							const int dotIndex = localModName.ReverseFind('.');
    1773. 

  1773. 							localModName.Remove(dotIndex, localModName.GetLength() - dotIndex);
    1774. 

  1774. 							funcEntry.FunctionName = Format("%s.%i", localModName, funcEntry.Ordinal);
    1775. 

  1775. 						}
    1776. 

  1776. 						
    1777. 

  1777. 						// Save the thunk address of the function.
    1778. 

  1778. 						funcEntry.ThunkAddress = this->mBaseAddress + pDesc.FirstThunk + count++ * sizeof(SIZE_T);
    1779. 

  1779. 	
    1780. 

  1780. 						// Read function address from thunk data and increment function iteration counter.
    1781. 

  1781. 						SIZE_T funcAddress;
    1782. 

  1782. 						CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)funcEntry.ThunkAddress, &funcAddress, sizeof(SIZE_T), NULL);
    1783. 

  1783. 		
    1784. 

  1784. 						if (!funcAddress)
    1785. 

  1785. 						{
    1786. 

  1786. 							continue;
    1787. 

  1787. 						}
    1788. 

  1788. 					
    1789. 

  1789. 						funcEntry.VirtualAddress = funcAddress;
    1790. 

  1790. 						funcEntry.Flag = 0;
    1791. 

  1791. 						
    1792. 

  1792. 						// Check whether actual address is equal to the address it should be, otherwise the IAT is hooked.
    1793. 

  1793. 						const SIZE_T eatAddress = this->GetAddressFromExportTable(&addrStruct, funcEntry.Ordinal ? (char*)funcEntry.Ordinal : funcEntry.FunctionName.Begin(), funcEntry.Ordinal ? 0 : funcEntry.FunctionName.GetLength());
    1794. 

  1794. 						if (eatAddress == EAT_ADDRESS_NOT_FOUND)
    1795. 

  1795. 						{
    1796. 

  1796. 							funcEntry.Flag = IAT_FLAG_NOT_FOUND;
    1797. 

  1797. 						}
    1798. 

  1798. 						else if (eatAddress != funcEntry.VirtualAddress)
    1799. 

  1799. 						{
    1800. 

  1800. 							funcEntry.Flag = IAT_FLAG_HOOKED;
    1801. 

  1801. 						}
    1802. 

  1802. 				
    1803. 

  1803. 						// Add function to import descriptor.
    1804. 

  1804. 						impDesc.FunctionList.Add(funcEntry);
    1805. 

  1805. 					}
    1806. 

  1806. 					while (thunk.u1.AddressOfData);
    1807. 

  1807. 				
    1808. 

  1808. 					delete[] exportDirectoryBuffer;
    1809. 

  1809. 	            }
    1810. 

  1810. 			}
    1811. 

  1811. 			
    1812. 

  1812. 			CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(this->mBaseAddress + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (++counter * sizeof(IMAGE_IMPORT_DESCRIPTOR))), &pDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR), NULL);
    1813. 

  1813. 		}
    1814. 

  1814. 		
    1815. 

  1815. 		return result;
    1816. 

  1816. 	}
    1817. 

  1817. 	
    1818. 

  1818. 	// Places a hook in the IAT, replacing the function address with another one.
    1819. 

  1819. 	// First parameter is either a pointer to a buffer containing the function name or an ordinal value.
    1820. 

  1820. 	bool PortableExecutable64::PlaceIATHook(const Win32ModuleInformation* modBase, const char* NameOrdinal, const SIZE_T newAddress, bool IsOrdinal) const
    1821. 

  1821. 	{
    1822. 

  1822. 		bool result = false;
    1823. 

  1823. 		Byte* const moduleBuffer = new Byte[modBase->Length];
    1824. 

  1824. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)this->mBaseAddress, moduleBuffer, modBase->Length, NULL);
    1825. 

  1825. 		
    1826. 

  1826. 		const IMAGE_NT_HEADERS* const pNTHeader =(IMAGE_NT_HEADERS*)(moduleBuffer + ((IMAGE_DOS_HEADER*)moduleBuffer)->e_lfanew);
    1827. 

  1827. 		const IMAGE_IMPORT_DESCRIPTOR* pDesc = (IMAGE_IMPORT_DESCRIPTOR*)(moduleBuffer + ((IMAGE_OPTIONAL_HEADER*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    1828. 

  1828. 		
    1829. 

  1829. 		// Additional sanity checking, to avoid pDesc to be located outside of the allocated buffer.
    1830. 

  1830. 		if ((Byte*)pDesc > moduleBuffer && (Byte*)pDesc < moduleBuffer + modBase->Length)
    1831. 

  1831. 		{
    1832. 

  1832. 			while (pDesc->FirstThunk)
    1833. 

  1833. 			{
    1834. 

  1834. 				// Read DLL name from import descriptor entry.
    1835. 

  1835. 				const char* const dllName = (char*)(moduleBuffer + pDesc->Name);
    1836. 

  1836. 		
    1837. 

  1837. 				IMAGE_THUNK_DATA* thunk;
    1838. 

  1838. 		        unsigned int count = 0;
    1839. 

  1839. 		        
    1840. 

  1840. 				do
    1841. 

  1841. 				{
    1842. 

  1842. 					IMAGE_THUNK_DATA* const curAddress = (IMAGE_THUNK_DATA*)(moduleBuffer + pDesc->OriginalFirstThunk + count * sizeof(IMAGE_THUNK_DATA));
    1843. 

  1843. 					
    1844. 

  1844. 					// Read current thunk into local memory.
    1845. 

  1845. 					thunk = curAddress;
    1846. 

  1846. 					void* const AddressAddr = (void*)(this->mBaseAddress + pDesc->FirstThunk + count++ * sizeof(IMAGE_THUNK_DATA));
    1847. 

  1847. 					
    1848. 

  1848. 					if (IsOrdinal)
    1849. 

  1849. 					{
    1850. 

  1850. 						if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
    1851. 

  1851. 						{
    1852. 

  1852. 							// Ordinal import detected, check whether ordinal matches input value.
    1853. 

  1853. 							if (IMAGE_ORDINAL64(thunk->u1.Ordinal) == (SIZE_T)NameOrdinal)
    1854. 

  1854. 							{
    1855. 

  1855. 								DWORD dwOldProtect;
    1856. 

  1856. 								CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(IMAGE_THUNK_DATA), PAGE_READWRITE, &dwOldProtect);
    1857. 

  1857. 								CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, AddressAddr, &newAddress, sizeof(IMAGE_THUNK_DATA), NULL);
    1858. 

  1858. 								CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(IMAGE_THUNK_DATA), dwOldProtect, &dwOldProtect);
    1859. 

  1859. 								result = true;
    1860. 

  1860. 								break;
    1861. 

  1861. 							}
    1862. 

  1862. 						}
    1863. 

  1863. 					}
    1864. 

  1864. 					else
    1865. 

  1865. 					{
    1866. 

  1866. 						// If the current import is not a named one, move over to the next.
    1867. 

  1867. 						if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
    1868. 

  1868. 						{
    1869. 

  1869. 							continue;
    1870. 

  1870. 						}
    1871. 

  1871. 	
    1872. 

  1872. 						// Read function name from thunk data.
    1873. 

  1873. 						const char* const funcName = (char*)(moduleBuffer + thunk->u1.AddressOfData + sizeof(WORD));
    1874. 

  1874. 						
    1875. 

  1875. 						// Named import detected, check whether import matches input name.
    1876. 

  1876. 						if (strcmp(funcName, NameOrdinal) == 0)
    1877. 

  1877. 						{
    1878. 

  1878. 							DWORD dwOldProtect;
    1879. 

  1879. 							CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(IMAGE_THUNK_DATA), PAGE_READWRITE, &dwOldProtect);
    1880. 

  1880. 							CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, AddressAddr, &newAddress, sizeof(IMAGE_THUNK_DATA), NULL);
    1881. 

  1881. 							CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, AddressAddr, sizeof(IMAGE_THUNK_DATA), dwOldProtect, &dwOldProtect);
    1882. 

  1882. 							result = true;
    1883. 

  1883. 							break;
    1884. 

  1884. 						}
    1885. 

  1885. 					}
    1886. 

  1886. 				}
    1887. 

  1887. 				while (thunk->u1.AddressOfData);
    1888. 

  1888. 				
    1889. 

  1889. 				++pDesc;
    1890. 

  1890. 			}
    1891. 

  1891. 		}
    1892. 

  1892. 		
    1893. 

  1893. 		// Success, free used buffers and return.
    1894. 

  1894. 		delete[] moduleBuffer;
    1895. 

  1895. 		return result;
    1896. 

  1896. 	}
    1897. 

  1897. 	
    1898. 

  1898. 	// Attempts to restore the PE headers from a file on the harddisk to a module loaded in memory.
    1899. 

  1899. 	// Retuns true if the operation succeeded and false if it did not succeed.
    1900. 

  1900. 	bool PortableExecutable64::RestorePEHeaderFromFile(const String& fileName, const Win32ModuleInformation& module) const
    1901. 

  1901. 	{
    1902. 

  1902. 		bool result = true;
    1903. 

  1903. 		
    1904. 

  1904. 		// Create handle to file on the disk.
    1905. 

  1905. 		HANDLE hFile = CreateFile(fileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    1906. 

  1906. 		if (!hFile || hFile == INVALID_HANDLE_VALUE)
    1907. 

  1907. 		{
    1908. 

  1908. 			result = false;
    1909. 

  1909. 		}
    1910. 

  1910. 		
    1911. 

  1911. 		// Get file size and read file into buffer.
    1912. 

  1912. 		LARGE_INTEGER size;
    1913. 

  1913. 		GetFileSizeEx(hFile, &size);
    1914. 

  1914. 		
    1915. 

  1915. 		DWORD bytesRead;
    1916. 

  1916. 		Byte* const fileBuffer = new Byte[size.LowPart];
    1917. 

  1917. 		if (!ReadFile(hFile, fileBuffer, size.LowPart, &bytesRead, NULL))
    1918. 

  1918. 		{
    1919. 

  1919. 			result = false;
    1920. 

  1920. 		}
    1921. 

  1921. 		
    1922. 

  1922. 		// Read header size.
    1923. 

  1923. 		const IMAGE_DOS_HEADER* const pDOSHeader = (IMAGE_DOS_HEADER*)fileBuffer;
    1924. 

  1924. 		if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
    1925. 

  1925. 		{
    1926. 

  1926. 			return false;
    1927. 

  1927. 		}
    1928. 

  1928. 	
    1929. 

  1929. 		const IMAGE_NT_HEADERS* const pNTHeader =(IMAGE_NT_HEADERS*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);
    1930. 

  1930. 		if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    1931. 

  1931. 		{
    1932. 

  1932. 			result = false;
    1933. 

  1933. 		}
    1934. 

  1934. 		
    1935. 

  1935. 		const IMAGE_OPTIONAL_HEADER* const pOptionalHeader = (IMAGE_OPTIONAL_HEADER*)&pNTHeader->OptionalHeader;
    1936. 

  1936. 

  1937. 		// Write header data into process memory at designated location.
    1938. 

  1938. 		CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, pOptionalHeader->SizeOfHeaders, PAGE_READWRITE, &bytesRead);
    1939. 

  1939. 	
    1940. 

  1940. 		if (!CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, fileBuffer, pOptionalHeader->SizeOfHeaders, NULL))
    1941. 

  1941. 		{
    1942. 

  1942. 			result = false;
    1943. 

  1943. 		}
    1944. 

  1944. 	
    1945. 

  1945. 		CrySearchRoutines.CryProtectMemoryRoutine(this->mProcessHandle, (void*)module.BaseAddress, pOptionalHeader->SizeOfHeaders, bytesRead, &bytesRead);
    1946. 

  1946. 		
    1947. 

  1947. 		delete[] fileBuffer;
    1948. 

  1948. 		CloseHandle(hFile);
    1949. 

  1949. 		
    1950. 

  1950. 		return result;
    1951. 

  1951. 	}
    1952. 

  1952. 	
    1953. 

  1953. 	// Attempts to hide a module from the loaded process. Hiding means it not being visible for debuggers anymore.
    1954. 

  1954. 	// Returns true if the operation succeeded, and false if it did not succeed.
    1955. 

  1955. 	bool PortableExecutable64::HideModuleFromProcess(const Win32ModuleInformation& module) const
    1956. 

  1956. 	{
    1957. 

  1957. 		if (!CrySearchRoutines.NtQueryInformationProcess)
    1958. 

  1958. 		{
    1959. 

  1959. 			return false;
    1960. 

  1960. 		}
    1961. 

  1961. 		
    1962. 

  1962. 		// Retrieve target process information using Nt function.
    1963. 

  1963. 		PROCESS_BASIC_INFORMATION procBlock;
    1964. 

  1964. 		if (CrySearchRoutines.NtQueryInformationProcess(this->mProcessHandle, ProcessBasicInformation, &procBlock, sizeof(procBlock), NULL) != STATUS_SUCCESS)
    1965. 

  1965. 		{
    1966. 

  1966. 			return false;
    1967. 

  1967. 		}
    1968. 

  1968. 		
    1969. 

  1969. 		PEB_LDR_DATA peb;
    1970. 

  1970. 		PPEB_LDR_DATA pebPtr;
    1971. 

  1971. 	
    1972. 

  1972. 		// Read process environment block and loader data from the process memory.
    1973. 

  1973. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (unsigned char*)procBlock.PebBaseAddress + offsetof(PEB, LoaderData), &pebPtr, sizeof(PPEB_LDR_DATA), NULL);
    1974. 

  1974. 		CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, pebPtr, &peb, sizeof(PEB_LDR_DATA), NULL);
    1975. 

  1975. 	
    1976. 

  1976. 		LDR_MODULE curModule;
    1977. 

  1977. 		bool found = false;
    1978. 

  1978. 		int retryCount = 0;
    1979. 

  1979. 		int moduleCount = 0;
    1980. 

  1980. 	
    1981. 

  1981. 	    LIST_ENTRY* Head = peb.InMemoryOrderModuleList.Flink;
    1982. 

  1982. 	    LIST_ENTRY* Node = Head;
    1983. 

  1983. 	
    1984. 

  1984. 	    do
    1985. 

  1985. 	    {
    1986. 

  1986. 			// Read current linked list module from the process memory.
    1987. 

  1987. 	        if (CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, --Node, &curModule, sizeof(LDR_MODULE), NULL))
    1988. 

  1988. 	        {
    1989. 

  1989. 	            if (curModule.BaseAddress)
    1990. 

  1990. 	            {
    1991. 

  1991. 					// some applications cause an infinite loop. This is one way to help preventing it.
    1992. 

  1992. 					++moduleCount;
    1993. 

  1993. 	
    1994. 

  1994. 					// A valid module is found, read its base dll name from the process memory.
    1995. 

  1995. 	                wchar BaseDllName[MAX_PATH];
    1996. 

  1996. 	                CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, curModule.BaseDllName.Buffer, BaseDllName, curModule.BaseDllName.Length, NULL);
    1997. 

  1997. 	                BaseDllName[curModule.BaseDllName.Length / 2] = 0;
    1998. 

  1998. 	                PathStripPathW(BaseDllName);
    1999. 

  1999. 	                
    2000. 

  2000. 	                // Compare current module's base name and desired module name, if it matches, the desired one is found.
    2001. 

  2001. 	                String selModName = mModuleManager->GetModuleFilename(module.BaseAddress);
    2002. 

  2002. 	                if (memcmp(selModName.ToWString().Begin(), BaseDllName, selModName.GetLength() * sizeof(wchar)) == 0)
    2003. 

  2003. 	                {
    2004. 

  2004. 	                    found = true;
    2005. 

  2005. 	                    
    2006. 

  2006. 	                    for (unsigned int index = 0; index < 3; Node++, index++)
    2007. 

  2007. 	                    {
    2008. 

  2008. 					        LIST_ENTRY current;
    2009. 

  2009. 					        
    2010. 

  2010. 					        // Read current, previous and next list entry from the process memory.
    2011. 

  2011. 							BOOL localRes = CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, Node, &current, sizeof(LIST_ENTRY), NULL);
    2012. 

  2012. 					        if (!localRes)
    2013. 

  2013. 					        {
    2014. 

  2014. 								found = false;
    2015. 

  2015. 								break;
    2016. 

  2016. 					        }
    2017. 

  2017. 					        
    2018. 

  2018. 							const unsigned __int64 nextItemAddr = (unsigned __int64)current.Flink;
    2019. 

  2019. 							const unsigned __int64 prevItemAddr = (unsigned __int64)current.Blink;
    2020. 

  2020. 							
    2021. 

  2021. 							// Overwrite the pointers of the previous and next list entry so the current one is effectively hidden.
    2022. 

  2022. 					        localRes = CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, current.Blink, &nextItemAddr, sizeof(LIST_ENTRY*), NULL);
    2023. 

  2023. 					        localRes = CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, (unsigned char*)current.Flink + sizeof(LIST_ENTRY*), &prevItemAddr, sizeof(LIST_ENTRY*), NULL);
    2024. 

  2024. 	                    }
    2025. 

  2025. 					    
    2026. 

  2026. 	                    break;
    2027. 

  2027. 	                }
    2028. 

  2028. 	            }
    2029. 

  2029. 	        }
    2030. 

  2030. 			else
    2031. 

  2031. 			{
    2032. 

  2032. 				// Prevent infinite while looping. In most situations this code may be unnessecary.
    2033. 

  2033. 				if (++retryCount == 3)
    2034. 

  2034. 				{
    2035. 

  2035. 					break;
    2036. 

  2036. 				}
    2037. 

  2037. 			}
    2038. 

  2038. 			
    2039. 

  2039. 			// Desired module was not yet found, traverse to the next one.
    2040. 

  2040. 	        Node = curModule.InMemoryOrderModuleList.Flink;
    2041. 

  2041. 	    }
    2042. 

  2042. 	    while(Head != Node && moduleCount < mModuleManager->GetModuleCount());
    2043. 

  2043. 	
    2044. 

  2044. 		return found;
    2045. 

  2045. 	}
    2046. 

  2046. 	
    2047. 

  2047. 	// Dumps a specific section in the loaded process to a file on the harddisk.
    2048. 

  2048. 	// Returns true if the operation succeeded, and false if it did not succeed.
    2049. 

  2049. 	bool PortableExecutable64::DumpProcessSection(const String& fileName, const SIZE_T address, const SIZE_T size) const
    2050. 

  2050. 	{
    2051. 

  2051. 		bool result = true;
    2052. 

  2052. 		Byte* const buffer = new Byte[size];
    2053. 

  2053. 		SIZE_T bytesRead;
    2054. 

  2054. 		
    2055. 

  2055. 		if (!CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)address, buffer, size, &bytesRead)
    2056. 

  2056. 			&& bytesRead == 0)
    2057. 

  2057. 		{
    2058. 

  2058. 			delete[] buffer;
    2059. 

  2059. 			return false;
    2060. 

  2060. 		}
    2061. 

  2061. 		
    2062. 

  2062. 		// Create dmp file on the disk.
    2063. 

  2063. 		HANDLE hFile = CreateFile(fileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    2064. 

  2064. 		if (hFile == INVALID_HANDLE_VALUE)
    2065. 

  2065. 		{
    2066. 

  2066. 			result = false;
    2067. 

  2067. 		}
    2068. 

  2068. 		
    2069. 

  2069. 		// Write the data read to the file.
    2070. 

  2070. 		DWORD bytesWritten;
    2071. 

  2071. 		if (!WriteFile(hFile, buffer, (DWORD)bytesRead, &bytesWritten, NULL))
    2072. 

  2072. 		{
    2073. 

  2073. 			DeleteFile(fileName);
    2074. 

  2074. 			result = false;
    2075. 

  2075. 		}
    2076. 

  2076. 		
    2077. 

  2077. 		// All succeeded, free resources and return.
    2078. 

  2078. 		CloseHandle(hFile);
    2079. 

  2079. 		delete[] buffer;
    2080. 

  2080. 		return result;
    2081. 

  2081. 	}
    2082. 

  2082. 	
    2083. 

  2083. 	// Attempts to load a dynamic link library into the target process.
    2084. 

  2084. 	// Returns true if the operation succeeded, and false if it did not succeed.
    2085. 

  2085. 	bool PortableExecutable64::LoadLibraryExternal(const String& library) const
    2086. 

  2086. 	{
    2087. 

  2087. 		// Allocate memory space for the library path.
    2088. 

  2088. 		void* const lpRemoteAddress = VirtualAllocEx(this->mProcessHandle, NULL, library.GetLength(), MEM_COMMIT, PAGE_READWRITE);
    2089. 

  2089. 		SIZE_T bytesWritten;
    2090. 

  2090. 		
    2091. 

  2091. 		// Write path to library into the newly allocated memory.
    2092. 

  2092. 		CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpRemoteAddress, library, library.GetLength(), &bytesWritten);
    2093. 

  2093. 		if (bytesWritten != library.GetLength())
    2094. 

  2094. 		{
    2095. 

  2095. 			VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    2096. 

  2096. 			return false;
    2097. 

  2097. 		}
    2098. 

  2098. 		
    2099. 

  2099. 		// Create a thread remotely that executes LoadLibraryA, pointing to the allocated string as parameter.
    2100. 

  2100. 		HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), lpRemoteAddress, NULL, NULL);
    2101. 

  2101. 		
    2102. 

  2102. 		// Succesfully created thread, wait for it to complete and free resources after.
    2103. 

  2103. 		if (hThread && hThread != INVALID_HANDLE_VALUE)
    2104. 

  2104. 		{
    2105. 

  2105. 			WaitForSingleObject(hThread, 5000);
    2106. 

  2106. 			CloseHandle(hThread);
    2107. 

  2107. 		}
    2108. 

  2108. 		
    2109. 

  2109. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    2110. 

  2110. 		
    2111. 

  2111. 		return !!hThread;
    2112. 

  2112. 	}
    2113. 

  2113. 	
    2114. 

  2114. 	// Attempts to load a dynamic link library into the target process.
    2115. 

  2115. 	// Returns true if the operation succeeded, and false if it did not succeed.
    2116. 

  2116. 	bool PortableExecutable64::LoadLibraryExternalHijack(const String& library, HANDLE hThread) const
    2117. 

  2117. 	{
    2118. 

  2118. 		// If the thread wasn't opened, the function returns.
    2119. 

  2119. 		if (!hThread || hThread == INVALID_HANDLE_VALUE)
    2120. 

  2120. 		{
    2121. 

  2121. 			return false;
    2122. 

  2122. 		}
    2123. 

  2123. 		
    2124. 

  2124. 		// Allocate memory space for the library path.
    2125. 

  2125. 		void* const lpRemoteAddress = VirtualAllocEx(this->mProcessHandle, NULL, library.GetLength(), MEM_COMMIT, PAGE_READWRITE);
    2126. 

  2126. 		SIZE_T bytesWritten;
    2127. 

  2127. 	
    2128. 

  2128. 		// Write path to library into the newly allocated memory.
    2129. 

  2129. 		CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpRemoteAddress, library, library.GetLength(), &bytesWritten);
    2130. 

  2130. 		if (bytesWritten != library.GetLength())
    2131. 

  2131. 		{
    2132. 

  2132. 			VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    2133. 

  2133. 			return false;
    2134. 

  2134. 		}
    2135. 

  2135. 		
    2136. 

  2136. 		// The shellcode that is written and executed inside the target program:
    2137. 

  2137. 		// sub rsp, 8
    2138. 

  2138. 		// mov dword ptr [rsp], 0xCCCCCCCC
    2139. 

  2139. 		// mov dword ptr [rsp+4], 0xCCCCCCCC
    2140. 

  2140. 		// push rax
    2141. 

  2141. 		// push rbx
    2142. 

  2142. 		// push rcx
    2143. 

  2143. 		// push rdx
    2144. 

  2144. 		// push r8
    2145. 

  2145. 		// push r9
    2146. 

  2146. 		// push r10
    2147. 

  2147. 		// push r11
    2148. 

  2148. 		// movabs rbx, 0xCCCCCCCCCCCCCCCC
    2149. 

  2149. 		// movabs rcx, 0xCCCCCCCCCCCCCCCC
    2150. 

  2150. 		// sub rsp, 32
    2151. 

  2151. 		// call rbx
    2152. 

  2152. 		// add rsp, 32
    2153. 

  2153. 		// pop r11
    2154. 

  2154. 		// pop r10
    2155. 

  2155. 		// pop r9
    2156. 

  2156. 		// pop r8
    2157. 

  2157. 		// pop rdx
    2158. 

  2158. 		// pop rcx
    2159. 

  2159. 		// pop rbx
    2160. 

  2160. 		// movabs rax, 0xCCCCCCCCCCCCCCCC
    2161. 

  2161. 		// mov dword ptr [rax], 0x1337
    2162. 

  2162. 		// pop rax
    2163. 

  2163. 		// ret
    2164. 

  2164. 		Byte shellCode[] = { 0x48, 0x83, 0xEC, 0x08, 0xC7, 0x04, 0x24, 0xCC, 0xCC, 0xCC, 0xCC, 0xC7, 0x44, 0x24, 0x04, 0xCC, 0xCC, 0xCC,
    2165. 

  2165. 							 0xCC, 0x50, 0x53, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x48, 0xBB, 0xCC, 0xCC, 0xCC,
    2166. 

  2166. 							 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x48, 0xB9, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x48, 0x83, 0xEC,
    2167. 

  2167. 							 0x20, 0xFF, 0xD3, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5A, 0x59, 0x5B,
    2168. 

  2168. 							 0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xC7, 0x00, 0x37, 0x13, 0x00, 0x00, 0x58, 0xC3 };
    2169. 

  2169. 		
    2170. 

  2170. 		// Allocate executable block of memory for the shellcode.
    2171. 

  2171. 		void* const lpShellCode = VirtualAllocEx(this->mProcessHandle, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    2172. 

  2172. 		const SIZE_T flagAddress = (SIZE_T)lpShellCode + 0x100;
    2173. 

  2173. 		
    2174. 

  2174. 		// Suspend the opened thread.
    2175. 

  2175. 		SuspendThread(hThread);
    2176. 

  2176. 		
    2177. 

  2177. 		// Create context, aligned to 64-bits boundary for x64.
    2178. 

  2178. 		void* const ctxBase = VirtualAlloc(NULL, sizeof(CONTEXT) + 8, MEM_COMMIT, PAGE_READWRITE);
    2179. 

  2179. 		PCONTEXT const ctx = (PCONTEXT)ctxBase;
    2180. 

  2180. 		AlignPointer((DWORD_PTR*)&ctx, 8);
    2181. 

  2181. 		memset(ctx, 0, sizeof(CONTEXT));
    2182. 

  2182. 		ctx->ContextFlags = CONTEXT_FULL;
    2183. 

  2183. 		GetThreadContext(hThread, ctx);
    2184. 

  2184. 		PLARGE_INTEGER rip64large = (PLARGE_INTEGER)&ctx->Rip;
    2185. 

  2185. 		
    2186. 

  2186. 		// Fix up dynamic addresses inside shellcode.
    2187. 

  2187. 		*(DWORD*)&shellCode[7] = rip64large->LowPart;
    2188. 

  2188. 		*(DWORD*)&shellCode[15] = rip64large->HighPart;
    2189. 

  2189. 		*(SIZE_T*)&shellCode[33] = (SIZE_T)LoadLibraryA;
    2190. 

  2190. 		*(SIZE_T*)&shellCode[43] = (SIZE_T)lpRemoteAddress;
    2191. 

  2191. 		*(SIZE_T*)&shellCode[74] = flagAddress;
    2192. 

  2192. 		
    2193. 

  2193. 		// Write the shellcode to the remotely allocated buffer.
    2194. 

  2194. 		CrySearchRoutines.CryWriteMemoryRoutine(this->mProcessHandle, lpShellCode, shellCode, sizeof(shellCode), &bytesWritten);
    2195. 

  2195. 		if (bytesWritten != sizeof(shellCode))
    2196. 

  2196. 		{
    2197. 

  2197. 			VirtualFreeEx(this->mProcessHandle, lpShellCode, 0, MEM_RELEASE);
    2198. 

  2198. 			VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    2199. 

  2199. 			return false;
    2200. 

  2200. 		}
    2201. 

  2201. 		
    2202. 

  2202. 		// Change RIP to resume execution at the shellcode.
    2203. 

  2203. 		ctx->Rip = (SIZE_T)lpShellCode;
    2204. 

  2204. 

  2205. 		// Place the new context inside the thread.
    2206. 

  2206. 		SetThreadContext(hThread, ctx);
    2207. 

  2207. 		
    2208. 

  2208. 		// Flush the instruction cache to avoid problems with cached instructions.
    2209. 

  2209. 		FlushInstructionCache(this->mProcessHandle, lpShellCode, sizeof(shellCode));
    2210. 

  2210. 		
    2211. 

  2211. 		// Resume the thread to let the DLL load and close thread handle.
    2212. 

  2212. 		ResumeThread(hThread);
    2213. 

  2213. 		
    2214. 

  2214. 		// Sample the completion flag to contain the magic number 0x1337. Block the thread until the sampling is succesful.
    2215. 

  2215. 		DWORD magic = 0;
    2216. 

  2216. 		unsigned int threshold = 0;
    2217. 

  2217. 		do
    2218. 

  2218. 		{
    2219. 

  2219. 			CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)flagAddress, &magic, sizeof(DWORD), &bytesWritten);
    2220. 

  2220. 			
    2221. 

  2221. 			// Prevent CrySearch to start eating CPU time while still trying to have an accurate sample.
    2222. 

  2222. 			Sleep(75);
    2223. 

  2223. 			++threshold;
    2224. 

  2224. 		}
    2225. 

  2225. 		while (magic != 0x1337 && threshold < THREAD_HIJACK_MAGIC_PROBE_THRESHOLD);
    2226. 

  2226. 		
    2227. 

  2227. 		// The loop finished, free memory pages and close thread handle.
    2228. 

  2228. 		VirtualFreeEx(this->mProcessHandle, lpShellCode, 0, MEM_RELEASE);
    2229. 

  2229. 		VirtualFreeEx(this->mProcessHandle, lpRemoteAddress, 0, MEM_RELEASE);
    2230. 

  2230. 		CloseHandle(hThread);
    2231. 

  2231. 		VirtualFree(ctxBase, 0, MEM_RELEASE);
    2232. 

  2232. 		
    2233. 

  2233. 		return (threshold != THREAD_HIJACK_MAGIC_PROBE_THRESHOLD);
    2234. 

  2234. 	}
    2235. 

  2235. 	
    2236. 

  2236. 	// Attempts to unload a loaded module from the target process.
    2237. 

  2237. 	void PortableExecutable64::UnloadLibraryExternal(const SIZE_T module) const
    2238. 

  2238. 	{
    2239. 

  2239. 		// Create a thread remotely that executes FreeLibrary, with module handle as parameter.
    2240. 

  2240. 		HANDLE hThread = CreateRemoteThread(this->mProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "FreeLibrary"), (void*)module, NULL, NULL);
    2241. 

  2241. 		
    2242. 

  2242. 		// Succesfully created thread, wait for it to complete and free resources after.
    2243. 

  2243. 		if (hThread && hThread != INVALID_HANDLE_VALUE)
    2244. 

  2244. 		{
    2245. 

  2245. 			WaitForSingleObject(hThread, 5000);
    2246. 

  2246. 			CloseHandle(hThread);
    2247. 

  2247. 		}
    2248. 

  2248. 	}
    2249. 

  2249. 	
    2250. 

  2250. 	// Restores the original address of an imported function from the export table.
    2251. 

  2251. 	void PortableExecutable64::RestoreExportTableAddressImport(const Win32ModuleInformation* modBase, const SIZE_T baseAddress, const char* NameOrdinal, const int NameLength) const
    2252. 

  2252. 	{
    2253. 

  2253. 		Byte* const dllBuffer = new Byte[0x400];
    2254. 

  2254. 	    CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)baseAddress, dllBuffer, 0x400, NULL);
    2255. 

  2255. 	   
    2256. 

  2256. 	    const IMAGE_NT_HEADERS64* const pNTHeader =(IMAGE_NT_HEADERS64*)(dllBuffer + ((IMAGE_DOS_HEADER*)dllBuffer)->e_lfanew);
    2257. 

  2257. 		IMAGE_DATA_DIRECTORY dataDir = *(&((IMAGE_OPTIONAL_HEADER64*)&pNTHeader->OptionalHeader)->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    2258. 

  2258. 	
    2259. 

  2259. 	    delete[] dllBuffer;
    2260. 

  2260. 	    
    2261. 

  2261. 	    // Check whether the discovered module actually has an export table.
    2262. 

  2262.     	if (dataDir.Size)
    2263. 

  2263.     	{
    2264. 

  2264. 	 	    Byte* const exportDirectoryBuffer = new Byte[dataDir.Size];
    2265. 

  2265. 		    CrySearchRoutines.CryReadMemoryRoutine(this->mProcessHandle, (void*)(baseAddress + dataDir.VirtualAddress), exportDirectoryBuffer, dataDir.Size, NULL);
    2266. 

  2266. 		    
    2267. 

  2267. 			Byte* const bufBase = exportDirectoryBuffer - dataDir.VirtualAddress;
    2268. 

  2268. 			AddrStruct addrStruct((Byte*)baseAddress, (exportDirectoryBuffer - dataDir.VirtualAddress), bufBase + dataDir.VirtualAddress + dataDir.Size
    2269. 

  2269. 				, &dataDir, (IMAGE_EXPORT_DIRECTORY*)exportDirectoryBuffer);
    2270. 

  2270. 		    
    2271. 

  2271. 			this->PlaceIATHook(modBase, NameOrdinal, this->GetAddressFromExportTable(&addrStruct, NameOrdinal, NameLength), !NameLength);
    2272. 

  2272. 			
    2273. 

  2273. 			delete[] exportDirectoryBuffer;   		
    2274. 

  2274.     	}
    2275. 

  2275. 	}
    2276. 

  2276. #endif
    2277.