cwapi.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
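namespace ebshseubhfhisb
{
    // Reviewer context: the "Token:/RID:/RVA:" comments are decompiler output and refer to
    // the ORIGINAL binary, not to the edited source below. The namespace name looks
    // machine-generated (presumably obfuscated; the page gives no further context).
    //
    // What the class does, as far as the visible code shows: it binds kernel32's
    // cross-process memory API set (OpenProcess, ReadProcessMemory, WriteProcessMemory)
    // and the Toolhelp32 snapshot API, then exposes helpers that locate a module's base
    // address and follow a chain of pointers inside another process.
    //
    // For triage: importing this API set from a managed assembly is worth noting on its
    // own. The access mask passed to OpenProcess by callers (not visible here) is what
    // process-access telemetry records, e.g. the GrantedAccess field of Sysmon Event ID 10;
    // ProcessAccessFlags.All corresponds to 0x1F0FFF.

    /// <summary>
    /// P/Invoke bindings and helpers for reading and writing another process's memory.
    /// </summary>
    // Token: 0x02000006 RID: 6
    internal class cwapi
    {
        /// <summary>Opens a handle to the process <paramref name="processId"/> with the requested rights.</summary>
        // Token: 0x06000039 RID: 57
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

        /// <summary>Copies <paramref name="nSize"/> bytes from the target process into <paramref name="lpBuffer"/>.</summary>
        // NOTE(review): the native nSize parameter is SIZE_T (pointer-sized). Declaring it as
        // long matches only in a 64-bit process; in a 32-bit process the argument list is
        // mis-sized and lpNumberOfBytesRead cannot be trusted. The signature is left as-is
        // because it is public and callers pass a long.
        // Token: 0x0600003A RID: 58
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, long nSize, out IntPtr lpNumberOfBytesRead);

        /// <summary>Copies <paramref name="nSize"/> bytes from <paramref name="lpBuffer"/> into the target process.</summary>
        // NOTE(review): same SIZE_T-vs-long mismatch as ReadProcessMemory. UnmanagedType.AsAny
        // defers the marshalling decision to run time based on the boxed object's type.
        // Token: 0x0600003B RID: 59
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [MarshalAs(UnmanagedType.AsAny)] object lpBuffer, long nSize, out IntPtr lpNumberOfBytesWritten);

        // Process32First/Process32Next are declared but not called by any method in this class.
        // Token: 0x0600003C RID: 60
        [DllImport("kernel32.dll")]
        private static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        // Token: 0x0600003D RID: 61
        [DllImport("kernel32.dll")]
        private static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        // Token: 0x0600003E RID: 62
        [DllImport("kernel32.dll")]
        private static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32 lpme);

        // Token: 0x0600003F RID: 63
        [DllImport("kernel32.dll")]
        private static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32 lpme);

        // Token: 0x06000040 RID: 64
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr hHandle);

        // Token: 0x06000041 RID: 65
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr CreateToolhelp32Snapshot(SnapshotFlags dwFlags, int th32ProcessID);

        /// <summary>
        /// Returns the base address of the module named <paramref name="modName"/> in
        /// <paramref name="proc"/>, using the managed <see cref="Process.Modules"/> list.
        /// </summary>
        /// <param name="proc">Process whose loaded modules are searched.</param>
        /// <param name="modName">Module file name; compared ordinally (case-sensitive).</param>
        /// <returns>The module's base address, or <see cref="IntPtr.Zero"/> when no module matches.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="proc"/> is null.</exception>
        // Token: 0x06000042 RID: 66 RVA: 0x00005464 File Offset: 0x00003664
        public static IntPtr GetModuleBaseAddress(Process proc, string modName)
        {
            if (proc == null)
            {
                // The original dereferenced proc unguarded and failed with a NullReferenceException.
                throw new ArgumentNullException("proc");
            }

            // Exceptions raised while enumerating proc.Modules propagate to the caller.
            foreach (ProcessModule module in proc.Modules)
            {
                if (module.ModuleName == modName)
                {
                    return module.BaseAddress;
                }
            }

            return IntPtr.Zero;
        }

        /// <summary>
        /// Returns the base address of the module named <paramref name="modName"/> in the
        /// process <paramref name="procId"/>, using a Toolhelp32 module snapshot.
        /// </summary>
        /// <param name="procId">Identifier of the process to snapshot.</param>
        /// <param name="modName">Module name; compared ordinally (case-sensitive) against szModule.</param>
        /// <returns>
        /// The module's base address, or <see cref="IntPtr.Zero"/> when the snapshot cannot be
        /// created, the module list is empty, or no module matches.
        /// </returns>
        // Token: 0x06000043 RID: 67 RVA: 0x000054E8 File Offset: 0x000036E8
        public static IntPtr GetModuleBaseAddress(int procId, string modName)
        {
            IntPtr snapshot = CreateToolhelp32Snapshot(SnapshotFlags.Module | SnapshotFlags.Module32, procId);
            if (snapshot.ToInt64() == INVALID_HANDLE_VALUE)
            {
                // Nothing was opened, so there is nothing to close. The original passed the
                // invalid handle value to CloseHandle on this path.
                return IntPtr.Zero;
            }

            try
            {
                MODULEENTRY32 entry = default(MODULEENTRY32);
                // The API requires dwSize to be set before the first call.
                entry.dwSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32));

                if (!Module32First(snapshot, ref entry))
                {
                    return IntPtr.Zero;
                }

                do
                {
                    if (string.Equals(entry.szModule, modName, StringComparison.Ordinal))
                    {
                        return entry.modBaseAddr;
                    }
                }
                while (Module32Next(snapshot, ref entry));

                return IntPtr.Zero;
            }
            finally
            {
                // Release the snapshot on every path, including an exception during marshalling.
                CloseHandle(snapshot);
            }
        }

        /// <summary>
        /// Follows a pointer chain in the process behind <paramref name="hProc"/>: for each
        /// offset, reads the pointer-sized value stored at the current address and adds the
        /// offset to it.
        /// </summary>
        /// <param name="hProc">Process handle passed to ReadProcessMemory.</param>
        /// <param name="ptr">Address at which the first pointer is read.</param>
        /// <param name="offsets">Offsets applied in order; an empty array returns <paramref name="ptr"/> unchanged.</param>
        /// <returns>
        /// The address reached after the last offset, or <see cref="IntPtr.Zero"/> when any
        /// read fails.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="offsets"/> is null.</exception>
        // Token: 0x06000044 RID: 68 RVA: 0x00005584 File Offset: 0x00003784
        public static IntPtr FindDMAAddy(IntPtr hProc, IntPtr ptr, int[] offsets)
        {
            if (offsets == null)
            {
                throw new ArgumentNullException("offsets");
            }

            // Pointer width is taken from THIS process (IntPtr.Size), not from the target.
            byte[] buffer = new byte[IntPtr.Size];

            foreach (int offset in offsets)
            {
                IntPtr bytesRead;
                bool readOk = ReadProcessMemory(hProc, ptr, buffer, (long)buffer.Length, out bytesRead);
                if (!readOk)
                {
                    // The original ignored the result and went on to build the next address
                    // from stale buffer contents. Only the BOOL result is consulted; bytesRead
                    // is not relied on because of the nSize declaration noted on the import.
                    return IntPtr.Zero;
                }

                long pointee = IntPtr.Size == 4
                    ? BitConverter.ToInt32(buffer, 0)
                    : BitConverter.ToInt64(buffer, 0);
                ptr = IntPtr.Add(new IntPtr(pointee), offset);
            }

            return ptr;
        }

        // Value CreateToolhelp32Snapshot returns on failure.
        private const int INVALID_HANDLE_VALUE = -1; // Token: 0x0400006C RID: 108

        /// <summary>Access-right bits passed to <see cref="OpenProcess"/>.</summary>
        // Token: 0x02000008 RID: 8
        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,                     // 2035711; Token: 0x04000071 RID: 113
            Terminate = 0x00000001,               // Token: 0x04000072 RID: 114
            CreateThread = 0x00000002,            // Token: 0x04000073 RID: 115
            VirtualMemoryOperation = 0x00000008,  // Token: 0x04000074 RID: 116
            VirtualMemoryRead = 0x00000010,       // Token: 0x04000075 RID: 117
            VirtualMemoryWrite = 0x00000020,      // Token: 0x04000076 RID: 118
            DuplicateHandle = 0x00000040,         // Token: 0x04000077 RID: 119
            CreateProcess = 0x00000080,           // Token: 0x04000078 RID: 120
            SetQuota = 0x00000100,                // Token: 0x04000079 RID: 121
            SetInformation = 0x00000200,          // Token: 0x0400007A RID: 122
            QueryInformation = 0x00000400,        // Token: 0x0400007B RID: 123
            QueryLimitedInformation = 0x00001000, // Token: 0x0400007C RID: 124
            Synchronize = 0x00100000              // Token: 0x0400007D RID: 125
        }

        /// <summary>Managed mirror of the record filled in by Process32First/Process32Next.</summary>
        // Token: 0x02000009 RID: 9
        public struct PROCESSENTRY32
        {
            public uint dwSize;              // Token: 0x0400007E RID: 126
            public uint cntUsage;            // Token: 0x0400007F RID: 127
            public uint th32ProcessID;       // Token: 0x04000080 RID: 128
            public IntPtr th32DefaultHeapID; // Token: 0x04000081 RID: 129
            public uint th32ModuleID;        // Token: 0x04000082 RID: 130
            public uint cntThreads;          // Token: 0x04000083 RID: 131
            public uint th32ParentProcessID; // Token: 0x04000084 RID: 132
            public int pcPriClassBase;       // Token: 0x04000085 RID: 133
            public uint dwFlags;             // Token: 0x04000086 RID: 134

            // Fixed-size inline character buffer, marshalled as a string.
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string szExeFile;         // Token: 0x04000087 RID: 135
        }

        /// <summary>Managed mirror of the record filled in by Module32First/Module32Next.</summary>
        // Token: 0x0200000A RID: 10
        public struct MODULEENTRY32
        {
            internal uint dwSize;        // Token: 0x04000088 RID: 136 (set by the caller before Module32First)
            internal uint th32ModuleID;  // Token: 0x04000089 RID: 137
            internal uint th32ProcessID; // Token: 0x0400008A RID: 138
            internal uint GlblcntUsage;  // Token: 0x0400008B RID: 139
            internal uint ProccntUsage;  // Token: 0x0400008C RID: 140
            internal IntPtr modBaseAddr; // Token: 0x0400008D RID: 141 (value returned by GetModuleBaseAddress)
            internal uint modBaseSize;   // Token: 0x0400008E RID: 142
            internal IntPtr hModule;     // Token: 0x0400008F RID: 143

            // Module name compared against modName in GetModuleBaseAddress(int, string).
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
            internal string szModule;    // Token: 0x04000090 RID: 144

            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            internal string szExePath;   // Token: 0x04000091 RID: 145
        }

        /// <summary>Flags selecting what <see cref="CreateToolhelp32Snapshot"/> captures.</summary>
        // Token: 0x0200000B RID: 11
        [Flags]
        private enum SnapshotFlags : uint
        {
            HeapList = 0x00000001, // Token: 0x04000093 RID: 147
            Process = 0x00000002,  // Token: 0x04000094 RID: 148
            Thread = 0x00000004,   // Token: 0x04000095 RID: 149
            Module = 0x00000008,   // Token: 0x04000096 RID: 150
            Module32 = 0x00000010, // Token: 0x04000097 RID: 151
            Inherit = 0x80000000,  // Token: 0x04000098 RID: 152
            All = 0x0000001F,      // 31; Token: 0x04000099 RID: 153
            NoHeaps = 0x40000000   // Token: 0x0400009A RID: 154
        }
    }
}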