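/*
 * LOAD_DLL_DEBUG_EVENT handler: resolves the on-disk path of the DLL the
 * debuggee just mapped, reads its PE headers out of the debuggee's address
 * space (via the file-global hProcess) and hands the module bounds to
 * load_dll_handler().
 *
 * hFile  - file handle delivered with the debug event; owned by the caller,
 *          not closed here.
 * dwBase - load address of the image inside the debuggee.
 *
 * Returns 1 when load_dll_handler() was invoked, 0 on any failure. Every
 * exit path releases the file-mapping handle and the mapped view; the
 * previous version leaked the mapping handle on every path and the view on
 * the early returns.
 *
 * The header fields read here (e_lfanew, signatures, SizeOfImage, ...) come
 * from the debuggee and are untrusted. They are used only as addresses passed
 * to ReadProcessMemory, which fails cleanly on an unreadable range, and are
 * forwarded to the handler as-is; the MZ/PE signatures are now verified
 * instead of being read and discarded.
 */
int Load_Dll_Event(HANDLE hFile,DWORD dwBase) {
    HANDLE hFileMapp = NULL;
    LPVOID lpMappedBase = NULL;
    char szDll[2048];
    WORD wMagicMZ = 0;
    DWORD dwOffsetPE = 0, dwMagicPE = 0;
    SIZE_T cbRead = 0;
    IMAGE_FILE_HEADER file_header;
    IMAGE_OPTIONAL_HEADER optional_header;
    MODULE_INFO module_info;
    DWORD dwBaseOfCode, dwSizeOfCode;
    int rc = 0;

    szDll[0] = '\0';
    memset(&file_header, 0, sizeof(file_header));
    memset(&optional_header, 0, sizeof(optional_header));
    memset(&module_info, 0, sizeof(module_info));

    /* Map a single byte of the file: that is enough for GetMappedFileNameA
     * to name it, and it avoids mapping the whole image into the debugger. */
    hFileMapp = CreateFileMappingA(hFile, 0, PAGE_READONLY, 0, 1, 0);
    if (hFileMapp != 0) {
        lpMappedBase = MapViewOfFile(hFileMapp, FILE_MAP_READ, 0, 0, 1);
    }
    if (hFileMapp == 0 || lpMappedBase == 0) {
        Log(" load dll handler err:%d CFM:%d", GetLastError(), hFileMapp);
        goto cleanup;
    }

    /* Returns the number of characters copied; 0 means failure, in which
     * case szDll would otherwise be passed on undefined. The buffer is also
     * terminated explicitly in case the name was truncated to fit. */
    if (GetMappedFileNameA(GetCurrentProcess(), lpMappedBase, szDll, sizeof(szDll)) == 0) {
        Log(" load dll handler GetMappedFileName err:%d", GetLastError());
        goto cleanup;
    }
    szDll[sizeof(szDll) - 1] = '\0';

    /* IMAGE_DOS_HEADER.e_magic, e_lfanew (offset 0x3c), then
     * IMAGE_NT_HEADERS.Signature at e_lfanew. */
    if (!read_word_at_offset((DWORD)dwBase, wMagicMZ)) goto cleanup;
    if (!read_dword_at_offset((DWORD)dwBase + 0x3c, dwOffsetPE)) goto cleanup;
    if (!read_dword_at_offset((DWORD)dwBase + dwOffsetPE, dwMagicPE)) goto cleanup;

    /* A module without valid MZ/PE signatures cannot yield a meaningful
     * optional header; bail out rather than report bounds derived from
     * whatever bytes happen to follow. */
    if (wMagicMZ != IMAGE_DOS_SIGNATURE || dwMagicPE != IMAGE_NT_SIGNATURE) {
        Log(" load dll handler: bad PE signature at base %x", dwBase);
        goto cleanup;
    }

    /* IMAGE_NT_HEADERS layout: Signature (4 bytes) | IMAGE_FILE_HEADER |
     * IMAGE_OPTIONAL_HEADER. Both reads are checked: an unchecked short read
     * would leave the zeroed optional_header in place and report a
     * zero-sized module to the handler. */
    if (!ReadProcessMemory(hProcess, (LPCVOID)((DWORD)dwBase + dwOffsetPE + 4),
                           &file_header, sizeof(file_header), &cbRead)
        || cbRead != sizeof(file_header)) {
        Log(" load dll handler: cannot read file header err:%d", GetLastError());
        goto cleanup;
    }
    if (!ReadProcessMemory(hProcess, (LPCVOID)((DWORD)dwBase + dwOffsetPE + 4 + sizeof(file_header)),
                           &optional_header, sizeof(optional_header), &cbRead)
        || cbRead != sizeof(optional_header)) {
        Log(" load dll handler: cannot read optional header err:%d", GetLastError());
        goto cleanup;
    }

    module_info.lpBaseLow = (DWORD)dwBase;
    module_info.lpBaseHigh = (DWORD)dwBase + optional_header.SizeOfImage;
    module_info.dwSizeOfImage = optional_header.SizeOfImage;
    /* Bounded copy: szDll holds up to 2048 bytes and szModuleName may be
     * smaller. sizeof is valid here because the original lstrcpyA wrote into
     * this member of an uninitialized local, so it must be an inline array. */
    lstrcpynA(module_info.szModuleName, szDll, sizeof(module_info.szModuleName));

    dwBaseOfCode = optional_header.BaseOfCode;
    dwSizeOfCode = optional_header.SizeOfCode;
    Log("mapped base:%x szDll:%s handler:%x", lpMappedBase, szDll, load_dll_handler);
    load_dll_handler(szDll, module_info.lpBaseLow, optional_header.SizeOfImage, dwBaseOfCode, dwSizeOfCode);
    rc = 1;

cleanup:
    if (lpMappedBase) {
        UnmapViewOfFile(lpMappedBase);
    }
    if (hFileMapp) {
        CloseHandle(hFileMapp);
    }
    return rc;
}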
// https://msdn.microsoft.com/en-us/library/aa366789.aspx static BOOL GetFileNameFromHandle(HANDLE hFile, LPSTR lpszFilePath, DWORD cchFilePath) { static HMODULE hKernel32; typedef DWORD (WINAPI *PFNGETFINALPATHNAMEBYHANDLE)(HANDLE, LPSTR, DWORD, DWORD); static PFNGETFINALPATHNAMEBYHANDLE pfnGetFinalPathNameByHandle = NULL; if (!hKernel32) { hKernel32 = GetModuleHandleA("kernel32.dll"); if (hKernel32) { pfnGetFinalPathNameByHandle = (PFNGETFINALPATHNAMEBYHANDLE)GetProcAddress(hKernel32, "GetFinalPathNameByHandleA"); } } if (pfnGetFinalPathNameByHandle) { return pfnGetFinalPathNameByHandle(hFile, lpszFilePath, cchFilePath, 0) < cchFilePath; } DWORD dwFileSizeHi = 0; DWORD dwFileSizeLo = GetFileSize(hFile, &dwFileSizeHi); if (dwFileSizeLo == 0 && dwFileSizeHi == 0) { // Cannot map a file with a length of zero. return FALSE; } BOOL bSuccess = FALSE; HANDLE hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 1, NULL); if (hFileMap) { LPVOID pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1); if (pMem) { if (GetMappedFileNameA(GetCurrentProcess(), pMem, lpszFilePath, cchFilePath)) { // Unlike the example, we don't bother transliting the path with device name to drive letters. bSuccess = TRUE; } UnmapViewOfFile(pMem); } CloseHandle(hFileMap); } return bSuccess; }