in Detours/creatwth.cpp [371:511]
static BOOL UpdateFrom32To64(HANDLE hProcess, HMODULE hModule, WORD machine,
DETOUR_EXE_RESTORE& der)
{
IMAGE_DOS_HEADER idh;
IMAGE_NT_HEADERS32 inh32;
IMAGE_NT_HEADERS64 inh64;
IMAGE_SECTION_HEADER sects[32];
PBYTE pbModule = (PBYTE)hModule;
DWORD n;
ZeroMemory(&inh32, sizeof(inh32));
ZeroMemory(&inh64, sizeof(inh64));
ZeroMemory(sects, sizeof(sects));
DETOUR_TRACE(("UpdateFrom32To64(%04x)\n", machine));
//////////////////////////////////////////////////////// Read old headers.
//
if (!ReadProcessMemory(hProcess, pbModule, &idh, sizeof(idh), NULL)) {
DETOUR_TRACE(("ReadProcessMemory(idh@%p..%p) failed: %d\n",
pbModule, pbModule + sizeof(idh), GetLastError()));
return FALSE;
}
DETOUR_TRACE(("ReadProcessMemory(idh@%p..%p)\n",
pbModule, pbModule + sizeof(idh)));
PBYTE pnh = pbModule + idh.e_lfanew;
if (!ReadProcessMemory(hProcess, pnh, &inh32, sizeof(inh32), NULL)) {
DETOUR_TRACE(("ReadProcessMemory(inh@%p..%p) failed: %d\n",
pnh, pnh + sizeof(inh32), GetLastError()));
return FALSE;
}
DETOUR_TRACE(("ReadProcessMemory(inh@%p..%p)\n", pnh, pnh + sizeof(inh32)));
if (inh32.FileHeader.NumberOfSections > (sizeof(sects)/sizeof(sects[0]))) {
return FALSE;
}
PBYTE psects = pnh +
FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
inh32.FileHeader.SizeOfOptionalHeader;
ULONG cb = inh32.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
if (!ReadProcessMemory(hProcess, psects, §s, cb, NULL)) {
DETOUR_TRACE(("ReadProcessMemory(ish@%p..%p) failed: %d\n",
psects, psects + cb, GetLastError()));
return FALSE;
}
DETOUR_TRACE(("ReadProcessMemory(ish@%p..%p)\n", psects, psects + cb));
////////////////////////////////////////////////////////// Convert header.
//
inh64.Signature = inh32.Signature;
inh64.FileHeader = inh32.FileHeader;
inh64.FileHeader.Machine = machine;
inh64.FileHeader.SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER64);
inh64.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC;
inh64.OptionalHeader.MajorLinkerVersion = inh32.OptionalHeader.MajorLinkerVersion;
inh64.OptionalHeader.MinorLinkerVersion = inh32.OptionalHeader.MinorLinkerVersion;
inh64.OptionalHeader.SizeOfCode = inh32.OptionalHeader.SizeOfCode;
inh64.OptionalHeader.SizeOfInitializedData = inh32.OptionalHeader.SizeOfInitializedData;
inh64.OptionalHeader.SizeOfUninitializedData = inh32.OptionalHeader.SizeOfUninitializedData;
inh64.OptionalHeader.AddressOfEntryPoint = inh32.OptionalHeader.AddressOfEntryPoint;
inh64.OptionalHeader.BaseOfCode = inh32.OptionalHeader.BaseOfCode;
inh64.OptionalHeader.ImageBase = inh32.OptionalHeader.ImageBase;
inh64.OptionalHeader.SectionAlignment = inh32.OptionalHeader.SectionAlignment;
inh64.OptionalHeader.FileAlignment = inh32.OptionalHeader.FileAlignment;
inh64.OptionalHeader.MajorOperatingSystemVersion
= inh32.OptionalHeader.MajorOperatingSystemVersion;
inh64.OptionalHeader.MinorOperatingSystemVersion
= inh32.OptionalHeader.MinorOperatingSystemVersion;
inh64.OptionalHeader.MajorImageVersion = inh32.OptionalHeader.MajorImageVersion;
inh64.OptionalHeader.MinorImageVersion = inh32.OptionalHeader.MinorImageVersion;
inh64.OptionalHeader.MajorSubsystemVersion = inh32.OptionalHeader.MajorSubsystemVersion;
inh64.OptionalHeader.MinorSubsystemVersion = inh32.OptionalHeader.MinorSubsystemVersion;
inh64.OptionalHeader.Win32VersionValue = inh32.OptionalHeader.Win32VersionValue;
inh64.OptionalHeader.SizeOfImage = inh32.OptionalHeader.SizeOfImage;
inh64.OptionalHeader.SizeOfHeaders = inh32.OptionalHeader.SizeOfHeaders;
inh64.OptionalHeader.CheckSum = inh32.OptionalHeader.CheckSum;
inh64.OptionalHeader.Subsystem = inh32.OptionalHeader.Subsystem;
inh64.OptionalHeader.DllCharacteristics = inh32.OptionalHeader.DllCharacteristics;
inh64.OptionalHeader.SizeOfStackReserve = inh32.OptionalHeader.SizeOfStackReserve;
inh64.OptionalHeader.SizeOfStackCommit = inh32.OptionalHeader.SizeOfStackCommit;
inh64.OptionalHeader.SizeOfHeapReserve = inh32.OptionalHeader.SizeOfHeapReserve;
inh64.OptionalHeader.SizeOfHeapCommit = inh32.OptionalHeader.SizeOfHeapCommit;
inh64.OptionalHeader.LoaderFlags = inh32.OptionalHeader.LoaderFlags;
inh64.OptionalHeader.NumberOfRvaAndSizes = inh32.OptionalHeader.NumberOfRvaAndSizes;
for (n = 0; n < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; n++) {
inh64.OptionalHeader.DataDirectory[n] = inh32.OptionalHeader.DataDirectory[n];
}
/////////////////////////////////////////////////////// Write new headers.
//
DWORD dwProtect = 0;
if (!DetourVirtualProtectSameExecuteEx(hProcess, pbModule, inh64.OptionalHeader.SizeOfHeaders,
PAGE_EXECUTE_READWRITE, &dwProtect)) {
return FALSE;
}
if (!WriteProcessMemory(hProcess, pnh, &inh64, sizeof(inh64), NULL)) {
DETOUR_TRACE(("WriteProcessMemory(inh@%p..%p) failed: %d\n",
pnh, pnh + sizeof(inh64), GetLastError()));
return FALSE;
}
DETOUR_TRACE(("WriteProcessMemory(inh@%p..%p)\n", pnh, pnh + sizeof(inh64)));
psects = pnh +
FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
inh64.FileHeader.SizeOfOptionalHeader;
cb = inh64.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
if (!WriteProcessMemory(hProcess, psects, §s, cb, NULL)) {
DETOUR_TRACE(("WriteProcessMemory(ish@%p..%p) failed: %d\n",
psects, psects + cb, GetLastError()));
return FALSE;
}
DETOUR_TRACE(("WriteProcessMemory(ish@%p..%p)\n", psects, psects + cb));
// Record the updated headers.
if (!RecordExeRestore(hProcess, hModule, der)) {
return FALSE;
}
// Remove the import table.
if (der.pclr != NULL && (der.clr.Flags & 1)) {
inh64.IMPORT_DIRECTORY.VirtualAddress = 0;
inh64.IMPORT_DIRECTORY.Size = 0;
if (!WriteProcessMemory(hProcess, pnh, &inh64, sizeof(inh64), NULL)) {
DETOUR_TRACE(("WriteProcessMemory(inh@%p..%p) failed: %d\n",
pnh, pnh + sizeof(inh64), GetLastError()));
return FALSE;
}
}
DWORD dwOld = 0;
if (!VirtualProtectEx(hProcess, pbModule, inh64.OptionalHeader.SizeOfHeaders,
dwProtect, &dwOld)) {
return FALSE;
}
return TRUE;
}