+// Purpose: Implementation of the CModule class.
+// Original commit: https://github.com/IcePixelx/silver-bun/commit/72c74b455bf4d02b424096ad2f30cd65535f814c
+#include "module.h"
+#include "utils.h"
+// Purpose: constructor
+// Input : *szModuleName -
+CModule::CModule(HMODULE hModule)
+ MODULEINFO mInfo {0};
+ if (hModule && hModule != INVALID_HANDLE_VALUE)
+ GetModuleInformation(GetCurrentProcess(), hModule, &mInfo, sizeof(MODULEINFO));
+ m_nModuleSize = static_cast<size_t>(mInfo.SizeOfImage);
+ m_pModuleBase = reinterpret_cast<uintptr_t>(mInfo.lpBaseOfDll);
+ if (!m_nModuleSize || !m_pModuleBase)
+ return;
+ CHAR szModuleName[MAX_PATH];
+ DWORD dwSize = GetModuleFileNameA(hModule, szModuleName, sizeof(szModuleName));
+ char* chLast = strrchr(szModuleName, '\\');
+ m_ModuleName = chLast == nullptr ? szModuleName : chLast + 1;
+ Init();
+ LoadSections();
+// Purpose: constructor
+// Input : *szModuleName -
+CModule::CModule(const char* szModuleName)
+ m_pModuleBase = reinterpret_cast<uintptr_t>(GetModuleHandleA(szModuleName));
+ m_ModuleName = szModuleName;
+ Init();
+ LoadSections();
+// Purpose: initializes module descriptors
+void CModule::Init()
+ m_pDOSHeader = reinterpret_cast<IMAGE_DOS_HEADER*>(m_pModuleBase);
+ m_pNTHeaders = reinterpret_cast<decltype(m_pNTHeaders)>(m_pModuleBase + m_pDOSHeader->e_lfanew);
+ m_nModuleSize = static_cast<size_t>(m_pNTHeaders->OptionalHeader.SizeOfImage);
+ const IMAGE_SECTION_HEADER* hSection = IMAGE_FIRST_SECTION(m_pNTHeaders); // Get first image section.
+ for (WORD i = 0; i < m_pNTHeaders->FileHeader.NumberOfSections; i++) // Loop through the sections.
+ {
+ const IMAGE_SECTION_HEADER& hCurrentSection = hSection[i]; // Get current section.
+ m_ModuleSections.push_back(ModuleSections_t(reinterpret_cast<const char*>(hCurrentSection.Name),
+ static_cast<uintptr_t>(m_pModuleBase + hCurrentSection.VirtualAddress), hCurrentSection.SizeOfRawData)); // Push back a struct with the section data.
+ }
+// Purpose: initializes the default executable segments
+void CModule::LoadSections()
+ m_ExecutableCode = GetSectionByName(".text");
+ m_ExceptionTable = GetSectionByName(".pdata");
+ m_RunTimeData = GetSectionByName(".data");
+ m_ReadOnlyData = GetSectionByName(".rdata");
+// Purpose: Gets memory at relative offset
+// Input : nOffset -
+// Output : CMemory
+CMemory CModule::Offset(const uintptr_t nOffset) const
+ return CMemory(m_pModuleBase + nOffset);
+// Purpose: find array of bytes in process memory using SIMD instructions
+// Input : *pPattern -
+// *szMask -
+// *moduleSection -
+// nOccurrence -
+// Output : CMemory
+CMemory CModule::FindPatternSIMD(const uint8_t* pPattern, const char* szMask,
+ const ModuleSections_t* moduleSection, const size_t nOccurrence) const
+ if (!m_ExecutableCode.IsSectionValid())
+ return CMemory();
+ const bool bSectionValid = moduleSection ? moduleSection->IsSectionValid() : false;
+ const uintptr_t nBase = bSectionValid ? moduleSection->m_pSectionBase : m_ExecutableCode.m_pSectionBase;
+ const uintptr_t nSize = bSectionValid ? moduleSection->m_nSectionSize : m_ExecutableCode.m_nSectionSize;
+ const size_t nMaskLen = strlen(szMask);
+ const uint8_t* pData = reinterpret_cast<uint8_t*>(nBase);
+ const uint8_t* pEnd = pData + nSize - nMaskLen;
+ size_t nOccurrenceCount = 0;
+ int nMasks[64]; // 64*16 = enough masks for 1024 bytes.
+ const int iNumMasks = static_cast<int>(ceil(static_cast<float>(nMaskLen) / 16.f));
+ memset(nMasks, '\0', iNumMasks * sizeof(int));
+ for (intptr_t i = 0; i < iNumMasks; ++i)
+ {
+ for (intptr_t j = strnlen(szMask + i * 16, 16) - 1; j >= 0; --j)
+ {
+ if (szMask[i * 16 + j] == 'x')
+ {
+ _bittestandset(reinterpret_cast<LONG*>(&nMasks[i]), static_cast<LONG>(j));
+ }
+ }
+ }
+ const __m128i xmm1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pPattern));
+ __m128i xmm2, xmm3, msks;
+ for (; pData != pEnd; _mm_prefetch(reinterpret_cast<const char*>(++pData + 64), _MM_HINT_NTA))
+ {
+ if (pPattern[0] == pData[0])
+ {
+ xmm2 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pData));
+ msks = _mm_cmpeq_epi8(xmm1, xmm2);
+ if ((_mm_movemask_epi8(msks) & nMasks[0]) == nMasks[0])
+ {
+ for (uintptr_t i = 1; i < static_cast<uintptr_t>(iNumMasks); ++i)
+ {
+ xmm2 = _mm_loadu_si128(reinterpret_cast<const __m128i*>((pData + i * 16)));
+ xmm3 = _mm_loadu_si128(reinterpret_cast<const __m128i*>((pPattern + i * 16)));
+ msks = _mm_cmpeq_epi8(xmm2, xmm3);
+ if ((_mm_movemask_epi8(msks) & nMasks[i]) == nMasks[i])
+ {
+ if ((i + 1) == iNumMasks)
+ {
+ if (nOccurrenceCount == nOccurrence)
+ {
+ return static_cast<CMemory>(const_cast<uint8_t*>(pData));
+ }
+ nOccurrenceCount++;
+ }
+ }
+ else
+ {
+ goto cont;
+ }
+ }
+ if (nOccurrenceCount == nOccurrence)
+ {
+ return static_cast<CMemory>((&*(const_cast<uint8_t*>(pData))));
+ }
+ nOccurrenceCount++;
+ }
+ }cont:;
+ }
+ return CMemory();
+// Purpose: find a string pattern in process memory using SIMD instructions
+// Input : *szPattern -
+// *moduleSection -
+// Output : CMemory
+CMemory CModule::FindPatternSIMD(const char* szPattern, const ModuleSections_t* moduleSection) const
+ const std::pair<std::vector<uint8_t>, std::string> patternInfo = Utils::PatternToMaskedBytes(szPattern);
+ return FindPatternSIMD(patternInfo.first.data(), patternInfo.second.c_str(), moduleSection);
+// Purpose: find address of reference to string constant in executable memory
+// Input : *szString -
+// bNullTerminator -
+// Output : CMemory
+CMemory CModule::FindString(const char* szString, const ptrdiff_t nOccurrence, bool bNullTerminator) const
+ if (!m_ExecutableCode.IsSectionValid())
+ return CMemory();
+ const CMemory stringAddress = FindStringReadOnly(szString, bNullTerminator); // Get Address for the string in the .rdata section.
+ if (!stringAddress)
+ return CMemory();
+ uint8_t* pLatestOccurrence = nullptr;
+ uint8_t* pTextStart = reinterpret_cast<uint8_t*>(m_ExecutableCode.m_pSectionBase); // Get the start of the .text section.
+ ptrdiff_t dOccurrencesFound = 0;
+ CMemory resultAddress;
+ for (size_t i = 0ull; i < m_ExecutableCode.m_nSectionSize - 0x5; i++)
+ {
+ byte byte = pTextStart[i];
+ if (byte == 0x8D) // 0x8D = LEA
+ {
+ const CMemory skipOpCode = CMemory(reinterpret_cast<uintptr_t>(&pTextStart[i])).OffsetSelf(0x2); // Skip next 2 opcodes, those being the instruction and the register.
+ const int32_t relativeAddress = skipOpCode.GetValue<int32_t>(); // Get 4-byte long string relative Address
+ const uintptr_t nextInstruction = skipOpCode.Offset(0x4).GetPtr(); // Get location of next instruction.
+ const CMemory potentialLocation = CMemory(nextInstruction + relativeAddress); // Get potential string location.
+ if (potentialLocation == stringAddress)
+ {
+ dOccurrencesFound++;
+ if (nOccurrence == dOccurrencesFound)
+ {
+ return CMemory(&pTextStart[i]);
+ }
+ pLatestOccurrence = &pTextStart[i]; // Stash latest occurrence.
+ }
+ }
+ }
+ return CMemory(pLatestOccurrence);
+// Purpose: find address of input string constant in read only memory
+// Input : *szString -
+// bNullTerminator -
+// Output : CMemory
+CMemory CModule::FindStringReadOnly(const char* szString, bool bNullTerminator) const
+ if (!m_ReadOnlyData.IsSectionValid())
+ return CMemory();
+ const std::vector<int> vBytes = Utils::StringToBytes(szString, bNullTerminator); // Convert our string to a byte array.
+ const std::pair<size_t, const int*> bytesInfo = std::make_pair<size_t, const int*>(vBytes.size(), vBytes.data()); // Get the size and data of our bytes.
+ const uint8_t* pBase = reinterpret_cast<uint8_t*>(m_ReadOnlyData.m_pSectionBase); // Get start of .rdata section.
+ for (size_t i = 0ull; i < m_ReadOnlyData.m_nSectionSize - bytesInfo.first; i++)
+ {
+ bool bFound = true;
+ // If either the current byte equals to the byte in our pattern or our current byte in the pattern is a wildcard
+ // our if clause will be false.
+ for (size_t j = 0ull; j < bytesInfo.first; j++)
+ {
+ if (pBase[i + j] != bytesInfo.second[j] && bytesInfo.second[j] != -1)
+ {
+ bFound = false;
+ break;
+ }
+ }
+ if (bFound)
+ {
+ return CMemory(&pBase[i]);
+ }
+ }
+ return CMemory();
+// Purpose: find 'free' page in r/w/x sections
+// Input : nSize -
+// Output : CMemory
+CMemory CModule::FindFreeDataPage(const size_t nSize) const
+ auto checkDataSection = [](const void* address, const std::size_t size)
+ {
+ VirtualQuery(address, &membInfo, sizeof(membInfo));
+ if (membInfo.AllocationBase && membInfo.BaseAddress && membInfo.State == MEM_COMMIT && !(membInfo.Protect & PAGE_GUARD) && membInfo.Protect != PAGE_NOACCESS)
+ {
+ if ((membInfo.Protect & (PAGE_EXECUTE_READWRITE | PAGE_READWRITE)) && membInfo.RegionSize >= size)
+ {
+ return ((membInfo.Protect & (PAGE_EXECUTE_READWRITE | PAGE_READWRITE)) && membInfo.RegionSize >= size) ? true : false;
+ }
+ }
+ return false;
+ };
+ // This is very unstable, this doesn't check for the actual 'page' sizes.
+ // Also can be optimized to search per 'section'.
+ const uintptr_t endOfModule = m_pModuleBase + m_pNTHeaders->OptionalHeader.SizeOfImage - sizeof(uintptr_t);
+ for (uintptr_t currAddr = endOfModule; m_pModuleBase < currAddr; currAddr -= sizeof(uintptr_t))
+ {
+ if (*reinterpret_cast<uintptr_t*>(currAddr) == 0 && checkDataSection(reinterpret_cast<void*>(currAddr), nSize))
+ {
+ bool bIsGoodPage = true;
+ uint32_t nPageCount = 0;
+ for (; nPageCount < nSize && bIsGoodPage; nPageCount += sizeof(uintptr_t))
+ {
+ const uintptr_t pageData = *reinterpret_cast<std::uintptr_t*>(currAddr + nPageCount);
+ if (pageData != 0)
+ bIsGoodPage = false;
+ }
+ if (bIsGoodPage && nPageCount >= nSize)
+ return currAddr;
+ }
+ }
+ return CMemory();
+// Purpose: get address of a virtual method table by rtti type descriptor name
+// Input : *szTableName -
+// nRefIndex -
+// Output : CMemory
+CMemory CModule::GetVirtualMethodTable(const char* szTableName, const size_t nRefIndex)
+ if (!m_ReadOnlyData.IsSectionValid()) // Process decided to rename the readonlydata section if this fails.
+ return CMemory();
+ ModuleSections_t moduleSection(".data", m_RunTimeData.m_pSectionBase, m_RunTimeData.m_nSectionSize);
+ const auto tableNameInfo = Utils::StringToMaskedBytes(szTableName, false);
+ CMemory rttiTypeDescriptor = FindPatternSIMD(tableNameInfo.first.data(), tableNameInfo.second.c_str(), &moduleSection).OffsetSelf(-0x10);
+ if (!rttiTypeDescriptor)
+ return CMemory();
+ uintptr_t scanStart = m_ReadOnlyData.m_pSectionBase; // Get the start address of our scan.
+ const uintptr_t scanEnd = (m_ReadOnlyData.m_pSectionBase + m_ReadOnlyData.m_nSectionSize) - 0x4; // Calculate the end of our scan.
+ const uintptr_t rttiTDRva = rttiTypeDescriptor.GetPtr() - m_pModuleBase; // The RTTI gets referenced by a 4-Byte RVA address. We need to scan for that address.
+ while (scanStart < scanEnd)
+ {
+ moduleSection = { ".rdata", scanStart, m_ReadOnlyData.m_nSectionSize };
+ CMemory reference = FindPatternSIMD(reinterpret_cast<rsig_t>(&rttiTDRva), "xxxx", &moduleSection, nRefIndex);
+ if (!reference)
+ break;
+ CMemory referenceOffset = reference.Offset(-0xC);
+ if (referenceOffset.GetValue<int32_t>() != 1) // Check if we got a RTTI Object Locator for this reference by checking if -0xC is 1, which is the 'signature' field which is always 1 on x64.
+ {
+ scanStart = reference.Offset(0x4).GetPtr(); // Set location to current reference + 0x4 so we avoid pushing it back again into the vector.
+ continue;
+ }
+ moduleSection = { ".rdata", m_ReadOnlyData.m_pSectionBase, m_ReadOnlyData.m_nSectionSize };
+ return FindPatternSIMD(reinterpret_cast<rsig_t>(&referenceOffset), "xxxxxxxx", &moduleSection).OffsetSelf(0x8);
+ }
+ return CMemory();
+// Purpose: get address of imported function in this module
+// Input : *szModuleName -
+// *szFunctionName -
+// bGetFunctionReference -
+// Output : CMemory
+CMemory CModule::GetImportedFunction(const char* szModuleName, const char* szFunctionName, const bool bGetFunctionReference) const
+ if (!m_pDOSHeader || m_pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE) // Is dosHeader valid?
+ return CMemory();
+ if (!m_pNTHeaders || m_pNTHeaders->Signature != IMAGE_NT_SIGNATURE) // Is ntHeader valid?
+ return CMemory();
+ // Get the location of IMAGE_IMPORT_DESCRIPTOR for this module by adding the IMAGE_DIRECTORY_ENTRY_IMPORT relative virtual address onto our module base address.
+ IMAGE_IMPORT_DESCRIPTOR* pImageImportDescriptors = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(m_pModuleBase + m_pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
+ if (!pImageImportDescriptors)
+ return CMemory();
+ for (IMAGE_IMPORT_DESCRIPTOR* pIID = pImageImportDescriptors; pIID->Name != 0; pIID++)
+ {
+ // Get virtual relative Address of the imported module name. Then add module base Address to get the actual location.
+ const char* szImportedModuleName = reinterpret_cast<char*>(reinterpret_cast<DWORD*>(m_pModuleBase + pIID->Name));
+ if (_stricmp(szImportedModuleName, szModuleName) == 0) // Is this our wanted imported module?.
+ {
+ // Original First Thunk to get function name.
+ IMAGE_THUNK_DATA* pOgFirstThunk = reinterpret_cast<IMAGE_THUNK_DATA*>(m_pModuleBase + pIID->OriginalFirstThunk);
+ // To get actual function address.
+ IMAGE_THUNK_DATA* pFirstThunk = reinterpret_cast<IMAGE_THUNK_DATA*>(m_pModuleBase + pIID->FirstThunk);
+ for (; pOgFirstThunk->u1.AddressOfData; ++pOgFirstThunk, ++pFirstThunk)
+ {
+ // Get image import by name.
+ const IMAGE_IMPORT_BY_NAME* pImageImportByName = reinterpret_cast<IMAGE_IMPORT_BY_NAME*>(m_pModuleBase + pOgFirstThunk->u1.AddressOfData);
+ if (strcmp(pImageImportByName->Name, szFunctionName) == 0) // Is this our wanted imported function?
+ {
+ // Grab function address from firstThunk.
+#if _WIN64
+ uintptr_t* pFunctionAddress = &pFirstThunk->u1.Function;
+ uintptr_t* pFunctionAddress = reinterpret_cast<uintptr_t*>(&pFirstThunk->u1.Function);
+#endif // #if _WIN64
+ // Reference or address?
+ return bGetFunctionReference ? CMemory(pFunctionAddress) : CMemory(*pFunctionAddress); // Return as CMemory class.
+ }
+ }
+ }
+ }
+ return CMemory();
+// Purpose: get address of exported function in this module
+// Input : *szFunctionName -
+// bNullTerminator -
+// Output : CMemory
+CMemory CModule::GetExportedFunction(const char* szFunctionName) const
+ if (!m_pDOSHeader || m_pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE) // Is dosHeader valid?
+ return CMemory();
+ if (!m_pNTHeaders || m_pNTHeaders->Signature != IMAGE_NT_SIGNATURE) // Is ntHeader valid?
+ return CMemory();
+ // Get the location of IMAGE_EXPORT_DIRECTORY for this module by adding the IMAGE_DIRECTORY_ENTRY_EXPORT relative virtual address onto our module base address.
+ const IMAGE_EXPORT_DIRECTORY* pImageExportDirectory = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>(m_pModuleBase + m_pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+ if (!pImageExportDirectory)
+ return CMemory();
+ // Are there any exported functions?
+ if (!pImageExportDirectory->NumberOfFunctions)
+ return CMemory();
+ // Get the location of the functions via adding the relative virtual address from the struct into our module base address.
+ const DWORD* pAddressOfFunctions = reinterpret_cast<DWORD*>(m_pModuleBase + pImageExportDirectory->AddressOfFunctions);
+ if (!pAddressOfFunctions)
+ return CMemory();
+ // Get the names of the functions via adding the relative virtual address from the struct into our module base Address.
+ const DWORD* pAddressOfName = reinterpret_cast<DWORD*>(m_pModuleBase + pImageExportDirectory->AddressOfNames);
+ if (!pAddressOfName)
+ return CMemory();
+ // Get the ordinals of the functions via adding the relative virtual Address from the struct into our module base address.
+ DWORD* pAddressOfOrdinals = reinterpret_cast<DWORD*>(m_pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
+ if (!pAddressOfOrdinals)
+ return CMemory();
+ for (DWORD i = 0; i < pImageExportDirectory->NumberOfNames; i++) // Iterate through all the functions.
+ {
+ // Get virtual relative Address of the function name. Then add module base Address to get the actual location.
+ const char* ExportFunctionName = reinterpret_cast<char*>(reinterpret_cast<DWORD*>(m_pModuleBase + pAddressOfName[i]));
+ if (strcmp(ExportFunctionName, szFunctionName) == 0) // Is this our wanted exported function?
+ {
+ // Get the function ordinal. Then grab the relative virtual address of our wanted function. Then add module base address so we get the actual location.
+ return CMemory(m_pModuleBase + pAddressOfFunctions[reinterpret_cast<WORD*>(pAddressOfOrdinals)[i]]); // Return as CMemory class.
+ }
+ }
+ return CMemory();
+// Purpose: get the module section by name (example: '.rdata', '.text')
+// Input : *szSectionName -
+// Output : ModuleSections_t
+CModule::ModuleSections_t CModule::GetSectionByName(const char* szSectionName) const
+ for (const ModuleSections_t& section : m_ModuleSections)
+ {
+ if (section.m_SectionName.compare(szSectionName) == 0)
+ return section;
+ }
+ return ModuleSections_t();