I'm injecting native x86 code into a .NET application, via a TLS callback in the binary image. Unfortunately, .NET executables only import `mscorlib.dll` within the PE, and have `kernel32.dll` mapped automatically into the memory space at runtime. I don't want to inject any imports. This makes finding the addresses of `LoadLibrary` and `GetProcAddress` awkward.

My first thought for a solution was to find the PEB via `mov eax, dword ptr [fs:030h]`, then load `PEB->Ldr` and `PEB->Ldr.InMemoryOrderModuleList.Flink` from there, and use them to find the module in memory. From there I could grab the base address of `kernel32.dll` in memory, and offset to the PE header and export directory RVA. From there I could scan through the import entries for the export by name, and find the address.
This has the following problems:
- Lots of code for something as trivial as an API call.
- ASCII string that represents the API name would have to be embedded in the code.
- Caching the found addresses across a long runtime / multiple threads is awkward.
Is there a cleaner way of doing this that solves these problems, without resorting to import injection? Keep in mind that I can't change the EP of the image, because the CLR relies on the EP being a jump to the managed IL.
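The export-directory lookup the question sketches (DOS header to NT headers to data directory to export table, then a scan by name), as an added example that is not code from the question. It parses a constructed minimal PE32 image held in a bytes buffer, so the PEB walk that would locate the real kernel32 base is not shown, and every RVA, export name and the forwarder string are made-up values; it also handles the forwarded-export case, where the "address" points back into the export directory at a `DLL.Symbol` string.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]  # struct.error if out of range
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii")

def find_export(image, name):
    """Resolve `name` in a mapped PE image (RVA == offset); ("rva", n), ("forward", s) or None."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    nt = _u32(image, 0x3C)                                   # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing NT signature")
    opt = nt + 24                                            # past signature + file header
    dd = opt + (96 if _u16(image, opt) == 0x10B else 112)    # data dirs: PE32 vs PE32+
    exp_rva, exp_size = _u32(image, dd), _u32(image, dd + 4) # DataDirectory[EXPORT]
    if exp_rva == 0:
        return None                                          # module exports nothing
    n_funcs, n_names = _u32(image, exp_rva + 20), _u32(image, exp_rva + 24)
    funcs, names, ords = (_u32(image, exp_rva + o) for o in (28, 32, 36))
    for i in range(n_names):                                 # linear scan by name
        if _cstr(image, _u32(image, names + 4 * i)) != name:
            continue
        idx = _u16(image, ords + 2 * i)                      # index into AddressOfFunctions
        if idx >= n_funcs:
            raise ValueError("ordinal out of range")
        rva = _u32(image, funcs + 4 * idx)
        if exp_rva <= rva < exp_rva + exp_size:              # inside export dir: forwarder
            return ("forward", _cstr(image, rva))
        return ("rva", rva)
    return None

def build_test_image():
    """Constructed minimal PE32 image with three exports; every value is made up."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 optional header
    struct.pack_into("<II", img, 0x58 + 96, 0x200, 0x100)         # export dir RVA, size
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,      # IMAGE_EXPORT_DIRECTORY
                     0x2C0, 1, 3, 3, 0x240, 0x250, 0x260)
    struct.pack_into("<III", img, 0x240, 0x4000, 0x2B0, 0x5000)   # AddressOfFunctions
    struct.pack_into("<III", img, 0x250, 0x270, 0x290, 0x2A0)     # AddressOfNames (sorted)
    struct.pack_into("<HHH", img, 0x260, 1, 2, 0)                 # AddressOfNameOrdinals
    for off, s in ((0x270, b"ForwardedExample"), (0x290, b"GetProcAddress"),
                   (0x2A0, b"LoadLibraryA"), (0x2B0, b"OTHER.Target"), (0x2C0, b"kernel32.dll")):
        img[off:off + len(s) + 1] = s + b"\0"
    return bytes(img)
```

On a file read from disk the RVAs would first need section-table translation to file offsets; the offsets-equal-RVAs shortcut only holds for an image already mapped by the loader.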