RunPE resolving dll names result in chinese characters

[0x33]

func readProcessMemoryString(processHandle windows.Handle, address uintptr) (string, error) {
    var buffer [1024]uint16
    var bytesRead uintptr
    err := windows.ReadProcessMemory(processHandle, address, (*byte)(unsafe.Pointer(&buffer[0])), uintptr(len(buffer)*2), &bytesRead)
    if err != nil {
        return "", fmt.Errorf("failed to read process memory: %v", err)
    }

    // Find null terminator
    var length int
    for length = 0; length < len(buffer) && buffer[length] != 0; length++ {}

    dllName := string(utf16.Decode(buffer[:length]))
    
    // Log the DLL name
    fmt.Printf("Attempting to load DLL: %s\n", dllName)

    // Validate DLL name
    if dllName == "" {
        return "", fmt.Errorf("DLL name is empty")
    }

    return dllName, nil
}


func resolveImports(processHandle windows.Handle, baseAddress uintptr, ntHeaders *IMAGE_NT_HEADERS64) error {
    importDir := &ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
    if importDir.Size == 0 {
        return nil // No imports
    }

    var importDescriptor IMAGE_IMPORT_DESCRIPTOR
    importDescriptorAddr := baseAddress + uintptr(importDir.VirtualAddress)

    for {
        err := windows.ReadProcessMemory(processHandle, importDescriptorAddr, (*byte)(unsafe.Pointer(&importDescriptor)), unsafe.Sizeof(importDescriptor), nil)
        if err != nil {
            return fmt.Errorf("failed to read import descriptor: %v", err)
        }

        if importDescriptor.Name == 0 {
            break // End of import descriptors
        }

        dllNameAddr := baseAddress + uintptr(importDescriptor.Name)
        dllName, err := readProcessMemoryString(processHandle, dllNameAddr)
        if err != nil {
            return fmt.Errorf("failed to read DLL name: %v", err)
        }

        fmt.Printf("Attempting to load DLL: %s\n", dllName)
        dll, err := windows.LoadLibrary(dllName)
        if err != nil {
            return fmt.Errorf("failed to load DLL %s: %v", dllName, err)
        }
        defer windows.FreeLibrary(dll)

        var thunk IMAGE_THUNK_DATA64
        thunkAddr := baseAddress + uintptr(importDescriptor.FirstThunk)

        for {
            err := windows.ReadProcessMemory(processHandle, thunkAddr, (*byte)(unsafe.Pointer(&thunk)), unsafe.Sizeof(thunk), nil)
            if err != nil {
                return fmt.Errorf("failed to read thunk data: %v", err)
            }

            if thunk.AddressOfData == 0 {
                break // End of thunks
            }

            var funcAddr uintptr
            if thunk.AddressOfData&0x8000000000000000 != 0 {
                // Import by ordinal
                ordinal := uint16(thunk.AddressOfData & 0xFFFF)
                funcAddr, err = windows.GetProcAddressByOrdinal(dll, uintptr(ordinal))
            } else {
                // Import by name
                importByNameAddr := baseAddress + uintptr(thunk.AddressOfData)
                var importByName IMAGE_IMPORT_BY_NAME
                err := windows.ReadProcessMemory(processHandle, importByNameAddr, (*byte)(unsafe.Pointer(&importByName)), unsafe.Sizeof(importByName), nil)
                if err != nil {
                    return fmt.Errorf("failed to read import by name: %v", err)
                }
                funcName, err := readProcessMemoryString(processHandle, importByNameAddr+2) // Skip Hint
                if err != nil {
                    return fmt.Errorf("failed to read function name: %v", err)
                }
                funcAddr, err = windows.GetProcAddress(dll, funcName)
            }

            if err != nil {
                return fmt.Errorf("failed to get proc address: %v", err)
            }

            err = windows.WriteProcessMemory(processHandle, thunkAddr, (*byte)(unsafe.Pointer(&funcAddr)), unsafe.Sizeof(funcAddr), nil)
            if err != nil {
                return fmt.Errorf("failed to write function address: %v", err)
            }

            thunkAddr += unsafe.Sizeof(thunk)
        }

        importDescriptorAddr += unsafe.Sizeof(importDescriptor)
    }

    return nil
}

Спойлер: Error

[+] Starting RunPE process...
[+] DOS Header: Magic: 0x5A4D, NtHeaders Offset: 128
[+] Valid PE signature found at offset: 128
[+] File Header: Machine: 0x8664, NumberOfSections: 15, TimeDateStamp: 0
[+] Optional Header:
Magic: 0x020B
SizeOfCode: 2654208
SizeOfInitializedData: 260096
SizeOfUninitializedData: 0
AddressOfEntryPoint: 0x74340
ImageBase: 0x400000
SectionAlignment: 4096
FileAlignment: 512
SizeOfImage: 8785920
SizeOfHeaders: 1536
Subsystem: 3
Attempting to load DLL: 敫湲汥㈳搮汬
Attempting to load DLL: 敫湲汥㈳搮汬
In-memory execution failed: failed to resolve imports: failed to load DLL 敫湲汥㈳搮汬: The specified module could not be found.

What is the problem here?

 

[st0rmr1d3r]

utf16.Decode?

 

[0x33]

utf16.Decode?

Before it was something else, but the product was still chinese letters

 

[xlx]

Before it was something else, but the product was still chinese letters

pe import table use ansi for dll names, not utf16/unicode

 

[waahoo]

Try it for read dll name, is ansi string, not utf16, function names too:

func readProcessMemoryAnsi(processHandle windows.Handle, address uintptr) (string, error) {
    var buffer [1024]byte  // <----  byte
    var bytesRead uintptr
    err := windows.ReadProcessMemory(processHandle, address, (*byte)(unsafe.Pointer(&buffer[0])), uintptr(len(buffer)), &bytesRead) // <---- buf len without x2
    if err != nil {
        return "", fmt.Errorf("failed to read process memory: %v", err)
    }

    // Find null terminator
    var length int
    for length = 0; length < len(buffer) && buffer[length] != 0; length++ {}

    dllName := string(buffer[:length]) // <---- not utf16
    
    // Log the DLL name
    fmt.Printf("Attempting to load DLL: %s\n", dllName)

    // Validate DLL name
    if dllName == "" {
        return "", fmt.Errorf("DLL name is empty")
    }

    return dllName, nil
}