Added fix for user marshal parsing issue.

tyranid · tyranid · commit 06cf769a38e7 · 2023-09-02T21:34:55.000-07:00
diff --git a/NtApiDotNet/Ndr/NdrSimpleTypes.cs b/NtApiDotNet/Ndr/NdrSimpleTypes.cs
@@ -337,10 +337,19 @@ internal static IntPtr GetTargetAddress(SafeLoadLibraryHandle curr_module, IntPt
                 case 0xE9:
                     ptr = ptr + 5 + System.Runtime.InteropServices.Marshal.ReadInt32(ptr + 1);
                     break;
-                // lea rax, ofs import - Delay load 64bit
+                // REX prefix, could be a lea rax, ofs import - Delay load 64bit or a jmp.
                 case 0x48:
                     {
-                        if (!Environment.Is64BitProcess || System.Runtime.InteropServices.Marshal.ReadByte(ptr + 1) != 0x8D || System.Runtime.InteropServices.Marshal.ReadByte(ptr + 2) != 0x05)
+                        if (!Environment.Is64BitProcess)
+                        {
+                            return ptr;
+                        }
+                        start_byte = System.Runtime.InteropServices.Marshal.ReadByte(ptr + 1);
+                        if (start_byte == 0xFF)
+                        {
+                            return GetTargetAddress(curr_module, ptr + 1);
+                        }
+                        if (start_byte != 0x8D || System.Runtime.InteropServices.Marshal.ReadByte(ptr + 2) != 0x05)
                         {
                             return ptr;
                         }
