#include <stdio.h>
#include <string.h>

#include <windows.h>
#include <dbghelp.h>
/*
 * Select the thunk array used to enumerate a descriptor's imports.
 *
 * Returns im->OriginalFirstThunk when it is non-zero and falls back to
 * im->FirstThunk otherwise. The value is an RVA taken straight from the
 * parsed file; it is not validated here, so the caller has to check the
 * address it resolves to before dereferencing it.
 */
DWORD get_thunk(PIMAGE_IMPORT_DESCRIPTOR im)
{
    return im->OriginalFirstThunk ? im->OriginalFirstThunk : im->FirstThunk;
}
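/*
 * Returns non-zero when the `need` bytes starting at `p` lie entirely inside
 * the mapped view [view, view + view_size). A NULL `p` is rejected.
 *
 * ImageRvaToVa() takes no file size, so a crafted header can make it hand
 * back NULL or an address outside the mapping. Every pointer derived from
 * the file goes through this check before it is dereferenced.
 */
static int in_view(const BYTE *view, ULONGLONG view_size, const void *p, ULONGLONG need)
{
    ULONG_PTR lo = (ULONG_PTR)view;
    ULONG_PTR at = (ULONG_PTR)p;
    ULONGLONG off;

    if (p == NULL || at < lo)
        return 0;
    off = (ULONGLONG)(at - lo);
    return off <= view_size && need <= view_size - off;
}

/*
 * Returns non-zero when `s` points inside the view and a NUL terminator is
 * found before the end of the view, i.e. when printing it with %s cannot
 * read past the mapping.
 */
static int str_in_view(const BYTE *view, ULONGLONG view_size, const char *s)
{
    ULONGLONG left;

    if (!in_view(view, view_size, s, 1))
        return 0;
    left = view_size - (ULONGLONG)((const BYTE *)s - view);
    return memchr(s, '\0', (size_t)left) != NULL;
}

/*
 * Lists the import table of a 64-bit PE file: each imported DLL followed by
 * the functions imported from it (by name, or by ordinal when no name is
 * recorded).
 *
 * The input file is treated as untrusted. Header offsets, the section table
 * and every address resolved from an RVA are checked against the size of
 * the mapping before use, and parsing stops with a message on the first
 * inconsistency. Names are printed as stored in the file, without filtering
 * control characters.
 *
 * Failures are reported on stdout only; the exit status is always 0.
 */
int main(int i,char *a[])
{
    HANDLE file = INVALID_HANDLE_VALUE;
    HANDLE file_map = NULL;
    LPVOID base = NULL;
    LARGE_INTEGER file_size;
    const BYTE *view;
    ULONGLONG view_size;
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_SECTION_HEADER sec;
    PIMAGE_IMPORT_DESCRIPTOR import;
    PIMAGE_THUNK_DATA thunk;
    PIMAGE_IMPORT_BY_NAME f;
    LPSTR dll_name, func_name;
    int n;

    if (i != 2) {
        printf("Usage: %s <PE>\n", a[0]);
        return 0;
    }

    /* CreateFileA reports failure with INVALID_HANDLE_VALUE, not NULL. */
    file = CreateFileA(a[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        printf("Failed to open file");
        goto done;
    }
    if (!GetFileSizeEx(file, &file_size)) {
        printf("GetFileSizeEx() Failed");
        goto done;
    }
    view_size = (ULONGLONG)file_size.QuadPart;

    file_map = CreateFileMappingA(file, NULL, PAGE_READONLY, 0, 0, NULL);
    if (file_map == NULL) {
        printf("CreateFileMappingA() Failed");
        goto done;
    }
    base = MapViewOfFile(file_map, FILE_MAP_READ, 0, 0, 0);
    if (base == NULL) {
        printf("MapViewOfFile() Failed");
        goto done;
    }
    view = (const BYTE *)base;

    /* DOS header: must fit in the file before e_magic/e_lfanew are read. */
    if (view_size < sizeof(IMAGE_DOS_HEADER)) {
        printf("Invalid PE");
        goto done;
    }
    dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Invalid PE");
        goto done;
    }

    /*
     * e_lfanew comes from the file. Require room for the signature, the file
     * header and the optional-header magic before touching any of them.
     */
    {
        ULONGLONG need = sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + sizeof(WORD);

        if (dos->e_lfanew < 0 || view_size < need ||
            (ULONGLONG)dos->e_lfanew > view_size - need) {
            printf("Invalid PE");
            goto done;
        }
    }
    nt = (PIMAGE_NT_HEADERS)((BYTE *)base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        printf("Invalid PE");
        goto done;
    }
    if (nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) { //for 32bit , use IMAGE_NT_OPTIONAL_HDR32_MAGIC
        printf("This is not 64 bit PE");
        goto done;
    }
    /* Now that the layout is known, the whole header must be in the file. */
    if (!in_view(view, view_size, nt, sizeof *nt)) {
        printf("Invalid PE");
        goto done;
    }

    /*
     * First section header, located right after the optional header.
     * ImageRvaToVa resolves RVAs through this table, so the whole table has
     * to lie inside the mapping before any RVA is resolved.
     */
    sec = IMAGE_FIRST_SECTION(nt);
    if (!in_view(view, view_size, sec,
                 (ULONGLONG)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER))) {
        printf("Invalid PE");
        goto done;
    }

    /* The import entry exists only if the header declares enough directories. */
    if (nt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT ||
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0) {
        printf("There is no import table in this PE");
        goto done;
    }

    import = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(
        nt, base,
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
        NULL);

    /* Descriptor array ends with an entry whose Name is 0. */
    for (;; import++) {
        if (!in_view(view, view_size, import, sizeof *import)) {
            printf("Malformed import table\n");
            goto done;
        }
        if (import->Name == 0)
            break;

        dll_name = (LPSTR)ImageRvaToVa(nt, base, import->Name, NULL);
        if (!str_in_view(view, view_size, dll_name)) {
            printf("Malformed import table\n");
            goto done;
        }
        printf("\t\tDll Name: %s\n", dll_name);

        thunk = (PIMAGE_THUNK_DATA)ImageRvaToVa(nt, base, get_thunk(import), NULL);
        /* Thunk array ends with a zero entry. */
        for (n = 1;; n++, thunk++) {
            if (!in_view(view, view_size, thunk, sizeof *thunk)) {
                printf("Malformed import table\n");
                goto done;
            }
            if (thunk->u1.AddressOfData == 0)
                break;

            if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
                /* IMAGE_ORDINAL yields a 64-bit value here; %#x needs unsigned int. */
                printf("%d. Unknown Function - Function ordinal: %#x\n", n,
                       (unsigned int)IMAGE_ORDINAL(thunk->u1.Ordinal));
                continue;
            }

            /* ImageRvaToVa takes a 32-bit RVA; reject values it would truncate. */
            if (thunk->u1.AddressOfData > 0xFFFFFFFFu) {
                printf("Malformed import table\n");
                goto done;
            }
            f = (PIMAGE_IMPORT_BY_NAME)ImageRvaToVa(nt, base,
                                                    (ULONG)thunk->u1.AddressOfData, NULL);
            if (f == NULL || !str_in_view(view, view_size, (const char *)f->Name)) {
                printf("Malformed import table\n");
                goto done;
            }
            func_name = (LPSTR)f->Name;
            printf("%d. %s\n", n, func_name);
        }
    }

done:
    /* Release in reverse order of acquisition; each step is skipped if it never succeeded. */
    if (base != NULL)
        UnmapViewOfFile(base);
    if (file_map != NULL)
        CloseHandle(file_map);
    if (file != INVALID_HANDLE_VALUE)
        CloseHandle(file);
    return 0;
}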