Untitled

#include "Win32Tools.h"

static void _clean_things (HANDLE hFile, HANDLE hMapping, PBYTE pFile, const char *pErrorMessage);

DWORD
get_pid_by_name (char *proc_name)
{
    DWORD dwPID = 0;

    PROCESSENTRY32 pe32;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    if (!Process32First(hSnapshot, &pe32))
        return 0;

    while (Process32Next(hSnapshot, &pe32))
    {
        if (!strcmp(proc_name, pe32.szExeFile))
        {
            dwPID = pe32.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapshot);

    return dwPID;
}

int
inject_dll_in_process (DWORD pid, char *dll_path)
{
    int pathSize;
    HANDLE hProcess;
    LPVOID hMemory;
    LPTHREAD_START_ROUTINE hLoadLibraryA;
    HANDLE hRemoteThread;
    DWORD lpThreadId;

    info("Ouverture du process.");

    pathSize = strlen(dll_path) + 1;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // We open the process

    if (!hProcess)
    {
        warning("Le process n'a pas pu etre ouvert.");
        return -1;
    }

    info("Reservation et ecriture dans la memoire du processus.");

    hMemory = VirtualAllocEx(hProcess, NULL, pathSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // We allocate memory IN the process

    if(!hMemory)
    {
        warning("VirtualAlloc failed");
        return -1;
    }

    if (!WriteProcessMemory(hProcess, hMemory, dll_path, pathSize, 0)) // We write the DLL full path in the memory allocated (it will be the argument of LoadLibraryA)
    {
        warning("WriteProcessMemory failed");
        return -1;
    }

    info("Creation du thread dans le processus.");

    hLoadLibraryA = (LPTHREAD_START_ROUTINE) GetProcAddress(LoadLibrary("kernel32"), "LoadLibraryA"); // We get the address of LoadLibraryA function

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, hLoadLibraryA, hMemory, 0, &lpThreadId); // We execute LoadLibraryA function with the DLL full path as argument in the remote process through a new remote thread

    if (!hRemoteThread)
    {
        warning("CreateRemoteThread failed.");
        return -1;
    }

    WaitForSingleObject(hRemoteThread, INFINITE);
    VirtualFreeEx(hProcess, hMemory, 0, MEM_DECOMMIT);

    CloseHandle(hProcess);
    CloseHandle(hRemoteThread);

    return 0;
}

HANDLE
get_handle_from_pid (DWORD pid, DWORD flags)
// flags = PROCESS_ALL_ACCESS generarly
{
    HANDLE hHandle = INVALID_HANDLE_VALUE;

    if (flags == -1)
        flags = PROCESS_ALL_ACCESS;

    while (hHandle == INVALID_HANDLE_VALUE)
    {
        hHandle = OpenProcess (
            flags,
            FALSE, pid
        );

        Sleep(1);
    }

    return hHandle;
}

void
exit_process (HANDLE handle)
{
    DWORD code;

    GetExitCodeProcess(handle, &code);
    TerminateProcess(handle, code);
}

void
error_exit (LPTSTR lpszFunction)
{
    LPTSTR  error;

    error = 0;
    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                  NULL, GetLastError(), 0, (LPTSTR)&error, 0, NULL);

    MessageBoxA(NULL, error, lpszFunction, MB_OK | MB_ICONWARNING);

    exit(EXIT_FAILURE);
}

void
enable_debug_privileges (void)
{
    HANDLE hProcess = GetCurrentProcess();
    HANDLE hToken;
    int res;

    if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        res = set_privilege(hToken, SE_DEBUG_NAME, FALSE);

        if (res == 1)
            info("Debug privilege granted.");
        else
            warning("Debug privilege ERROR.");

        CloseHandle(hToken);
    }
}


MODULEENTRY32 *
get_module_entry (char *process_name, DWORD pid, HWND window)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(8u, pid);
    MODULEENTRY32 *me = malloc(sizeof(MODULEENTRY32));

    me->dwSize = 0;
    me->modBaseSize = 0;
    me->modBaseAddr = 0;
    me->hModule = NULL;

    if (snapshot == INVALID_HANDLE_VALUE)
    {
        warning("CreateToolhelp32Snapshot failed : GetLastError() = %d", (int) GetLastError());
        return NULL;
    }

    else
    {
        me->dwSize = sizeof(MODULEENTRY32);

        if (Module32First(snapshot, me))
        {
            while (strcmp(process_name, me->szModule))
            {
                if (!Module32Next(snapshot, me))
                {
                    warning("%s module not found !", process_name);
                    CloseHandle(snapshot);
                    return NULL;
                }
            }

            CloseHandle(snapshot);

            return me;
        }

        else
        {
            CloseHandle(snapshot);
            warning("Module32First failed: GetLastError() = %d\n", (int) GetLastError());
            return NULL;
        }
    }
}

int
set_privilege (HANDLE hToken, LPCTSTR lpszPrivilege, int bEnablePrivilege)
{
    LUID luid;
    int bRet = FALSE;

    if (LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        TOKEN_PRIVILEGES tp;

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = (bEnablePrivilege) ? SE_PRIVILEGE_ENABLED : 0;

        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
        {
            bRet = (GetLastError() == ERROR_SUCCESS);
        }
    }

    return bRet;
}

int
compare_pattern (const unsigned char *buffer, const unsigned char *pattern, const char *mask)
{
    for (;*mask;++mask, ++buffer, ++pattern)
    {
        if (*mask == 'x' && *buffer != *pattern)
            return 0;
    }

    return (*mask) == 0;
}

DWORD
find_pattern (const unsigned char *buffer, DWORD size, unsigned char *pattern, char *mask)
{
    for (int i = 0; i < size; i ++)
    {
        if (compare_pattern((buffer + i), pattern, mask))
            return i;
    }

    return 0;
}

int
read_memory_as_int (HANDLE process, DWORD address)
{
    unsigned char buffer[4] = {[0 ... 3] = 0};
    DWORD bytes_read;

    if (!ReadProcessMemory(process, (PVOID) address, buffer, 4, &bytes_read))
    {
        warning("read_memory_as_int> ReadProcessMemory failed.");
        return 0;
    }

    return bytes_to_int32 (buffer);
}

int
write_memory_as_int (HANDLE process, DWORD address, unsigned int value)
{
    unsigned char buffer[sizeof(int)];
    DWORD bytes_read;

    int32_to_bytes(value, buffer);

    if (!WriteProcessMemory(process, (PVOID) address, buffer, 4, &bytes_read))
    {
        warning("write_memory_as_int> WriteProcessMemory failed.");
        return 0;
    }

    return 1;
}

int
get_path_from_process (HANDLE process, char *buffer)
{
    if (GetModuleFileNameEx(process, NULL, buffer, MAX_PATH) == 0)
    {
        warning("get_full_path_from_process> GetModuleFileNameEx failed.");
        return 0;
    }

    return 1;
}


int
bytes_to_int32 (unsigned char *bytes)
{
    return (((bytes[0] | (bytes[1] << 8)) | (bytes[2] << 0x10)) | (bytes[3] << 0x18));
}

void
int32_to_bytes (unsigned int value, unsigned char *out)
{
    memcpy(out, &value, sizeof(int));
}

void
console_set_pos (int x, int y)
{
    COORD coord;
    coord.X = x;
    coord.Y = y;

    SetConsoleCursorPosition(GetStdHandle(STD_OUTPUT_HANDLE), coord);
}

void
console_stack_pos (int todo)
{
    static int x, y;
    CONSOLE_SCREEN_BUFFER_INFO SBInfo;

    switch (todo)
    {
        case PUSH_POS:
            GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &SBInfo);
            x = SBInfo.dwCursorPosition.X;
            y = SBInfo.dwCursorPosition.Y;
        break;

        case POP_POS:
            console_set_pos(x, y);
        break;
    }
}

void
console_set_size (int w, int h)
{
    SMALL_RECT windowSize = {0, 0, w, h};
    SetConsoleWindowInfo(GetStdHandle(STD_OUTPUT_HANDLE), TRUE, &windowSize);
}

void
console_set_col (int col)
{
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), col);
}

void
error (char *msg, ...)
{
    va_list args;
    console_set_col(0x0C);

    printf("[!] Error : ");

    va_start (args, msg);
        vfprintf (stdout, msg, args);
    va_end (args);

    printf("\n");

    console_set_col(0x07);
    exit(EXIT_FAILURE);
}

void
warning (char *msg, ...)
{
    va_list args;
    console_set_col(0x0E);

    printf("[*] Warning : ");

    va_start (args, msg);
        vfprintf (stdout, msg, args);
    va_end (args);

    printf("\n");

    console_set_col(0x07);
}

void
info (char *msg, ...)
{
    va_list args;
    console_set_col(0x02);

    printf("[+] Info : ");

    va_start (args, msg);
        vfprintf (stdout, msg, args);
    va_end (args);

    printf("\n");

    console_set_col(0x07);
}

DWORD
find_pattern_process (HANDLE process, DWORD start, DWORD end, unsigned char *pattern, char* mask)
/*
*   Exemple :
*   char *pattern = "\x00\xC0\xB7\x44\x00\xC0";
*   DWORD address = find_pattern_process(process, 0x800000, 0xC00000, (PBYTE) pattern, "xxx??x");
*/
{
    DWORD size = end - start;
    unsigned char *buffer = malloc(size + 1);

    if (ReadProcessMemory(process, (PVOID) start, buffer, size, NULL) == FALSE)
    {
        warning("find_pattern_process> ReadProcessMemory failed.");
        return 0;
    }

    else
    {
        DWORD address = find_pattern(buffer, size, pattern, mask);

        if (address)
            return start + address;
    }

    return 0;
}

int
hex_to_dec (char* hex)
{
    int ret = 0, t = 0, n = 0;
    const char *c = hex;

    while (*c && (n < 16))
    {
        if ((*c >= '0') && (*c <= '9'))
            t = (*c - '0');

        else if ((*c >= 'A') && (*c <= 'F'))
            t = (*c - 'A' + 10);

        else if((*c >= 'a') && (*c <= 'f'))
            t = (*c - 'a' + 10);

        else
            break;

        n++;
        ret *= 16;
        ret += t;
        c++;

        if (n >= 8)
            break;
    }

    return ret;
}

char *
create_mask_from_file (char *filename)
{
    char *data = file_get_contents(filename);
    int pos = 0;
    int flag = 1;
    int data_len = strlen(data);
    int i;

    BbQueue *strArray = NULL;
    BbQueue *strArray2 = NULL;
    char* chArray = NULL;
    char str[1024 * 100];

    while (pos <= data_len)
    {
        if (flag)
        {
            pos = str_getline(data, str, sizeof(str), pos);

            strArray = str_explode(str, " ");
            chArray = str_malloc_clear(bb_queue_get_length(strArray) + 1);

            for (i = 0; i < bb_queue_get_length(strArray); i++)
                chArray[i] = 'x';

            pos = str_getline(data, str, sizeof(str), pos);

            if (pos < data_len)
                strArray2 = str_explode(str, " ");

            else
                return chArray;

            flag = 0;
        }

        else
        {
            pos = str_getline(data, str, sizeof(str), pos);
            strArray2 = str_explode(str, " ");
        }

        if (bb_queue_get_length(strArray) != bb_queue_get_length(strArray2))
        {
            warning("create_mask_from_file > Pattern lines aren't the same length.");
            return NULL;
        }

        for (i = 1; i < bb_queue_get_length(strArray) + 1; i++)
        {
            int hex1 = hex_to_dec(bb_queue_pick_nth(strArray, i));
            int hex2 = hex_to_dec(bb_queue_pick_nth(strArray2, i));

            if ((chArray[i-1] == 'x') && (hex1 != hex2))
                chArray[i-1] = '?';
        }

        if (pos == -1 || pos >= data_len)
        {
            // End job
            bb_queue_free_all(strArray, free);
            bb_queue_free_all(strArray2, free);
            free(data);

            return chArray;
        }

        bb_queue_free_all(strArray, free);
        strArray = strArray2;
    }

    return chArray;
}

DWORD
get_module_base (char *module_name, DWORD pid)
{
    MODULEENTRY32 module_entry = {0};
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);

    if (!snapshot)
        return 0;

    module_entry.dwSize = sizeof(module_entry);
    BOOL bModule = Module32First(snapshot, &module_entry);

    while (bModule)
    {
        if (!strcmp(module_entry.szModule, module_name))
        {
            CloseHandle(snapshot);
            return (DWORD) module_entry.modBaseAddr;
        }

        bModule = Module32Next(snapshot, &module_entry);
    }

    CloseHandle(snapshot);

    return 0;
}

static void
_clean_things (HANDLE hFile, HANDLE hMapping, PBYTE pFile, const char *pErrorMessage)
{
    if (pErrorMessage != NULL)
        printf ("%s\n", pErrorMessage);

    if (hFile != NULL)
        CloseHandle (hFile);

    if (pFile != NULL)
        UnmapViewOfFile (pFile);

    if (hMapping != NULL)
        CloseHandle (hMapping);
}

PIMAGE_SECTION_HEADER
GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader)
{
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
    unsigned i;

    for (i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++)
    {
        if ((rva >= section->VirtualAddress) &&
            (rva < (section->VirtualAddress + section->Misc.VirtualSize)))
            return section;
    }

    return 0;
}


LPVOID
get_ptr_from_rva (DWORD rva, PIMAGE_NT_HEADERS pNTHeader, DWORD imageBase)
{
    PIMAGE_SECTION_HEADER pSectionHdr;
    INT delta;

    pSectionHdr = GetEnclosingSectionHeader(rva, pNTHeader);

    if (!pSectionHdr)
        return 0;

    delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
    return (PVOID) (imageBase + rva - delta);
}


void
dump_iat (char *filename)
{
    PIMAGE_DOS_HEADER dos_header;
    LPVOID file_mapping = map_file(filename);
    PIMAGE_NT_HEADERS pNTHeader;
    dos_header = (PIMAGE_DOS_HEADER) file_mapping;
    DWORD base = (DWORD)dos_header;

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, dos_header, dos_header->e_lfanew);

    PIMAGE_IMPORT_DESCRIPTOR importDesc;
    PIMAGE_SECTION_HEADER pSection;
    PIMAGE_THUNK_DATA thunk, thunkIAT=0;
    PIMAGE_IMPORT_BY_NAME pOrdinalName;
    DWORD importsStartRVA;
    PSTR pszTimeDate;

    importsStartRVA = GetImgDirEntryRVA(pNTHeader, IMAGE_DIRECTORY_ENTRY_IMPORT);

    if (!importsStartRVA)
        return;

    pSection = GetEnclosingSectionHeader(importsStartRVA, pNTHeader);

    if (!pSection)
        return;

    importDesc = (PIMAGE_IMPORT_DESCRIPTOR) get_ptr_from_rva(importsStartRVA,pNTHeader,base);

    if (!importDesc)
        return;

    printf("Imports Table:\n");

    while (1)
    {
        if ((importDesc->TimeDateStamp == 0)
        &&  (importDesc->Name == 0))
            break;

        printf("  %s\n", (char*) get_ptr_from_rva(importDesc->Name, pNTHeader, base) );
        printf("  OrigFirstThunk:  %08X (Unbound IAT)\n", (int) importDesc->Characteristics);

        pszTimeDate = ctime((PLONG)&importDesc->TimeDateStamp);
        printf("  TimeDateStamp:   %08X", (int) importDesc->TimeDateStamp );
        printf( pszTimeDate ?  " -> %s" : "\n", pszTimeDate );

        printf("  ForwarderChain:  %08X\n", (int) importDesc->ForwarderChain);
        printf("  First thunk RVA: %08X\n", (int) importDesc->FirstThunk);

        thunk = (PIMAGE_THUNK_DATA)importDesc->Characteristics;
        thunkIAT = (PIMAGE_THUNK_DATA)importDesc->FirstThunk;

        if (thunk == 0)
        {
            thunk = thunkIAT;

            if (thunk == 0)
                return;
        }

        // Adjust the pointer to point where the tables are in the
        // mem mapped file.
        thunk = (PIMAGE_THUNK_DATA) get_ptr_from_rva((DWORD)thunk, pNTHeader, base);

        if (!thunk )
            return;

        thunkIAT = (PIMAGE_THUNK_DATA) get_ptr_from_rva((DWORD)thunkIAT, pNTHeader, base);

        printf("  Ordn  Name\n");

        while (1)
        {
            if (thunk->u1.AddressOfData == 0)
                break;

            if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
            {
                printf("  %4u", (int) IMAGE_ORDINAL(thunk->u1.Ordinal));
            }

            else
            {
                pOrdinalName = (PIMAGE_IMPORT_BY_NAME) thunk->u1.AddressOfData;
                pOrdinalName = (PIMAGE_IMPORT_BY_NAME) get_ptr_from_rva((DWORD)pOrdinalName, pNTHeader, base);

                printf("  %4u  %s", (int) pOrdinalName->Hint, pOrdinalName->Name);
            }

            // If the user explicitly asked to see the IAT entries, or
            // if it looks like the image has been bound, append the address
            if (importDesc->TimeDateStamp)
                printf(" (Bound to: %08X)", (int) thunkIAT->u1.Function);

            printf("\n");

            thunk++;            // Advance to next thunk
            thunkIAT++;         // advance to next thunk
        }

        importDesc++;   // advance to next IMAGE_IMPORT_DESCRIPTOR
        printf("\n");
    }
}

int
dump_eat (char *file_path)
{
    /* The IMAGE_EXPORT_DIRECTORY :
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;                   // DLL name
    DWORD   Base;                   // ordinal base
    DWORD   NumberOfFunctions;      // address table entries
    DWORD   NumberOfNames;          // number of name pointers
    DWORD   AddressOfFunctions;     // Export address table RVA
    DWORD   AddressOfNames;         // Name pointer RVA
    DWORD   AddressOfNameOrdinals;  // Ordinal table RVA */

    char buffer1[500] = {0};
    char buffer2[500] = {0};

    HANDLE hFile = 0, hMapping = 0;
    DWORD FileSize = 0, ExportTableRVA = 0, ImageBase = 0;
    PBYTE pFile = 0;
    PWORD pOrdinals = 0;
    PDWORD pFuncs = 0;
    PIMAGE_DOS_HEADER ImageDosHeader = 0;
    PIMAGE_NT_HEADERS ImageNtHeaders = 0;
    PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = 0;

    hFile = CreateFile(file_path, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);

    if (hFile == INVALID_HANDLE_VALUE)
    {
        _clean_things (NULL, NULL, NULL, "Can't open the required DLL");
        return FALSE;
    }

    FileSize = GetFileSize (hFile, NULL);
    if (FileSize == 0)
    {
        _clean_things (hFile, NULL, NULL, "FileSize is 0 !");
        return FALSE;
    }

    hMapping = CreateFileMapping (hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    if (hMapping == NULL)
    {
        _clean_things (hFile, NULL, NULL, "Can't create the file mapping !");
        return FALSE;
    }

    pFile = (PBYTE) MapViewOfFile (hMapping, FILE_MAP_READ, 0, 0, 0);
    if (pFile == NULL)
    {
        _clean_things (hFile, hMapping, NULL, "Can't map the requested file !");
        return FALSE;
    }

    ImageBase = (DWORD)pFile;
    ImageDosHeader = (PIMAGE_DOS_HEADER) pFile;

    if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        _clean_things (hFile, hMapping, pFile, "This file isn't a PE file !\n\n Wrong IMAGE_DOS_SIGNATURE");
        return FALSE;
    }

    ImageNtHeaders = (PIMAGE_NT_HEADERS)(ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader);

    if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        _clean_things (hFile, hMapping, pFile, "This file isn't a PE file !\n\n Wrong IMAGE_NT_SIGNATURE");
        return FALSE;
    }

    ExportTableRVA = ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (ExportTableRVA == 0)
    {
        _clean_things (hFile, hMapping, pFile, "Export table not found !");
        return FALSE;
    }

    ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY) (ExportTableRVA + ImageBase);


    snprintf(buffer1, sizeof(buffer1), "TimeDateStamp: 0x%08lX - ", ImageExportDirectory->TimeDateStamp);
    strncat(buffer1, ctime((time_t*)&ImageExportDirectory->TimeDateStamp), sizeof(buffer1));

    snprintf(buffer2, sizeof (buffer2),
        "\r\nMajor Version: %i\r\n"
        "Minor Version: %i\r\n"
        "Name RVA: 0x%08lX - DLL Name : %s\r\n"
        "Ordinal Base: 0x%08lX\r\n"
        "Address Table Entries: %d\r\n"
        "Number of Name Pointers: %d\r\n"
        "Export Table Address RVA: 0x%08lX\r\n"
        "Name Pointer RVA: 0x%08lX\r\n"
        "Ordinal Table RVA: 0x%08lX",
        ImageExportDirectory->MajorVersion,
        ImageExportDirectory->MinorVersion,
        ImageExportDirectory->Name,
        (char *)ImageExportDirectory->Name + ImageBase,
        ImageExportDirectory->Base,
        (int) ImageExportDirectory->NumberOfFunctions,
        (int) ImageExportDirectory->NumberOfNames,
        ImageExportDirectory->AddressOfFunctions,
        ImageExportDirectory->AddressOfNames,
        ImageExportDirectory->AddressOfNameOrdinals);

    strncat (buffer1, buffer2, sizeof (buffer1));
    printf("%s\n", buffer1);

    pOrdinals = (PWORD) (ImageExportDirectory->AddressOfNameOrdinals + ImageBase);
    pFuncs = (PDWORD) (ImageExportDirectory->AddressOfFunctions + ImageBase);
    DWORD NumOfNames = ImageExportDirectory->NumberOfNames;

    DWORD ExportTableSize = ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    DWORD ETUpperBoundarie = ExportTableRVA + ExportTableSize;

    for (UINT i = 0; i < ImageExportDirectory->NumberOfFunctions; i++)
    {
        snprintf ((LPTSTR) buffer1, sizeof (buffer1), "Ord: %04lX (0x%08lX)", ImageExportDirectory->Base + i, pFuncs[i]);

        if (pOrdinals[i] < NumOfNames)
        {
            PDWORD pNamePointerRVA =(PDWORD)(ImageExportDirectory->AddressOfNames + ImageBase);
            PCHAR pFuncName = (PCHAR) (pNamePointerRVA[i] + (DWORD) ImageBase);
            snprintf ((LPTSTR)buffer2, sizeof (buffer2), " - %s", pFuncName);
            strncat (buffer1, buffer2, sizeof (buffer1));

            if ( (pFuncs[i] >= ExportTableRVA) && (pFuncs[i] <= ETUpperBoundarie) )
            {
                PDWORD pFwdFunc = (PDWORD) (pFuncs[i] + (DWORD)ImageBase);
                snprintf (buffer2, sizeof (buffer2), " - Fwd to: %s", (char *)pFwdFunc);
                strncat (buffer1, buffer2, sizeof (buffer1));
            }
        }

        printf("%s\n", buffer1);
    }

    _clean_things (hFile, hMapping, pFile, NULL);

    return TRUE;
}

int
is_pe (LPVOID mapping)
{
    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER) mapping;

    if (dos_header->e_magic == IMAGE_DOS_SIGNATURE)
    {
        PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS) ((char*) dos_header + dos_header->e_lfanew);
        return (nt_headers->Signature == IMAGE_NT_SIGNATURE);
    }

    return 0;
}

LPVOID
map_file (char *file_path)
{
    LPVOID ptr_map = NULL;
    HANDLE handle_file = CreateFile(file_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (handle_file != INVALID_HANDLE_VALUE)
    {
        HANDLE handle_map = CreateFileMapping(handle_file, NULL, PAGE_READONLY, 0, 0, 0);

        if (handle_map != NULL)
            ptr_map = MapViewOfFile(handle_map, FILE_MAP_READ, 0, 0, 0);
    }

    return ptr_map;
}