- #include "Win32Tools.h"
- static void _clean_things (HANDLE hFile, HANDLE hMapping, PBYTE pFile, const char *pErrorMessage);
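/*
 * Return the process ID of the first process in a Toolhelp snapshot whose
 * executable name equals proc_name (exact, case-sensitive strcmp against
 * PROCESSENTRY32.szExeFile).
 *
 * Returns 0 when proc_name is NULL, when the snapshot cannot be created or
 * enumerated, or when no entry matches.
 */
DWORD
get_pid_by_name (char *proc_name)
{
    DWORD dwPID = 0;
    PROCESSENTRY32 pe32;
    HANDLE hSnapshot;

    if (proc_name == NULL)
        return 0;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &pe32))
    {
        /* do/while: the entry filled in by Process32First is compared as
         * well, instead of being skipped by an immediate Process32Next. */
        do
        {
            if (!strcmp(proc_name, pe32.szExeFile))
            {
                dwPID = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    /* Single exit path so the snapshot handle is closed even when the
     * enumeration could not start. */
    CloseHandle(hSnapshot);
    return dwPID;
}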
/*
 * Run LoadLibraryA(dll_path) on a new thread inside the process identified
 * by pid.
 *
 * Steps, in order: open the target with PROCESS_ALL_ACCESS, allocate
 * strlen(dll_path) + 1 bytes in it (committed, PAGE_EXECUTE_READWRITE), copy
 * the path into that buffer, start a remote thread at LoadLibraryA with the
 * buffer as its argument, wait for the thread to end, decommit the buffer and
 * close both handles.
 *
 * Returns 0 once the remote thread has finished and -1 when a step fails.
 * The thread's exit code is never read, so 0 does not tell the caller whether
 * the library was actually loaded.
 *
 * NOTE(review): every "return -1" after OpenProcess succeeds leaves the
 * process handle open, and the later ones also leave the remote buffer
 * allocated.
 * NOTE(review): the results of LoadLibrary/GetProcAddress are used unchecked.
 * NOTE(review): a PROCESS_ALL_ACCESS open followed by a cross-process
 * allocation, write and CreateRemoteThread is a sequence that endpoint
 * monitoring commonly alerts on.
 */
int
inject_dll_in_process (DWORD pid, char *dll_path)
{
    HANDLE target;
    HANDLE worker;
    HMODULE kernel;
    LPVOID remote_path;
    LPTHREAD_START_ROUTINE loader;
    DWORD worker_id;
    int path_bytes;

    info("Ouverture du process.");
    path_bytes = strlen(dll_path) + 1; /* path plus its terminating NUL */

    target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (target == NULL)
    {
        warning("Le process n'a pas pu etre ouvert.");
        return -1;
    }

    info("Reservation et ecriture dans la memoire du processus.");

    /* Buffer inside the target that will hold the DLL path. */
    remote_path = VirtualAllocEx(target, NULL, path_bytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (remote_path == NULL)
    {
        warning("VirtualAlloc failed");
        return -1;
    }

    /* The copied path becomes the single argument of LoadLibraryA. */
    if (WriteProcessMemory(target, remote_path, dll_path, path_bytes, 0) == 0)
    {
        warning("WriteProcessMemory failed");
        return -1;
    }

    info("Creation du thread dans le processus.");

    /* Address of LoadLibraryA as resolved in the calling process. */
    kernel = LoadLibrary("kernel32");
    loader = (LPTHREAD_START_ROUTINE) GetProcAddress(kernel, "LoadLibraryA");

    worker = CreateRemoteThread(target, NULL, 0, loader, remote_path, 0, &worker_id);
    if (worker == NULL)
    {
        warning("CreateRemoteThread failed.");
        return -1;
    }

    WaitForSingleObject(worker, INFINITE);

    VirtualFreeEx(target, remote_path, 0, MEM_DECOMMIT);
    CloseHandle(target);
    CloseHandle(worker);

    return 0;
}
/*
 * Open the process identified by pid and return what OpenProcess returned.
 *
 * flags is the desired access mask, generally PROCESS_ALL_ACCESS; passing
 * (DWORD) -1 selects PROCESS_ALL_ACCESS as well.
 *
 * NOTE(review): the loop repeats only while the handle equals
 * INVALID_HANDLE_VALUE, but OpenProcess reports failure with NULL. A failed
 * open therefore ends the loop after one pass and NULL is returned to the
 * caller, which has to check for it.
 */
HANDLE
get_handle_from_pid (DWORD pid, DWORD flags)
{
    HANDLE opened;
    DWORD access = (flags == (DWORD) -1) ? PROCESS_ALL_ACCESS : flags;

    do
    {
        opened = OpenProcess(access, FALSE, pid);
        Sleep(1);
    } while (opened == INVALID_HANDLE_VALUE);

    return opened;
}
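/*
 * Terminate the process behind handle, passing TerminateProcess the exit
 * code that GetExitCodeProcess reports for it.
 *
 * If the exit code cannot be queried, 0 is used instead. The results of
 * TerminateProcess are not reported to the caller (the function is void).
 */
void
exit_process (HANDLE handle)
{
    /* Initialised so that a failed query can never hand an indeterminate
     * value to TerminateProcess. */
    DWORD code = 0;

    if (!GetExitCodeProcess(handle, &code))
        code = 0;

    TerminateProcess(handle, code);
}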
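/*
 * Show the system message for GetLastError() in a warning message box titled
 * lpszFunction, then end the program with EXIT_FAILURE. Never returns.
 */
void
error_exit (LPTSTR lpszFunction)
{
    DWORD last_error = GetLastError();
    LPTSTR error = NULL;

    /* FORMAT_MESSAGE_IGNORE_INSERTS: system message texts may contain insert
     * sequences (%1, ...) and no argument array is supplied here. */
    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
                  | FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL, last_error, 0, (LPTSTR) &error, 0, NULL);

    /* MessageBox (not MessageBoxA) so the character width matches the LPTSTR
     * strings produced above; error stays NULL when FormatMessage fails. */
    MessageBox(NULL, error != NULL ? error : TEXT("Unknown error"),
               lpszFunction, MB_OK | MB_ICONWARNING);

    if (error != NULL)
        LocalFree(error);

    exit(EXIT_FAILURE);
}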
/*
 * Open the current process token with TOKEN_ADJUST_PRIVILEGES, call
 * set_privilege() on it for SE_DEBUG_NAME and log the outcome.
 *
 * Nothing is logged when OpenProcessToken fails.
 *
 * NOTE(review): the third argument given to set_privilege() is FALSE, which
 * that function maps to a privilege attribute of 0 rather than
 * SE_PRIVILEGE_ENABLED. The "granted" message therefore only says that the
 * adjustment call succeeded -- confirm what is intended before relying on it.
 */
void
enable_debug_privileges (void)
{
    HANDLE token;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
        return;

    if (set_privilege(token, SE_DEBUG_NAME, FALSE) == 1)
        info("Debug privilege granted.");
    else
        warning("Debug privilege ERROR.");

    CloseHandle(token);
}
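/*
 * Find the module named process_name (exact strcmp against
 * MODULEENTRY32.szModule) in a module snapshot of process pid.
 *
 * Returns a heap-allocated MODULEENTRY32 that the caller must free(), or NULL
 * when process_name is NULL, the snapshot or the allocation fails, or no
 * module matches. The window parameter is not used.
 */
MODULEENTRY32 *
get_module_entry (char *process_name, DWORD pid, HWND window)
{
    HANDLE snapshot;
    MODULEENTRY32 *me;

    (void) window; /* unused, kept so existing callers still compile */

    if (process_name == NULL)
        return NULL;

    /* TH32CS_SNAPMODULE is the named form of the literal 8u used before. */
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        warning("CreateToolhelp32Snapshot failed : GetLastError() = %d", (int) GetLastError());
        return NULL;
    }

    me = calloc(1, sizeof *me);
    if (me == NULL)
    {
        CloseHandle(snapshot);
        return NULL;
    }
    me->dwSize = sizeof(MODULEENTRY32);

    if (!Module32First(snapshot, me))
    {
        /* Read the error code before CloseHandle can replace it. */
        DWORD last_error = GetLastError();

        CloseHandle(snapshot);
        free(me);
        warning("Module32First failed: GetLastError() = %d\n", (int) last_error);
        return NULL;
    }

    while (strcmp(process_name, me->szModule))
    {
        if (!Module32Next(snapshot, me))
        {
            warning("%s module not found !", process_name);
            CloseHandle(snapshot);
            free(me); /* every failure path releases the entry */
            return NULL;
        }
    }

    CloseHandle(snapshot);
    return me;
}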
/*
 * Set the attribute of one privilege on an access token.
 *
 * hToken           token handle passed to AdjustTokenPrivileges
 * lpszPrivilege    privilege name resolved with LookupPrivilegeValue
 * bEnablePrivilege non-zero requests SE_PRIVILEGE_ENABLED, zero requests 0
 *
 * Returns non-zero only when the name resolves, AdjustTokenPrivileges
 * succeeds and GetLastError() is ERROR_SUCCESS afterwards; FALSE otherwise.
 */
int
set_privilege (HANDLE hToken, LPCTSTR lpszPrivilege, int bEnablePrivilege)
{
    TOKEN_PRIVILEGES request;
    LUID privilege_id;

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &privilege_id))
        return FALSE;

    request.PrivilegeCount = 1;
    request.Privileges[0].Luid = privilege_id;
    if (bEnablePrivilege)
        request.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        request.Privileges[0].Attributes = 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &request, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
        return FALSE;

    /* The call's own return value is not taken as sufficient: the last-error
     * value must also be ERROR_SUCCESS. */
    return (GetLastError() == ERROR_SUCCESS);
}
/*
 * Compare buffer with pattern under a mask.
 *
 * For every position up to the end of the NUL-terminated mask, a mask
 * character 'x' requires buffer and pattern to hold the same byte; any other
 * mask character accepts any byte. Returns 1 on a match (including an empty
 * mask) and 0 on the first mismatch.
 *
 * The function has no length for buffer or pattern: both must be readable
 * for strlen(mask) bytes.
 */
int
compare_pattern (const unsigned char *buffer, const unsigned char *pattern, const char *mask)
{
    size_t idx = 0;

    while (mask[idx] != '\0')
    {
        if (mask[idx] == 'x' && buffer[idx] != pattern[idx])
            return 0;
        idx++;
    }

    return 1;
}
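/*
 * Search buffer (size bytes) for the first offset at which pattern matches
 * under mask, as decided by compare_pattern().
 *
 * Returns the offset of the first match, or 0 when nothing matches, when a
 * pointer is NULL, or when the mask is empty or longer than the buffer.
 * A match at offset 0 also returns 0, so callers cannot tell the two apart.
 */
DWORD
find_pattern (const unsigned char *buffer, DWORD size, unsigned char *pattern, char *mask)
{
    size_t mask_len;
    DWORD last_start;
    DWORD i;

    if (buffer == NULL || pattern == NULL || mask == NULL)
        return 0;

    mask_len = strlen(mask);
    if (mask_len == 0 || mask_len > size)
        return 0;

    /* Stop at the last offset where the whole mask still fits, so the
     * comparison never reads past buffer[size - 1]. */
    last_start = size - (DWORD) mask_len;
    for (i = 0; i <= last_start; i++)
    {
        if (compare_pattern(buffer + i, pattern, mask))
            return i;
    }

    return 0;
}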
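/*
 * Read 4 bytes at address in the given process and return them decoded by
 * bytes_to_int32().
 *
 * Returns 0 (after a warning) when the read fails or is short, which callers
 * cannot distinguish from a stored value of 0. The address is a DWORD cast to
 * a pointer, so only addresses that fit in 32 bits can be expressed.
 */
int
read_memory_as_int (HANDLE process, DWORD address)
{
    /* "= {0}" is the standard zero-initialiser; the "[0 ... 3]" range form
     * used before is a compiler extension. */
    unsigned char buffer[4] = {0};
    DWORD bytes_read = 0;

    if (!ReadProcessMemory(process, (PVOID) address, buffer, sizeof buffer, &bytes_read)
        || bytes_read != sizeof buffer)
    {
        warning("read_memory_as_int> ReadProcessMemory failed.");
        return 0;
    }

    return bytes_to_int32 (buffer);
}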
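/*
 * Write value, serialised by int32_to_bytes(), to address in the given
 * process.
 *
 * Returns 1 when all bytes were written and 0 (after a warning) otherwise.
 * The address is a DWORD cast to a pointer, so only addresses that fit in
 * 32 bits can be expressed.
 */
int
write_memory_as_int (HANDLE process, DWORD address, unsigned int value)
{
    unsigned char buffer[sizeof(int)];
    DWORD bytes_written = 0;

    int32_to_bytes(value, buffer);

    /* sizeof buffer instead of a literal 4 keeps the write length tied to
     * what int32_to_bytes() filled in. */
    if (!WriteProcessMemory(process, (PVOID) address, buffer, sizeof buffer, &bytes_written)
        || bytes_written != sizeof buffer)
    {
        warning("write_memory_as_int> WriteProcessMemory failed.");
        return 0;
    }

    return 1;
}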
/*
 * Store the path reported by GetModuleFileNameEx(process, NULL, ...) in
 * buffer.
 *
 * buffer must have room for MAX_PATH characters; that size is passed to the
 * API without being checked here. Returns 1 on success and 0 (after a
 * warning) when the API returns 0.
 */
int
get_path_from_process (HANDLE process, char *buffer)
{
    DWORD copied = GetModuleFileNameEx(process, NULL, buffer, MAX_PATH);

    if (copied != 0)
        return 1;

    warning("get_full_path_from_process> GetModuleFileNameEx failed.");
    return 0;
}
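/*
 * Assemble a 32-bit value from four bytes, least significant byte first
 * (bytes[0] is bits 0-7, bytes[3] is bits 24-31), and return it as int.
 *
 * bytes must point to at least 4 readable bytes.
 */
int
bytes_to_int32 (unsigned char *bytes)
{
    /* Each byte is widened to unsigned before shifting: shifting a promoted
     * (signed) int left into the sign bit is undefined behaviour, which the
     * old expression did whenever bytes[3] >= 0x80. */
    unsigned int value = (unsigned int) bytes[0]
                       | ((unsigned int) bytes[1] << 8)
                       | ((unsigned int) bytes[2] << 16)
                       | ((unsigned int) bytes[3] << 24);

    /* Conversion of values above INT_MAX is implementation-defined; the
     * usual two's-complement result is a negative int. */
    return (int) value;
}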
/*
 * Copy the object representation of value into out.
 *
 * out must have room for sizeof(unsigned int) bytes. The bytes are written
 * in the host's byte order, because the value is copied as stored in memory.
 */
void
int32_to_bytes (unsigned int value, unsigned char *out)
{
    const void *raw = &value;

    memcpy(out, raw, sizeof value);
}
/*
 * Move the cursor of the standard output console to column x, row y.
 * The result of SetConsoleCursorPosition is not checked.
 */
void
console_set_pos (int x, int y)
{
    HANDLE console = GetStdHandle(STD_OUTPUT_HANDLE);
    COORD target;

    target.X = x;
    target.Y = y;

    SetConsoleCursorPosition(console, target);
}
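/*
 * Save or restore the console cursor position.
 *
 * PUSH_POS stores the current cursor position of the standard output console
 * in function-static variables; POP_POS moves the cursor back to the stored
 * position. Only one position is kept, so a second PUSH_POS overwrites the
 * first. Any other value of todo does nothing.
 */
void
console_stack_pos (int todo)
{
    static int x, y;
    CONSOLE_SCREEN_BUFFER_INFO SBInfo;

    switch (todo)
    {
        case PUSH_POS:
            /* Only update the saved position when the query succeeded;
             * SBInfo is not initialised otherwise. */
            if (GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &SBInfo))
            {
                x = SBInfo.dwCursorPosition.X;
                y = SBInfo.dwCursorPosition.Y;
            }
            break;

        case POP_POS:
            console_set_pos(x, y);
            break;

        default:
            break;
    }
}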
/*
 * Set the window rectangle of the standard output console to
 * Left = 0, Top = 0, Right = w, Bottom = h (absolute coordinates).
 * The result of SetConsoleWindowInfo is not checked.
 */
void
console_set_size (int w, int h)
{
    HANDLE console = GetStdHandle(STD_OUTPUT_HANDLE);
    SMALL_RECT rect;

    rect.Left = 0;
    rect.Top = 0;
    rect.Right = w;
    rect.Bottom = h;

    SetConsoleWindowInfo(console, TRUE, &rect);
}
/*
 * Set the text attribute (colour) used for subsequent output on the standard
 * output console. col is passed to SetConsoleTextAttribute unchanged.
 */
void
console_set_col (int col)
{
    HANDLE console = GetStdHandle(STD_OUTPUT_HANDLE);

    SetConsoleTextAttribute(console, col);
}
/*
 * Print "[!] Error : " followed by the formatted message and a newline on
 * stdout, using console attribute 0x0C, restore attribute 0x07, then end the
 * program with EXIT_FAILURE. Never returns.
 *
 * msg is used as a printf-style format string: pass a fixed format and give
 * variable text as an argument ("%s"), never as msg itself.
 */
void
error (char *msg, ...)
{
    va_list ap;

    console_set_col(0x0C);
    fputs("[!] Error : ", stdout);

    va_start(ap, msg);
    vprintf(msg, ap);
    va_end(ap);

    putchar('\n');
    console_set_col(0x07);

    exit(EXIT_FAILURE);
}
/*
 * Print "[*] Warning : " followed by the formatted message and a newline on
 * stdout, using console attribute 0x0E, then restore attribute 0x07.
 *
 * msg is used as a printf-style format string: pass a fixed format and give
 * variable text as an argument ("%s"), never as msg itself.
 */
void
warning (char *msg, ...)
{
    va_list ap;

    console_set_col(0x0E);
    fputs("[*] Warning : ", stdout);

    va_start(ap, msg);
    vprintf(msg, ap);
    va_end(ap);

    putchar('\n');
    console_set_col(0x07);
}
/*
 * Print "[+] Info : " followed by the formatted message and a newline on
 * stdout, using console attribute 0x02, then restore attribute 0x07.
 *
 * msg is used as a printf-style format string: pass a fixed format and give
 * variable text as an argument ("%s"), never as msg itself.
 */
void
info (char *msg, ...)
{
    va_list ap;

    console_set_col(0x02);
    fputs("[+] Info : ", stdout);

    va_start(ap, msg);
    vprintf(msg, ap);
    va_end(ap);

    putchar('\n');
    console_set_col(0x07);
}
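/*
 * Copy the address range [start, end) of the given process into a temporary
 * buffer and search it with find_pattern().
 *
 * Returns the address in the target (start + offset) of the first match, or
 * 0 when the range is empty or invalid, the allocation or the read fails, or
 * find_pattern() reports 0. A match located exactly at start also yields 0,
 * because find_pattern() uses 0 for "not found".
 *
 * Example:
 *   char *pattern = "\x00\xC0\xB7\x44\x00\xC0";
 *   DWORD address = find_pattern_process(process, 0x800000, 0xC00000, (PBYTE) pattern, "xxx??x");
 */
DWORD
find_pattern_process (HANDLE process, DWORD start, DWORD end, unsigned char *pattern, char* mask)
{
    DWORD size;
    DWORD offset;
    unsigned char *buffer;

    /* end - start would wrap around for end < start. */
    if (end <= start)
        return 0;
    size = end - start;

    /* size + 1 must not wrap on a 32-bit size_t. */
    if (size == (DWORD) -1)
        return 0;

    buffer = malloc((size_t) size + 1);
    if (buffer == NULL)
    {
        warning("find_pattern_process> malloc failed.");
        return 0;
    }
    buffer[size] = 0; /* the spare byte is defined rather than left as-is */

    if (ReadProcessMemory(process, (PVOID) start, buffer, size, NULL) == FALSE)
    {
        warning("find_pattern_process> ReadProcessMemory failed.");
        free(buffer);
        return 0;
    }

    offset = find_pattern(buffer, size, pattern, mask);

    /* The copy is only needed for the search; release it on every path. */
    free(buffer);

    return offset ? start + offset : 0;
}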
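/*
 * Parse up to 8 leading hexadecimal digits (0-9, A-F, a-f) of hex and return
 * their value.
 *
 * Parsing stops at the first character that is not a hex digit; no "0x"
 * prefix is understood. Returns 0 when hex is NULL or starts with a non-digit.
 * Eight digits with the top bit set produce a negative int.
 */
int
hex_to_dec (char* hex)
{
    unsigned int value = 0;
    int digits = 0;
    const char *c;

    if (hex == NULL)
        return 0;

    for (c = hex; *c != '\0' && digits < 8; c++, digits++)
    {
        unsigned int nibble;

        if ((*c >= '0') && (*c <= '9'))
            nibble = (unsigned int) (*c - '0');
        else if ((*c >= 'A') && (*c <= 'F'))
            nibble = (unsigned int) (*c - 'A' + 10);
        else if ((*c >= 'a') && (*c <= 'f'))
            nibble = (unsigned int) (*c - 'a' + 10);
        else
            break;

        /* Accumulate unsigned: multiplying a signed int by 16 overflows
         * (undefined behaviour) once the eighth digit is reached with a
         * large value. */
        value = (value << 4) | nibble;
    }

    return (int) value;
}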
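/*
 * Build a pattern mask from a text file of space-separated hex byte lines.
 *
 * The mask starts as one 'x' per token of the first line. Each following
 * line is compared with the line before it, token by token through
 * hex_to_dec(); a position whose values differ is changed to '?' and stays
 * that way.
 *
 * Returns the mask (allocated by str_malloc_clear; the caller releases it),
 * or NULL when the file contents are unavailable or two compared lines have
 * a different number of tokens.
 *
 * NOTE(review): on the NULL return for mismatching lines the partially built
 * mask is not released here, because the matching deallocator for
 * str_malloc_clear is not visible in this file -- confirm and free it.
 * NOTE(review): the line buffer is a 100 KiB array on the stack.
 */
char *
create_mask_from_file (char *filename)
{
    char *data = file_get_contents(filename);
    int pos = 0;
    int flag = 1;
    int data_len;
    int i;
    BbQueue *strArray = NULL;
    BbQueue *strArray2 = NULL;
    char* chArray = NULL;
    char str[1024 * 100];

    /* Guard before strlen(): presumably file_get_contents returns NULL when
     * the file cannot be read -- verify against its definition. */
    if (data == NULL)
    {
        warning("create_mask_from_file > Cannot read the pattern file.");
        return NULL;
    }
    data_len = strlen(data);

    while (pos <= data_len)
    {
        if (flag)
        {
            /* First pass: size the mask from the first line. */
            pos = str_getline(data, str, sizeof(str), pos);
            strArray = str_explode(str, " ");
            chArray = str_malloc_clear(bb_queue_get_length(strArray) + 1);

            for (i = 0; i < bb_queue_get_length(strArray); i++)
                chArray[i] = 'x';

            pos = str_getline(data, str, sizeof(str), pos);
            if (pos < data_len)
            {
                strArray2 = str_explode(str, " ");
            }
            else
            {
                /* Nothing to compare against: release what was read and
                 * return the all-'x' mask. */
                bb_queue_free_all(strArray, free);
                free(data);
                return chArray;
            }

            flag = 0;
        }
        else
        {
            pos = str_getline(data, str, sizeof(str), pos);
            strArray2 = str_explode(str, " ");
        }

        if (bb_queue_get_length(strArray) != bb_queue_get_length(strArray2))
        {
            warning("create_mask_from_file > Pattern lines aren't the same length.");
            bb_queue_free_all(strArray, free);
            bb_queue_free_all(strArray2, free);
            free(data);
            return NULL;
        }

        /* bb_queue_pick_nth is called with 1-based positions here. */
        for (i = 1; i < bb_queue_get_length(strArray) + 1; i++)
        {
            int hex1 = hex_to_dec(bb_queue_pick_nth(strArray, i));
            int hex2 = hex_to_dec(bb_queue_pick_nth(strArray2, i));

            if ((chArray[i-1] == 'x') && (hex1 != hex2))
                chArray[i-1] = '?';
        }

        if (pos == -1 || pos >= data_len)
        {
            // End job
            bb_queue_free_all(strArray, free);
            bb_queue_free_all(strArray2, free);
            free(data);
            return chArray;
        }

        /* The current line becomes the reference for the next comparison. */
        bb_queue_free_all(strArray, free);
        strArray = strArray2;
    }

    return chArray;
}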
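/*
 * Return the base address of the module named module_name (exact strcmp
 * against MODULEENTRY32.szModule) in process pid.
 *
 * Returns 0 when module_name is NULL, the snapshot cannot be created, or no
 * module matches. The base address is returned as a DWORD, so it is only
 * meaningful when it fits in 32 bits.
 */
DWORD
get_module_base (char *module_name, DWORD pid)
{
    MODULEENTRY32 module_entry = {0};
    HANDLE snapshot;
    DWORD base = 0;
    BOOL bModule;

    if (module_name == NULL)
        return 0;

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);

    /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
     * not NULL, so "!snapshot" never caught it. */
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    module_entry.dwSize = sizeof(module_entry);
    bModule = Module32First(snapshot, &module_entry);

    while (bModule)
    {
        if (!strcmp(module_entry.szModule, module_name))
        {
            base = (DWORD) (ULONG_PTR) module_entry.modBaseAddr;
            break;
        }
        bModule = Module32Next(snapshot, &module_entry);
    }

    CloseHandle(snapshot);
    return base;
}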
/*
 * Shared cleanup for the file-mapping code in this file.
 *
 * Prints pErrorMessage followed by a newline when it is not NULL, then
 * releases whichever of the three resources is not NULL, in this order:
 * file handle, mapped view, mapping handle.
 */
static void
_clean_things (HANDLE hFile, HANDLE hMapping, PBYTE pFile, const char *pErrorMessage)
{
    if (pErrorMessage)
        puts(pErrorMessage);

    if (hFile)
        CloseHandle(hFile);

    if (pFile)
        UnmapViewOfFile(pFile);

    if (hMapping)
        CloseHandle(hMapping);
}
/*
 * Return the section header whose virtual range
 * [VirtualAddress, VirtualAddress + Misc.VirtualSize) contains rva, or 0
 * when no section of the image does.
 *
 * NOTE(review): NumberOfSections and the section fields come straight from
 * the file. Nothing here bounds the walk by the size of the mapping, so a
 * malformed header can make it read past the mapped data.
 */
PIMAGE_SECTION_HEADER
GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader)
{
    PIMAGE_SECTION_HEADER candidate = IMAGE_FIRST_SECTION(pNTHeader);
    unsigned remaining = pNTHeader->FileHeader.NumberOfSections;

    while (remaining > 0)
    {
        DWORD begin = candidate->VirtualAddress;
        DWORD limit = candidate->VirtualAddress + candidate->Misc.VirtualSize;

        if (rva >= begin && rva < limit)
            return candidate;

        candidate++;
        remaining--;
    }

    return 0;
}
/*
 * Translate an RVA into a pointer inside a file that was mapped as plain
 * data (raw file layout).
 *
 * The section containing rva is looked up, and the difference between its
 * VirtualAddress and PointerToRawData is subtracted from imageBase + rva.
 * Returns 0 when no section contains rva.
 *
 * imageBase is a DWORD, so the mapping address must fit in 32 bits.
 * NOTE(review): the resulting pointer is not checked against the end of the
 * mapping.
 */
LPVOID
get_ptr_from_rva (DWORD rva, PIMAGE_NT_HEADERS pNTHeader, DWORD imageBase)
{
    PIMAGE_SECTION_HEADER owner = GetEnclosingSectionHeader(rva, pNTHeader);
    INT rva_to_raw;

    if (owner == NULL)
        return 0;

    rva_to_raw = (INT)(owner->VirtualAddress - owner->PointerToRawData);

    return (PVOID) (imageBase + rva - rva_to_raw);
}
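/*
 * Print the import table of the PE file at filename to stdout: one block per
 * imported DLL, followed by the ordinal or hint/name of every imported
 * function.
 *
 * The file is mapped as plain data by map_file(), so every RVA is converted
 * with get_ptr_from_rva(). The function returns silently when the file has
 * no import directory, and after a warning when it cannot be mapped or is
 * not a PE file. The view is unmapped before returning.
 *
 * NOTE(review): descriptor, thunk and name tables are followed until their
 * zero terminator and strings are printed with "%s"; none of this is bounded
 * by the size of the mapping, so a malformed file can still cause reads past
 * the mapped data. The base address is kept in a DWORD (32-bit only).
 */
void
dump_iat (char *filename)
{
    LPVOID file_mapping = map_file(filename);
    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER) file_mapping;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR importDesc;
    PIMAGE_THUNK_DATA thunk, thunkIAT = 0;
    PIMAGE_IMPORT_BY_NAME pOrdinalName;
    DWORD importsStartRVA;
    DWORD base;

    /* map_file() returns NULL when the file cannot be opened or mapped. */
    if (file_mapping == NULL)
    {
        warning("dump_iat> the file could not be mapped.");
        return;
    }

    /* Check both signatures before trusting e_lfanew and the directories. */
    if (!is_pe(file_mapping))
    {
        warning("dump_iat> the file is not a PE file.");
        goto done;
    }

    base = (DWORD) dos_header;
    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, dos_header, dos_header->e_lfanew);

    importsStartRVA = GetImgDirEntryRVA(pNTHeader, IMAGE_DIRECTORY_ENTRY_IMPORT);
    if (!importsStartRVA)
        goto done;

    if (!GetEnclosingSectionHeader(importsStartRVA, pNTHeader))
        goto done;

    importDesc = (PIMAGE_IMPORT_DESCRIPTOR) get_ptr_from_rva(importsStartRVA, pNTHeader, base);
    if (!importDesc)
        goto done;

    printf("Imports Table:\n");

    /* The descriptor array ends with an entry whose fields are zero. */
    while ((importDesc->TimeDateStamp != 0) || (importDesc->Name != 0))
    {
        char *dll_name = (char *) get_ptr_from_rva(importDesc->Name, pNTHeader, base);
        DWORD thunkRVA = importDesc->Characteristics;
        DWORD iatRVA = importDesc->FirstThunk;
        /* Copy into a real time_t: the field is 32 bits wide and time_t may
         * be wider, so passing its address to ctime() could over-read. */
        time_t stamp = (time_t) importDesc->TimeDateStamp;
        char *pszTimeDate = ctime(&stamp);

        printf(" %s\n", dll_name ? dll_name : "(invalid name RVA)");
        printf(" OrigFirstThunk: %08X (Unbound IAT)\n", (unsigned) importDesc->Characteristics);
        printf(" TimeDateStamp: %08X", (unsigned) importDesc->TimeDateStamp);
        if (pszTimeDate)
            printf(" -> %s", pszTimeDate);
        else
            printf("\n");
        printf(" ForwarderChain: %08X\n", (unsigned) importDesc->ForwarderChain);
        printf(" First thunk RVA: %08X\n", (unsigned) importDesc->FirstThunk);

        /* Without an original (unbound) thunk table, walk the IAT itself. */
        if (thunkRVA == 0)
        {
            thunkRVA = iatRVA;
            if (thunkRVA == 0)
                goto done;
        }

        // Adjust the pointer to point where the tables are in the
        // mem mapped file.
        thunk = (PIMAGE_THUNK_DATA) get_ptr_from_rva(thunkRVA, pNTHeader, base);
        if (!thunk)
            goto done;

        /* May be NULL when FirstThunk lies outside every section. */
        thunkIAT = (PIMAGE_THUNK_DATA) get_ptr_from_rva(iatRVA, pNTHeader, base);

        printf(" Ordn Name\n");

        while (thunk->u1.AddressOfData != 0)
        {
            if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
            {
                printf(" %4u", (unsigned) IMAGE_ORDINAL(thunk->u1.Ordinal));
            }
            else
            {
                pOrdinalName = (PIMAGE_IMPORT_BY_NAME)
                    get_ptr_from_rva((DWORD) thunk->u1.AddressOfData, pNTHeader, base);
                if (pOrdinalName)
                    printf(" %4u %s", (unsigned) pOrdinalName->Hint, pOrdinalName->Name);
                else
                    printf(" (invalid name RVA)");
            }

            // If it looks like the image has been bound, append the address
            if (importDesc->TimeDateStamp && thunkIAT)
                printf(" (Bound to: %08X)", (unsigned) thunkIAT->u1.Function);

            printf("\n");

            thunk++; // Advance to next thunk
            if (thunkIAT)
                thunkIAT++; // advance to next thunk
        }

        importDesc++; // advance to next IMAGE_IMPORT_DESCRIPTOR
        printf("\n");
    }

done:
    UnmapViewOfFile(file_mapping);
}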
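/*
 * Print the export directory of the PE file at file_path to stdout: the
 * directory header fields, then one line per export address table entry.
 *
 * The file is mapped with SEC_IMAGE, so RVAs are added directly to the base
 * address of the view. Returns TRUE after printing and FALSE (after a
 * message) when the file cannot be opened or mapped, is not a PE file, or has
 * no export directory.
 *
 * NOTE(review): the RVAs and counts read from the export directory are not
 * range-checked against the size of the mapped image before they are
 * dereferenced. The base address is kept in a DWORD (32-bit only).
 * NOTE(review): a name is printed for entry i from names[i]; that pairing is
 * only right when the name and ordinal tables are in the same order as the
 * address table -- confirm against the PE format before relying on it.
 */
int
dump_eat (char *file_path)
{
    /* The IMAGE_EXPORT_DIRECTORY :
         DWORD Characteristics;
         DWORD TimeDateStamp;
         WORD MajorVersion;
         WORD MinorVersion;
         DWORD Name;                  // DLL name
         DWORD Base;                  // ordinal base
         DWORD NumberOfFunctions;     // address table entries
         DWORD NumberOfNames;         // number of name pointers
         DWORD AddressOfFunctions;    // Export address table RVA
         DWORD AddressOfNames;        // Name pointer RVA
         DWORD AddressOfNameOrdinals; // Ordinal table RVA */
    char buffer1[500] = {0};
    char buffer2[500] = {0};
    HANDLE hFile = 0, hMapping = 0;
    DWORD FileSize = 0, ExportTableRVA = 0, ImageBase = 0;
    PBYTE pFile = 0;
    PWORD pOrdinals = 0;
    PDWORD pFuncs = 0;
    PDWORD pNamePointerRVA = 0;
    PIMAGE_DOS_HEADER ImageDosHeader = 0;
    PIMAGE_NT_HEADERS ImageNtHeaders = 0;
    PIMAGE_EXPORT_DIRECTORY ImageExportDirectory = 0;
    time_t stamp;
    const char *stamp_text;

    hFile = CreateFile(file_path, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        _clean_things (NULL, NULL, NULL, "Can't open the required DLL");
        return FALSE;
    }

    /* GetFileSize reports failure as INVALID_FILE_SIZE, not 0. */
    FileSize = GetFileSize (hFile, NULL);
    if (FileSize == 0 || FileSize == INVALID_FILE_SIZE)
    {
        _clean_things (hFile, NULL, NULL, "FileSize is 0 !");
        return FALSE;
    }

    hMapping = CreateFileMapping (hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    if (hMapping == NULL)
    {
        _clean_things (hFile, NULL, NULL, "Can't create the file mapping !");
        return FALSE;
    }

    pFile = (PBYTE) MapViewOfFile (hMapping, FILE_MAP_READ, 0, 0, 0);
    if (pFile == NULL)
    {
        _clean_things (hFile, hMapping, NULL, "Can't map the requested file !");
        return FALSE;
    }

    ImageBase = (DWORD)pFile;
    ImageDosHeader = (PIMAGE_DOS_HEADER) pFile;
    if (ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        _clean_things (hFile, hMapping, pFile, "This file isn't a PE file !\n\n Wrong IMAGE_DOS_SIGNATURE");
        return FALSE;
    }

    ImageNtHeaders = (PIMAGE_NT_HEADERS)(ImageDosHeader->e_lfanew + (DWORD) ImageDosHeader);
    if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        _clean_things (hFile, hMapping, pFile, "This file isn't a PE file !\n\n Wrong IMAGE_NT_SIGNATURE");
        return FALSE;
    }

    ExportTableRVA = ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (ExportTableRVA == 0)
    {
        _clean_things (hFile, hMapping, pFile, "Export table not found !");
        return FALSE;
    }

    ImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY) (ExportTableRVA + ImageBase);

    snprintf(buffer1, sizeof(buffer1), "TimeDateStamp: 0x%08lX - ", ImageExportDirectory->TimeDateStamp);

    /* Copy into a real time_t: the field is 32 bits wide and time_t may be
     * wider. ctime() can also return NULL, which must not reach strncat(). */
    stamp = (time_t) ImageExportDirectory->TimeDateStamp;
    stamp_text = ctime(&stamp);

    /* strncat's third argument is the number of characters that may still be
     * appended, not the size of the destination; passing sizeof(buffer1)
     * allowed writes past the end of buffer1 with text taken from the file. */
    if (stamp_text != NULL)
        strncat(buffer1, stamp_text, sizeof(buffer1) - strlen(buffer1) - 1);

    snprintf(buffer2, sizeof (buffer2),
        "\r\nMajor Version: %i\r\n"
        "Minor Version: %i\r\n"
        "Name RVA: 0x%08lX - DLL Name : %s\r\n"
        "Ordinal Base: 0x%08lX\r\n"
        "Address Table Entries: %d\r\n"
        "Number of Name Pointers: %d\r\n"
        "Export Table Address RVA: 0x%08lX\r\n"
        "Name Pointer RVA: 0x%08lX\r\n"
        "Ordinal Table RVA: 0x%08lX",
        ImageExportDirectory->MajorVersion,
        ImageExportDirectory->MinorVersion,
        ImageExportDirectory->Name,
        (char *)ImageExportDirectory->Name + ImageBase,
        ImageExportDirectory->Base,
        (int) ImageExportDirectory->NumberOfFunctions,
        (int) ImageExportDirectory->NumberOfNames,
        ImageExportDirectory->AddressOfFunctions,
        ImageExportDirectory->AddressOfNames,
        ImageExportDirectory->AddressOfNameOrdinals);
    strncat (buffer1, buffer2, sizeof (buffer1) - strlen (buffer1) - 1);
    printf("%s\n", buffer1);

    pOrdinals = (PWORD) (ImageExportDirectory->AddressOfNameOrdinals + ImageBase);
    pFuncs = (PDWORD) (ImageExportDirectory->AddressOfFunctions + ImageBase);
    pNamePointerRVA = (PDWORD) (ImageExportDirectory->AddressOfNames + ImageBase);

    DWORD NumOfNames = ImageExportDirectory->NumberOfNames;
    DWORD ExportTableSize = ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    DWORD ETUpperBoundarie = ExportTableRVA + ExportTableSize;

    for (UINT i = 0; i < ImageExportDirectory->NumberOfFunctions; i++)
    {
        snprintf (buffer1, sizeof (buffer1), "Ord: %04lX (0x%08lX)", ImageExportDirectory->Base + i, pFuncs[i]);

        /* The ordinal and name tables hold NumberOfNames entries; indexing
         * them with i up to NumberOfFunctions read past their end. */
        if (i < NumOfNames && pOrdinals[i] < NumOfNames)
        {
            PCHAR pFuncName = (PCHAR) (pNamePointerRVA[i] + (DWORD) ImageBase);

            snprintf (buffer2, sizeof (buffer2), " - %s", pFuncName);
            strncat (buffer1, buffer2, sizeof (buffer1) - strlen (buffer1) - 1);

            /* An address inside the export directory is a forwarder string. */
            if ( (pFuncs[i] >= ExportTableRVA) && (pFuncs[i] <= ETUpperBoundarie) )
            {
                PDWORD pFwdFunc = (PDWORD) (pFuncs[i] + (DWORD)ImageBase);

                snprintf (buffer2, sizeof (buffer2), " - Fwd to: %s", (char *)pFwdFunc);
                strncat (buffer1, buffer2, sizeof (buffer1) - strlen (buffer1) - 1);
            }
        }
        printf("%s\n", buffer1);
    }

    _clean_things (hFile, hMapping, pFile, NULL);
    return TRUE;
}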
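/*
 * Report whether mapping starts with a DOS header ("MZ") whose e_lfanew
 * field leads to an NT header carrying the PE signature.
 *
 * Returns non-zero for a match and 0 otherwise, including for a NULL mapping
 * or a negative e_lfanew.
 *
 * NOTE(review): the size of the mapping is not known here, so a large
 * e_lfanew taken from the file can still point past the mapped data.
 */
int
is_pe (LPVOID mapping)
{
    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER) mapping;
    PIMAGE_NT_HEADERS nt_headers;

    if (dos_header == NULL)
        return 0;

    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;

    /* e_lfanew is a signed field read from the file; a negative value would
     * place the NT header before the start of the mapping. */
    if (dos_header->e_lfanew < 0)
        return 0;

    nt_headers = (PIMAGE_NT_HEADERS) ((char*) dos_header + dos_header->e_lfanew);
    return (nt_headers->Signature == IMAGE_NT_SIGNATURE);
}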
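/*
 * Map the file at file_path read-only, as plain data, and return the address
 * of the view.
 *
 * Returns NULL when the file cannot be opened, the mapping object cannot be
 * created, or the view cannot be mapped. The caller releases the view with
 * UnmapViewOfFile().
 */
LPVOID
map_file (char *file_path)
{
    LPVOID ptr_map = NULL;
    HANDLE handle_file;
    HANDLE handle_map;

    handle_file = CreateFile(file_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (handle_file == INVALID_HANDLE_VALUE)
        return NULL;

    handle_map = CreateFileMapping(handle_file, NULL, PAGE_READONLY, 0, 0, 0);
    if (handle_map != NULL)
    {
        ptr_map = MapViewOfFile(handle_map, FILE_MAP_READ, 0, 0, 0);

        /* A mapped view holds its own reference to the mapping object, so
         * the handle is not needed once the view exists (or failed). */
        CloseHandle(handle_map);
    }

    /* Neither handle is returned to the caller; closing them here stops
     * every call from leaking two handles. */
    CloseHandle(handle_file);

    return ptr_map;
}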