Souhail_Hammou

GetExportedFunctionAddress

Apr 6th, 2014
  1. // Souhail Hammou : rce4fun.blogspot.com
  2. // Twitter : @Dark_Puzzle
#include <Windows.h>
#include <winternl.h>
#include <conio.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <iostream>
#include <string>
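// Walks this process's loader list (PEB -> Ldr -> InMemoryOrderModuleList) to find a
// loaded module by file name, then resolves one of its named exports by parsing the
// module's PE export directory in memory.
//
// Interactive: reads the module name (wide) and the export name (narrow) from stdin,
// prints the module base, the export directory address and the resolved function
// address (or the forwarder string when the export is forwarded to another DLL).
// Returns 0 on success, 1 when input is missing or a lookup fails. `int main` replaces
// the non-standard `void main`.
int main() {
    // The PEB pointer lives in the TEB; NtCurrentTeb()->ProcessEnvironmentBlock is the
    // documented way to read what `mov eax, fs:[0x30]` fetched on 32-bit x86, and it
    // also builds for 64-bit targets where that inline assembly is unavailable.
    const PPEB procPeb = NtCurrentTeb()->ProcessEnvironmentBlock;

    // std::wstring grows with the input; the original 20-WCHAR malloc'd buffer had no
    // bound on the extraction and could overflow (and was never freed).
    std::wstring moduleName;
    printf("Specify The Module Name : ");
    if (!(std::wcin >> moduleName)) {
        printf("Sorry ! No module name was given");
        _getch();
        return 1;
    }

    // InMemoryOrderModuleList threads the InMemoryOrderLinks member of each entry, so
    // the entry starts before the list node; CONTAINING_RECORD recovers the proper
    // LDR_DATA_TABLE_ENTRY pointer instead of relying on a fixed-offset cast that only
    // happened to line Reserved2[0] up with DllBase and FullDllName with the base name.
    PLIST_ENTRY listHead = &procPeb->Ldr->InMemoryOrderModuleList;
    PLDR_DATA_TABLE_ENTRY entry = nullptr;
    for (PLIST_ENTRY node = listHead->Flink; node != listHead; node = node->Flink) {
        PLDR_DATA_TABLE_ENTRY candidate =
            CONTAINING_RECORD(node, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        // UNICODE_STRING buffers are counted, not guaranteed NUL-terminated, so work
        // from Length rather than wcslen/wcscmp.
        const WCHAR* fullName = candidate->FullDllName.Buffer;
        const size_t fullLen = candidate->FullDllName.Length / sizeof(WCHAR);
        if (fullName == nullptr || fullLen == 0) {
            continue;
        }
        // Match on the file-name component of the full path so "ntdll.dll" is accepted
        // without its directory; NT file names are case-insensitive, hence _wcsnicmp.
        size_t baseStart = fullLen;
        while (baseStart > 0 && fullName[baseStart - 1] != L'\\') {
            --baseStart;
        }
        const size_t baseLen = fullLen - baseStart;
        if (baseLen == moduleName.size() &&
            _wcsnicmp(moduleName.c_str(), fullName + baseStart, baseLen) == 0) {
            entry = candidate;
            break;
        }
    }
    if (entry == nullptr) {
        printf("Sorry ! The chosen module wasn't found");
        _getch();
        return 1;
    }

    const BYTE* base = static_cast<const BYTE*>(entry->DllBase);
    std::wcout << std::wstring(entry->FullDllName.Buffer,
                               entry->FullDllName.Length / sizeof(WCHAR))
               << L" is at : " << entry->DllBase << std::endl;

    // Parse the in-memory PE headers. A module loaded into this process has the same
    // bitness as this build, so IMAGE_NT_HEADERS resolves to the matching layout.
    const IMAGE_DOS_HEADER* dosHeader = reinterpret_cast<const IMAGE_DOS_HEADER*>(base);
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Sorry ! Not a PE image (bad DOS signature)");
        _getch();
        return 1;
    }
    const IMAGE_NT_HEADERS* ntHeaders =
        reinterpret_cast<const IMAGE_NT_HEADERS*>(base + dosHeader->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
        printf("Sorry ! Not a PE image (bad NT signature)");
        _getch();
        return 1;
    }

    // Index the data directory by its named slot. The original reached the same bytes
    // only because casting IMAGE_NT_HEADERS* to IMAGE_OPTIONAL_HEADER* and then using
    // slot 3 cancelled out (Signature + IMAGE_FILE_HEADER = 24 bytes = three 8-byte
    // directory entries) — correct by coincidence, not by construction.
    if (ntHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT) {
        printf("Sorry ! The module has no export directory");
        _getch();
        return 1;
    }
    const IMAGE_DATA_DIRECTORY& exportDirEntry =
        ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDirEntry.VirtualAddress == 0 || exportDirEntry.Size == 0) {
        printf("Sorry ! The module has no export directory");
        _getch();
        return 1;
    }
    const IMAGE_EXPORT_DIRECTORY* exportDir =
        reinterpret_cast<const IMAGE_EXPORT_DIRECTORY*>(base + exportDirEntry.VirtualAddress);
    printf("Export Table at : %p\n", static_cast<const void*>(exportDir));

    // The three export tables hold 32-bit RVAs, never pointers, so read them through
    // DWORD*/WORD* (the original's char** only worked because pointers were 4 bytes)
    // and rebase each value against the module base.
    const DWORD* nameRvas =
        reinterpret_cast<const DWORD*>(base + exportDir->AddressOfNames);
    const WORD* nameOrdinals =
        reinterpret_cast<const WORD*>(base + exportDir->AddressOfNameOrdinals);
    const DWORD* functionRvas =
        reinterpret_cast<const DWORD*>(base + exportDir->AddressOfFunctions);

    // Width 69 leaves room for the terminator in the 70-byte buffer; the original
    // unbounded "%s" could overflow it.
    char functionName[70] = {};
    printf("Please Specify a function name exported by the module: ");
    if (scanf("%69s", functionName) != 1) {
        printf("Sorry ! No function name was given");
        _getch();
        return 1;
    }

    // Linear scan over the name table; DWORD avoids the signed/unsigned comparison
    // against NumberOfNames.
    DWORD nameIndex = 0;
    for (; nameIndex < exportDir->NumberOfNames; ++nameIndex) {
        const char* exportName = reinterpret_cast<const char*>(base + nameRvas[nameIndex]);
        if (strcmp(exportName, functionName) == 0) {
            break;
        }
    }
    if (nameIndex == exportDir->NumberOfNames) {
        printf("Sorry ! Not Found");
        _getch();
        return 1;
    }

    // AddressOfNameOrdinals[i] is the index into AddressOfFunctions for the i-th name
    // (already unbiased, i.e. the export ordinal minus exportDir->Base).
    const WORD functionIndex = nameOrdinals[nameIndex];
    if (functionIndex >= exportDir->NumberOfFunctions) {
        printf("Sorry ! Export table is inconsistent (ordinal out of range)");
        _getch();
        return 1;
    }
    const DWORD functionRva = functionRvas[functionIndex];

    // A forwarded export stores an RVA inside the export directory that points at a
    // "TargetDll.TargetName" string rather than at code; report it instead of printing
    // a misleading address.
    const bool isForwarder =
        functionRva >= exportDirEntry.VirtualAddress &&
        functionRva < exportDirEntry.VirtualAddress + exportDirEntry.Size;
    if (isForwarder) {
        printf("The Function is forwarded to : %s\n",
               reinterpret_cast<const char*>(base + functionRva));
    } else {
        printf("The Function is at :  0x%p\n", static_cast<const void*>(base + functionRva));
    }
    printf("Press a key to exit");
    _getch();
    return 0;
}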