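  // Resolves one export of a module that is mapped in another process and
  // returns its absolute address in that process, or 0 if it cannot be resolved.
  //
  //   module_handle    base address of the module inside process `pid`
  //   function_ordinal export name, or an ordinal packed into the pointer value
  //                    (any value <= 0xFFFF is treated as an ordinal)
  //   pid              process that drv_read() copies memory from
  //
  // Every header field and table used below is copied out of the other process,
  // so it is treated as untrusted input: signatures are validated, sizes are
  // bounded by SizeOfImage, and every RVA is checked against the local snapshot
  // before it is dereferenced. All lookups run on that single snapshot, so a
  // module that changes while it is being parsed cannot move a table out of the
  // checked range.
  //
  // NOTE(review): drv_read()'s return value is not visible on this page, so a
  // failed read cannot be detected directly. Destination buffers are zeroed
  // first; a failed read then fails signature or count validation instead of
  // leaving stale or uninitialised data to be parsed.
  uint64_t get_module_export(uintptr_t module_handle, const char* function_ordinal, DWORD pid)
  {
      // The buffer comes from calloc(), so it must be released with free();
      // unique_ptr's default deleter would call delete on it.
      struct crt_free
      {
          void operator()(void* block) const { free(block); }
      };

      // --- DOS and NT headers -------------------------------------------------
      dos_header = {};
      drv_read(pid, (void*)module_handle, &dos_header, sizeof(dos_header));
      if (dos_header.e_magic != IMAGE_DOS_SIGNATURE || dos_header.e_lfanew <= 0)
          return 0;

      IMAGE_NT_HEADERS64 nt_header = {};
      drv_read(pid, (void*)(module_handle + dos_header.e_lfanew), &nt_header, sizeof(nt_header));

      // The headers are parsed with the 64-bit layout, so a PE32 image (whose
      // data directories sit at a different offset) has to be rejected here.
      if (nt_header.Signature != IMAGE_NT_SIGNATURE
          || nt_header.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC
          || nt_header.OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
          return 0;

      const DWORD export_base = nt_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
      DWORD export_base_size = nt_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
      const DWORD image_size = nt_header.OptionalHeader.SizeOfImage;

      // No export directory, or one that does not fit inside the image.
      if (export_base == 0 || export_base >= image_size
          || image_size - export_base < sizeof(IMAGE_EXPORT_DIRECTORY))
          return 0;
      const DWORD image_remaining = image_size - export_base;

      // --- Size of the export data --------------------------------------------
      // Read only the fixed-size directory header first, so its fields can be
      // inspected without trusting the declared directory size.
      IMAGE_EXPORT_DIRECTORY export_header = {};
      drv_read(pid, (void*)(module_handle + export_base), &export_header, sizeof(export_header));

      if (export_base_size <= sizeof(IMAGE_EXPORT_DIRECTORY))
      {
          // The declared size cannot hold any table. Estimate it as the original
          // code did: distance to the ordinal table plus 255 bytes per entry.
          // 64-bit arithmetic keeps the multiplication from wrapping, and the
          // estimate is clamped so the read never leaves the image.
          if (export_header.AddressOfNameOrdinals < export_base)
              return 0;

          const uint64_t entry_count = export_header.NumberOfFunctions > export_header.NumberOfNames
              ? export_header.NumberOfFunctions
              : export_header.NumberOfNames;
          uint64_t estimate = static_cast<uint64_t>(export_header.AddressOfNameOrdinals - export_base)
              + entry_count * 255;
          if (estimate > image_remaining)
              estimate = image_remaining;

          export_base_size = static_cast<DWORD>(estimate);
      }

      if (export_base_size < sizeof(IMAGE_EXPORT_DIRECTORY) || export_base_size > image_remaining)
          return 0;

      // --- Local snapshot of the export data ----------------------------------
      std::unique_ptr<unsigned char, crt_free> export_blob(
          static_cast<unsigned char*>(calloc(1, export_base_size)));
      if (!export_blob)
          return 0;

      unsigned char* const blob = export_blob.get();
      drv_read(pid, (void*)(module_handle + export_base), blob, export_base_size);

      const auto* export_data = reinterpret_cast<const IMAGE_EXPORT_DIRECTORY*>(blob);
      const uint64_t blob_size = export_base_size;

      // Maps the RVA range [rva, rva + bytes) to an offset inside the snapshot.
      // Returns false if any byte of the range lies outside it.
      const auto to_offset = [&](uint64_t rva, uint64_t bytes, uint64_t& offset) -> bool
      {
          if (rva < export_base || bytes > blob_size)
              return false;
          offset = rva - export_base;
          return offset <= blob_size - bytes;
      };

      const uint64_t function_count = export_data->NumberOfFunctions;
      const uint64_t name_count = export_data->NumberOfNames;

      uint64_t functions_offset = 0;
      if (function_count == 0
          || !to_offset(export_data->AddressOfFunctions, function_count * sizeof(DWORD), functions_offset))
          return 0;
      const auto* address_of_functions = reinterpret_cast<const DWORD*>(blob + functions_offset);

      // --- Lookup -------------------------------------------------------------
      uint64_t function_index = function_count; // out of range means "not found"

      const uintptr_t requested = reinterpret_cast<uintptr_t>(function_ordinal);
      if (requested <= 0xFFFF)
      {
          // By ordinal: the function table is indexed by (ordinal - Base). The
          // name and ordinal tables are not involved and are not touched.
          if (requested < export_data->Base)
              return 0;
          function_index = requested - export_data->Base;
      }
      else
      {
          // By name: the name and name-ordinal tables run in parallel and hold
          // NumberOfNames entries each, which may be fewer than NumberOfFunctions.
          uint64_t names_offset = 0;
          uint64_t ordinals_offset = 0;
          if (!to_offset(export_data->AddressOfNames, name_count * sizeof(DWORD), names_offset)
              || !to_offset(export_data->AddressOfNameOrdinals, name_count * sizeof(WORD), ordinals_offset))
              return 0;

          const auto* address_of_names = reinterpret_cast<const DWORD*>(blob + names_offset);
          const auto* address_of_ordinals = reinterpret_cast<const WORD*>(blob + ordinals_offset);

          for (uint64_t i = 0; i < name_count; ++i)
          {
              uint64_t name_offset = 0;
              if (!to_offset(address_of_names[i], 1, name_offset))
                  continue; // name string lies outside the snapshot

              // Bounded comparison: stop at the end of the snapshot even if the
              // string in the other process is not NUL-terminated.
              const char* candidate = reinterpret_cast<const char*>(blob + name_offset);
              const uint64_t limit = blob_size - name_offset;
              uint64_t k = 0;
              while (k < limit && candidate[k] != '\0' && candidate[k] == function_ordinal[k])
                  ++k;

              if (k < limit && candidate[k] == '\0' && function_ordinal[k] == '\0')
              {
                  function_index = address_of_ordinals[i];
                  break;
              }
          }
      }

      if (function_index >= function_count)
          return 0;

      const DWORD function_rva = address_of_functions[function_index];
      if (function_rva == 0)
          return 0; // unused slot in the function table

      // NOTE(review): forwarded exports are not resolved. When function_rva lies
      // inside the export directory it addresses a forwarder string, not code;
      // as in the original, the address is returned unchanged, so callers must
      // not assume the result is executable.
      return module_handle + function_rva;
  }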