  1. #include <windows.h>
  2. #include <stdio.h>
  3.  
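/*
 * Translate an RVA of a PE file that is mapped as a flat file (file layout,
 * not a loaded image) to the address of the bytes that back it.
 *
 * lpBaseAddress  start of the file mapping
 * rva            relative virtual address to translate
 * pNtHeader      NT headers of that file; only FileHeader.NumberOfSections,
 *                FileHeader.SizeOfOptionalHeader (via IMAGE_FIRST_SECTION)
 *                and the section table are read, so a PE32 or PE32+ header
 *                may be passed through this pointer type on either host
 *
 * Returns the absolute address of the bytes for `rva`, or 0 when no section
 * covers it (RVAs inside the headers area resolve to 0 as well).
 *
 * Fixes over the original: the loop index was never incremented, so an RVA
 * that no section covers walked past the section table forever; and the
 * section end was computed as start + size, which wraps for sections near
 * the top of the 32-bit address space.
 *
 * NOTE(review): the section headers are untrusted input and nothing here
 * bounds the result by the size of the mapping. A crafted PointerToRawData
 * can return an address past the end of the view; callers that must survive
 * malformed files need a size-aware variant of this function.
 */
DWORD_PTR rva2offset(DWORD_PTR lpBaseAddress, DWORD rva, PIMAGE_NT_HEADERS pNtHeader)
{
    WORD nSections = pNtHeader->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNtHeader);
    WORD i;

    for (i = 0; i < nSections; ++i, ++pSection) {
        DWORD dwStart = pSection->VirtualAddress;
        DWORD dwSize = pSection->Misc.VirtualSize;

        /* A zero VirtualSize is seen in some hand-built or packed images;
         * the raw size is then the only extent available. */
        if (dwSize == 0)
            dwSize = pSection->SizeOfRawData;

        /* Once rva >= dwStart the difference cannot wrap, so comparing it
         * against the size is overflow-safe where dwStart + dwSize is not. */
        if (rva >= dwStart && rva - dwStart < dwSize)
            return lpBaseAddress + pSection->PointerToRawData + (rva - dwStart);
    }
    return 0;
}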
  24.  
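/*
 * Read one thunk entry of the width the file uses.
 *
 * pThunk  points at an IMAGE_THUNK_DATA32 (bIs64 == FALSE) or an
 *         IMAGE_THUNK_DATA64 (bIs64 == TRUE) inside the mapping
 *
 * Returns the raw entry widened to 64 bits; the caller interprets it.
 */
static ULONGLONG readThunk(const void *pThunk, BOOL bIs64)
{
    if (bIs64)
        return ((const IMAGE_THUNK_DATA64 *)pThunk)->u1.AddressOfData;
    return ((const IMAGE_THUNK_DATA32 *)pThunk)->u1.AddressOfData;
}

/*
 * Print every DLL and function referenced by the import directory of a PE
 * file that is mapped as a flat file (MapViewOfFile), not loaded as an image.
 *
 * lpBaseAddress  start of the read-only file mapping
 *
 * Returns TRUE when the headers were accepted and the import table walked
 * (including the case of a file with no import directory), FALSE when a
 * header is malformed or a descriptor's tables cannot be located. The
 * listing goes to stdout.
 *
 * Fixes over the original: PE32 and PE32+ files are parsed according to
 * OptionalHeader.Magic rather than the bitness this tool was compiled for
 * (the original accepted both magics but used host-sized IMAGE_THUNK_DATA,
 * IMAGE_ORDINAL_FLAG and DataDirectory offsets); an IMAGE_IMPORT_BY_NAME
 * RVA that does not translate is reported instead of dereferenced as NULL;
 * NumberOfRvaAndSizes is honoured before the import entry is read; and the
 * "Address" column is printed with a matching format specifier instead of
 * %p applied to an integer.
 *
 * NOTE(review): the input is untrusted and rva2offset does not know the size
 * of the mapping, so every translated pointer is checked for failure but not
 * for falling past the end of the view. A truncated or crafted file can still
 * fault here; bounding every access needs the view size threaded through.
 */
BOOL dumpImports(LPVOID lpBaseAddress)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpBaseAddress;
    PIMAGE_NT_HEADERS pNtHeader;
    IMAGE_DATA_DIRECTORY importDirectory;
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
    WORD wMagic;
    BOOL bIs64;
    ULONGLONG ullOrdinalFlag;
    SIZE_T cbThunk;
    DWORD dwIndex;

    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    printf("DOS signature: 0x%04X\tVerified\n", pDosHeader->e_magic);

    /* e_lfanew is a signed LONG; a negative value would point before the mapping. */
    if (pDosHeader->e_lfanew < 0)
        return FALSE;

    pNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpBaseAddress + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;
    printf("PE signature: 0x%08X\tVerified\n", pNtHeader->Signature);

    /* Magic is the first field of the optional header in both layouts, so it
     * can be read before the layout is known. Everything after it that this
     * function needs (NumberOfRvaAndSizes, DataDirectory) sits at a different
     * offset in PE32 and PE32+, hence the explicit casts below. */
    wMagic = pNtHeader->OptionalHeader.Magic;
    if (wMagic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        PIMAGE_OPTIONAL_HEADER32 pOpt = &((PIMAGE_NT_HEADERS32)pNtHeader)->OptionalHeader;
        bIs64 = FALSE;
        if (pOpt->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
            importDirectory.VirtualAddress = 0;
        else
            importDirectory = pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    } else if (wMagic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        PIMAGE_OPTIONAL_HEADER64 pOpt = &((PIMAGE_NT_HEADERS64)pNtHeader)->OptionalHeader;
        bIs64 = TRUE;
        if (pOpt->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
            importDirectory.VirtualAddress = 0;
        else
            importDirectory = pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    } else {
        return FALSE;
    }
    printf("OptionalHeader magic: 0x%04X\tVerified\n", wMagic);

    /* Thunk width and the "import by ordinal" bit follow the file, not the host. */
    ullOrdinalFlag = bIs64 ? IMAGE_ORDINAL_FLAG64 : IMAGE_ORDINAL_FLAG32;
    cbThunk = bIs64 ? sizeof(IMAGE_THUNK_DATA64) : sizeof(IMAGE_THUNK_DATA32);

    if (importDirectory.VirtualAddress == 0) {
        /* A file that imports nothing is valid; not an error. */
        printf("No import directory\n");
        return TRUE;
    }

    pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)rva2offset((DWORD_PTR)lpBaseAddress, importDirectory.VirtualAddress, pNtHeader);
    if (pImportDescriptor == NULL) {
        printf("First import descriptor is NULL\n");
        return FALSE;
    }

    /* The descriptor array is terminated by an all-zero entry. Name and
     * FirstThunk are required for every real entry, whereas OriginalFirstThunk
     * may be zero in the output of some older linkers, so those two decide. */
    for (dwIndex = 0;
         pImportDescriptor[dwIndex].Name != 0 && pImportDescriptor[dwIndex].FirstThunk != 0;
         ++dwIndex) {
        const IMAGE_IMPORT_DESCRIPTOR *pDesc = &pImportDescriptor[dwIndex];
        const unsigned char *pINT;
        const unsigned char *pIAT;
        DWORD dwNameTableRva;
        DWORD nFunctions = 0;
        DWORD nOrdinalFunctions = 0;
        const char *dllName = (const char *)rva2offset((DWORD_PTR)lpBaseAddress, pDesc->Name, pNtHeader);

        if (dllName == NULL)
            printf("\nImported DLL[%lu]\tNULL name\n", dwIndex);
        else
            printf("\nImported DLL[%lu]\t%s\n", dwIndex, dllName);
        printf("-------------------------------------------\n");

        /* Names normally come from the INT (OriginalFirstThunk). When a linker
         * left it empty, the IAT of an unbound file holds the same RVAs and is
         * walked for names instead. */
        dwNameTableRva = pDesc->OriginalFirstThunk != 0 ? pDesc->OriginalFirstThunk : pDesc->FirstThunk;
        pINT = (const unsigned char *)rva2offset((DWORD_PTR)lpBaseAddress, dwNameTableRva, pNtHeader);
        pIAT = (const unsigned char *)rva2offset((DWORD_PTR)lpBaseAddress, pDesc->FirstThunk, pNtHeader);
        if (pINT == NULL) {
            printf("Empty INT\n");
            return FALSE;
        }
        if (pIAT == NULL) {
            printf("Empty IAT\n");
            return FALSE;
        }

        for (;;) {
            ULONGLONG ullEntry = readThunk(pINT, bIs64);
            ULONGLONG ullIatEntry;

            if (ullEntry == 0)
                break;
            ullIatEntry = readThunk(pIAT, bIs64);

            if (ullEntry & ullOrdinalFlag) {
                /* Import by ordinal: the low 16 bits are the export ordinal, no name exists. */
                printf("Ordinal #%u\tAddress: 0x%llX\n",
                       (unsigned)(ullEntry & 0xFFFF), (unsigned long long)ullIatEntry);
                nOrdinalFunctions++;
            } else if (ullEntry > 0xFFFFFFFFULL) {
                /* A PE32+ name entry must be a 32-bit RVA; anything wider is malformed. */
                printf("<malformed name entry 0x%llX>\tAddress: 0x%llX\n",
                       (unsigned long long)ullEntry, (unsigned long long)ullIatEntry);
            } else {
                /* The entry is the RVA of an IMAGE_IMPORT_BY_NAME (hint followed by the name). */
                PIMAGE_IMPORT_BY_NAME pNameData =
                    (PIMAGE_IMPORT_BY_NAME)rva2offset((DWORD_PTR)lpBaseAddress, (DWORD)ullEntry, pNtHeader);
                if (pNameData == NULL)
                    printf("<unresolvable name RVA 0x%lX>", (unsigned long)ullEntry);
                else
                    printf("%s", pNameData->Name);
                /* On disk the IAT entry mirrors the INT entry unless the image
                 * was bound; it is not a runtime address. */
                printf("\tAddress: 0x%llX\n", (unsigned long long)ullIatEntry);
            }
            pINT += cbThunk;
            pIAT += cbThunk;
            nFunctions++;
        }
        printf("%lu functions imported (%lu ordinal)\n", nFunctions, nOrdinalFunctions);
    }
    return TRUE;
}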
  123.  
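/*
 * Entry point: map the PE file named by argv[1] read-only and print its
 * import table via dumpImports().
 *
 * Exit status is 0 when the import table was dumped and -1 when the file
 * could not be opened or mapped, or its headers were rejected (the original
 * returned 0 even when dumpImports() failed, which hid errors from scripts).
 * Diagnostics go to stderr so the listing on stdout stays clean, and each
 * failed Win32 call reports GetLastError() so the cause can be seen.
 */
int main(int argc, char *argv[])
{
    const char *fileName;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hFileMapping = NULL;
    LPVOID lpBaseAddress = NULL;
    int rc = -1;

    if (argc < 2) {
        fprintf(stderr, "not enough arguments\n");
        return -1;
    }
    fileName = argv[1];

    hFile = CreateFileA(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFile() failed (error %lu)\n", GetLastError());
        goto cleanup;
    }

    /* Nothing here writes, so a read-only mapping is the least access needed.
     * CreateFileMapping also fails for a zero-length file, which has nothing to parse. */
    hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hFileMapping == NULL) {
        fprintf(stderr, "CreateFileMapping() failed (error %lu)\n", GetLastError());
        goto cleanup;
    }

    lpBaseAddress = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if (lpBaseAddress == NULL) {
        fprintf(stderr, "MapViewOfFile() failed (error %lu)\n", GetLastError());
        goto cleanup;
    }

    /* NOTE(review): dumpImports() parses untrusted headers without knowing the
     * size of the view, so a truncated or crafted file can still fault inside it. */
    if (dumpImports(lpBaseAddress))
        rc = 0;
    else
        fprintf(stderr, "Failed to dump imports\n");

cleanup:
    /* Release in reverse order of acquisition; each resource is tested so this
     * label is safe to reach from any failure point above. */
    if (lpBaseAddress != NULL)
        UnmapViewOfFile(lpBaseAddress);
    if (hFileMapping != NULL)
        CloseHandle(hFileMapping);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    return rc;
}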