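HRESULT PE_PrintImport(PBYTE pBase, IMAGE_DATA_DIRECTORY DataImport, BOOL bImport)
{
	// Dumps the import directory of the image mapped at pBase: one
	// "DLL  name  is" line per descriptor, then one line per thunk
	// (ordinal, or hint + name).  pBase must be the image as loaded
	// (section-aligned), because directory and thunk RVAs are added to it
	// directly.  Nothing here checks that an RVA lies inside the image; for
	// an untrusted file the caller has to validate the headers first.
	// Returns S_OK in every case (the HRESULT is kept for interface
	// compatibility with callers).
	PIMAGE_IMPORT_DESCRIPTOR     pImportDesc = NULL;
	PIMAGE_THUNK_DATA32          pFirstThunk = NULL;
	PIMAGE_THUNK_DATA32          pOriginalThunk = NULL;
	PIMAGE_IMPORT_BY_NAME        pImportByName = NULL;
	PCHAR                        pDllName = NULL;

	// Test the directory entry itself: a zero RVA would otherwise make the
	// descriptor pointer alias the DOS header, and "pBase + RVA" is never
	// NULL, so the old pointer test could not catch that.
	if (DataImport.VirtualAddress == 0 || DataImport.Size == 0)
	{
		dprintf("没有导入表 \n");
		return S_OK ;
	}
	if (!bImport)
	{
		return S_OK;
	}

	pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + DataImport.VirtualAddress);
	// Characteristics shares storage with OriginalFirstThunk, so the loop
	// also stops at a descriptor that has no name table.
	while (pImportDesc->Name != 0 && pImportDesc->Characteristics != 0)
	{
		// ULONG_PTR, not ULONG: a ULONG cast truncates the base pointer on
		// 64-bit hosts and the thunk pointers would point into nothing.
		pFirstThunk    = (PIMAGE_THUNK_DATA32)((ULONG_PTR)pBase + pImportDesc->FirstThunk);
		pOriginalThunk = (PIMAGE_THUNK_DATA32)((ULONG_PTR)pBase + pImportDesc->OriginalFirstThunk);
		pDllName       = (PCHAR)((ULONG_PTR)pBase + pImportDesc->Name);
		dprintf("DLL  name  is  %s\n", pDllName);
		dprintf("序号      相对偏移      函数地址      函数名称 \n");
		while (pOriginalThunk->u1.Ordinal != 0)
		{
			// Print the IAT slot's value; passing the IMAGE_THUNK_DATA32
			// union itself through "%08x" is undefined behaviour.
			ULONG ulFunction = pFirstThunk->u1.Function;
			if (IMAGE_SNAP_BY_ORDINAL32(pOriginalThunk->u1.Ordinal))
			{
				// Offset column: position of this thunk entry within the image.
				dprintf("%04d    0x%08x    0x%08x    无\n", IMAGE_ORDINAL32(pOriginalThunk->u1.Ordinal), (ULONG)((ULONG_PTR)pOriginalThunk - (ULONG_PTR)pBase), ulFunction);
			}
			else
			{
				// Offset column: RVA of the IMAGE_IMPORT_BY_NAME record.
				pImportByName = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)pBase + pOriginalThunk->u1.AddressOfData);
				dprintf("%04d    0x%08x    0x%08x    %s\n", pImportByName->Hint, (ULONG)pOriginalThunk->u1.AddressOfData, ulFunction, pImportByName->Name);
			}
			pOriginalThunk++;
			pFirstThunk++;
		}
		pImportDesc++;
	}
	return S_OK;
}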
  FARPROC PatchImportOld(char* sourceModule, char* importModule, LPCSTR name, void* patchFunction)
  {
    /*
     * Redirects one entry of sourceModule's import table for importModule
     * to patchFunction and returns the address that was stored there before.
     * `name` is an export name, or an ordinal when its value is below
     * 0xFFFF (MAKEINTRESOURCE style).  Returns NULL when `name` is NULL,
     * the module is not loaded, either table lookup fails, or no entry
     * matches.  Everything here assumes a 32-bit process: the tables are
     * IMAGE_THUNK_DATA32 / DWORD and exactly 4 bytes are written.  The
     * write modifies a live image (it shows up in any IAT integrity check),
     * so callers should keep the returned value and restore it when the
     * patch is no longer needed.
     */
    if ( !name )
      return NULL;

    HMODULE moduleBase = GetModuleHandleA(sourceModule);
    if ( !moduleBase )
      return NULL;

    IMAGE_THUNK_DATA32* nameTable = _GetImportsList(sourceModule, importModule);
    if ( !nameTable )
      return NULL;

    DWORD* addressTable = _GetFunctionsList(sourceModule, importModule);
    if ( !addressTable )
      return NULL;

    /* A small integer passed as `name` selects an ordinal lookup. */
    int byOrdinal = (DWORD)name < 0xFFFF;

    for (u32 idx = 0; nameTable[idx].u1.Ordinal != 0; idx++)
    {
      int matched;
      if (byOrdinal)
      {
        matched = IMAGE_SNAP_BY_ORDINAL32(nameTable[idx].u1.Ordinal)
               && IMAGE_ORDINAL32(nameTable[idx].u1.Ordinal) == IMAGE_ORDINAL32((DWORD)name);
      }
      else
      {
        /* AddressOfData is an RVA to an IMAGE_IMPORT_BY_NAME record; rebase it onto the module. */
        PIMAGE_IMPORT_BY_NAME entry = (PIMAGE_IMPORT_BY_NAME)((u32)nameTable[idx].u1.AddressOfData + (u32)moduleBase);
#pragma warning(suppress: 6387)
        matched = _strcmpi(name, (const char*)entry->Name) == 0;
      }
      if (!matched)
        continue;

      /* One patch site for both match kinds: save, overwrite, return. */
      FARPROC previous = (FARPROC)addressTable[idx];
      WriteMem(&addressTable[idx], &patchFunction, 4);
      return previous;
    }
    return NULL;
  }
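enum statut_t rebase_import_directory(
    IMAGE_DOS_HEADER *dos_hdr,
    IMAGE_NT_HEADERS32 *nt_hdr,
    IMAGE_FILE_HEADER *file_hdr,
    IMAGE_OPTIONAL_HEADER32 *opt_hdr)
{
    /*
     * Rebases the import directory of the image held in g_buf: every RVA
     * in each IMAGE_IMPORT_DESCRIPTOR is passed through fix_rva(), then the
     * name table (INT) entries are rebased and copied over the IAT.
     * Returns ERROR when the directory RVA cannot be mapped to a file
     * offset, MODIFIED otherwise.  Only opt_hdr is consulted; the other
     * headers are part of the common callback signature.
     * No bounds check against the size of g_buf is made here (the size is
     * not visible from this function); presumably the caller validated the
     * headers — TODO confirm.
     */
    (void) dos_hdr;
    (void) nt_hdr;
    (void) file_hdr;
    uint32_t offset = rva_to_rphys(opt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    if(offset == 0)
        return ERROR;
    /* for each DLL: the descriptor array ends with an all-zero entry, so test Name directly */
    IMAGE_IMPORT_DESCRIPTOR *imports = (IMAGE_IMPORT_DESCRIPTOR *)(g_buf + offset);
    for(size_t i = 0; imports[i].Name != 0; i++)
    {
        /* Keep the original RVAs: fix_rva() rewrites the fields in place and the
         * thunk tables must be located from the pre-rebase values. */
        uint32_t iat_rva = imports[i].FirstThunk;
        uint32_t int_rva = imports[i].u.OriginalFirstThunk;
        /* rebase DLL name and thunk pointers */
        fix_rva(&imports[i].Name);
        if(iat_rva)
            fix_rva(&imports[i].FirstThunk);
        if(int_rva)
            fix_rva(&imports[i].u.OriginalFirstThunk);
        if(imports[i].ForwarderChain)
            fix_rva(&imports[i].ForwarderChain);
        /* A descriptor without an IAT has nothing to rebase; a zero file
         * offset is rva_to_rphys()'s failure value (see the directory test above). */
        if(iat_rva == 0)
            continue;
        uint32_t iat_off = rva_to_rphys(iat_rva);
        if(iat_off == 0)
            continue;
        IMAGE_THUNK_DATA32 *iat_table = (IMAGE_THUNK_DATA32 *)(g_buf + iat_off);
        /* With OriginalFirstThunk == 0 the IAT itself carries the names
         * (PE convention), so read from it instead of mapping RVA 0 onto the
         * DOS header and copying garbage into the IAT. */
        IMAGE_THUNK_DATA32 *int_table = iat_table;
        if(int_rva)
        {
            uint32_t int_off = rva_to_rphys(int_rva);
            if(int_off == 0)
                continue;
            int_table = (IMAGE_THUNK_DATA32 *)(g_buf + int_off);
        }
        /* rebase each name */
        while(iat_table->u1.Ordinal)
        {
            if(!IMAGE_SNAP_BY_ORDINAL32(int_table->u1.Ordinal))
                fix_rva(&int_table->u1.AddressOfData);
            *iat_table = *int_table;
            int_table++;
            iat_table++;
        }
    }
    return MODIFIED;
}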
//修复导入表IAT
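BOOL FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT DriverObject)
{
	/*
	 * Resolves the import table of the image mapped at ImageBase: for every
	 * descriptor the DLL is looked up with GetKernelModuleBase() and the
	 * exported addresses are written into the IAT.  Any of the four kernel
	 * image file names is resolved against whichever flavour is loaded, and
	 * the name found in the image is kept in NtosModuleName.  DLLs that are
	 * not loaded are handed to InsertOriginalFirstThunk() with
	 * ExistImageBase instead of being resolved.
	 * Returns FALSE when the image has no import directory or a DLL name
	 * does not fit the local buffer, TRUE otherwise.
	 *
	 * The image is treated as untrusted data for the name copy, but RVAs are
	 * not checked against the image size (not available here); the caller
	 * must have validated the headers before calling.
	 */
	static char *const NtosNames[]={"ntkrnlpa.exe","ntoskrnl.exe","ntkrnlmp.exe","ntkrpamp.exe"};
	PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor=NULL;
	PIMAGE_THUNK_DATA ImageThunkData,FirstThunk;
	PIMAGE_IMPORT_BY_NAME ImortByName;
	DWORD ImportSize;
	PVOID ModuleBase;
	char ModuleName[260];
	DWORD FunctionAddress;
	const char *NameInImage;
	size_t NameLen;
	size_t k;

	ImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)A_Protect_RtlImageDirectoryEntryToData(ImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ImportSize);
	if (ImageImportDescriptor==NULL)
	{
		return FALSE;
	}
	while (ImageImportDescriptor->OriginalFirstThunk && ImageImportDescriptor->Name)
	{
		//Bounded copy: the name comes from the image, so an unbounded strcpy
		//into the 260-byte stack buffer would be a stack overflow.
		NameInImage=(const char*)(ImageBase+ImageImportDescriptor->Name);
		NameLen=strlen(NameInImage);
		if (NameLen>=sizeof(ModuleName))
		{
			return FALSE;
		}
		memcpy(ModuleName,NameInImage,NameLen+1);

		//ntoskrnl.exe(NTKRNLPA.exe、ntkrnlmp.exe、ntkrpamp.exe):
		for (k=0;k<sizeof(NtosNames)/sizeof(NtosNames[0]);k++)
		{
			if (_stricmp(ModuleName,NtosNames[k])==0)
			{
				break;
			}
		}
		ModuleBase=NULL;
		if (k<sizeof(NtosNames)/sizeof(NtosNames[0]))
		{
			//bakup module name, bounded by the destination and always NUL-terminated
			memset(NtosModuleName,0,sizeof(NtosModuleName));
			memcpy(NtosModuleName,ModuleName,NameLen<sizeof(NtosModuleName)?NameLen:sizeof(NtosModuleName)-1);

			//The image may name any kernel flavour; try each until one is loaded.
			for (k=0;k<sizeof(NtosNames)/sizeof(NtosNames[0])&&ModuleBase==NULL;k++)
			{
				ModuleBase=GetKernelModuleBase(DriverObject,NtosNames[k]);
			}
		}
		else
		{
			ModuleBase=GetKernelModuleBase(DriverObject,ModuleName);
		}
		if (ModuleBase==NULL)
		{
			FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
			InsertOriginalFirstThunk((DWORD)ImageBase,ExistImageBase,FirstThunk);
			ImageImportDescriptor++;
			continue;
		}
		ImageThunkData=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->OriginalFirstThunk);
		FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
		//NOTE(review): an export that cannot be found stops this DLL's loop
		//but the function still returns TRUE, leaving the remaining IAT slots
		//unresolved; presumably the caller tolerates this — confirm.
		while(ImageThunkData->u1.Ordinal)
		{
			//import by ordinal
			if(IMAGE_SNAP_BY_ORDINAL32(ImageThunkData->u1.Ordinal))
			{
				FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,FALSE,NULL,ImageThunkData->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32);
				if (FunctionAddress==0)
				{
					break;
				}
				FirstThunk->u1.Function=FunctionAddress;
			}
			//import by name
			else
			{
				ImortByName=(PIMAGE_IMPORT_BY_NAME)(ImageBase+ImageThunkData->u1.AddressOfData);
				FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,TRUE,ImortByName->Name,0);
				if (FunctionAddress==0)
				{
					break;
				}
				FirstThunk->u1.Function=FunctionAddress;
			}
			FirstThunk++;
			ImageThunkData++;
		}
		ImageImportDescriptor++;
	}
	return TRUE;
}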