///api functions
bool apienumexports(uint base, EXPORTENUMCALLBACK cbEnum)
{
MEMORY_BASIC_INFORMATION mbi;
VirtualQueryEx(fdProcessInfo->hProcess, (const void*)base, &mbi, sizeof(mbi));
uint size = mbi.RegionSize;
Memory<void*> buffer(size, "apienumexports:buffer");
if(!MemRead((void*)base, buffer, size, 0))
return false;
IMAGE_NT_HEADERS* pnth = (IMAGE_NT_HEADERS*)((uint)buffer + GetPE32DataFromMappedFile((ULONG_PTR)buffer, 0, UE_PE_OFFSET));
uint export_dir_rva = pnth->OptionalHeader.DataDirectory[0].VirtualAddress;
uint export_dir_size = pnth->OptionalHeader.DataDirectory[0].Size;
IMAGE_EXPORT_DIRECTORY export_dir;
memset(&export_dir, 0, sizeof(export_dir));
MemRead((void*)(export_dir_rva + base), &export_dir, sizeof(export_dir), 0);
unsigned int NumberOfNames = export_dir.NumberOfNames;
if(!export_dir.NumberOfFunctions or !NumberOfNames) //no named exports
return false;
char modname[MAX_MODULE_SIZE] = "";
ModNameFromAddr(base, modname, true);
uint original_name_va = export_dir.Name + base;
char original_name[deflen] = "";
memset(original_name, 0, sizeof(original_name));
MemRead((void*)original_name_va, original_name, deflen, 0);
char* AddrOfFunctions_va = (char*)(export_dir.AddressOfFunctions + base);
char* AddrOfNames_va = (char*)(export_dir.AddressOfNames + base);
char* AddrOfNameOrdinals_va = (char*)(export_dir.AddressOfNameOrdinals + base);
for(DWORD i = 0; i < NumberOfNames; i++)
{
DWORD curAddrOfName = 0;
MemRead(AddrOfNames_va + sizeof(DWORD)*i, &curAddrOfName, sizeof(DWORD), 0);
char* cur_name_va = (char*)(curAddrOfName + base);
char cur_name[deflen] = "";
memset(cur_name, 0, deflen);
MemRead(cur_name_va, cur_name, deflen, 0);
WORD curAddrOfNameOrdinals = 0;
MemRead(AddrOfNameOrdinals_va + sizeof(WORD)*i, &curAddrOfNameOrdinals, sizeof(WORD), 0);
DWORD curFunctionRva = 0;
MemRead(AddrOfFunctions_va + sizeof(DWORD)*curAddrOfNameOrdinals, &curFunctionRva, sizeof(DWORD), 0);
if(curFunctionRva >= export_dir_rva and curFunctionRva < export_dir_rva + export_dir_size)
{
char forwarded_api[deflen] = "";
memset(forwarded_api, 0, deflen);
MemRead((void*)(curFunctionRva + base), forwarded_api, deflen, 0);
int len = (int)strlen(forwarded_api);
int j = 0;
while(forwarded_api[j] != '.' and j < len)
j++;
if(forwarded_api[j] == '.')
{
forwarded_api[j] = 0;
HINSTANCE hTempDll = LoadLibraryExA(forwarded_api, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
if(hTempDll)
{
uint local_addr = (uint)GetProcAddress(hTempDll, forwarded_api + j + 1);
if(local_addr)
{
uint remote_addr = ImporterGetRemoteAPIAddress(fdProcessInfo->hProcess, local_addr);
cbEnum(base, modname, cur_name, remote_addr);
}
}
}
}
else
{
cbEnum(base, modname, cur_name, curFunctionRva + base);
}
}
return true;
}
void IH_GetImportTableAddresses() //Retrieve basic import data
{
HINSTANCE kernel32; // Handle to kernel32
unsigned int VirtualProtect_Addr; // VirtualProtect Address
unsigned int OutputDebugStringA_Addr; // OutputDebugStringA Address
unsigned int WriteProcessMemory_Addr; // WriteProcessMemory Address
unsigned int GetEnvironmentVariableA_Addr; // GetEnvironmentVariableA Address
unsigned int SetEnvironmentVariableA_Addr; // SetEnvironmentVariableA Address
unsigned int LoadLibraryA_Addr; // LoadLibraryA Address
unsigned int GetProcAddress_Addr; // GetProcAddress address
DeleteFile("loaded_binary.mem");
DumpProcess(IH_fdProcessInfo->hProcess, (void*)g_fdImageBase, (char*)"loaded_binary.mem", g_fdEntryPoint);
kernel32=GetModuleHandleA("kernel32");
VirtualProtect_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "VirtualProtect"));
OutputDebugStringA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "OutputDebugStringA"));
GetEnvironmentVariableA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "GetEnvironmentVariableA"));
SetEnvironmentVariableA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "SetEnvironmentVariableA"));
LoadLibraryA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "LoadLibraryA"));
GetProcAddress_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "GetProcAddress"));
WriteProcessMemory_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "WriteProcessMemory"));
HANDLE hFile=CreateFileA("loaded_binary.mem", GENERIC_ALL, 0, 0, OPEN_EXISTING, 0, 0);
DWORD high=0,filesize=GetFileSize(hFile, &high);
BYTE* dump_addr=(BYTE*)VirtualAlloc(VirtualAlloc(0, filesize+0x1000, MEM_RESERVE, PAGE_EXECUTE_READWRITE), filesize+0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
ReadFile(hFile, dump_addr, filesize, &high, 0);
CloseHandle(hFile);
unsigned int result_addr=0;
// Find VirtualProtect address
result_addr=FindDwordInMemory(dump_addr, VirtualProtect_Addr, filesize);
if(result_addr)
VirtualProtect_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
VirtualProtect_Addr=0;
g_PtrTargetData->VirtualProtect_Addr=VirtualProtect_Addr;
// Find OutputDebugStringA address
result_addr=FindDwordInMemory(dump_addr, OutputDebugStringA_Addr, filesize);
if(result_addr)
OutputDebugStringA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
OutputDebugStringA_Addr=0;
g_PtrTargetData->OutputDebugStringA_Addr=OutputDebugStringA_Addr;
// Find GetEnvironmentVariableA address
result_addr=FindDwordInMemory(dump_addr, GetEnvironmentVariableA_Addr, filesize);
if(result_addr)
GetEnvironmentVariableA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
GetEnvironmentVariableA_Addr=0;
g_PtrTargetData->GetEnvironmentVariableA_Addr=GetEnvironmentVariableA_Addr;
// Find SetEnvironmentVariableA address
result_addr=FindDwordInMemory(dump_addr, SetEnvironmentVariableA_Addr, filesize);
if(result_addr)
SetEnvironmentVariableA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
SetEnvironmentVariableA_Addr=0;
g_PtrTargetData->SetEnvironmentVariableA_Addr=SetEnvironmentVariableA_Addr;
// Find LoadLibraryA address
result_addr=FindDwordInMemory(dump_addr, LoadLibraryA_Addr, filesize);
if(result_addr)
LoadLibraryA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
LoadLibraryA_Addr=0;
g_PtrTargetData->LoadLibraryA_Addr=LoadLibraryA_Addr;
// Find GetProcAddress address
result_addr=FindDwordInMemory(dump_addr, GetProcAddress_Addr, filesize);
if(result_addr)
GetProcAddress_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
GetProcAddress_Addr=0;
g_PtrTargetData->GetProcAddress_Addr=GetProcAddress_Addr;
// Find WriteProcessMemory address
result_addr=FindDwordInMemory(dump_addr, WriteProcessMemory_Addr, filesize);
if(result_addr)
WriteProcessMemory_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
WriteProcessMemory_Addr=0;
g_PtrTargetData->WriteProcessMemory_Addr=WriteProcessMemory_Addr;
// Free the memory and close the handle
VirtualFree(dump_addr, filesize+0x1000, MEM_DECOMMIT);
}
