Example #1
// Follows a chain of function addresses in the target process, decoding a
// small memory window at each one, until the decoder yields an IAT pointer
// that passes isIATPointerValid(). Returns that pointer, or 0 when the read
// fails, the chain ends (next address is 0) or the attempt budget is used up.
//
// Side effects: resets the memoryAddress / memorySize members before the
// search (the original comment ties them to stolen-API detection; what the
// decoder does with them is not visible here).
DWORD_PTR IATSearch::findAPIAddressInIAT(DWORD_PTR startAddress)
{
    // Size of the memory window decoded per attempt.
    const size_t MEMORY_READ_SIZE = 200;
    BYTE dataBuffer[MEMORY_READ_SIZE];

    // Upper bound on how many addresses are followed before giving up.
    const int maxAttempts = 8;

    // Reset stolen-API bookkeeping for this search.
    memoryAddress = 0;
    memorySize = 0;

    // The first attempt is always made, even when startAddress is 0.
    for (int attempt = 0; attempt < maxAttempts; attempt++)
    {
        if (!readMemoryFromProcess(startAddress, sizeof(dataBuffer), dataBuffer))
        {
#ifdef DEBUG_COMMENTS
            Scylla::debugLog.log(L"findAPIAddressInIAT :: error reading memory " PRINTF_DWORD_PTR_FULL, startAddress);
#endif
            return 0;
        }

        // NOTE(review): findIATPointer() / findNextFunctionAddress() appear to
        // consume state left by decomposeMemory() — inferred from call order, confirm.
        if (decomposeMemory(dataBuffer, sizeof(dataBuffer), startAddress))
        {
            const DWORD_PTR candidate = findIATPointer();
            if (candidate != 0 && isIATPointerValid(candidate, true))
            {
                return candidate;
            }
        }

        // Move on to the next function address; 0 means the chain is exhausted.
        startAddress = findNextFunctionAddress();
        if (startAddress == 0)
        {
            break;
        }
    }

    return 0;
}
Example #2
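// Trims a sorted set of candidate IAT pointers to a plausible, contiguous run.
//
// Pass 1 starts in the middle of the set (assumed to be the most trustworthy
// region) and walks upwards; at the first gap wider than maxPointerGap where
// either neighbour fails isIATPointerValid(), everything from that point to
// the end is discarded.
//
// Pass 2 rescans from the beginning after every removal, dropping the pointer
// that failed validation at a wide gap, until a full scan removes nothing.
//
// Fixes over the earlier version:
//  - the rescan loop terminated only when the inner loop ran at least once;
//    with a single element left it spun forever, and with an empty set it
//    dereferenced end(). Both cases now stop the loop.
//  - on a bad gap the previous pointer was always erased, even when it was the
//    current pointer that failed validation; now the failing one is removed.
//
// @param iatPointers  sorted candidate set, modified in place.
void IATSearch::filterIATPointersList( std::set<DWORD_PTR> & iatPointers )
{
    // Nothing to filter with two or fewer candidates.
    if (iatPointers.size() <= 2)
    {
        return;
    }

    // Gap between neighbouring pointers above which both are re-validated.
    const DWORD_PTR maxPointerGap = 0x100;

    std::set<DWORD_PTR>::iterator iter = iatPointers.begin();
    std::advance(iter, iatPointers.size() / 2); //start in the middle, important!
    DWORD_PTR lastPointer = *iter;

    // Pass 1: cut the tail at the first bad gap above the middle.
    for (++iter; iter != iatPointers.end(); ++iter)
    {
        if ((*iter - lastPointer) > maxPointerGap)
        {
            if (!isIATPointerValid(lastPointer, false) || !isIATPointerValid(*iter, false))
            {
                iatPointers.erase(iter, iatPointers.end());
                break;
            }
        }
        lastPointer = *iter;
    }

    // Pass 2: remove bad pointers one at a time, rescanning after each removal.
    // The size guard is what prevents the endless loop on a one-element set.
    bool erased = true;
    while (erased && iatPointers.size() > 1)
    {
        erased = false;
        iter = iatPointers.begin();
        lastPointer = *iter;

        for (++iter; iter != iatPointers.end(); ++iter)
        {
            if ((*iter - lastPointer) > maxPointerGap)
            {
                const bool lastValid = isIATPointerValid(lastPointer, false);
                const bool currentValid = isIATPointerValid(*iter, false);
                if (!lastValid || !currentValid)
                {
                    // lastPointer is always the element immediately before iter,
                    // so std::prev(iter) addresses it when it is the bad one.
                    iatPointers.erase(lastValid ? iter : std::prev(iter));
                    erased = true;
                    break;
                }
            }
            lastPointer = *iter;
        }
    }
}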
Example #3
// Trims a sorted set of candidate IAT pointers to a plausible contiguous run.
//
// Pass 1 starts in the middle of the set and walks upwards; at the first gap
// wider than maxGap where either neighbour fails isIATPointerValid(), the
// rest of the set (from the current element to the end) is discarded.
//
// Pass 2 rescans from the beginning after every removal and erases the
// pointer that failed validation at a wide gap. It stops once a full scan
// removes nothing or fewer than two pointers remain.
//
// @param iatPointers  sorted candidate set, modified in place.
void IATSearch::filterIATPointersList( std::set<DWORD_PTR> & iatPointers )
{
    // Two or fewer candidates: nothing to filter.
    if (iatPointers.size() <= 2)
    {
        return;
    }

    // Neighbouring IAT slots are normally a pointer-width apart (the original
    // comment cites 4 on 32-bit); a gap above this triggers re-validation.
    const DWORD_PTR maxGap = 0x100;

    // ---- Pass 1: from the middle upwards, cut the tail at the first bad gap.
    std::set<DWORD_PTR>::iterator cursor = iatPointers.begin();
    std::advance(cursor, iatPointers.size() / 2); // start in the middle, important!
    DWORD_PTR previous = *cursor;

    for (++cursor; cursor != iatPointers.end(); ++cursor)
    {
        const DWORD_PTR current = *cursor;
        if ((current - previous) > maxGap)
        {
            if (!isIATPointerValid(previous, false) || !isIATPointerValid(current, false))
            {
                iatPointers.erase(cursor, iatPointers.end());
                break;
            }
        }
        previous = current;
    }

    if (iatPointers.empty()) {
        return;
    }

    // ---- Pass 2: delete bad code pointers one at a time, rescanning after each.
    bool removedOne = true;
    while (removedOne && iatPointers.size() > 1)
    {
        removedOne = false;

        std::set<DWORD_PTR>::iterator scan = iatPointers.begin();
        DWORD_PTR prev = *scan;

        for (++scan; scan != iatPointers.end(); ++scan)
        {
            const DWORD_PTR cur = *scan;
            if ((cur - prev) > maxGap)
            {
                // Both checks run unconditionally, as in the original.
                const bool prevOk = isIATPointerValid(prev, false);
                const bool curOk = isIATPointerValid(cur, false);
                if (!prevOk || !curOk)
                {
                    // prev is always the element directly before scan, so
                    // std::prev(scan) addresses it when it is the invalid one.
                    iatPointers.erase(prevOk ? scan : std::prev(scan));
                    removedOne = true;
                    break;
                }
            }
            prev = cur;
        }
    }
}