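/* ================== GetCallerAddr ================== */
/*
 * GetCallerAddr: given the frame pointer (_ebp) of an x86 stack frame, return
 * the address of the function that owns the *caller's* frame, or 0.
 *
 * Frame layout relied on (x86 with frame pointers, same as the original
 * inline assembly):
 *     [ebp]   -> saved ebp of the caller (0 at the outermost frame)
 *     [ebp+4] -> return address into the caller
 * The return address lands in the middle of the caller, so it is handed to
 * GetFuncAddr(), which presumably maps it back to the function start
 * (its contract is not visible here -- confirm against its definition).
 *
 * Returns 0 when the chain ends (saved ebp or return address is 0) and also
 * when _ebp itself is 0; the original __asm version dereferenced _ebp
 * without that check, so feeding it the saved-ebp of the outermost frame
 * would fault.
 *
 * @param _ebp  frame pointer value as a 32-bit long (x86 only; MSVC __asm,
 *              which the original used, is itself x86-only).
 */
address_t GetCallerAddr( long _ebp )
{
    long res = 0;
    const long *frame = (const long *)_ebp;

    if (frame == 0) {
        return res;               /* nothing to walk */
    }
    /* frame[0] == [ebp]: saved ebp; zero marks the end of the frame chain */
    if (frame[0] == 0) {
        return res;
    }
    /* frame[1] == [ebp+4]: return address; zero means no caller to resolve */
    long midPtPtr = frame[1];
    if (midPtPtr == 0) {
        return res;
    }
    res = GetFuncAddr( midPtPtr );
    return res;
}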
/*
 * winio_init: bring up the WinIo layer in three ordered steps -- load the
 * library (LoadLib), resolve entry points (GetFuncAddr -- presumably fills in
 * pInitializeWinIo and friends; confirm), then call pInitializeWinIo().
 *
 * Returns 0 on success, otherwise the 1-based number of the step that failed
 * (1 = LoadLib, 2 = GetFuncAddr, 3 = pInitializeWinIo).  On failure one
 * diagnostic line is printed to stdout and the later steps are not attempted.
 * NOTE(review): diagnostics go to stdout, not stderr -- callers that capture
 * stdout will see them mixed into normal output.
 */
int winio_init()
{
    const char *why = 0;
    int failed_step = 0;

    if (LoadLib() != 0) {
        failed_step = 1;
        why = "Failed to load library.\n";
    } else if (GetFuncAddr() != 0) {
        failed_step = 2;
        why = "Failed to get function address.\n";
    } else if (!pInitializeWinIo()) {
        failed_step = 3;
        why = "Failed to initialize WinIo.\n";
    }

    if (failed_step != 0) {
        printf("%s", why);   /* fixed format string; text is unchanged */
    }
    return failed_step;
}
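/*
 * R3ApiIATScanModule
 *
 * Walk the import directory of an already-loaded module (mod.hModule is the
 * image base) and record, for every imported DLL that FilterModule() accepts,
 * each by-name import: the function name, the address of its IAT slot
 * (m_AddrRVA -- despite the name this is a VA), the value currently stored in
 * that slot (m_AddrImport) and whatever GetFuncAddr(dll, name) returns
 * (m_AddrRaw -- presumably the export's genuine address, so that a caller can
 * compare the two and notice redirected IAT entries; confirm against
 * GetFuncAddr).  Imports by ordinal carry no name and are not recorded, as
 * in the original.
 *
 * The headers are read straight out of the mapped image.  Before any RVA is
 * followed, the DOS and NT signatures and the import-directory bounds are
 * checked so that a module with damaged headers cannot steer the pointer
 * arithmetic below.  RVAs inside the directory (Name, thunk arrays,
 * AddressOfData) are still not bounds-checked against SizeOfImage --
 * TODO(review) if modules outside the scanner's trust boundary can be fed in.
 *
 * @param mod     Module to scan.  The whole structure is copied into the
 *                result; only hModule is read here.
 * @param output  Receives one ModuleDllImportTable for the module.  Nothing is
 *                appended when the module has no import directory (the
 *                original returned early there too) or fails header checks.
 */
void R3ApiIATScanModule(MODULEENTRY32& mod, ExeModuleImportTables& output)
{
    ModuleDllImportTable moduleTable;
    memcpy(&moduleTable.m_Module, &mod, sizeof(mod));

    HMODULE hMod = moduleTable.m_Module.hModule;
    BYTE *base = (BYTE *)hMod;

    // Header sanity: only a mapped PE image may be parsed further.
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    if (hMod == NULL ||
        pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ||
        pDosHeader->e_lfanew < 0) {
        return;
    }
    PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
    if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return;
    }
    PIMAGE_OPTIONAL_HEADER pOptHeader = &pNTHeaders->OptionalHeader;
    const IMAGE_DATA_DIRECTORY &importDir =
        pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];

    // No imports at all: nothing to record.
    if (importDir.Size == 0) {
        return;
    }
    // The import directory itself must lie inside the mapped image
    // (written so the addition cannot wrap).
    if (importDir.VirtualAddress > pOptHeader->SizeOfImage ||
        importDir.Size > pOptHeader->SizeOfImage - importDir.VirtualAddress) {
        return;
    }

    IMAGE_IMPORT_DESCRIPTOR nullDescriptor;
    memset(&nullDescriptor, 0, sizeof(nullDescriptor));

    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        (PIMAGE_IMPORT_DESCRIPTOR)(base + importDir.VirtualAddress);

    // The descriptor array is terminated by an all-zero entry.
    for (; memcmp(pImportDescriptor, &nullDescriptor, sizeof(nullDescriptor)) != 0;
         ++pImportDescriptor) {
        if (pImportDescriptor->Name == 0) {
            continue;   // no DLL name: base + 0 would be the DOS header, not a string
        }
        char *dllname = (char *)(base + pImportDescriptor->Name);
        if (!FilterModule(dllname)) {
            continue;
        }

        DllImportTable dllImportTable;
        dllImportTable.m_DllName            = dllname;
        dllImportTable.m_TimeDateStamp      = pImportDescriptor->TimeDateStamp;
        dllImportTable.m_ForwarderChain     = pImportDescriptor->ForwarderChain;
        dllImportTable.m_DescriptorAddr     = (unsigned long)pImportDescriptor;
        dllImportTable.m_OriginalFirstThunk = pImportDescriptor->OriginalFirstThunk;
        dllImportTable.m_FirstThunk         = pImportDescriptor->FirstThunk;

        // FirstThunk is the IAT (overwritten by the loader with resolved
        // addresses); OriginalFirstThunk is the import name table the names
        // are read from.  Some linkers emit images with OriginalFirstThunk == 0;
        // the original code then treated the DOS header at base + 0 as a thunk
        // array.  Names are not recoverable in that case, so the DLL is recorded
        // with an empty function list instead.
        if (pImportDescriptor->OriginalFirstThunk != 0 &&
            pImportDescriptor->FirstThunk != 0) {
            PIMAGE_THUNK_DATA pThunkDataOrig =
                (PIMAGE_THUNK_DATA)(base + pImportDescriptor->OriginalFirstThunk);
            PIMAGE_THUNK_DATA pThunkData =
                (PIMAGE_THUNK_DATA)(base + pImportDescriptor->FirstThunk);

            // The two arrays are parallel and zero-terminated (IMAGE_THUNK_DATA is
            // a single union, so "all bytes zero" is u1.AddressOfData == 0).  Stop
            // at the first terminator in either so a short name table cannot let
            // the walk run past its end.
            for (; pThunkData->u1.AddressOfData != 0 &&
                   pThunkDataOrig->u1.AddressOfData != 0;
                 ++pThunkData, ++pThunkDataOrig) {
                // Ordinal imports have no IMAGE_IMPORT_BY_NAME to read.
                if ((pThunkDataOrig->u1.Ordinal & IMAGE_ORDINAL_FLAG) == IMAGE_ORDINAL_FLAG) {
                    continue;
                }
                PIMAGE_IMPORT_BY_NAME pImportByName =
                    (PIMAGE_IMPORT_BY_NAME)(base + pThunkDataOrig->u1.AddressOfData);
                char *funname = (char *)&pImportByName->Name[0];

                ImportFunc funcInfo;
                funcInfo.m_FuncName   = funname;
                funcInfo.m_NameRVA    = (unsigned long)funname;              // a VA, as in the original
                funcInfo.m_AddrImport = (unsigned long)pThunkData->u1.Function; // value now in the IAT slot
                funcInfo.m_AddrRVA    = (unsigned long)pThunkData;           // address of the IAT slot (a VA)
                funcInfo.m_AddrRaw    = GetFuncAddr(dllname, funname);
                dllImportTable.m_ImportFuncs.push_back(funcInfo);
            }
        }
        moduleTable.m_IAT.push_back(dllImportTable);
    }
    output.push_back(moduleTable);
}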