void Win32DllLoader::OverrideImports(const std::string &dll) { std::wstring strdllW; g_charsetConverter.utf8ToW(CSpecialProtocol::TranslatePath(dll), strdllW, false); BYTE* image_base = (BYTE*)GetModuleHandleW(strdllW.c_str()); if (!image_base) { CLog::Log(LOGERROR, "%s - unable to GetModuleHandle for dll %s", __FUNCTION__, dll.c_str()); return; } PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_base; PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base + dos_header->e_lfanew); // e_lfanew = value at 0x3c PIMAGE_IMPORT_DESCRIPTOR imp_desc = (PIMAGE_IMPORT_DESCRIPTOR)( image_base + nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); if (!imp_desc) { CLog::Log(LOGERROR, "%s - unable to get import directory for dll %s", __FUNCTION__, dll.c_str()); return; } // loop over all imported dlls for (int i = 0; imp_desc[i].Characteristics != 0; i++) { char *dllName = (char*)(image_base + imp_desc[i].Name); // check whether this is one of our dll's. if (NeedsHooking(dllName)) { // this will do a loadlibrary on it, which should effectively make sure that it's hooked // Note that the library has obviously already been loaded by the OS (as it's implicitly linked) // so all this will do is insert our hook and make sure our DllLoaderContainer knows about it HMODULE hModule = dllLoadLibraryA(dllName); if (hModule) m_referencedDlls.push_back(hModule); } PIMAGE_THUNK_DATA orig_first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].OriginalFirstThunk); PIMAGE_THUNK_DATA first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].FirstThunk); // and then loop over all imported functions for (int j = 0; orig_first_thunk[j].u1.Function != 0; j++) { void *fixup = NULL; if (orig_first_thunk[j].u1.Function & 0x80000000) ResolveOrdinal(dllName, (orig_first_thunk[j].u1.Ordinal & 0x7fffffff), &fixup); else { // resolve by name PIMAGE_IMPORT_BY_NAME orig_imports_by_name = (PIMAGE_IMPORT_BY_NAME)( image_base + orig_first_thunk[j].u1.AddressOfData); ResolveImport(dllName, (char*)orig_imports_by_name->Name, &fixup); }/* if (!fixup) { // create a dummy function for tracking purposes PIMAGE_IMPORT_BY_NAME orig_imports_by_name = (PIMAGE_IMPORT_BY_NAME)( image_base + orig_first_thunk[j].u1.AddressOfData); fixup = CreateDummyFunction(dllName, (char*)orig_imports_by_name->Name); }*/ if (fixup) { // save the old function Import import; import.table = &first_thunk[j].u1.Function; import.function = first_thunk[j].u1.Function; m_overriddenImports.push_back(import); DWORD old_prot = 0; // change to protection settings so we can write to memory area VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, PAGE_EXECUTE_READWRITE, &old_prot); // patch the address of function to point to our overridden version first_thunk[j].u1.Function = (DWORD)fixup; // reset to old settings VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, old_prot, &old_prot); } } } }
int DllLoader::ResolveImports(void) { int bResult = 1; if ( NumOfDirectories >= 2 && Directory[IMPORT_TABLE].Size > 0 ) { ImportDirTable = (ImportDirTable_t*)RVA2Data(Directory[IMPORT_TABLE].RVA); #ifdef DUMPING_DATA PrintImportTable(ImportDirTable); #endif ImportDirTable_t *Imp = ImportDirTable; while ( Imp->ImportLookupTable_RVA != 0 || Imp->TimeStamp != 0 || Imp->ForwarderChain != 0 || Imp->Name_RVA != 0 || Imp->ImportAddressTable_RVA != 0) { const char *Name = (const char*)RVA2Data(Imp->Name_RVA); const char* FileName=ResolveReferencedDll(Name); // If possible use the dll name WITH path to resolve exports. We could have loaded // a dll with the same name as another dll but from a different directory if (FileName) Name=FileName; unsigned long *Table = (unsigned long*)RVA2Data(Imp->ImportLookupTable_RVA); unsigned long *Addr = (unsigned long*)RVA2Data(Imp->ImportAddressTable_RVA); while (*Table) { if (*Table & 0x80000000) { void *Fixup; if ( !ResolveOrdinal(Name, *Table&0x7ffffff, &Fixup) ) { bResult = 0; char szBuf[128]; CLog::Log(LOGDEBUG,"Unable to resolve ordinal %s %lu\n", Name, *Table&0x7ffffff); sprintf(szBuf, "%lu", *Table&0x7ffffff); *Addr = create_dummy_function(Name, szBuf); tracker_dll_data_track(this, *Addr); } else { *Addr = (unsigned long)Fixup; //woohoo!! } } else { // We don't handle Hint/Name tables yet!!! char *ImpName = (char*)RVA2Data(*Table + 2); void *Fixup; if ( !ResolveName(Name, ImpName, &Fixup) ) { *Addr=get_win_function_address(Name, ImpName); if(!*Addr) { CLog::Log(LOGDEBUG,"Unable to resolve %s %s\n", Name, ImpName); *Addr = create_dummy_function(Name, ImpName); tracker_dll_data_track(this, *Addr); bResult = 0; } } else { *Addr = (unsigned long)Fixup; } } Table++; Addr++; } Imp++; } } return bResult; }