/*
 * Resolve one import directory entry of a mapped PE image in place.
 *
 * Walks the lookup table (OriginalFirstThunk) up to its zero terminator and
 * writes the address that get_export() returns for each named symbol into the
 * matching slot of the address table (FirstThunk). Ordinal imports are
 * rejected as soon as one is met.
 *
 * image:  base of the mapped image; every RVA is resolved relative to it.
 * dirent: the import descriptor being processed.
 * dll:    name of the imported module, used for diagnostics only.
 *
 * Returns 0 when every symbol was resolved, -1 otherwise. An unknown symbol is
 * logged, its slot is left untouched and the walk continues so that every
 * missing name gets reported; an ordinal import stops the walk at once.
 *
 * NOTE(review): the thunk RVAs and the name RVAs are taken from the image and
 * are not checked against the image size here, so a malformed image is not
 * rejected at this level — callers are presumed to have validated it.
 */
static int import(void *image, IMAGE_IMPORT_DESCRIPTOR *dirent, char *dll)
{
	ULONG_PTR *lookup_tbl = RVA2VA(image, dirent->u.OriginalFirstThunk, ULONG_PTR *);
	ULONG_PTR *address_tbl = RVA2VA(image, dirent->FirstThunk, ULONG_PTR *);
	int status = 0;
	int idx;

	for (idx = 0; lookup_tbl[idx] != 0; idx++) {
		ULONG_PTR entry = lookup_tbl[idx];
		char *symname;
		void *adr;

		if (IMAGE_SNAP_BY_ORDINAL(entry)) {
			ERROR("ordinal import not supported: %Lu", (uint64_t)entry);
			return -1;
		}

		/* +2 skips the 16-bit hint that precedes the name in IMAGE_IMPORT_BY_NAME. */
		symname = RVA2VA(image, ((entry & ~IMAGE_ORDINAL_FLAG) + 2), char *);

		adr = get_export(symname);
		if (adr == NULL) {
			ERROR("unknown symbol: %s:'%s'", dll, symname);
			status = -1;
			continue;
		}

		DBGLINKER("found symbol: %s:%s: addr: %p, rva = %Lu", dll, symname, adr, (uint64_t)address_tbl[idx]);
		address_tbl[idx] = (ULONG_PTR)adr;
	}

	return status;
}
//------------------------------------------------------------------------------ static void* get_proc_addr(const char* dll, const char* func_name) { void* base; base = LoadLibraryA(dll); if (base == NULL) { LOG_INFO("Failed to load library '%s'", dll); return NULL; } return get_export(base, func_name); }
//------------------------------------------------------------------------------ int set_hook_trap(const char* dll, const char* func_name, int (*trap)()) { void* base; void* addr; unsigned char to_write; // If there's a debugger attached, we can't use VEH. if (IsDebuggerPresent()) { return trap(); } base = GetModuleHandle(dll); if (base == NULL) { LOG_INFO("Failed to find base for %s.", dll); return 0; } addr = get_export(base, func_name); if (addr == NULL) { LOG_INFO("Unable to resolve address for %s in %s", dll, func_name); return 0; } g_hook_trap = trap; g_hook_trap_addr = addr; g_hook_trap_value = *g_hook_trap_addr; AddVectoredExceptionHandler(1, hook_trap_veh); // Write a HALT instruction to force an exception. to_write = 0xf4; write_vm(g_current_proc, addr, &to_write, sizeof(to_write)); return 1; }
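/*
 * Resolve one import directory entry of a 32-bit PE image in place.
 *
 * Walks the import lookup table up to its zero terminator and writes the
 * address that get_export() returns for each named symbol into the matching
 * slot of the import address table. Ordinal imports (high bit set) are
 * rejected as soon as one is met.
 *
 * image:  base of the mapped image; every RVA is resolved relative to it.
 * dirent: the import directory entry being processed.
 * dll:    name of the imported module, used for diagnostics only.
 *
 * Returns 0 when every symbol was resolved, -1 otherwise. An unresolved symbol
 * is logged and the walk continues; its slot is still overwritten (with NULL),
 * as before. An ordinal import stops the walk at once.
 *
 * NOTE(review): RVAs are taken from the image without a bound check against
 * its size, so a malformed image is not rejected at this level. The final
 * (cu32)adr cast truncates on 64-bit hosts; this loader appears to handle
 * 32-bit images only — confirm.
 */
static int import(void *image, struct coffpe_import_dirent *dirent, char *dll)
{
	cu32 *lookup_tbl, *address_tbl;
	char *symname = 0;
	int i;
	int ret = 0;
	void *adr;

	lookup_tbl = RVA2VA(image, dirent->import_lookup_tbl, cu32 *);
	address_tbl = RVA2VA(image, dirent->import_address_table, cu32 *);

	for (i = 0; lookup_tbl[i]; i++) {
		if (lookup_tbl[i] & 0x80000000) {
			ERROR("ordinal import not supported: %d", (int) lookup_tbl[i]);
			return -1;
		}

		/* +2 skips the 16-bit hint that precedes the name. */
		symname = RVA2VA(image, ((lookup_tbl[i] & 0x7fffffff) + 2), char*);

		adr = get_export(symname);
		if (adr != NULL) {
			DBGTRACE1("found symbol: %s:%s, rva = %08X", dll, symname, (unsigned int)address_tbl[i]);
		} else {
			ERROR("Unknown symbol: %s:%s", dll, symname);
			ret = -1;
		}

		/*
		 * The slot's RVA is the byte distance between two pointers into the
		 * same mapping. Casting each pointer to int separately (the previous
		 * form) truncated both on 64-bit hosts before subtracting.
		 */
		DBGTRACE1("Importing rva %08x: %s : %s",
			  (unsigned int)((char *)&address_tbl[i] - (char *)image), dll, symname);
		address_tbl[i] = (cu32)adr;
	}

	return ret;
}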