Wednesday, December 07, 2005
DEEPDOWN in the SHIT
I thought it might be useful or handy for one or the other; it's part of my driver routine to "GetProcAddress"... a simple lookup via export-table scanning, so it's really nothing special nor optimized.... take it or leave it ;)
example -> ULONG Blub = GetAddress ("NtDeviceIoControlFile",base_of_ntoskrnl);
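/*
 * Look up an export by name in a mapped PE32 image.
 *
 * ApiAscii   - NUL-terminated export name to find (e.g. "NtDeviceIoControlFile").
 * ModuleBase - load address of the image whose export table is scanned.
 *
 * Returns the address of the AddressOfFunctions slot that belongs to the
 * export, i.e. the location holding the export's RVA, not the function's
 * entry point (this is what the original computed as (ordinal*4)+AddressFns).
 * A caller that wants the entry point reads the ULONG stored at the returned
 * address and adds ModuleBase to it.
 * Returns 0 when ApiAscii is NULL, ModuleBase is 0, the DOS/NT signatures do
 * not match, the image has no export directory, the name is not exported, or
 * the name's ordinal points outside AddressOfFunctions.
 *
 * Caveats: PE32 only (RVAs and pointers are ULONG-sized); forwarded exports
 * are returned like any other slot, not resolved; the name/ordinal tables are
 * assumed to be readable (no check against SizeOfImage), so the image must
 * already be fully mapped.
 */
ULONG GetAddress (char * ApiAscii,ULONG ModuleBase)
{
PIMAGE_DOS_HEADER DosHdr;
PIMAGE_NT_HEADERS32 NTHdr;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG ExportRva;
ULONG * NameRvas;
USHORT * NameOrdinals;
BYTE * AddressFns;
ULONG Index;

if (ApiAscii == NULL || ModuleBase == 0)
return 0;

DosHdr = (PIMAGE_DOS_HEADER) ModuleBase;
if (DosHdr->e_magic != IMAGE_DOS_SIGNATURE)
return 0; /* not a PE image at all */

NTHdr = (PIMAGE_NT_HEADERS32) (ModuleBase + DosHdr->e_lfanew);
if (NTHdr->Signature != IMAGE_NT_SIGNATURE)
return 0;

/* The export directory is DataDirectory[0]; the original read the same
 * field through a raw *(ULONG*) of the array start. */
ExportRva = NTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
if (ExportRva == 0)
return 0; /* image exports nothing */

ExportTable = (PIMAGE_EXPORT_DIRECTORY) (ModuleBase + ExportRva);
NameRvas = (ULONG *)(ModuleBase + ExportTable->AddressOfNames);
NameOrdinals = (USHORT *)(ModuleBase + ExportTable->AddressOfNameOrdinals);
AddressFns = (BYTE *)(ModuleBase + ExportTable->AddressOfFunctions);

/* AddressOfNames[i] pairs with AddressOfNameOrdinals[i], and that entry is
 * already the zero-based index into AddressOfFunctions (PE spec: ordinal
 * minus Base). The original read entry i+1 as a 4-byte value and then
 * subtracted 1, which only gives the right slot when ordinals happen to be
 * sequential, and over-reads 2 bytes past the table on the last name. */
for (Index = 0; Index < ExportTable->NumberOfNames; Index++)
{
const char * Name = (const char *)(ModuleBase + NameRvas[Index]);
if (strcmp (ApiAscii, Name) == 0)
{
ULONG FnIndex = NameOrdinals[Index];
if (FnIndex >= ExportTable->NumberOfFunctions)
return 0; /* corrupt table: ordinal outside AddressOfFunctions */
return (ULONG)(AddressFns + FnIndex * sizeof(ULONG));
}
}
return 0;
}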
example -> ULONG Blub = GetAddress ("NtDeviceIoControlFile",base_of_ntoskrnl);
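/*
 * Look up an export by name in a mapped PE32 image.
 *
 * ApiAscii   - NUL-terminated export name to find (e.g. "NtDeviceIoControlFile").
 * ModuleBase - load address of the image whose export table is scanned.
 *
 * Returns the address of the AddressOfFunctions slot that belongs to the
 * export, i.e. the location holding the export's RVA, not the function's
 * entry point (this is what the original computed as (ordinal*4)+AddressFns).
 * A caller that wants the entry point reads the ULONG stored at the returned
 * address and adds ModuleBase to it.
 * Returns 0 when ApiAscii is NULL, ModuleBase is 0, the DOS/NT signatures do
 * not match, the image has no export directory, the name is not exported, or
 * the name's ordinal points outside AddressOfFunctions.
 *
 * Caveats: PE32 only (RVAs and pointers are ULONG-sized); forwarded exports
 * are returned like any other slot, not resolved; the name/ordinal tables are
 * assumed to be readable (no check against SizeOfImage), so the image must
 * already be fully mapped.
 */
ULONG GetAddress (char * ApiAscii,ULONG ModuleBase)
{
PIMAGE_DOS_HEADER DosHdr;
PIMAGE_NT_HEADERS32 NTHdr;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG ExportRva;
ULONG * NameRvas;
USHORT * NameOrdinals;
BYTE * AddressFns;
ULONG Index;

if (ApiAscii == NULL || ModuleBase == 0)
return 0;

DosHdr = (PIMAGE_DOS_HEADER) ModuleBase;
if (DosHdr->e_magic != IMAGE_DOS_SIGNATURE)
return 0; /* not a PE image at all */

NTHdr = (PIMAGE_NT_HEADERS32) (ModuleBase + DosHdr->e_lfanew);
if (NTHdr->Signature != IMAGE_NT_SIGNATURE)
return 0;

/* The export directory is DataDirectory[0]; the original read the same
 * field through a raw *(ULONG*) of the array start. */
ExportRva = NTHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
if (ExportRva == 0)
return 0; /* image exports nothing */

ExportTable = (PIMAGE_EXPORT_DIRECTORY) (ModuleBase + ExportRva);
NameRvas = (ULONG *)(ModuleBase + ExportTable->AddressOfNames);
NameOrdinals = (USHORT *)(ModuleBase + ExportTable->AddressOfNameOrdinals);
AddressFns = (BYTE *)(ModuleBase + ExportTable->AddressOfFunctions);

/* AddressOfNames[i] pairs with AddressOfNameOrdinals[i], and that entry is
 * already the zero-based index into AddressOfFunctions (PE spec: ordinal
 * minus Base). The original read entry i+1 as a 4-byte value and then
 * subtracted 1, which only gives the right slot when ordinals happen to be
 * sequential, and over-reads 2 bytes past the table on the last name. */
for (Index = 0; Index < ExportTable->NumberOfNames; Index++)
{
const char * Name = (const char *)(ModuleBase + NameRvas[Index]);
if (strcmp (ApiAscii, Name) == 0)
{
ULONG FnIndex = NameOrdinals[Index];
if (FnIndex >= ExportTable->NumberOfFunctions)
return 0; /* corrupt table: ordinal outside AddressOfFunctions */
return (ULONG)(AddressFns + FnIndex * sizeof(ULONG));
}
}
return 0;
}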