Ah but Dila, that only works if the Imports.OrigFirstThunk array is valid
Code:
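//-----------------------------------------------------------------------//
// Get Api Name from address .. (Reverse GetProcAddress)
//
// Walks down from ApiAddress one page at a time until a PE image header
// (DOS signature followed by NT signature) is readable, treats that page
// as the module base, and then searches the module's export table for an
// entry whose RVA equals ApiAddress - Base.
//
// Returns 'Module!Name' for a named export, 'Module!#Ordinal' for an
// export that has no name, and 'Error' when no module header or no
// matching export is found (including ApiAddress = 0).
//
// Notes:
//  - Addresses are carried in DWord, so this is written for 32-bit code.
//  - The module is derived from the address itself. For a forwarded export
//    GetProcAddress hands back an address inside the forward target, so
//    the name reported is the target module's export, not necessarily the
//    module/name that was originally requested.
//  - NOTE(review): IsBadReadPtr is documented by Microsoft as obsolete;
//    VirtualQuery would be a sturdier way to probe the pages.
Function GetProcAddressName(Const ApiAddress : DWord) : String;
Var
  I, J,
  ExpRva,                         // Rva of the export directory ..
  Base,                           // Module base address ..
  Rva  : DWord;                   // Rva of Api ..
  FA,                             // Pointer to Functions Array ..
  NA   : PDWord;                  // Pointer to Names Array ..
  OA   : PWord;                   // Pointer to Name Ordinals Array ..
  Exp  : PImageExportDirectory;   // Export Table ..
  Dos  : PImageDosHeader;         // Dos Header ..
  Nt   : PImageNtHeaders;         // Nt Headers ..
Begin
  Result := 'Error';

  // Calc module base address from API address ..
  Base := ApiAddress;
  Repeat
    // Bottom of the address space reached (or a Nil address was passed in):
    // stop instead of letting Dec() wrap around and scan forever.
    If (Base = 0) Then Exit;
    Nt := Nil;
    Dec(Base);
    Base := Base And $FFFFF000; // Align to page size ..
    If (Not IsBadReadPtr(Pointer(Base), 4)) Then Begin
      Dos := Pointer(Base);
      If (Dos^.Magic = IMAGE_DOS_SIGNATURE) Then Nt := Pointer(Base + Dos^.OffsetPE);
    End;
    // Probe the whole NT header, not just the signature, because the data
    // directory is read from it below.
  Until (Not IsBadReadPtr(Nt, SizeOf(Nt^))) And (Nt^.Signature = IMAGE_NT_SIGNATURE);

  // A module without an export table (typical for an EXE) has Rva 0 here;
  // without this check the image header itself would be parsed as exports.
  ExpRva := Nt^.OptionalHeader.DataDirectory[0].Rva;
  If (ExpRva = 0) Then Exit;
  Exp := Pointer(Base + ExpRva);
  If IsBadReadPtr(Exp, SizeOf(Exp^)) Then Exit;

  // Search for the Rva in the Function Array of the export table ..
  Rva := ApiAddress - Base;
  FA := Pointer(Base + Exp^.RvaOfFunctions);
  NA := Pointer(Base + Exp^.RvaOfNames);
  // The names array is parallel to the name-ordinals array (Words holding
  // indexes into the functions array), not to the functions array itself.
  // The record's own field for that table is not visible in this listing,
  // so its Rva is read at the fixed PE offset $24 of the export directory.
  OA := Pointer(Base + PDWord(DWord(Exp) + $24)^);

  I := 0;
  // While (not For .. To Count-1) so that a count of 0 cannot underflow.
  While (I < Exp^.NumberOfFunctions) Do Begin
    If (Rva = FA^) Then Begin
      // Return name or ordinal string ..
      Result := PAnsiChar(Base + Exp^.Name) + '!';
      // Find the name whose ordinal entry refers to function index I ..
      J := 0;
      While (J < Exp^.NumberOfNames) And (OA^ <> I) Do Begin
        Inc(J);
        Inc(OA);
        Inc(NA);
      End;
      If (J < Exp^.NumberOfNames) Then Result := Result + PAnsiChar(Base + NA^)
      Else Result := Result + '#' + IntToStr(Exp^.Base + I);
      Break;
    End;
    Inc(FA);
    Inc(I);
  End;
End;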
Simple usage like this:
Code:
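// Resolve a known export, then map the address back to 'Module!Name'.
// KernelBase is declared outside this snippet - presumably the module
// handle of kernel32.dll; confirm against the surrounding code.
Api := DWord(GetProcAddress(KernelBase, 'HeapCreate'));
// GetProcAddress returns Nil on failure; skip the reverse lookup in that
// case rather than starting the module scan from address 0.
If (Api <> 0) Then MessageBox(0, PChar(GetProcAddressName(Api)), Nil, MB_OK);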
Would show:
Code:
KERNEL32.dll!HeapCreate
Ahmadmansoor: If you want it rewriting in Asm or anything let me know.
Excuse any weird code, it's 6:30 am and I need to sleep

BoB