Get APi from the address

[Nacho_dj]

Wow, a lot of participation in this thread, nice

Anyway, here is second part...


Getting Name of Function and Ordinal value - Part II

We enter this routine with the handle and the name of the module that the handle belongs to.
Let's work with export table of that module.

We compare AddressOfNameOrdinals to AddressOfNames. If they are different, we start a) chapter. Otherwise, go to b) chapter.

a) We first start a loop with NumberOfNames iterations.

Within the loop, we must go through AddressOfOrdinals array. This array is composed only by Words. Each Word performs a 'number of order' in AddressOfFunction array. We take the content in the i-element of the AddresOfOrdinals array.
That content is the number of element in AddressOfFunction array, so we get the value of that component. This comes as RVA.

We compare now:
handle(our input) to RVA content + BaseAddress of the module

If they match:

1. If 'number of order' is not equal to zero, then Ordinal of that handle is:
'number of order'+ nBase(parameter in export table) OR IMAGE_ORDINAL_FLAG32(0x80000000)

2. We go through the AddressOfNameOfFunction array and read the i element. This is an RVA value. Then we read the string at that address and we get the name of the function searched.


b) If 'number of order' is zero (there is no names of functions, just ordinals), we start a loop with NumberOfFunction iterations.

For every element in the array of AddressOfFunction, we compare:
handle(our input) to value of element(RVA) + BaseAddress of the module.

If they match, ordinal for that handle is:
(i(iteration) + nBase(parameter in export table)) OR IMAGE_ORDINAL_FLAG32(0x80000000)


To be continued (solving forwarded functions)...