Get APi from the address

[Jay]

Quote:

Originally Posted by V0ldemAr

My implementation in CPP

neat V0ldemAr, never thought of that.
cheers.

[Nacho_dj]

Wow, a lot of participation in this thread, nice

Anyway, here is second part...


Getting Name of Function and Ordinal value - Part II

We enter this routine with the handle and the name of the module that the handle belongs to.
Let's work with export table of that module.

We compare AddressOfNameOrdinals to AddressOfNames. If they are different, we start a) chapter. Otherwise, go to b) chapter.

a) We first start a loop with NumberOfNames iterations.

Within the loop, we must go through AddressOfOrdinals array. This array is composed only by Words. Each Word performs a 'number of order' in AddressOfFunction array. We take the content in the i-element of the AddresOfOrdinals array.
That content is the number of element in AddressOfFunction array, so we get the value of that component. This comes as RVA.

We compare now:
handle(our input) to RVA content + BaseAddress of the module

If they match:

1. If 'number of order' is not equal to zero, then Ordinal of that handle is:
'number of order'+ nBase(parameter in export table) OR IMAGE_ORDINAL_FLAG32(0x80000000)

2. We go through the AddressOfNameOfFunction array and read the i element. This is an RVA value. Then we read the string at that address and we get the name of the function searched.


b) If 'number of order' is zero (there is no names of functions, just ordinals), we start a loop with NumberOfFunction iterations.

For every element in the array of AddressOfFunction, we compare:
handle(our input) to value of element(RVA) + BaseAddress of the module.

If they match, ordinal for that handle is:
(i(iteration) + nBase(parameter in export table)) OR IMAGE_ORDINAL_FLAG32(0x80000000)


To be continued (solving forwarded functions)...

Some tips:

1) Don't forget about forwarded exports ( they point inside of export table )
2) There may be more than one function with same RVA
Examples:
SetHandleCount = LockResource
NtOpenFile = ZwOpenFile
3) Optimization, need to build lookup tables with name of functions and need to sort table with RVA then simply apply binary search by rva but be aware if you sort rva's standard CRT binary search won't return you pointer to the first function( in other words if you have 3 functions with same rva bsearch may return to you any 1 of 3) so you will need to find first and last by going backward and forward increasing pointer in table.

Good luck.

[ahmadmansoor]

@V0ldemAr and Bob and Nacho_dj's : thanks for nice code .
@V0ldemAr : can u modify ur function so it could accept another parameter

Quote:

GetApiNameFromAddress( LPVOID address , PID of the process )

PID of the process which I could attach it or debug it .

Thanks in adv

[dila]

Hmm, I suspect Bob's IsValidPtr loop would be way to slow for me. I should make some notes of the things V0ldemAr mentioned (two api's with the same address is a major one).

It seems one of the main differences between all these techniques is whether they depend on runtime API's. I was really only interested in static analysis.

[BoB]

The only Api I used is in the loop to check for imagebase, in fact it's not really needed at all unless you somehow miss the real imagebase address. Originally I had Imagebase as a separate param, using no Apis, but Ahmadmansoor wanted just one input

Quote:

Originally Posted by ahmadmansoor

@V0ldemAr : can u modify ur function so it could accept another parameter
PID of the process which I could attach it or debug it .

This is quite hard because code was used in dll that is in same process that i want to inspect so i dont need to call ReadProcessMemory etc., so everything goes in same address space of process, since it's fastest way and easier to work with memory of target process.