#1
how to get the address of the entry point in an API
I read the Microsoft docs about PE and tried to understand how to get the address of the entry point of an API, but I still don't get it. I know how to get each imported DLL and the imported functions for each DLL, but I don't know how to get the [xxxx] address from the `jmp dword ptr [xxxx]` that is used to call an imported function.
Can someone enlighten me... I know only the RVAs to the names of the functions // Get a pointer to the found module's import address table (IAT) // =====IMAGE_THUNK_DATA *pThunk; pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk); //This is what i was talkin about earlier... //In pThunk, if it was image loaded in memory, you'll get the address to //entry point of functions //but in a disk file, It's a function name
#2
I think what you want is: LoadLibrary your DLL and then GetProcAddress the API you want. It will return the entry point of the API. Check an API help file or search for these two functions.
#3
Hello:
Just spend a little time reading these tutorials; I'm sure you will find your answer there: http://spiff.tripnet.se/~iczelion/tutorials.html On that site, go to "PE tutorials", and there, "Import table" and "Export table". You can find some tools to test everything these tutorials teach you. Good luck! Nacho_dj
#4
Look at this code. It is part of a program
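which takes ntdll.dll(on disk file) and generates something like this
/*w2k3callx.h*/
MagicFoo (NtAcceptConnectPort, 24) //0
MagicFoo (NtAccessCheck, 32) //1
MagicFoo (NtAccessCheckAndAuditAlarm, 44) //2
MagicFoo (NtAccessCheckByType, 44) //3
MagicFoo (NtAccessCheckByTypeAndAuditAlarm, 64) //4
MagicFoo (NtAccessCheckByTypeResultList, 44) //5
MagicFoo (NtAccessCheckByTypeResultListAndAuditAlarm, 64) //6
MagicFoo (NtAccessCheckByTypeResultListAndAuditAlarmByHandle, 68) //7
MagicFoo (NtAddAtom, 12) //8
....
#####################################
...
// Offset of an RVA from the start of the section that holds it.
// Parenthesised so the expansion is safe inside any expression.
#define MAKESECTVA(rva,sectva) ((DWORD)(rva)-(DWORD)(sectva))
// File offset of an RVA, given the section's PointerToRawData and VirtualAddress.
#define MAKERAW(rva,sraw,setcva) ((DWORD)(sraw)+MAKESECTVA(rva,setcva))
...
// Section whose virtual range [VirtualAddress, VirtualAddress + VirtualSize) holds `rva`,
// or NULL when none does. The end is computed in 64 bits so a hostile header cannot wrap it.
static const IMAGE_SECTION_HEADER *find_section(const IMAGE_SECTION_HEADER *sects, int nsect, DWORD rva)
{
    for (int i = 0; i < nsect; i++) {
        const IMAGE_SECTION_HEADER *s = &sects[i];
        unsigned long long end = (unsigned long long)s->VirtualAddress + s->Misc.VirtualSize;
        if (s->VirtualAddress <= rva && rva < end)
            return s;
    }
    return NULL;
}

// Maps `rva` of the on-disk image to a file offset. On success stores the offset in
// `*off` and, in `*avail`, how many raw bytes of that section remain from there.
// Disk reads are bounded by SizeOfRawData: bytes past it exist only as zero fill in memory.
static bool rva_to_raw(const IMAGE_SECTION_HEADER *sects, int nsect, DWORD rva,
                       long *off, unsigned long long *avail)
{
    const IMAGE_SECTION_HEADER *s = find_section(sects, nsect, rva);
    if (!s)
        return false;
    unsigned long long delta = (unsigned long long)rva - s->VirtualAddress;
    if (delta >= s->SizeOfRawData)
        return false;
    *off = (long)MAKERAW(rva, s->PointerToRawData, s->VirtualAddress);
    *avail = s->SizeOfRawData - delta;
    return true;
}

// Reads exactly `len` bytes at file offset `off` into `dst`; false on a bad seek or a short read.
static bool read_at(FILE *f, long off, void *dst, size_t len)
{
    if (off < 0 || fseek(f, off, SEEK_SET) != 0)
        return false;
    return fread(dst, 1, len, f) == len;
}

// Reads exactly `len` bytes that start at virtual address `rva`. False when the range is
// not wholly inside the raw data of one section or when the read comes up short.
static bool read_rva(FILE *f, const IMAGE_SECTION_HEADER *sects, int nsect, DWORD rva,
                     void *dst, unsigned long long len)
{
    long off;
    unsigned long long avail;
    if (!rva_to_raw(sects, nsect, rva, &off, &avail) || len > avail)
        return false;
    return read_at(f, off, dst, (size_t)len);
}

/// Parses the export table of the on-disk PE32 image `dllname`. For every exported
/// name that `used->find` reports as wanted, the first 15 bytes of the function body
/// are read and decoded as the x86 service stub `mov eax, imm32 ... ret imm16`
/// into (service number, argument bytes); decoded stubs go to `used->output`,
/// anything that does not match goes to `used->outputAlarm` with ret_size 0x666.
/// Returns nothing; diagnostics are printed only when INFORMATE is defined.
/// The file is untrusted input: every header field is bounds-checked before it is
/// used as a size, count or index, and every read is checked for truncation.
void Export :: processdll(std::string dllname)
{
    FILE *f_dll = fopen(dllname.c_str(), "rb");
    if (!f_dll) {
#ifdef INFORMATE
        printf("\nERROR:File access error - %s", dllname.c_str());
#endif
        return;
    }

    // All heap buffers are declared here and released on the single exit below,
    // so that no early `break` out of the do-block can leak one.
    char *sectdata = NULL;
    char *exportData = NULL;
    PDWORD address_t = NULL;
    PDWORD name_t = NULL;
    unsigned short *ordinal_t = NULL;

    do {
        IMAGE_DOS_HEADER ddh;
        IMAGE_NT_HEADERS32 hdr2;
        // A truncated header or a bogus e_lfanew must never be dereferenced, so both
        // reads are checked and the signatures verified. Only PE32 is handled here:
        // IMAGE_NT_HEADERS32 would misread a PE32+ optional header.
        if (!read_at(f_dll, 0, &ddh, sizeof(ddh)) || ddh.e_magic != 0x5A4D /* "MZ" */
            || !read_at(f_dll, ddh.e_lfanew, &hdr2, sizeof(hdr2))
            || hdr2.Signature != 0x00004550 /* "PE\0\0" */
            || hdr2.OptionalHeader.Magic != 0x10B /* PE32 */
            || hdr2.FileHeader.NumberOfSections == 0) {
#ifdef INFORMATE
            printf("\nERROR:Not a PE32 image - %s", dllname.c_str());
#endif
            break;
        }

        // DataDirectory[0] is the export directory.
        const DWORD exportVA = hdr2.OptionalHeader.DataDirectory[0].VirtualAddress;
        const DWORD exportSize = hdr2.OptionalHeader.DataDirectory[0].Size;
#ifdef INFORMATE
        printf("\n\tINFO:export va=%x(hex) ", exportVA);
        printf("\tsize=%d(decimal)", exportSize);
#endif

        // The section table follows the optional header (what IMAGE_FIRST_SECTION computes),
        // not sizeof(hdr2): a non-standard SizeOfOptionalHeader would otherwise shift every entry.
        const int nsect = hdr2.FileHeader.NumberOfSections;
        const size_t sectBytes = sizeof(IMAGE_SECTION_HEADER) * (size_t)nsect;
        const long sectOff = (long)ddh.e_lfanew + (long)sizeof(hdr2.Signature)
                             + (long)sizeof(hdr2.FileHeader)
                             + (long)hdr2.FileHeader.SizeOfOptionalHeader;
        sectdata = (char *)malloc(sectBytes);
        if (!sectdata || !read_at(f_dll, sectOff, sectdata, sectBytes)) {
#ifdef INFORMATE
            printf("\nERROR:Section table read error - %s", dllname.c_str());
#endif
            break;
        }
        const IMAGE_SECTION_HEADER *sects = (const IMAGE_SECTION_HEADER *)sectdata;

        if (exportSize < sizeof(IMAGE_EXPORT_DIRECTORY)) {
#ifdef INFORMATE
            printf("\nERROR:Export directory too small - %s", dllname.c_str());
#endif
            break;
        }
        exportData = (char *)malloc(exportSize);
        if (!exportData || !read_rva(f_dll, sects, nsect, exportVA, exportData, exportSize)) {
#ifdef INFORMATE
            printf("\nERROR:Section with export data was not found in - %s", dllname.c_str());
#endif
            break;
        }
        const IMAGE_EXPORT_DIRECTORY *pexp = (const IMAGE_EXPORT_DIRECTORY *)exportData;
        const DWORD nfunc = pexp->NumberOfFunctions;
        const DWORD nname = pexp->NumberOfNames;
#ifdef INFORMATE
        printf("\n\tINFO:exports number=%d(decimal)", nfunc);
#endif
        if (nfunc == 0 || nname == 0)
            break;

        // The three tables are read through read_rva, so their counts are implicitly
        // bounded by the raw size of the section that holds them: a huge NumberOfFunctions
        // fails here instead of driving a huge malloc and a short read.
        const unsigned long long addrBytes = (unsigned long long)nfunc * sizeof(DWORD);
        const unsigned long long nameBytes = (unsigned long long)nname * sizeof(DWORD);
        const unsigned long long ordBytes = (unsigned long long)nname * sizeof(unsigned short);
        address_t = (PDWORD)malloc((size_t)addrBytes);
        name_t = (PDWORD)malloc((size_t)nameBytes);
        ordinal_t = (unsigned short *)malloc((size_t)ordBytes);
        if (!address_t || !name_t || !ordinal_t
            || !read_rva(f_dll, sects, nsect, pexp->AddressOfFunctions, address_t, addrBytes)
            || !read_rva(f_dll, sects, nsect, pexp->AddressOfNames, name_t, nameBytes)
            || !read_rva(f_dll, sects, nsect, pexp->AddressOfNameOrdinals, ordinal_t, ordBytes)) {
#ifdef INFORMATE
            printf("\nERROR:Export tables could not be read - %s", dllname.c_str());
#endif
            break;
        }

        // AddressOfNames and AddressOfNameOrdinals have NumberOfNames entries, so the walk
        // is bounded by that count, not by NumberOfFunctions.
        for (DWORD i = 0; i < nname; i++) {
            char funcname[1024];
            long nameOff;
            unsigned long long avail;
            if (!rva_to_raw(sects, nsect, name_t[i], &nameOff, &avail))
                continue;
            // Read at most what the section holds and always NUL-terminate, so a name
            // without a terminator in the file cannot run past the buffer.
            size_t want = sizeof(funcname) - 1;
            if (avail < want)
                want = (size_t)avail;
            if (fseek(f_dll, nameOff, SEEK_SET) != 0)
                continue;
            size_t got = fread(funcname, 1, want, f_dll);
            funcname[got] = '\0';

            if (!used->find(dllname, funcname))
                continue;
            printf("\n\tFound %s", funcname);

            // On disk the name-ordinal entries are raw 0-based indexes into
            // AddressOfFunctions (OrdinalBase is not added), so index directly —
            // after checking the file did not point outside the table.
            DWORD ordinal = ordinal_t[i];
            if (ordinal >= nfunc) {
                used->outputAlarm(dllname, funcname, 0, 0x666);
                continue;
            }
            DWORD funcRVA = address_t[ordinal];

            // A function RVA inside the export directory is a forwarder string
            // ("DLL.Name"), not code: there is no stub to decode.
            if (funcRVA >= exportVA && funcRVA < (unsigned long long)exportVA + exportSize) {
                used->outputAlarm(dllname, funcname, 0, 0x666);
                continue;
            }

            unsigned char funcdata[15];
            if (!read_rva(f_dll, sects, nsect, funcRVA, funcdata, sizeof(funcdata))) {
#ifdef INFORMATE
                printf("\nERROR:Section with function was not found in - %s", dllname.c_str());
#endif
                continue;
            }
            printf("\n\t");

            // funcdata holds the first 15 bytes at the function's RVA. The layout this
            // code expects is the 32-bit service stub of that OS generation:
            //   [0]      B8 imm32   mov eax, <service number>   -> imm32 at [1..4]
            //   [5..11]  load of the dispatcher pointer and the call through it
            //   [0xc]    C2 imm16   ret <argument bytes>        -> imm16 at [13..14]
            //            or C3      ret (no arguments)
            // The mov opcode and the ret opcode are both verified; anything else is
            // reported through outputAlarm with 0x666 as the ret_size sentinel.
            DWORD api_num = 0;
            memcpy(&api_num, &funcdata[1], sizeof(api_num));   // unaligned-safe read
            DWORD ret_size = 0x666;
            if (funcdata[0] == (unsigned char)0xB8) {
                if (funcdata[0xc] == (unsigned char)0xC2) {
                    unsigned short argBytes;
                    memcpy(&argBytes, &funcdata[13], sizeof(argBytes));
                    ret_size = argBytes;
                } else if (funcdata[0xc] == (unsigned char)0xC3) {
                    ret_size = 0;
                }
            }
            if (ret_size != 0x666)
                used->output(dllname, funcname, api_num, ret_size);
            else
                used->outputAlarm(dllname, funcname, api_num, ret_size);
        }
    } while (0);

    // free(NULL) is a no-op, so buffers that were never allocated are fine here.
    free(ordinal_t);
    free(name_t);
    free(address_t);
    free(exportData);
    free(sectdata);
    fclose(f_dll);
}
Last edited by oxagen; 08-24-2005 at 08:14.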
#5
When the program is executed, it looks for the IAT, which contains the addresses of the names of the APIs to be imported; then the DLLs are loaded with LoadLibrary and the addresses of the APIs are replaced with the result of GetProcAddress.
#6
Nice source code... can you share where you found it??
bye nEO
#7
Quote:
I wrote it some time ago. I wanted to port strace to w2k3.