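crypto Posted October 3, 2009 This is a code snippet from a tutorial I was reading. It walks the import table of a module and overwrites one IAT entry (it is an IAT hook, not just a reader).
// Globals:
typedef void (WINAPI *ProcessEvent_typedef)(class UFunction*, void*, void*);
ProcessEvent_typedef orgProcessEvent;   // value the patched IAT slot held before the hook (the real ProcessEvent)

// IAT MAJIC
//
// Redirect one import of Engine.dll: locate the import descriptor for
// strDllName in Engine.dll's import directory, then the thunk whose
// import-by-name entry matches strFunctionName, and overwrite that IAT slot
// with newFuncAddy. The previous slot value is saved in orgProcessEvent so the
// hook can call through to the original.
//
// strDllName       DLL name as it appears in the import descriptor
//                  (compared case-insensitively, like the loader does)
// strFunctionName  import name as it appears in the import-by-name entry
// newFuncAddy      address of the replacement function; the caller passes
//                  (DWORD)&fn, so this only covers a 32-bit build
//
// Returns silently without patching when Engine.dll is not loaded, has no
// import directory or no INT, does not import strDllName, imports the symbol
// only by ordinal / not at all, or when the IAT page cannot be made writable.
//
// Things a hook author should keep in mind:
//  - Only Engine.dll's IAT is patched. Calls made from other modules, or
//    resolved through GetProcAddress, are not redirected.
//  - After the write the slot no longer points into strDllName's image,
//    which is the usual signal an IAT-integrity check keys on.
//  - orgProcessEvent is overwritten on every successful call; a second call
//    for a different symbol loses the first original pointer.
//  - The original snippet had no terminator on either search loop, so a
//    missing DLL or symbol walked off the end of the tables, and it treated
//    ordinal imports as name RVAs; both are handled below.
void ReDirectFunction(char* strDllName, char* strFunctionName, DWORD newFuncAddy)
{
    HMODULE hEng = GetModuleHandleA("Engine.dll");
    if (!hEng)
        return;

    BYTE* base = reinterpret_cast<BYTE*>(hEng);

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(base);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return;

    PIMAGE_NT_HEADERS pPeHeader =
        reinterpret_cast<PIMAGE_NT_HEADERS>(base + pDosHeader->e_lfanew);
    if (pPeHeader->Signature != IMAGE_NT_SIGNATURE)
        return;

    const IMAGE_DATA_DIRECTORY& importDir =
        pPeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
        return;     // module has no import directory

    // The descriptor table ends with an all-zero entry (Name == 0).
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(base + importDir.VirtualAddress);
    for (; pImportDescriptor->Name != 0; ++pImportDescriptor)
    {
        PSTR strCurrent = reinterpret_cast<PSTR>(base + pImportDescriptor->Name);
        if (stricmp(strCurrent, strDllName) == 0)
            break;
    }
    if (pImportDescriptor->Name == 0)
        return;     // strDllName is not imported by Engine.dll

    // Names are matched through the INT (OriginalFirstThunk). Without one
    // there is nothing to compare against: once loaded, FirstThunk holds
    // resolved addresses, not name RVAs.
    if (pImportDescriptor->OriginalFirstThunk == 0)
        return;

    PIMAGE_THUNK_DATA pdwIAT =
        reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->FirstThunk);
    PIMAGE_THUNK_DATA pdwINT =
        reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->OriginalFirstThunk);

    // INT and IAT are parallel arrays, both terminated by a zero thunk.
    DWORD dwIndex;
    for (dwIndex = 0; pdwINT[dwIndex].u1.AddressOfData != 0; ++dwIndex)
    {
        // An ordinal import has no IMAGE_IMPORT_BY_NAME behind it; treating
        // the ordinal as an RVA (as the original did) dereferences garbage.
        if (IMAGE_SNAP_BY_ORDINAL(pdwINT[dwIndex].u1.Ordinal))
            continue;

        PIMAGE_IMPORT_BY_NAME pImportName =
            reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(base + pdwINT[dwIndex].u1.AddressOfData);
        if (stricmp(reinterpret_cast<PSTR>(pImportName->Name), strFunctionName) == 0)
            break;
    }
    if (pdwINT[dwIndex].u1.AddressOfData == 0)
        return;     // strFunctionName is not imported from strDllName

    // The IAT is normally read-only after the loader has filled it in; a
    // failed VirtualProtect would turn the write below into an access violation.
    DWORD dwBackup = 0;
    if (!VirtualProtect(&pdwIAT[dwIndex], sizeof(pdwIAT[dwIndex]), PAGE_READWRITE, &dwBackup))
        return;

    // The original cast this through an undeclared type (PrEv); the typedef
    // declared above is the one that matches the slot.
    orgProcessEvent = reinterpret_cast<ProcessEvent_typedef>(pdwIAT[dwIndex].u1.Function);
    pdwIAT[dwIndex].u1.Function = static_cast<DWORD_PTR>(newFuncAddy);

    DWORD dwIgnored = 0;
    VirtualProtect(&pdwIAT[dwIndex], sizeof(pdwIAT[dwIndex]), dwBackup, &dwIgnored);
}
called with:
ReDirectFunction("Core.dll", "?ProcessEvent@UObject@@UAEXPAVUFunction@@PAX1@Z", (DWORD)&xProcessEvent);
I was wondering if it is possible to read a .dll's IAT from a currently running process. Here is an example: I'm injecting a DLL which is packed with Themida into a process. It injects fine and then unpacks itself, and I can see all of its functions in memory. I was wondering if there is a way I could pull its IAT out into a display, with VS2008...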
Nacho_dj Posted October 3, 2009 Yes, tools like ImportRebuilder already do that task... Can't you retrieve your DLL's functions with one of those?
crypto (Author) Posted October 3, 2009 > But yes, tools like ImportRebuilder do that task.... Cannot retrieve it your dll functions? Well, I was just wondering how to write a program to do it — more of a learning thing. I'm interested in building a program to do it myself, basically from a new project in VS2008. Is it possible to use the code above for that?
Nacho_dj Posted October 3, 2009 I would search the forum for this item: CreateToolhelp32Snapshot. That way you will probably find a lot of info to start with. Another useful link, the CreateToolhelp32Snapshot function on MSDN: http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx You can also search for that function at http://www.codeproject.com — all that you need is there. Keep in mind that a module snapshot (Module32First/Module32Next) only gives you each module's base address and size in the target process; to walk that module's import directory from outside you still have to read its headers and tables with ReadProcessMemory, which needs a process handle opened with PROCESS_VM_READ. Good luck, Nacho_dj
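atom0s Posted October 4, 2009 Possibly something like this?
//
// IAT Dumper - by atom0s
//
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
#define STRICT          // was _STRICT, which windows.h does not look at; STRICT is the macro that enables distinct handle types
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>

// Print one timestamped line to the console and to the debugger.
//
// lpFormat  printf-style format string; keep it a literal under the caller's
//           control. Text read out of the PE image (import names etc.) must be
//           passed as a %s argument, never as the format itself.
// ...       arguments for lpFormat
//
// Output is "HH:MM:SS | <formatted text>\r\n". The formatted part is truncated
// to the fixed buffer (8 + 3 + up to 1919 + 2 + NUL fits in 2048). Always
// returns S_OK; a failed WriteConsole (e.g. no console attached) is ignored.
//
// The ANSI entry points are used explicitly: the buffers are char, so the
// generic WriteConsole / OutputDebugString / _tcslen of the original would
// mismatch in a UNICODE build.
HRESULT DebugOutput( LPCSTR lpFormat, ... )
{
    char szTimeStamp[ 128 ] = { 0 };
    char szBuffer[ 1920 ] = { 0 };
    char szOutput[ 2048 ] = { 0 };

    va_list vArgs;
    va_start( vArgs, lpFormat );
    _vsnprintf_s( szBuffer, sizeof( szBuffer ), _TRUNCATE, lpFormat, vArgs );
    va_end( vArgs );

    _tzset();
    _strtime_s( szTimeStamp, sizeof( szTimeStamp ) );

    strcpy_s( szOutput, sizeof( szOutput ), szTimeStamp );
    strcat_s( szOutput, sizeof( szOutput ), " | " );
    strcat_s( szOutput, sizeof( szOutput ), szBuffer );
    strcat_s( szOutput, sizeof( szOutput ), "\r\n" );

    DWORD dwWritten = 0;
    WriteConsoleA( GetStdHandle( STD_OUTPUT_HANDLE ), szOutput,
                   static_cast< DWORD >( strlen( szOutput ) ), &dwWritten, NULL );
    OutputDebugStringA( szOutput );
    return S_OK;
}

/*
 * ReadIAT
 *
 * Basic IAT reader, does not do any hooking
 * and dumps info to console window.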
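*
 * Walks the import directory of the main executable of the current process
 * (GetModuleHandle(0)), finds the descriptor for kModule and prints, for each
 * imported symbol, its hint (or ordinal) and name together with the address
 * currently sitting in the matching IAT slot.
 *
 * Always returns 0; all output goes through DebugOutput().
 *
 * Notes for anyone pointing this at a packed module:
 *  - Names come from OriginalFirstThunk (the INT). A descriptor with
 *    OriginalFirstThunk == 0 has no INT; only its IAT slot values are listed.
 *  - Packers such as Themida typically destroy or redirect the INT/IAT, so
 *    the slot values are then the only usable data and have to be mapped back
 *    to module+export (which is what import rebuilders do). This walker does
 *    not attempt that.
 *  - The IAT column is the value an IAT-hook check compares against
 *    GetProcAddress(module, name).
 *  - Every RVA is bounded by SizeOfImage before it is dereferenced, and
 *    ordinal imports are no longer dereferenced as if they were name RVAs.
 *  - The leftover MessageBox( 0, "a", "a", 0 ) debug call was removed.
 */
DWORD ReadIAT( void )
{
    static const char* const kModule = "advapi32.dll";   // descriptor to dump

    BYTE* base = reinterpret_cast< BYTE* >( GetModuleHandle( 0 ) );
    if( base == NULL )
        return 0;

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast< PIMAGE_DOS_HEADER >( base );
    if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0 )
        return 0;

    PIMAGE_NT_HEADERS pNtHeaders =
        reinterpret_cast< PIMAGE_NT_HEADERS >( base + pDosHeader->e_lfanew );
    if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return 0;

    const DWORD sizeOfImage = pNtHeaders->OptionalHeader.SizeOfImage;
    const IMAGE_DATA_DIRECTORY& importDir =
        pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
    if( importDir.VirtualAddress == 0 || importDir.VirtualAddress >= sizeOfImage )
        return 0;   // no import directory, or one that points outside the image

    PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
        reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( base + importDir.VirtualAddress );

    // The descriptor table is terminated by an all-zero entry.
    for( ; pImportDesc->Name != 0; ++pImportDesc )
    {
        if( pImportDesc->Name >= sizeOfImage )
            break;      // corrupt descriptor: stop instead of reading outside the image

        const char* szName = reinterpret_cast< const char* >( base + pImportDesc->Name );
        if( _stricmp( kModule, szName ) != 0 )
            continue;

        DebugOutput( "FOUND MODULE: %s", szName );
        DebugOutput( "==================================" );
        DebugOutput( " Hint | Import Name | IAT value" );
        DebugOutput( "==================================" );

        if( pImportDesc->FirstThunk == 0 || pImportDesc->FirstThunk >= sizeOfImage )
            continue;
        PIMAGE_THUNK_DATA pIat =
            reinterpret_cast< PIMAGE_THUNK_DATA >( base + pImportDesc->FirstThunk );

        // No INT means no names; the slots are still worth listing.
        PIMAGE_THUNK_DATA pInt = NULL;
        if( pImportDesc->OriginalFirstThunk != 0 && pImportDesc->OriginalFirstThunk < sizeOfImage )
            pInt = reinterpret_cast< PIMAGE_THUNK_DATA >( base + pImportDesc->OriginalFirstThunk );

        // INT and IAT are parallel arrays, both terminated by a zero thunk.
        for( DWORD i = 0; pIat[ i ].u1.Function != 0; ++i )
        {
            void* slot = reinterpret_cast< void* >( pIat[ i ].u1.Function );

            if( pInt == NULL )
            {
                DebugOutput( "   ?? | <no INT> | 0x%p", slot );
                continue;
            }
            if( pInt[ i ].u1.AddressOfData == 0 )
                break;

            // Ordinal imports carry no IMAGE_IMPORT_BY_NAME entry.
            if( IMAGE_SNAP_BY_ORDINAL( pInt[ i ].u1.Ordinal ) )
            {
                DebugOutput( "0x%08X | <ordinal> | 0x%p",
                             static_cast< DWORD >( IMAGE_ORDINAL( pInt[ i ].u1.Ordinal ) ), slot );
                continue;
            }
            if( pInt[ i ].u1.AddressOfData >= sizeOfImage )
                break;

            PIMAGE_IMPORT_BY_NAME pImportName =
                reinterpret_cast< PIMAGE_IMPORT_BY_NAME >( base + pInt[ i ].u1.AddressOfData );
            // The name comes from the image, so it is a %s argument, never the format.
            DebugOutput( "0x%08X | %s | 0x%p", pImportName->Hint, pImportName->Name, slot );
        }
    }
    return 0;
}

// DLL entry point: create a console and dump the IAT on attach, release the
// console on detach. Per-thread notifications are switched off since nothing
// here uses them. DllMain runs while the loader holds its lock, so the
// AllocConsole/ReadIAT work here is a known risk (see the author's note
// below); a production loader would move it to a thread started from here.
BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    if( dwReason == DLL_PROCESS_ATTACH )
    {
        DisableThreadLibraryCalls( hModule );
        AllocConsole( );    /* Create output console. */
        ReadIAT( );         /* Read IAT. */
    }
    else if( dwReason == DLL_PROCESS_DETACH )
    {
        FreeConsole( );     /* Free output console. */
    }
    return TRUE;
}
Injected into winmine.exe on a Windows XP Pro machine this yields the following result: [screenshot missing] Please note that the code is set to look for ADVAPI32.dll, and that doing this work inside DllMain is not recommended.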
PEiD shows: [screenshot missing] I simply injected it with Winject; you can write your own loader for it if you wish, or use something else if need be. Hope it helps. Also, sorry for any issues or bugs with it — I'm not a pro with the PE header format, so I am not 100% sure this is fully correct.