Jump to content
Tuts 4 You

Questing about a dll

crypto

By crypto
in Programming and Coding

Recommended Posts

crypto

crypto

Posted
Posted

This is a code snippet from a tutorial I was reading. It reads the IAT of a exe. 

// Globals: 
typedef void (WINAPI *ProcessEvent_typedef)(class UFunction*,void*,void*); 
ProcessEvent_typedef orgProcessEvent; 
// IAT MAJIC 
void ReDirectFunction (char* strDllName, char* strFunctionName, DWORD newFuncAddy) 
{ 
  DWORD                       dwBackup; 
  DWORD                       dwIndex; 
  DWORD                       dwOffset; 
  HMODULE                     hEng; 
  PIMAGE_DATA_DIRECTORY       pDataDirectory; 
  PIMAGE_DOS_HEADER           pDosHeader; 
  PDWORD                      pdwIAT; 
  PDWORD                      pdwINT; 
  PIMAGE_IMPORT_DESCRIPTOR    pImportDescriptor; 
  PIMAGE_IMPORT_BY_NAME       pImportName; 
  PIMAGE_OPTIONAL_HEADER      pOptionalHeader; 
  PIMAGE_NT_HEADERS           pPeHeader; 
  PSTR                        strCurrent;   hEng = GetModuleHandleA("Engine.dll");   if(!hEng) return;   pDosHeader = PIMAGE_DOS_HEADER(hEng); 
  dwOffset = pDosHeader->e_lfanew; 
  pPeHeader = PIMAGE_NT_HEADERS(long(hEng) + dwOffset); 
  pOptionalHeader = &pPeHeader->OptionalHeader; 
  pDataDirectory = pOptionalHeader->DataDirectory; 
  dwOffset = pDataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; 
  pImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR(long(hEng) + dwOffset);   for(dwIndex = 0; true; dwIndex++) 
  { 
    dwOffset = pImportDescriptor[dwIndex].Name; 
    strCurrent = PSTR(long(hEng) + dwOffset); 
        if(stricmp(strCurrent, strDllName) == 0) break; 
  }   dwOffset = pImportDescriptor[dwIndex].FirstThunk; 
  pdwIAT = PDWORD(long(hEng) + dwOffset); 
  dwOffset = pImportDescriptor[dwIndex].OriginalFirstThunk; 
  pdwINT = PDWORD(long(hEng) + dwOffset);   for(dwIndex = 0; true; dwIndex++) 
  { 
    dwOffset = pdwINT[dwIndex]; 
    pImportName = PIMAGE_IMPORT_BY_NAME(long(hEng) + dwOffset); 
    strCurrent = PSTR(pImportName->Name); 
        if(stricmp(strCurrent, strFunctionName) == 0) break; 
  }   VirtualProtect(&pdwIAT[dwIndex], sizeof(DWORD), PAGE_READWRITE, &dwBackup);   orgProcessEvent = (PrEv)pdwIAT[dwIndex];   pdwIAT[dwIndex] = PtrToUlong(newFuncAddy); 
  VirtualProtect(&pdwIAT[dwIndex], sizeof(DWORD), dwBackup, &dwOffset); } 
called with:
ReDirectFunction("Core.dll", "?ProcessEvent@UObject@@UAEXPAVUFunction@@PAX1@Z", (DWORD)&xProcessEvent);

I was wondering if it is possible to read a .dll IAT from a currently running process.

Here is a example. I'm injecting a dll which is packed with themida into a process. It injects fine and then unpacks itself and I can see all of its functions in memory. I was wondering if there is a way I could pull its IAT out into a display? with vs2008...

Nacho_dj

Nacho_dj

Posted
Posted

But yes, tools like ImportRebuilder do that task.... Cannot retrieve it your dll functions?

crypto

crypto

Posted
  • Author
Posted

But yes, tools like ImportRebuilder do that task.... Cannot retrieve it your dll functions?

well i was just wondering how to write a program to do it. more of a learning thing.

i was just interested in building a program to do it.

basically wanted to do it from a new project in vs2008.

Is it possible to use this code above?

Nacho_dj

Nacho_dj

Posted
Posted

I would use search engine for this item in the forum:

CreateToolHelp32SnapShot

Probably you are getting in that way lot of info to start with.

Another useful link.

CreateToolhelp32Snapshot Function by microsoft:

http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx

Even, you can search for that function at:

http://www.codeproject.com

All that you need is there...

Good luck

Nacho_dj

atom0s

atom0s

Posted
Posted

Possibly something like this?


//
// IAT Dumper - by atom0s
//
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
#define _STRICT#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <time.h>
HRESULT DebugOutput( LPCSTR lpFormat, ... )
{
	char szTimeStamp[ 128 ] = { 0 };
	char szBuffer[ 1920 ]	= { 0 };
	char szOutput[ 2048 ]	= { 0 };	va_list vArgs;
	va_start( vArgs, lpFormat );	// Create Timestamp 
	_tzset();
	_strtime_s( szTimeStamp, 128 );	// Format Input String And Arguments
	_vsnprintf_s( szBuffer, 1920, _TRUNCATE, lpFormat, vArgs );	// Create Output String
	strcpy_s( szOutput, 2048, szTimeStamp );
	strcat_s( szOutput, 2048, " | " );
	strcat_s( szOutput, 2048, szBuffer );
	strcat_s( szOutput, 2048, "\r\n" );	DWORD dwWritten = 0;
	WriteConsole( GetStdHandle( STD_OUTPUT_HANDLE ), szOutput, _tcslen( szOutput ), &dwWritten, 0 );
	OutputDebugString( szOutput );	va_end( vArgs );	return S_OK;
}/*
 * ReadIAT
 *
 * Basic IAT reader, does not do any hooking
 * and dumps info to console window.
 *
 */
DWORD ReadIAT( void )
{
	MessageBox( 0, "a", "a", 0 );	TCHAR* tszModule = _T( "advapi32.dll" );	PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast< PIMAGE_DOS_HEADER >( GetModuleHandle( 0 ) );
	if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
		return 0;	PIMAGE_NT_HEADERS pNtHeaders = reinterpret_cast< PIMAGE_NT_HEADERS >( (DWORD)pDosHeader + (DWORD)pDosHeader->e_lfanew );
	if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
		return 0;	PIMAGE_IMPORT_DESCRIPTOR pImportDesc = reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( (DWORD)pDosHeader + (DWORD)pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].VirtualAddress );	while( pImportDesc->Name != 0 )
	{
		if( _tcsicmp( tszModule, PSTR( (DWORD)pDosHeader + pImportDesc->Name ) ) == 0 )
		{
			DebugOutput( "FOUND MODULE: %s", PSTR( (DWORD)pDosHeader + pImportDesc->Name ) );
			DebugOutput( "==================================" );
			DebugOutput( "      Hint | Import Name" );
			DebugOutput( "==================================" );			PIMAGE_THUNK_DATA pThunkData = reinterpret_cast< PIMAGE_THUNK_DATA >( (DWORD)pDosHeader + pImportDesc->OriginalFirstThunk );
			while( pThunkData->u1.Function )
			{
				PIMAGE_IMPORT_BY_NAME pImportName = reinterpret_cast< PIMAGE_IMPORT_BY_NAME >( (DWORD)pDosHeader + (DWORD)pThunkData->u1.AddressOfData );
				DebugOutput( "0x%08X | %s", pImportName->Hint, pImportName->Name );				pThunkData++;
			}
		}		pImportDesc++;
	}	return 0;
}BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
	switch( dwReason )
	{
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls( hModule );
		AllocConsole( ); /* Create output console. */
		ReadIAT( ); /* Read IAT. */
		break;
	case DLL_PROCESS_DETACH:
		FreeConsole( ); /* Free output console. */
		break;
	}
	return TRUE;
}

Injected into winmine.exe on a Windows XP Pro machine yields the following result:

Please note that the code is set to look for ADVAPI32.dll - this is not recommended inside of DllMain.

imports.png

PEiD shows:

peid.png

Simply injected with Winject, you can write your own loader for it if you wish or use something else if need be. :) Hope it helps. Also, sorry for any issues or bugs with it. I'm not a pro with the PE header format so I am not 100% sure this is fully correct.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...