
Question about a dll


This is a code snippet from a tutorial I was reading. It walks the IAT of a loaded module (Engine.dll here) and overwrites one entry.

// Globals:
// Pointer type for the import that ReDirectFunction replaces (presumably the
// UObject::ProcessEvent symbol named in the call below); the hook and the
// original are both invoked through this WINAPI signature.
typedef void (WINAPI *ProcessEvent_typedef)(class UFunction*, void*, void*);
// Value of the IAT slot before it was overwritten, saved by ReDirectFunction
// so that the replacement can still reach the real implementation (the
// replacement xProcessEvent itself is not shown here).
ProcessEvent_typedef orgProcessEvent = NULL;
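// IAT MAJIC
//
// Redirects one import of Engine.dll by overwriting the matching slot in its
// Import Address Table (IAT).
//
//   strDllName      - name of the imported DLL as written in the import
//                     descriptor, compared case-insensitively (e.g. "Core.dll")
//   strFunctionName - imported symbol name exactly as stored in the PE
//                     (decorated, e.g. "?ProcessEvent@UObject@@...")
//   newFuncAddy     - address of the replacement function. NOTE(review): a
//                     DWORD cannot hold a 64-bit pointer; this only works in
//                     a 32-bit process, as the original code assumed.
//
// On success the previous slot value is stored in the global orgProcessEvent
// and the slot now points at newFuncAddy. Returns without touching anything if
// Engine.dll is not loaded, its headers look wrong, it has no import table, or
// the DLL/function is not among its imports. Both table walks stop at the
// zero terminator so a name that is not present can no longer send the scan
// past the end of the table.
void ReDirectFunction (char* strDllName, char* strFunctionName, DWORD newFuncAddy)
{
    HMODULE hEng = GetModuleHandleA("Engine.dll");
    if (!hEng) return;
    const ULONG_PTR base = reinterpret_cast<ULONG_PTR>(hEng);

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(base);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return;
    PIMAGE_NT_HEADERS pPeHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(base + pDosHeader->e_lfanew);
    if (pPeHeader->Signature != IMAGE_NT_SIGNATURE) return;

    // A zero import directory means the module imports nothing; without this
    // check the descriptor pointer would alias the DOS header.
    const IMAGE_DATA_DIRECTORY& importDir = pPeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0 || importDir.Size == 0) return;

    // The descriptor array is terminated by an all-zero entry (Name == 0).
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(base + importDir.VirtualAddress);
    for (; pImportDescriptor->Name != 0; ++pImportDescriptor)
    {
        PSTR strCurrent = reinterpret_cast<PSTR>(base + pImportDescriptor->Name);
        if (_stricmp(strCurrent, strDllName) == 0) break;
    }
    if (pImportDescriptor->Name == 0) return;   // DLL is not imported by Engine.dll

    // Names are looked up in the Import Name Table (OriginalFirstThunk); the
    // IAT (FirstThunk) has already been filled with resolved addresses by the
    // loader, so a descriptor without an INT offers nothing to match on.
    if (pImportDescriptor->OriginalFirstThunk == 0) return;
    PIMAGE_THUNK_DATA pINT = reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pIAT = reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->FirstThunk);

    // INT and IAT run in parallel; the INT is terminated by a zero entry.
    for (; pINT->u1.AddressOfData != 0; ++pINT, ++pIAT)
    {
        // Ordinal imports carry no IMAGE_IMPORT_BY_NAME; treating the flag bit
        // as an RVA would dereference an address far outside the image.
        if (IMAGE_SNAP_BY_ORDINAL(pINT->u1.Ordinal)) continue;
        PIMAGE_IMPORT_BY_NAME pImportName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(base + pINT->u1.AddressOfData);
        if (_stricmp(reinterpret_cast<const char*>(pImportName->Name), strFunctionName) == 0) break;
    }
    if (pINT->u1.AddressOfData == 0) return;   // function is not imported from that DLL

    // The IAT page is normally read-only: open it just for the one-slot write
    // and put the previous protection back afterwards. Bail out (slot
    // untouched) if the protection change itself fails.
    DWORD dwBackup = 0;
    if (!VirtualProtect(&pIAT->u1.Function, sizeof(pIAT->u1.Function), PAGE_READWRITE, &dwBackup)) return;
    orgProcessEvent = reinterpret_cast<ProcessEvent_typedef>(pIAT->u1.Function);
    pIAT->u1.Function = static_cast<DWORD_PTR>(newFuncAddy);
    DWORD dwIgnored = 0;
    VirtualProtect(&pIAT->u1.Function, sizeof(pIAT->u1.Function), dwBackup, &dwIgnored);
}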
called with:
ReDirectFunction("Core.dll", "?ProcessEvent@UObject@@UAEXPAVUFunction@@PAX1@Z", (DWORD)&xProcessEvent);

I was wondering if it is possible to read a .dll IAT from a currently running process.

Here is an example. I'm injecting a dll which is packed with Themida into a process. It injects fine and then unpacks itself, and I can see all of its functions in memory. Is there a way I could pull its IAT out and display it, with VS2008?

But yes, tools like ImportRebuilder do that task... Can't it retrieve your dll's functions?

  • Author

But yes, tools like ImportRebuilder do that task... Can't it retrieve your dll's functions?

Well, I was just wondering how to write a program to do it — more of a learning thing.

I was just interested in building a program to do it.

Basically I wanted to do it from a new project in VS2008.

Is it possible to use this code above?

I would use the forum's search engine for this item:

CreateToolhelp32Snapshot

That way you will probably get a lot of info to start with.

Another useful link.

CreateToolhelp32Snapshot Function by microsoft:

http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx

You can also search for that function at:

http://www.codeproject.com

All that you need is there...

Good luck

Nacho_dj

Possibly something like this?


//
// IAT Dumper - by atom0s
//
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
#define _STRICT   // NOTE(review): the Windows type-checking macro is STRICT; _STRICT has no effect on <windows.h> - confirm intent
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <time.h>
// Timestamped printf-style logger. Emits "HH:MM:SS | <message>\r\n" to the
// process console (STD_OUTPUT_HANDLE) and to the debugger via
// OutputDebugString. Always returns S_OK; write failures are not reported.
//
//   lpFormat - printf format string (must be a trusted literal, never data
//              read from the target image); the expanded message is truncated
//              to fit a 1920-byte buffer
//   ...      - format arguments
HRESULT DebugOutput( LPCSTR lpFormat, ... )
{
    char szTimeStamp[ 128 ] = { 0 };
    char szMessage[ 1920 ]  = { 0 };
    char szLine[ 2048 ]     = { 0 };

    // Local wall-clock time as HH:MM:SS.
    _tzset();
    _strtime_s( szTimeStamp, sizeof( szTimeStamp ) );

    // Expand the caller's format string; _TRUNCATE keeps the result bounded.
    va_list vArgs;
    va_start( vArgs, lpFormat );
    _vsnprintf_s( szMessage, sizeof( szMessage ), _TRUNCATE, lpFormat, vArgs );
    va_end( vArgs );

    // timestamp (8 chars) + " | " + message (<= 1919 chars) + "\r\n" always
    // fits in 2048 bytes, so no truncation happens here.
    _snprintf_s( szLine, sizeof( szLine ), _TRUNCATE, "%s | %s\r\n", szTimeStamp, szMessage );

    DWORD dwWritten = 0;
    WriteConsole( GetStdHandle( STD_OUTPUT_HANDLE ), szLine, (DWORD)strlen( szLine ), &dwWritten, 0 );
    OutputDebugString( szLine );
    return S_OK;
}
/*
 * ReadIAT
 *
 * Basic IAT reader, does not do any hooking
 * and dumps info to console window.
 *
 */
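/*
 * ReadIAT
 *
 * Walks the import directory of the host executable (GetModuleHandle(0)),
 * locates the descriptor for the module named in szModule and prints the
 * hint and name of each named import from it through DebugOutput. Ordinal
 * imports are printed by number. Always returns 0; a bad DOS/NT signature or
 * a missing import table simply ends the walk early.
 *
 * Changes from the original: the stray MessageBox debug popup is gone (it
 * blocked the attaching thread until dismissed), the walk no longer treats
 * a zero import directory or an ordinal entry as an RVA, and pointer math
 * uses ULONG_PTR so the same code is correct in a 64-bit build.
 */
DWORD ReadIAT( void )
{
    const char* szModule = "advapi32.dll";   // module whose imports are listed

    const ULONG_PTR base = reinterpret_cast< ULONG_PTR >( GetModuleHandle( 0 ) );
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast< PIMAGE_DOS_HEADER >( base );
    if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return 0;

    PIMAGE_NT_HEADERS pNtHeaders = reinterpret_cast< PIMAGE_NT_HEADERS >( base + pDosHeader->e_lfanew );
    if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return 0;

    // A zero import directory means the image imports nothing; without this
    // check the descriptor pointer would alias the DOS header.
    const IMAGE_DATA_DIRECTORY& importDir = pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
    if( importDir.VirtualAddress == 0 || importDir.Size == 0 )
        return 0;

    // Descriptor array ends with an all-zero entry (Name == 0).
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( base + importDir.VirtualAddress );
    for( ; pImportDesc->Name != 0; ++pImportDesc )
    {
        const char* szName = reinterpret_cast< const char* >( base + pImportDesc->Name );
        if( _stricmp( szModule, szName ) != 0 )
            continue;

        DebugOutput( "FOUND MODULE: %s", szName );
        DebugOutput( "==================================" );
        DebugOutput( " Hint | Import Name" );
        DebugOutput( "==================================" );

        // Names live in the Import Name Table (OriginalFirstThunk). The IAT
        // (FirstThunk) was overwritten with resolved addresses when the
        // image was loaded, so a descriptor without an INT yields no names.
        if( pImportDesc->OriginalFirstThunk == 0 )
        {
            DebugOutput( "  (no import name table - names unavailable)" );
            continue;
        }

        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast< PIMAGE_THUNK_DATA >( base + pImportDesc->OriginalFirstThunk );
        for( ; pThunkData->u1.AddressOfData != 0; ++pThunkData )
        {
            // Ordinal-only imports have no IMAGE_IMPORT_BY_NAME; treating the
            // flag bit as an RVA would read far outside the image.
            if( IMAGE_SNAP_BY_ORDINAL( pThunkData->u1.Ordinal ) )
            {
                DebugOutput( "  ordinal   | #%u", (unsigned)IMAGE_ORDINAL( pThunkData->u1.Ordinal ) );
                continue;
            }
            PIMAGE_IMPORT_BY_NAME pImportName = reinterpret_cast< PIMAGE_IMPORT_BY_NAME >( base + pThunkData->u1.AddressOfData );
            DebugOutput( "0x%08X | %s", pImportName->Hint, pImportName->Name );
        }
    }
    return 0;
}

// DLL entry point. Everything happens in DLL_PROCESS_ATTACH, i.e. under the
// loader lock; fine for a quick experiment (the original author already
// flags this as not recommended) but production code should defer the
// console setup and IAT walk to a separate thread or an exported init call.
//
//   hModule    - handle of this DLL (used to disable thread notifications)
//   dwReason   - attach/detach reason; only process attach/detach handled
//   lpReserved - unused
BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    switch( dwReason )
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls( hModule );   // no per-thread attach/detach needed
        AllocConsole( );                        // console that DebugOutput writes to
        ReadIAT( );
        break;
    case DLL_PROCESS_DETACH:
        FreeConsole( );
        break;
    }
    return TRUE;
}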

Injected into winmine.exe on a Windows XP Pro machine yields the following result:

Please note that the code is set to look for ADVAPI32.dll. Also, doing this work (allocating a console, walking the IAT and logging) directly inside DllMain is not recommended — it runs under the loader lock — and is only done here to keep the example short.

imports.png

PEiD shows:

peid.png

Simply injected with Winject, you can write your own loader for it if you wish or use something else if need be. :) Hope it helps. Also, sorry for any issues or bugs with it. I'm not a pro with the PE header format so I am not 100% sure this is fully correct.
