
Question about a DLL


crypto


This is a code snippet from a tutorial I was reading. It reads the import table of a module (in the snippet, Engine.dll, located with GetModuleHandleA) and redirects one imported function by overwriting its IAT entry.

// Globals:
// Pointer type of the hooked engine function (WINAPI calling convention;
// UFunction is a project type that is only forward-declared here).
typedef void (WINAPI *ProcessEvent_typedef)(class UFunction*, void*, void*);
// Original IAT entry saved by ReDirectFunction so a hook can call through
// to the real target.
ProcessEvent_typedef orgProcessEvent = NULL;
// IAT patching: overwrite one import address table entry of Engine.dll
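/*
 * ReDirectFunction
 *
 * Overwrites one import address table (IAT) entry of Engine.dll so that
 * Engine.dll's calls to strFunctionName (imported from strDllName) land in
 * newFuncAddy instead. The previous slot value (the real target) is saved
 * in the global orgProcessEvent so the hook can call through.
 *
 * Note the asymmetry: the module whose IAT is patched is hard-coded to
 * Engine.dll, while strDllName names the DLL that Engine.dll imports from.
 *
 * strDllName      - imported DLL name as it appears in the import descriptor
 *                   (compared case-insensitively), e.g. "Core.dll"
 * strFunctionName - exact (decorated) import name; ordinal-only imports are
 *                   skipped because they carry no name to match
 * newFuncAddy     - address of the replacement; DWORD keeps the original
 *                   interface, which only holds a full pointer on 32-bit builds
 *
 * Returns silently if Engine.dll is not loaded, the PE headers look wrong,
 * the DLL or function is not imported, or the IAT page cannot be unprotected.
 * (The original loops had no terminator checks and read past the tables
 * when the DLL or function was not found; the cast also named an undefined
 * type, PrEv, instead of ProcessEvent_typedef.)
 */
void ReDirectFunction (char* strDllName, char* strFunctionName, DWORD newFuncAddy)
{
    HMODULE hEng = GetModuleHandleA("Engine.dll");
    if (!hEng)
        return;

    // Every RVA in the headers is relative to the module base.
    const ULONG_PTR base = reinterpret_cast<ULONG_PTR>(hEng);

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(hEng);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return;

    PIMAGE_NT_HEADERS pPeHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(base + pDosHeader->e_lfanew);
    if (pPeHeader->Signature != IMAGE_NT_SIGNATURE)
        return;

    const IMAGE_DATA_DIRECTORY& importDir =
        pPeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
        return;    // no import table; base + 0 would alias the DOS header

    // 1. Find the descriptor for strDllName. The table ends with an all-zero
    //    descriptor, so stop on Name == 0 instead of looping unconditionally.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(base + importDir.VirtualAddress);
    for (; pImportDescriptor->Name != 0; ++pImportDescriptor)
    {
        PSTR strCurrent = reinterpret_cast<PSTR>(base + pImportDescriptor->Name);
        if (_stricmp(strCurrent, strDllName) == 0)
            break;
    }
    if (pImportDescriptor->Name == 0)
        return;    // strDllName is not imported by Engine.dll

    // 2. Find the function. Names live in the import name table (INT,
    //    OriginalFirstThunk); the loader-resolved addresses live in the
    //    parallel IAT (FirstThunk). Without an INT there are no names to match.
    if (pImportDescriptor->OriginalFirstThunk == 0)
        return;

    PIMAGE_THUNK_DATA pINT =
        reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pIAT =
        reinterpret_cast<PIMAGE_THUNK_DATA>(base + pImportDescriptor->FirstThunk);
    for (; pINT->u1.AddressOfData != 0; ++pINT, ++pIAT)
    {
        // An ordinal import has no IMAGE_IMPORT_BY_NAME behind it; treating
        // the ordinal as an RVA would read garbage or fault.
        if (IMAGE_SNAP_BY_ORDINAL(pINT->u1.Ordinal))
            continue;
        PIMAGE_IMPORT_BY_NAME pImportName =
            reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(base + pINT->u1.AddressOfData);
        if (_stricmp(pImportName->Name, strFunctionName) == 0)
            break;
    }
    if (pINT->u1.AddressOfData == 0)
        return;    // strFunctionName is not imported from strDllName

    // 3. Swap the IAT slot. The slot may sit on a read-only page, so make
    //    just that slot writable, patch it, and restore the old protection.
    //    A failed VirtualProtect must abort, or the write below would fault.
    DWORD dwBackup = 0;
    if (!VirtualProtect(pIAT, sizeof(*pIAT), PAGE_READWRITE, &dwBackup))
        return;

    orgProcessEvent = reinterpret_cast<ProcessEvent_typedef>(pIAT->u1.Function);
    pIAT->u1.Function = newFuncAddy;

    DWORD dwIgnored = 0;
    VirtualProtect(pIAT, sizeof(*pIAT), dwBackup, &dwIgnored);
}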
called with:
// Patches Engine.dll's import (see ReDirectFunction) of the Core.dll export
// with the MSVC-decorated name below. Presumably that decorates
// UObject::ProcessEvent(UFunction*, void*, void*) -- verify with undname.
// xProcessEvent is the replacement, defined elsewhere; casting its address to
// DWORD only preserves the full pointer on 32-bit builds.
ReDirectFunction("Core.dll", "?ProcessEvent@UObject@@UAEXPAVUFunction@@PAX1@Z", (DWORD)&xProcessEvent);

I was wondering if it is possible to read a DLL's IAT from a currently running process.

Here is an example. I'm injecting a DLL which is packed with Themida into a process. It injects fine and then unpacks itself, and I can see all of its functions in memory. I was wondering if there is a way I could pull its IAT out into a display, with VS2008...


But yes, tools like ImportRebuilder do that task... Can't it retrieve your DLL's functions?


But yes, tools like ImportRebuilder do that task... Can't it retrieve your DLL's functions?

Well, I was just wondering how to write a program to do it; more of a learning thing.

i was just interested in building a program to do it.

basically wanted to do it from a new project in vs2008.

Is it possible to use this code above?


I would search the forum for this item:

CreateToolhelp32Snapshot

That way you will probably get a lot of information to start with.

Another useful link.

CreateToolhelp32Snapshot Function by microsoft:

http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx

Even, you can search for that function at:

http://www.codeproject.com

All that you need is there...

Good luck

Nacho_dj


Possibly something like this?


//
// IAT Dumper - by atom0s
//
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
/* NOTE(review): the Windows type-safety macro is spelled STRICT; _STRICT
 * looks like a typo - confirm. Kept as-is so behaviour is unchanged. */
#define _STRICT
#include <windows.h>
#include <tchar.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
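/*
 * DebugOutput
 *
 * printf-style logger: prefixes the formatted message with the local time,
 * appends "\r\n", and writes the line both to the process console (if the
 * standard output handle is usable) and to the debugger via
 * OutputDebugString. Always returns S_OK.
 *
 * lpFormat - printf format string (narrow); the message is truncated to
 *            fit a 1919-character buffer rather than overflowing it.
 *
 * The buffers are narrow (char), so the narrow Win32 entry points are used
 * explicitly instead of the TCHAR macros, which would not compile under
 * UNICODE. The console write is skipped when GetStdHandle yields no usable
 * handle (e.g. AllocConsole failed); WriteConsole also fails on a
 * redirected handle, which is tolerated.
 */
HRESULT DebugOutput( LPCSTR lpFormat, ... )
{
    char szTimeStamp[ 128 ] = { 0 };
    char szBuffer[ 1920 ] = { 0 };
    char szOutput[ 2048 ] = { 0 };

    // Format the caller's message first and release the va_list right away.
    va_list vArgs;
    va_start( vArgs, lpFormat );
    _vsnprintf_s( szBuffer, sizeof( szBuffer ), _TRUNCATE, lpFormat, vArgs );
    va_end( vArgs );

    // Timestamp ("HH:MM:SS" from the C runtime).
    _tzset();
    _strtime_s( szTimeStamp, sizeof( szTimeStamp ) );

    // Worst case is 128 + 3 + 1919 + 2 characters, which fits in 2048.
    strcpy_s( szOutput, sizeof( szOutput ), szTimeStamp );
    strcat_s( szOutput, sizeof( szOutput ), " | " );
    strcat_s( szOutput, sizeof( szOutput ), szBuffer );
    strcat_s( szOutput, sizeof( szOutput ), "\r\n" );

    HANDLE hOut = GetStdHandle( STD_OUTPUT_HANDLE );
    if( hOut != NULL && hOut != INVALID_HANDLE_VALUE )
    {
        DWORD dwWritten = 0;
        WriteConsoleA( hOut, szOutput, (DWORD)strlen( szOutput ), &dwWritten, NULL );
    }
    OutputDebugStringA( szOutput );

    return S_OK;
}

/*
 * ReadIAT
 *
 * Basic IAT reader, does not do any hooking
 * and dumps info to console window.
 *
 */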
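/*
 * DumpImportsFrom
 *
 * Walks hModule's import directory and, for every function the image
 * imports from szDllName, prints the hint and name from the import name
 * table (INT, OriginalFirstThunk) next to the address currently stored in
 * the parallel import address table (IAT, FirstThunk) - i.e. what the
 * loader resolved the import to. Ordinal imports are printed by number.
 *
 * hModule   - base of the image whose IAT is read (NULL-checked)
 * szDllName - imported DLL name, compared case-insensitively
 *
 * Returns the number of import entries printed (0 if the headers are not
 * a PE image, the image has no import table, or szDllName is not imported).
 *
 * Only the image's own IAT is examined; it says nothing about the IATs of
 * DLLs loaded by that image.
 */
static DWORD DumpImportsFrom( HMODULE hModule, LPCSTR szDllName )
{
    if( hModule == NULL )
        return 0;

    // RVAs are relative to the image base; ULONG_PTR keeps this correct on
    // 64-bit builds where a DWORD cast would truncate the pointer.
    const ULONG_PTR base = reinterpret_cast< ULONG_PTR >( hModule );

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast< PIMAGE_DOS_HEADER >( hModule );
    if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return 0;

    PIMAGE_NT_HEADERS pNtHeaders = reinterpret_cast< PIMAGE_NT_HEADERS >( base + pDosHeader->e_lfanew );
    if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return 0;

    const IMAGE_DATA_DIRECTORY& importDir =
        pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
    if( importDir.VirtualAddress == 0 )
        return 0;    // no import table; base + 0 would alias the DOS header

    DWORD dwCount = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
        reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( base + importDir.VirtualAddress );
    for( ; pImportDesc->Name != 0; ++pImportDesc )
    {
        LPCSTR szName = reinterpret_cast< LPCSTR >( base + pImportDesc->Name );
        if( _stricmp( szDllName, szName ) != 0 )
            continue;

        DebugOutput( "FOUND MODULE: %s", szName );
        DebugOutput( "==================================" );
        DebugOutput( " Hint | Import Name -> IAT value" );
        DebugOutput( "==================================" );

        // The INT keeps the names; the IAT is overwritten with addresses by
        // the loader, so without an INT there is nothing to print by name.
        if( pImportDesc->OriginalFirstThunk == 0 )
        {
            DebugOutput( "(no import name table for this module)" );
            continue;
        }

        PIMAGE_THUNK_DATA pInt = reinterpret_cast< PIMAGE_THUNK_DATA >( base + pImportDesc->OriginalFirstThunk );
        PIMAGE_THUNK_DATA pIat = reinterpret_cast< PIMAGE_THUNK_DATA >( base + pImportDesc->FirstThunk );
        for( ; pInt->u1.AddressOfData != 0; ++pInt, ++pIat )
        {
            void* pResolved = reinterpret_cast< void* >( pIat->u1.Function );
            if( IMAGE_SNAP_BY_ORDINAL( pInt->u1.Ordinal ) )
            {
                // No IMAGE_IMPORT_BY_NAME behind an ordinal import; reading
                // base + ordinal as the original did would fault or print junk.
                DebugOutput( "0x%08X | #%u (ordinal) -> %p",
                             0, (unsigned)IMAGE_ORDINAL( pInt->u1.Ordinal ), pResolved );
            }
            else
            {
                PIMAGE_IMPORT_BY_NAME pImportName =
                    reinterpret_cast< PIMAGE_IMPORT_BY_NAME >( base + pInt->u1.AddressOfData );
                DebugOutput( "0x%08X | %s -> %p", pImportName->Hint, pImportName->Name, pResolved );
            }
            ++dwCount;
        }
    }
    return dwCount;
}

/*
 * ReadIAT
 *
 * Dumps the host executable's imports from advapi32.dll to the console.
 * Keeps the original no-argument interface; the work is done by
 * DumpImportsFrom so other modules/DLL names can be dumped the same way.
 * The debugging MessageBox the original showed on entry has been removed:
 * a modal dialog is undesirable in a DLL that is loaded from DllMain.
 *
 * Returns the number of entries printed (the original always returned 0).
 */
DWORD ReadIAT( void )
{
    return DumpImportsFrom( GetModuleHandle( NULL ), "advapi32.dll" );
}

/*
 * DllMain
 *
 * Allocates a console and dumps the IAT as soon as the DLL is mapped.
 * Everything under DLL_PROCESS_ATTACH runs while the loader lock is held,
 * so calling AllocConsole and the console/CRT output from here is
 * convenient for a demo but not recommended in general; a real tool would
 * trigger the dump from an exported function or a thread started after
 * attach completes. lpReserved is unused.
 */
BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    (void)lpReserved;

    switch( dwReason )
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls( hModule );    /* No per-thread notifications needed. */
        AllocConsole( );                         /* Create output console. */
        ReadIAT( );                              /* Read IAT. */
        break;
    case DLL_PROCESS_DETACH:
        FreeConsole( );                          /* Free output console. */
        break;
    }
    return TRUE;
}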

Injected into winmine.exe on a Windows XP Pro machine yields the following result:

Please note that the code is hard-coded to look for ADVAPI32.dll, and that it does all of its work (AllocConsole, walking the imports, console output) from DllMain under the loader lock - the latter is not recommended outside of a quick demo.

imports.png

PEiD shows:

peid.png

Simply injected with Winject, you can write your own loader for it if you wish or use something else if need be. :) Hope it helps. Also, sorry for any issues or bugs with it. I'm not a pro with the PE header format so I am not 100% sure this is fully correct.
