
Question about a dll


crypto


This is a code snippet from a tutorial I was reading. It reads the IAT of an exe.

// Globals: 
// Signature of the imported UObject::ProcessEvent (see the decorated name at
// the call site below); the three arguments are passed through untouched.
typedef void (WINAPI *ProcessEvent_typedef)(class UFunction*,void*,void*);
// Address that was in the IAT slot before ReDirectFunction overwrote it --
// presumably so the replacement can forward to the original; verify at the hook.
ProcessEvent_typedef orgProcessEvent;
// IAT MAJIC
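// Overwrite one entry of Engine.dll's import address table so that calls
// Engine.dll makes to strDllName!strFunctionName land on newFuncAddy.
// The previous slot value is saved in the global orgProcessEvent.
//
// strDllName      - imported DLL name as it appears in Engine.dll's import
//                   directory (case-insensitive compare).
// strFunctionName - import name (the decorated C++ name at the call site);
//                   imports by ordinal carry no name and are skipped.
// newFuncAddy     - value written into the IAT slot.
//
// Returns silently when Engine.dll is not loaded, has no import directory,
// does not import strDllName, or has no such named import -- the original
// loops had no terminating condition and ran off the tables in those cases.
// 32-bit images only: thunks are treated as DWORDs.
// An IAT slot that no longer points into the exporting module is exactly
// what import-integrity checks and hook scanners flag.
void ReDirectFunction (char* strDllName, char* strFunctionName, DWORD newFuncAddy)
{
    HMODULE hEng = GetModuleHandleA("Engine.dll");
    if (!hEng) return;

    // All RVAs are relative to the module base; byte pointer keeps the
    // arithmetic correct without truncating through long.
    BYTE* pBase = reinterpret_cast<BYTE*>(hEng);
    PIMAGE_DOS_HEADER pDosHeader = PIMAGE_DOS_HEADER(pBase);
    PIMAGE_NT_HEADERS pPeHeader = PIMAGE_NT_HEADERS(pBase + pDosHeader->e_lfanew);
    PIMAGE_DATA_DIRECTORY pDataDirectory = pPeHeader->OptionalHeader.DataDirectory;
    DWORD dwOffset = pDataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwOffset == 0) return; // module imports nothing

    // Import descriptor table ends with an all-zero descriptor.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR(pBase + dwOffset);
    for (; pImportDescriptor->Name != 0; pImportDescriptor++)
    {
        PSTR strCurrent = PSTR(pBase + pImportDescriptor->Name);
        if (_stricmp(strCurrent, strDllName) == 0) break;
    }
    if (pImportDescriptor->Name == 0) return;

    // The INT (OriginalFirstThunk) keeps the names; when a linker left it 0
    // the IAT holds only resolved addresses and no name lookup is possible.
    if (pImportDescriptor->OriginalFirstThunk == 0) return;
    PDWORD pdwIAT = PDWORD(pBase + pImportDescriptor->FirstThunk);
    PDWORD pdwINT = PDWORD(pBase + pImportDescriptor->OriginalFirstThunk);

    // INT and IAT are parallel, zero-terminated arrays: dwIndex found in the
    // INT is the slot to patch in the IAT.
    DWORD dwIndex;
    for (dwIndex = 0; pdwINT[dwIndex] != 0; dwIndex++)
    {
        // Ordinal entries have the high bit set and no IMAGE_IMPORT_BY_NAME;
        // treating them as an RVA would read garbage.
        if (pdwINT[dwIndex] & IMAGE_ORDINAL_FLAG32) continue;
        PIMAGE_IMPORT_BY_NAME pImportName = PIMAGE_IMPORT_BY_NAME(pBase + pdwINT[dwIndex]);
        if (_stricmp(PSTR(pImportName->Name), strFunctionName) == 0) break;
    }
    if (pdwINT[dwIndex] == 0) return;

    // The IAT page is normally read-only after the loader is done; open it
    // just for this one slot and restore the old protection afterwards.
    DWORD dwBackup;
    if (!VirtualProtect(&pdwIAT[dwIndex], sizeof(DWORD), PAGE_READWRITE, &dwBackup)) return;
    orgProcessEvent = (ProcessEvent_typedef)pdwIAT[dwIndex];
    pdwIAT[dwIndex] = newFuncAddy;
    DWORD dwIgnored;
    VirtualProtect(&pdwIAT[dwIndex], sizeof(DWORD), dwBackup, &dwIgnored);
}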
called with:
ReDirectFunction("Core.dll", "?ProcessEvent@UObject@@UAEXPAVUFunction@@PAX1@Z", (DWORD)&xProcessEvent);

I was wondering if it is possible to read a .dll's IAT from a currently running process.

Here is an example. I'm injecting a dll which is packed with Themida into a process. It injects fine and then unpacks itself, and I can see all of its functions in memory. I was wondering if there is a way I could pull its IAT out into a display, with VS2008...


But yes, tools like ImportRebuilder do that task... Can't it retrieve your dll's functions?

Well, I was just wondering how to write a program to do it; more of a learning thing.

I was just interested in building a program to do it.

Basically I wanted to do it from a new project in VS2008.

Is it possible to use this code above?


I would use the forum's search engine for this item:

CreateToolHelp32SnapShot

That way you will probably get a lot of info to start with.

Another useful link.

CreateToolhelp32Snapshot Function by microsoft:

http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx

You can also search for that function at:

http://www.codeproject.com

All that you need is there...

Good luck

Nacho_dj


Possibly something like this?


//
// IAT Dumper - by atom0s
//
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
#define _STRICT#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <time.h>
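// Write one timestamped line ("HH:MM:SS | message\r\n") to the console and
// to the debugger (OutputDebugString).
//
// lpFormat - printf-style format. Keep this a literal from the source; data
//            read from the image (module or import names) belongs in the
//            variadic arguments, never in the format itself.
// Returns S_OK, or E_INVALIDARG when lpFormat is NULL.
// The message is truncated to the fixed buffers; nothing is written to the
// console when the process has no console handle.
HRESULT DebugOutput( LPCSTR lpFormat, ... )
{
    if( lpFormat == NULL )
        return E_INVALIDARG;

    char szTimeStamp[ 128 ] = { 0 };
    char szBuffer[ 1920 ] = { 0 };
    char szOutput[ 2048 ] = { 0 };

    // Format the caller's message; _TRUNCATE keeps it inside szBuffer.
    va_list vArgs;
    va_start( vArgs, lpFormat );
    _vsnprintf_s( szBuffer, 1920, _TRUNCATE, lpFormat, vArgs );
    va_end( vArgs );

    // Local wall-clock time.
    _tzset();
    _strtime_s( szTimeStamp, 128 );

    // Assemble the line; every *_s call is bounded by sizeof(szOutput), and
    // 8 + 3 + 1919 + 2 bytes always fit.
    strcpy_s( szOutput, 2048, szTimeStamp );
    strcat_s( szOutput, 2048, " | " );
    strcat_s( szOutput, 2048, szBuffer );
    strcat_s( szOutput, 2048, "\r\n" );

    // Explicit ANSI entry points: the buffers are char, so the TCHAR macros
    // (WriteConsole/_tcslen) would be wrong in a UNICODE build.
    HANDLE hOut = GetStdHandle( STD_OUTPUT_HANDLE );
    if( hOut != NULL && hOut != INVALID_HANDLE_VALUE )
    {
        DWORD dwWritten = 0;
        WriteConsoleA( hOut, szOutput, (DWORD)strlen( szOutput ), &dwWritten, NULL );
    }
    OutputDebugStringA( szOutput );
    return S_OK;
}
/*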
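 * ReadIAT
 *
 * Basic IAT reader, does not do any hooking: walks the import directory of
 * the host process's main module, finds the descriptor for advapi32.dll and
 * prints hint/name of every import to the console via DebugOutput.
 *
 * Returns 0 in every case (DllMain ignores the value).
 *
 * 32-bit images only (IMAGE_THUNK_DATA is 32-bit here). Every RVA taken
 * from the tables is checked against SizeOfImage before it is dereferenced,
 * so a corrupt or hostile import table cannot make the dumper read outside
 * the mapping. Imports by ordinal have no name record and are printed as
 * ordinals instead of being dereferenced.
 */
DWORD ReadIAT( void )
{
    LPCSTR szModule = "advapi32.dll";

    BYTE* pBase = reinterpret_cast< BYTE* >( GetModuleHandle( 0 ) );
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast< PIMAGE_DOS_HEADER >( pBase );
    if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return 0;

    PIMAGE_NT_HEADERS pNtHeaders = reinterpret_cast< PIMAGE_NT_HEADERS >( pBase + pDosHeader->e_lfanew );
    if( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return 0;

    const DWORD dwSizeOfImage = pNtHeaders->OptionalHeader.SizeOfImage;
    const IMAGE_DATA_DIRECTORY& importDir = pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
    // A zero RVA means "no import directory"; the original code then walked
    // the DOS header as if it were a descriptor table.
    if( importDir.VirtualAddress == 0 || importDir.VirtualAddress >= dwSizeOfImage )
        return 0;

    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( pBase + importDir.VirtualAddress );
    for( ; pImportDesc->Name != 0; pImportDesc++ )
    {
        if( pImportDesc->Name >= dwSizeOfImage )
            break;
        PSTR szName = PSTR( pBase + pImportDesc->Name );
        // Explicit ANSI compare: the names in the table are always char.
        if( _stricmp( szModule, szName ) != 0 )
            continue;

        DebugOutput( "FOUND MODULE: %s", szName );
        DebugOutput( "==================================" );
        DebugOutput( " Hint | Import Name" );
        DebugOutput( "==================================" );

        // The INT (OriginalFirstThunk) holds the hint/name records. Some old
        // linkers leave it 0; the IAT then holds resolved addresses only and
        // no names can be recovered at runtime.
        if( pImportDesc->OriginalFirstThunk == 0 || pImportDesc->OriginalFirstThunk >= dwSizeOfImage )
        {
            DebugOutput( " (no import name table - names unavailable)" );
            continue;
        }

        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast< PIMAGE_THUNK_DATA >( pBase + pImportDesc->OriginalFirstThunk );
        for( ; pThunkData->u1.AddressOfData != 0; pThunkData++ )
        {
            // High bit set: import by ordinal, the low word is the ordinal.
            if( IMAGE_SNAP_BY_ORDINAL( pThunkData->u1.Ordinal ) )
            {
                DebugOutput( "    -    | (ordinal %u)", (unsigned)IMAGE_ORDINAL( pThunkData->u1.Ordinal ) );
                continue;
            }
            if( pThunkData->u1.AddressOfData >= dwSizeOfImage )
                break;
            PIMAGE_IMPORT_BY_NAME pImportName = reinterpret_cast< PIMAGE_IMPORT_BY_NAME >( pBase + pThunkData->u1.AddressOfData );
            DebugOutput( "0x%08X | %s", pImportName->Hint, pImportName->Name );
        }
    }
    return 0;
}

// DLL entry point. On attach it opens a console and dumps the IAT at once,
// which runs under the loader lock -- acceptable for this experiment, but a
// real tool would start a thread after attach instead. The debug MessageBox
// that used to sit at the top of ReadIAT was dropped for the same reason: a
// modal dialog inside DllMain can deadlock the loader.
// lpReserved is unused.
BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    switch( dwReason )
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls( hModule );
        AllocConsole( ); /* Create output console. */
        ReadIAT( );      /* Read IAT. */
        break;
    case DLL_PROCESS_DETACH:
        FreeConsole( );  /* Free output console. */
        break;
    }
    return TRUE;
}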

Injected into winmine.exe on a Windows XP Pro machine yields the following result:

Please note that the code is set to look for ADVAPI32.dll - this is not recommended inside of DllMain.

imports.png

PEiD shows:

peid.png

Simply injected with Winject; you can write your own loader for it if you wish, or use something else if need be. :) Hope it helps. Also, sorry for any issues or bugs with it. I'm not a pro with the PE header format, so I am not 100% sure this is fully correct.

