Jump to content
Tuts 4 You

Get Api name from address


ragdog

Recommended Posts

Hi

I coding a function to Get Api name from address.

Now I am confused in my Iat have i this Address 74A44619

00403000   .  19467574  	DD comctl32.InitCommonControls

Ok i enum all process modules und parsing all found dll for this address for get the api name

I use LoadLibrary and GetProcAddress

with LoadLibrary and GetProcAddress get i this address 75AB1739 to the APi InitCommonControls :ermm: Why?

I use Win7

Thanks,

Edited by ragdog
Link to comment

http://blogs.msdn.com/b/rchiodo/archive/2007/04/09/the-next-level-of-dll-hell-sxs.aspx

But aside from the SxS issue, Vista and 7 use ASLR by default and trying to take addresses from system dlls such as Kernel32.dll in your process and applying them to another process is not guaranteed to work at all.


/>http://en.wikipedia.org/wiki/Address_space_layout_randomization

Use Module32First/Module32Next to find the dll in the target process, then do one of the following:

1. Use LoadLibrary to load the target dll into your own process and call GetProcAddress, subtract the local base address and apply the remote one.

Hackish, but it has worked for me.

2. Dump dll from remote process and navigate exports directory to locate API in remote process. More complicated but accurate.

HR,

Ghandi

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...