-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathgetmod.cpp
287 lines (262 loc) · 11 KB
/
getmod.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
/***
* GetModuleFunc.h, rev.1
* GetModuleFunc function retrieves the address of exported function for loaded module without using any available API on either x86, x64 or ARM architecture Windows systems.
*
*
* Copyright 2014 Dragana R. <trancexx at yahoo dot com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
****/
/* Alteration from original rev.1 by Dragana R.
* is inherited GPLv3 Kiljector project's license
*/
#include "antis.h"
#define MAX_ORDINAL 0xffff
LPVOID GetModuleFunc(LPCSTR csModuleName, LPCSTR sFuncName)
{
const size_t size = strlen(csModuleName) + 1;
wchar_t* sModuleName = new wchar_t[size];
mbstowcs(sModuleName,csModuleName, size);
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
PVOID PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
ULONG SessionId;
} PEB, *PPEB;
typedef struct _TEB {
PVOID Reserved1[12];
PPEB ProcessEnvironmentBlock;
PVOID Reserved2[399];
BYTE Reserved3[1952];
PVOID TlsSlots[64];
BYTE Reserved4[8];
PVOID Reserved5[26];
PVOID ReservedForOle; // Windows 2000 only
PVOID Reserved6[4];
PVOID TlsExpansionSlots;
} TEB, *PTEB;
// Modified LDR_DATA_TABLE_ENTRY definition (this one includes BaseDllName field and has InMemoryOrderLinks at the top for easier processing)
typedef struct _LDR_DATA_TABLE_ENTRY {
/*LIST_ENTRY InLoadOrderLinks;*/
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderList;
PVOID DllBase;
PVOID EntryPoint;
PVOID Reserved3;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*
// Get pointer to the TEB
#if defined(_M_X64) // x64
auto pTeb = reinterpret_cast<PTEB>(__readgsqword(reinterpret_cast<DWORD>(&static_cast<PNT_TIB>(nullptr)->Self)));
#elif defined(_M_ARM) // ARM
auto pTeb = reinterpret_cast<PTEB>(_MoveFromCoprocessor(15, 0, 13, 0, 2)); // CP15_TPIDRURW
#else // x86
auto pTeb = reinterpret_cast<PTEB>(__readfsdword(reinterpret_cast<DWORD>(&static_cast<PNT_TIB>(nullptr)->Self)));
#endif*/
// printf("A1\n");
// Get pointer to the PEB
PEB * pPeb =( PEB *) GetPEB(); //pTeb->ProcessEnvironmentBlock;
//printf("A: %p\n",pPeb);
// Now get pointer to the PEB loader list data
auto pLdrData = pPeb->Ldr;
// printf("A1: %p\n",pLdrData);
// And then pointer to the in-memory-order loader list
auto pModListHdr = &pLdrData->InMemoryOrderModuleList;
// printf("A1: %p\n",pModListHdr);
// Calculate the size of the input string
int iLenModule = 0;
for (; sModuleName[iLenModule]; ++iLenModule)
;
// printf("A2\n");
PLDR_DATA_TABLE_ENTRY pModEntry;
// Loop over all modules in list
for (auto pModListCurrent = pModListHdr->Flink; pModListCurrent != pModListHdr; pModListCurrent = pModListCurrent->Flink)
{
// Get current module in list
pModEntry = reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(pModListCurrent);
for (int i = 0; i < pModEntry->BaseDllName.Length / 2 /* length is in bytes */; ++i)
{
if (sModuleName[i] == '\0') // the end of the string
break;
else if ((sModuleName[i] & ~' ') != (pModEntry->BaseDllName.Buffer[i] & ~' ')) // all upper case for case-insensitive comparisson
break;
else if (i == iLenModule - 1) // gone through all characters and they all matched
{
int iLenFuncName = 0;
DWORD iOrdinal = reinterpret_cast<DWORD>(sFuncName);
if (iOrdinal > MAX_ORDINAL) // check to see if passed data is really an ordinal value. Otherwise it's function name
{
iOrdinal = 0; // it's not ordinal then
// Calculate the size of the wanted function's name
for (; sFuncName[iLenFuncName]; ++iLenFuncName);
}
// Parse the PE in order to find exports section
auto pImageDOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pModEntry->DllBase);
auto pImageNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pImageDOSHeader->e_lfanew);
auto pExport = reinterpret_cast<PIMAGE_DATA_DIRECTORY>(&pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
// Maybe there aren't any exports?
if (pExport->VirtualAddress == 0 || pExport->Size == 0)
return nullptr;
// Finally
auto pExports = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pExport->VirtualAddress);
//printf("A3\n");
// Check to see if there are exports, or someone is being smart ass
if (pExports->NumberOfFunctions && pExports->AddressOfFunctions && (iOrdinal || (pExports->NumberOfNames && pExports->AddressOfNames && pExports->AddressOfNameOrdinals)))
{
// Oky-Doky, now reinterpret offsets (RVAs).
// Array of functions addresses
auto pdwBufferAddress = reinterpret_cast<LPDWORD>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pExports->AddressOfFunctions);
DWORD dwExportRVA = 0; // to save the exported function's RVA to
if (iOrdinal) // function is wanted by its ordinal value
{
// Check to see if valid ordinal value is specified
if (iOrdinal >= pExports->Base && iOrdinal < pExports->Base + pExports->NumberOfFunctions)
dwExportRVA = pdwBufferAddress[iOrdinal - pExports->Base];
}
else // function is wanted by its name
{
// Array of functions names
auto pdwBufferNames = reinterpret_cast<LPDWORD>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pExports->AddressOfNames);
// Array of functions indexes into array of addresses
auto pwBufferNamesOrdinals = reinterpret_cast<LPWORD>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pExports->AddressOfNameOrdinals);
// Loop through all functions exported by name
for (DWORD j = 0; j < pExports->NumberOfNames; ++j)
{
// Read the listed function name
auto sFunc = reinterpret_cast<LPCSTR>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + pdwBufferNames[j]);
// Calculate the size of the listed function's name
int iLenFunc = 0;
for (; sFunc[iLenFunc]; ++iLenFunc);
// Check only if the length of the names matches, otherwise the function is wrong for sure
if (iLenFuncName == iLenFunc)
{
for (int k = 0; k < iLenFuncName; ++k)
{
if (sFuncName[k] != sFunc[k])
break;
else if (k == iLenFuncName - 1)
{
// Excellent! This is the function, read RVA
dwExportRVA = pdwBufferAddress[pwBufferNamesOrdinals[j]];
break;
}
}
}
if (dwExportRVA) break; // found, get out of the loop
}
}
// printf("A4\n");
if (dwExportRVA) // if function is found
{
//Check if export is forwarded (the hint is that address points to a place inside the exports)
if (dwExportRVA > pExport->VirtualAddress && dwExportRVA < pExport->VirtualAddress + pExport->Size)
{
// Read forwarded data. Null-terminated ASCII string in format of ModuleName.FunctionName or ModuleName.#OrdinalValue
auto sForwarder = reinterpret_cast<LPCSTR>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + dwExportRVA);
// Allocate big enough buffer for the new module name
WCHAR sForwarderDll[MAX_PATH];
char cFord[MAX_PATH];
LPCSTR sForwarderFunc = nullptr;
DWORD dwForwarderOrdinal = 0;
// Reinterpret WCHAR buffer as CHAR one
auto sForwarderDll_A = reinterpret_cast<CHAR*>(sForwarderDll);
// Now go through all characters
for (int iPos = 0; sForwarder[iPos]; ++iPos)
{
// Fill WCHAR buffer reading/copying from CHAR one (someone could call this way lame)
sForwarderDll_A[2 * iPos] = sForwarder[iPos]; // copy character
sForwarderDll_A[2 * iPos + 1] = '\0';
if (sForwarder[iPos] == '.')
{
sForwarderDll[iPos] = '\0'; // null-terminate the ModuleName string
++iPos; // skip . character
if (sForwarder[iPos] == '#')
{
++iPos; // skip # character
// OrdinalValue is hashtag, convert ASCII string to integer value
for (; sForwarder[iPos]; ++iPos)
{
dwForwarderOrdinal *= 10;
dwForwarderOrdinal += (sForwarder[iPos] - '0');
}
if (dwForwarderOrdinal > MAX_ORDINAL) // something is wrong
return nullptr;
// Reinterpret the ordinal value as string
sForwarderFunc = reinterpret_cast<LPSTR>(dwForwarderOrdinal);
break;
}
else
{
sForwarderFunc = &sForwarder[iPos]; // FunctionName follows the dot
break;
}
}
}
// Call again with forwarded data
delete[] sModuleName;
wcstombs(cFord,sForwarderDll,wcslen(sForwarderDll));
return GetModuleFunc(cFord, sForwarderFunc);
}
else{
delete[] sModuleName;
// That's pretty much it. Return address of the function
return reinterpret_cast<LPVOID>(reinterpret_cast<ULONG_PTR>(pImageDOSHeader) + dwExportRVA);
}
}
delete[] sModuleName;
// Wanted export in this module doesn't exist
return nullptr;
}
delete[] sModuleName;
// No exports
return nullptr;
}
}
}
delete[] sModuleName;
// Not such module found
return nullptr;
}