函数名是想起了以前看过的哪个大牛的文章想到的.这两天把PeCancer的IAT处理部分代码重新写过了,从代码里提取出了这个函数,实际壳中函数比这个复杂,不过都是用于壳完成功能所以去掉了.
大家共同学习,也希望能帮找找bug
DWORD GetFunctionAddress( HMODULE phModule,char* pProcName )
{
if (!phModule)
return 0;
PIMAGE_DOS_HEADER pimDH = (PIMAGE_DOS_HEADER)phModule;
PIMAGE_NT_HEADERS pimNH = (PIMAGE_NT_HEADERS)((char*)phModule+pimDH->e_lfanew);
PIMAGE_EXPORT_DIRECTORY pimED = (PIMAGE_EXPORT_DIRECTORY)((DWORD)phModule+pimNH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD pExportSize = pimNH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
DWORD pResult = 0;
if ((DWORD)pProcName < 0x10000)
{
if ((DWORD)pProcName >= pimED->NumberOfFunctions+pimED->Base || (DWORD)pProcName < pimED->Base)
return 0;
pResult = (DWORD)phModule+((DWORD*)((DWORD)phModule+pimED->AddressOfFunctions))[(DWORD)pProcName-pimED->Base];
}else
{
DWORD* pAddressOfNames = (DWORD*)((DWORD)phModule+pimED->AddressOfNames);
for (int i=0;i<pimED->NumberOfNames;i++)
{
char* pExportName = (char*)(pAddressOfNames[i]+(DWORD)phModule);
if (strcmp(pProcName,pExportName) == 0)
{
WORD* pAddressOfNameOrdinals = (WORD*)((DWORD)phModule+pimED->AddressOfNameOrdinals);
pResult = (DWORD)phModule+((DWORD*)((DWORD)phModule+pimED->AddressOfFunctions))[pAddressOfNameOrdinals[i]];
break;
}
}
}
if (pResult != 0 && pResult >= (DWORD)pimED && pResult < (DWORD)pimED+pExportSize)
{
char* pDirectStr = (char*)pResult;
bool pstrok = false;
while (*pDirectStr)
{
if (*pDirectStr == '.')
{
pstrok = true;
break;
}
pDirectStr++;
}
if (!pstrok)
return 0;
char pdllname[MAX_PATH];
int pnamelen = pDirectStr-(char*)pResult;
if (pnamelen <= 0)
return 0;
memcpy(pdllname,(char*)pResult,pnamelen);
pdllname[pnamelen] = 0;
HMODULE phexmodule = GetModuleHandle(pdllname);
pResult = GetFunctionAddress(phexmodule,pDirectStr+1);
}
return pResult;
}
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!