-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathOffsetCalc.cpp
139 lines (105 loc) · 5.27 KB
/
OffsetCalc.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#include "OffsetCalc.h"
DWORD RvaToOffset(IMAGE_NT_HEADERS32* pNtHdr, DWORD dwRVA)
{
int i;
WORD wSections;
PIMAGE_SECTION_HEADER pSectionHdr;
pSectionHdr = IMAGE_FIRST_SECTION(pNtHdr);
wSections = pNtHdr->FileHeader.NumberOfSections;
for (i = 0; i < wSections; i++)
{
if (pSectionHdr->VirtualAddress <= dwRVA)
if ((pSectionHdr->VirtualAddress + pSectionHdr->Misc.VirtualSize) > dwRVA)
{
dwRVA -= pSectionHdr->VirtualAddress;
dwRVA += pSectionHdr->PointerToRawData;
return (dwRVA);
}
pSectionHdr++;
}
return 0;
}
void CalcOffset(char* szFileName) {
char* _szFileName = szFileName;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pImageHeader;
HANDLE hFile, hMap, hMapView;
PIMAGE_DATA_DIRECTORY pDataDirectory;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA32 pFirstThunk;
PIMAGE_THUNK_DATA32 pOriginalFirstThunk;
PIMAGE_IMPORT_BY_NAME pNameImg;
PIMAGE_SECTION_HEADER pSecHeader;
DWORD dwName, dwTest;
BOOL bFound = FALSE;
LPVOID lpMap = NULL;
LPDWORD lpwdAddress;
const WCHAR* pwcsName; //LPCWSTR
// required size
int size = MultiByteToWideChar(CP_ACP, 0, _szFileName, -1, NULL, 0);
// allocate it
pwcsName = new WCHAR[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, _szFileName, -1, (LPWSTR)pwcsName, size);
hFile = CreateFile(pwcsName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile != INVALID_HANDLE_VALUE) {
hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hMap == INVALID_HANDLE_VALUE)
std::cout << "[-] ERROR: INVALID HANDLE VALUE hMap";
hMapView = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0); //getFileMemoryAddress
if (hMapView == INVALID_HANDLE_VALUE)
std::cout << "[-] ERROR: INVALID HANDLE VALUE hMapView";
pDosHeader = (PIMAGE_DOS_HEADER)hMapView;
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
std::cout << "[-] ERROR: e_magic != IMAGE_DOS_SIGNATURE";
else
printf("\n%x (MZ) found, valid PE\nPE Header offset: 0x%x\n", pDosHeader->e_magic, pDosHeader->e_lfanew);
// PE Header için dosya bellek adresine DOS Header'da bulunan e_magic offseti eklenir.
pImageHeader = (PIMAGE_NT_HEADERS)((char*)pDosHeader + pDosHeader->e_lfanew); //PE file signature
if (pImageHeader->Signature != IMAGE_NT_SIGNATURE)
std::cout << "[-] ERROR : PE00 deðil";
else {
printf("\n%x (PE00) signature found\nImageBase: 0x%x\n\n", pImageHeader->Signature, pImageHeader->OptionalHeader.ImageBase);
if (pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI)
printf("\"%s\" is GUI based", szFileName);
else if (pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI)
printf("\"%s\" is CLI based", szFileName);
else
printf("\"%s\" is something else", szFileName);
}
//Text section baþlangýç adresi : entrypoint
printf("\nAddress of Entry Point: 0x%x", pImageHeader->OptionalHeader.AddressOfEntryPoint);
printf("\n\nLocating IAT\n");
pDataDirectory = &pImageHeader->OptionalHeader.DataDirectory[1];
// PE HEADER, DATADIR[1].VirtualAddres
pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pDosHeader + RvaToOffset(pImageHeader, pDataDirectory->VirtualAddress));
pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk));
pSecHeader = IMAGE_FIRST_SECTION(pImageHeader);
printf("IAT Entrypoint: 0x%x\nDumping IAT...\n", (pDataDirectory - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData);
while (pImportDescriptor->OriginalFirstThunk != 0 && !bFound)
{
dwName = (DWORD)((char*)lpMap + RvaToOffset(pImageHeader, pImportDescriptor->Name));
pOriginalFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->OriginalFirstThunk));
pFirstThunk = (PIMAGE_THUNK_DATA32)((char*)pDosHeader + RvaToOffset(pImageHeader, pImportDescriptor->FirstThunk));
while (pOriginalFirstThunk->u1.AddressOfData != 0 && !bFound)
{
pNameImg = (PIMAGE_IMPORT_BY_NAME)((char*)pDosHeader + RvaToOffset(pImageHeader, pOriginalFirstThunk->u1.AddressOfData));
dwTest = (DWORD)pOriginalFirstThunk->u1.Function & (DWORD)IMAGE_ORDINAL_FLAG32;
printf("\nAddr: 0x%x (0x%x) - Name: %s ", pOriginalFirstThunk->u1.Function, pFirstThunk->u1.AddressOfData, (const char*)pNameImg->Name);
if (dwTest == 0)
if (strcmp("printf", (const char*)pNameImg->Name) == 0)
{
std::cout << "test";
lpwdAddress = (LPDWORD)pFirstThunk->u1.Function;
bFound = TRUE;
}
pOriginalFirstThunk++;
pFirstThunk++;
}
pImportDescriptor++;
}
printf("\n...Done");
}
else {
std::cout << "[-] ERROR : INVALID HANDLE VALUE";
}
}