質問

I've been writing an EPO program and so far I've been able to find a call opcode and get the RVA from the following address in the binary, then parse the IAT to get names of functions that are imported and their corresponding RVA's.

I've come to a problem when trying fill arrays with the names + RVA's and going on to compare the WORD value I have from the call address against the RVA's of all the imported functions.

Here's the code I've been working with;

//Declarations.
    DWORD dwImportDirectoryVA,dwSectionCount,dwSection=0,dwRawOffset;
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
    PIMAGE_THUNK_DATA pThunkData, pFThunkData;

// Arrays to hold names + rva's
     unsigned long namearray[100];
     DWORD rvaArray[100];
     int i = 0;

And the rest:

/* Import Code: */

    dwSectionCount = pNtHeaders->FileHeader.NumberOfSections;
    dwImportDirectoryVA = pNtHeaders->OptionalHeader.DataDirectory[1].VirtualAddress;

    for(;dwSection < dwSectionCount && pSectionHeader->VirtualAddress <= dwImportDirectoryVA;pSectionHeader++,dwSection++);
     pSectionHeader--;

     dwRawOffset = (DWORD)hMap+pSectionHeader->PointerToRawData;

     pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(dwRawOffset+(dwImportDirectoryVA-pSectionHeader->VirtualAddress));

     for(;pImportDescriptor->Name!=0;pImportDescriptor++)
     {

         pThunkData = (PIMAGE_THUNK_DATA)(dwRawOffset+(pImportDescriptor->OriginalFirstThunk-pSectionHeader->VirtualAddress));
         pFThunkData = (PIMAGE_THUNK_DATA)pImportDescriptor->FirstThunk;
         for(;pThunkData->u1.AddressOfData != 0;pThunkData++)
         {
             if(!(pThunkData->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
             {

                 namearray[i] = (dwRawOffset+(pThunkData->u1.AddressOfData-pSectionHeader->VirtualAddress+2));
                 rvaArray[i] = pFThunkData;

                 i++;
                 //
                 pFThunkData++;
             }

         }
     }

     printf("\nFinished.\n");


     for (i = 0 ; i <= 100 ; i++)
     {
//wRva is defined and initialized earlier in code.
         if (rvaArray[i] == wRva)
         {
             printf("Call to %s found. Address: %X\n", namearray[i], rvaArray[i]);
         }
     }

NOTE: A lot of this code has been stripped down ( printf statements to track progress.)

The problem is the types of arrays I've been using. I'm not sure how I can store pThunkData (Names) and pFThunkData (RVA's) correctly for usage later on.

I've tried a few things a messed around with the code but I'm admitting defeat and asking for your help.

役に立ちましたか?

解決

You could create a list or array of structs, containing pThunkData and pFThunkData.

#define n 100

struct pdata
{
     PIMAGE_THUNK_DATA p_thunk_data;
     PIMAGE_THUNK_DATA pf_thunk_data;
}

struct pdata pdatas[n]
ライセンス: CC-BY-SA帰属
所属していません StackOverflow
scroll top