flat assembler
Message board for the users of flat assembler.

Index > High Level Languages > [C++] IMAGE_EXPORT_DIRECTORY wrong values

Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 12 Nov 2012, 15:52
Hi, I think method is the same when people are trying to get headers from PE file. I don't know where else should I post it, because nobody knows the right answer..

I'm having trouble with IMAGE_EXPORT_DIRECTORY values, whenever I'm calculating address of it, it gives me wrong values (like Name, NumberOfNames, AddressOfNames, etc..). I'm calculating it by the following code.

Code:
IMAGE_EXPORT_DIRECTORY *export_directory = (IMAGE_EXPORT_DIRECTORY*)(nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress + (DWORD)dos_header);    

Following in debugger, the address is right, there must be a IMAGE_EXPORT_DIRECTORY, but why it gives me wrong results? Can't access any of the elements from it, because it says bad ptr.. Tried and works fine with kernel32.dll, but fails on user32.dll when extracting names from AddressOfNames.

Using Windows 8 x86.
Post 12 Nov 2012, 15:52
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 12 Nov 2012, 18:02
Moved to High Level Languages
Post 12 Nov 2012, 18:02
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 12 Nov 2012, 20:24
Oh, don't knew about that section Very Happy Sorry.
Post 12 Nov 2012, 20:24
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 12 Nov 2012, 21:39
this value nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress is rva , but if you loaded file in memory ( not start the process itself ) and you want to find where image_export_direc is you have to find pointer to raw data for that directory ,
little help , find in what image_section_header that rva fits in ,( that is betweent rva of the section + its virtual size ) , find that section pointer to raw data and you have the raw start from where to look further Smile

check peview numbers , its all there ...
Post 12 Nov 2012, 21:39
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 12 Nov 2012, 21:52
Hi, thanks for reply. I already know that VirtualAddress is RVA, I'm adding to it ImageBase there as you can see (DWORD)dos_header. I'm using ReadFile to buffer instead of LoadLibrary, etc..
P.S it works fine with kernel32.dll but not with user32.dll
Post 12 Nov 2012, 21:52
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 12 Nov 2012, 23:03
How stupid I am.. Example I showed, is searching when library loaded in memory, not on disk. I know now what's the problem. Thank you!
Post 12 Nov 2012, 23:03
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 12 Nov 2012, 23:24
But wait, there's something wrong!!! Tried now on kernel32.dll and it just fails... I'm just damn confused!
Code:
//assume base address for both is 0.
user32->DataDirectory[0].VirtualAddress = 0x00001000
user32->PointerToRawData = 0x00001000
user32->IMAGE_EXPORT_DIRECTORY = 0x00001000
---
kernel32->DataDirectory[0].VirtualAddress = 0x000CDA48
kernel32->PointerToRawData = 0x00001000
kernel32->IMAGE_EXPORT_DIRECTORY = 0x000CDA48    

How could it be like this ? Sad
Post 12 Nov 2012, 23:24
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 13 Nov 2012, 01:39
I have also attached images. user32.dll with raw address calculation, kernel32.dll directly with EXPORT_TABLE[0].VirtualAddress...


Description: IMAGE_EXPORT_DIRECTORY
Filesize: 133.15 KB
Viewed: 20412 Time(s)

ExportDirectory.JPG


Description: IMAGE_SECTION_HEADER
Filesize: 68.89 KB
Viewed: 20411 Time(s)

SectionHeader.JPG


Description: IMAGE_DATA_DIRECTORY
Filesize: 56.11 KB
Viewed: 20411 Time(s)

DataDirectory.JPG


Post 13 Nov 2012, 01:39
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 13 Nov 2012, 10:56
ok , this are the steps for 32bit dlls that will help you to find pointer to raw data of image_export_direc ( later you can easy translet this
steps/method to your app ):
/* here image_export_direc raw data start at 0x2d00 */

1.) dl PEview from http://www.magma.ca/~wjr/ ( my peviewer isnt ready yet Smile )
2.) with peview open some dll ( lets say user32.dll )
3.) set view->address to file offset
4.) in image_optional_header find rva of export table ( 0x3900 )
5.) check all image_section_header to find out where this rva fits
( so here it is in .text section because 0x3900 is between section rva 0x1000 + virtual size 0x5f283 )
6.) save pointer to raw data of that section ( 0x400 )
7.) calc
3900
-1000
-------
2900
+ 400
-------
2d00

8.) add 2d00 start of the file ( pointer you get from reading file in mem )
9.) you are at begging of image_export_direc structure

have fun Cool
btw there are a few exception for the calc part but Im leaving that to you to find out... Very Happy
Post 13 Nov 2012, 10:56
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 13 Nov 2012, 11:18
as I guess, it should be calculated like this?
Code:
BaseAddress + DataDirectory[0].VirtualAddress - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData    

Question
I have to find also not VirtualAddress, but if it is greater or equal to virtual address right?
Post 13 Nov 2012, 11:18
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 13 Nov 2012, 12:05
Yeah, it's like that, thank you Smile I'm failing now to get names from there... I hate C! with ASM it's easier!
Code:
IMAGE_EXPORT_DIRECTORY *export_directory = NULL;
IMAGE_SECTION_HEADER *section = (IMAGE_SECTION_HEADER*)((DWORD)nt_headers + sizeof(IMAGE_NT_HEADERS));
   
    for(unsigned int i = 0; i < nt_headers->FileHeader.NumberOfSections; i++)
     {
              if(section->VirtualAddress <= nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress)
          {
                      export_directory = (IMAGE_EXPORT_DIRECTORY*)((DWORD)hMem + nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress - section->VirtualAddress + section->PointerToRawData);
                      break;
              }
      }

  if(export_directory == NULL)
        {
              printf("Export Directory not found.\n");
         return 0;
   }
DWORD AddressOfNames = (DWORD)(export_directory->AddressOfNames + (DWORD)hMem);
DWORD NumberOfNames = export_directory->NumberOfNames;

    for(unsigned int i = 0; i < NumberOfNames; i++)
      {
             char *pName = *((char**)AddressOfNames + i) + (DWORD)hMem;
      }    

Trying to understand how pointers and references work, but I just can't get it.. is there any tutorial which explains it as assembly level ?
Post 13 Nov 2012, 12:05
View user's profile Send private message Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 15 Nov 2012, 06:40
this is what I use:

Code:
if defined edata
    dd edata-imgbase
    dd edata.end-edata
else
    dd 0
    dd 0
end if    

_________________
This is a block of text that can be added to posts you make.
Post 15 Nov 2012, 06:40
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 15 Nov 2012, 06:46
...or are you having troubles finding the optional header?
Post 15 Nov 2012, 06:46
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.