flat assembler
Message board for the users of flat assembler.
Index
> High Level Languages > [C++] IMAGE_EXPORT_DIRECTORY wrong values |
Author |
|
revolution 12 Nov 2012, 18:02
Moved to High Level Languages
|
|||
12 Nov 2012, 18:02 |
|
Overflowz 12 Nov 2012, 20:24
Oh, don't knew about that section Sorry.
|
|||
12 Nov 2012, 20:24 |
|
dancho 12 Nov 2012, 21:39
this value nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress is rva , but if you loaded file in memory ( not start the process itself ) and you want to find where image_export_direc is you have to find pointer to raw data for that directory ,
little help , find in what image_section_header that rva fits in ,( that is betweent rva of the section + its virtual size ) , find that section pointer to raw data and you have the raw start from where to look further check peview numbers , its all there ... |
|||
12 Nov 2012, 21:39 |
|
Overflowz 12 Nov 2012, 21:52
Hi, thanks for reply. I already know that VirtualAddress is RVA, I'm adding to it ImageBase there as you can see (DWORD)dos_header. I'm using ReadFile to buffer instead of LoadLibrary, etc..
P.S it works fine with kernel32.dll but not with user32.dll |
|||
12 Nov 2012, 21:52 |
|
Overflowz 12 Nov 2012, 23:03
How stupid I am.. Example I showed, is searching when library loaded in memory, not on disk. I know now what's the problem. Thank you!
|
|||
12 Nov 2012, 23:03 |
|
Overflowz 12 Nov 2012, 23:24
But wait, there's something wrong!!! Tried now on kernel32.dll and it just fails... I'm just damn confused!
Code: //assume base address for both is 0. user32->DataDirectory[0].VirtualAddress = 0x00001000 user32->PointerToRawData = 0x00001000 user32->IMAGE_EXPORT_DIRECTORY = 0x00001000 --- kernel32->DataDirectory[0].VirtualAddress = 0x000CDA48 kernel32->PointerToRawData = 0x00001000 kernel32->IMAGE_EXPORT_DIRECTORY = 0x000CDA48 How could it be like this ? |
|||
12 Nov 2012, 23:24 |
|
Overflowz 13 Nov 2012, 01:39
I have also attached images. user32.dll with raw address calculation, kernel32.dll directly with EXPORT_TABLE[0].VirtualAddress...
|
||||||||||||||||||||||||||||
13 Nov 2012, 01:39 |
|
dancho 13 Nov 2012, 10:56
ok , this are the steps for 32bit dlls that will help you to find pointer to raw data of image_export_direc ( later you can easy translet this
steps/method to your app ): /* here image_export_direc raw data start at 0x2d00 */ 1.) dl PEview from http://www.magma.ca/~wjr/ ( my peviewer isnt ready yet ) 2.) with peview open some dll ( lets say user32.dll ) 3.) set view->address to file offset 4.) in image_optional_header find rva of export table ( 0x3900 ) 5.) check all image_section_header to find out where this rva fits ( so here it is in .text section because 0x3900 is between section rva 0x1000 + virtual size 0x5f283 ) 6.) save pointer to raw data of that section ( 0x400 ) 7.) calc 3900 -1000 ------- 2900 + 400 ------- 2d00 8.) add 2d00 start of the file ( pointer you get from reading file in mem ) 9.) you are at begging of image_export_direc structure have fun btw there are a few exception for the calc part but Im leaving that to you to find out... |
|||
13 Nov 2012, 10:56 |
|
Overflowz 13 Nov 2012, 11:18
as I guess, it should be calculated like this?
Code: BaseAddress + DataDirectory[0].VirtualAddress - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData I have to find also not VirtualAddress, but if it is greater or equal to virtual address right? |
|||
13 Nov 2012, 11:18 |
|
Overflowz 13 Nov 2012, 12:05
Yeah, it's like that, thank you I'm failing now to get names from there... I hate C! with ASM it's easier!
Code: IMAGE_EXPORT_DIRECTORY *export_directory = NULL; IMAGE_SECTION_HEADER *section = (IMAGE_SECTION_HEADER*)((DWORD)nt_headers + sizeof(IMAGE_NT_HEADERS)); for(unsigned int i = 0; i < nt_headers->FileHeader.NumberOfSections; i++) { if(section->VirtualAddress <= nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress) { export_directory = (IMAGE_EXPORT_DIRECTORY*)((DWORD)hMem + nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress - section->VirtualAddress + section->PointerToRawData); break; } } if(export_directory == NULL) { printf("Export Directory not found.\n"); return 0; } DWORD AddressOfNames = (DWORD)(export_directory->AddressOfNames + (DWORD)hMem); DWORD NumberOfNames = export_directory->NumberOfNames; for(unsigned int i = 0; i < NumberOfNames; i++) { char *pName = *((char**)AddressOfNames + i) + (DWORD)hMem; } Trying to understand how pointers and references work, but I just can't get it.. is there any tutorial which explains it as assembly level ? |
|||
13 Nov 2012, 12:05 |
|
mindcooler 15 Nov 2012, 06:40
this is what I use:
Code: if defined edata dd edata-imgbase dd edata.end-edata else dd 0 dd 0 end if _________________ This is a block of text that can be added to posts you make. |
|||
15 Nov 2012, 06:40 |
|
mindcooler 15 Nov 2012, 06:46
...or are you having troubles finding the optional header?
|
|||
15 Nov 2012, 06:46 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.