#include "helpers.h"
#include "PEstructs.h"
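// Case-insensitive equality of two NUL-terminated wide strings using plain
// ASCII folding (sufficient for DLL base names, which are ASCII in practice;
// this deliberately avoids locale-dependent CRT helpers). Returns 1 if equal.
static int hlpWideNameEquals(const wchar_t * a, const wchar_t * b)
{
    for (;; a++, b++)
    {
        wchar_t ca = *a;
        wchar_t cb = *b;
        if (ca >= L'A' && ca <= L'Z')
            ca = (wchar_t) (ca - L'A' + L'a');
        if (cb >= L'A' && cb <= L'Z')
            cb = (wchar_t) (cb - L'A' + L'a');
        if (ca != cb)
            return 0;
        if (ca == L'\0')
            return 1;
    }
}

// Look up a loaded module's base address by walking the loader's module list
// in the PEB rather than calling GetModuleHandleW.
//   sModuleName: NUL-terminated wide base name of the module, matched
//                case-insensitively against the loader's BaseDllName
//                (extension included, no path), or NULL for the current
//                executable image.
// Returns the module base as HMODULE, or NULL when no loaded module matches.
HMODULE WINAPI hlpGetModuleHandle(LPCWSTR sModuleName)
{
    // PEB pointer: fs:[0x30] on x86, gs:[0x60] on x64.
#ifdef _M_IX86
    PEB * ProcEnvBlk = (PEB *) __readfsdword(0x30);
#else
    PEB * ProcEnvBlk = (PEB *) __readgsqword(0x60);
#endif

    // NULL asks for the calling process's own image, as GetModuleHandle does.
    if (sModuleName == NULL)
        return (HMODULE) (ProcEnvBlk->ImageBaseAddress);

    PEB_LDR_DATA * Ldr = ProcEnvBlk->Ldr;
    LIST_ENTRY * ModuleList = &Ldr->InMemoryOrderModuleList;

    for (LIST_ENTRY * px = ModuleList->Flink; px != ModuleList; px = px->Flink)
    {
        // px points at the entry's in-memory-order link, which sits one
        // LIST_ENTRY after the start of LDR_DATA_TABLE_ENTRY, so step back
        // to recover the entry itself (relies on that documented layout).
        LDR_DATA_TABLE_ENTRY * pe = (LDR_DATA_TABLE_ENTRY *) ((BYTE *) px - sizeof(LIST_ENTRY));

        // BaseDllName is a UNICODE_STRING. The previous strcmp() over its
        // UTF-16 buffer stopped at the first zero byte and so effectively
        // compared only the first character; compare as wide strings instead.
        // NOTE(review): assumes the loader's BaseDllName.Buffer is
        // NUL-terminated, which holds for loader-owned entries in practice;
        // a bounded compare against BaseDllName.Length would be stricter.
        const wchar_t * pbuff = (const wchar_t *) pe->BaseDllName.Buffer;
        if (pbuff != NULL && hlpWideNameEquals(pbuff, sModuleName))
            return (HMODULE) pe->DllBase;
    }

    // No entry matched.
    return NULL;
}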
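// Resolve an exported function's address from a mapped module's export
// directory without calling GetProcAddress.
//   hMod:      base address of a module already mapped in this process.
//   sProcName: either a NUL-terminated export name, or an ordinal passed the
//              way GetProcAddress takes it: the ordinal in the low 16 bits of
//              the pointer value with the high bits zero.
// Returns the function address, or NULL when hMod/sProcName is NULL, the
// module has no export directory, the ordinal is out of range, the name is
// not found, the export slot is empty, or the export is a forwarder (a
// "DLL.Func" string naming another module's export, which is not followed).
FARPROC WINAPI hlpGetProcAddress(HMODULE hMod, char * sProcName)
{
    if (hMod == NULL || sProcName == NULL)
        return NULL;

    char * pBaseAddr = (char *) hMod;

    // Main headers/structures of the mapped image.
    IMAGE_DOS_HEADER * pDosHdr = (IMAGE_DOS_HEADER *) pBaseAddr;
    IMAGE_NT_HEADERS * pNTHdr = (IMAGE_NT_HEADERS *) (pBaseAddr + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER * pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY * pExportDataDir = &pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];

    // A module without an export table has an empty directory entry; without
    // this check the "export directory" would alias the DOS header and its
    // fields would be read as garbage offsets.
    if (pExportDataDir->VirtualAddress == 0 || pExportDataDir->Size == 0)
        return NULL;

    IMAGE_EXPORT_DIRECTORY * pExportDirAddr = (IMAGE_EXPORT_DIRECTORY *) (pBaseAddr + pExportDataDir->VirtualAddress);
    DWORD * pEAT = (DWORD *) (pBaseAddr + pExportDirAddr->AddressOfFunctions);
    DWORD funcRva = 0;

    if (((DWORD_PTR) sProcName >> 16) == 0)
    {
        // Resolve by ordinal. The ordinal is the pointer value itself; the
        // previous sProcName[0] read dereferenced that small value as an
        // address and faulted.
        WORD ordinal = (WORD) ((DWORD_PTR) sProcName & 0xFFFF);
        DWORD Base = pExportDirAddr->Base; // first ordinal number

        // Reject ordinals outside [Base, Base + NumberOfFunctions).
        if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
            return NULL;

        funcRva = pEAT[ordinal - Base];
    }
    else
    {
        // Resolve by name: AddressOfNames and AddressOfNameOrdinals are
        // parallel tables; the latter holds the index into AddressOfFunctions.
        DWORD * pFuncNameTbl = (DWORD *) (pBaseAddr + pExportDirAddr->AddressOfNames);
        WORD * pHintsTbl = (WORD *) (pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);
        int found = 0;

        for (DWORD ii = 0; ii < pExportDirAddr->NumberOfNames; ii++)
        {
            const char * sTmpFuncName = pBaseAddr + (DWORD_PTR) pFuncNameTbl[ii];
            if (strcmp(sProcName, sTmpFuncName) == 0)
            {
                WORD idx = pHintsTbl[ii];
                // Keep the EAT access in bounds even for an inconsistent image.
                if (idx >= pExportDirAddr->NumberOfFunctions)
                    return NULL;
                funcRva = pEAT[idx];
                found = 1;
                break;
            }
        }

        if (!found)
            return NULL;
    }

    // An empty slot in AddressOfFunctions means nothing is exported at that
    // ordinal; returning base + 0 would hand back the module base instead.
    if (funcRva == 0)
        return NULL;

    // An RVA that lies inside the export directory is a forwarder string,
    // not code; returning it as a FARPROC would give the caller a pointer to
    // text. Forwarders are not followed here.
    if (funcRva >= pExportDataDir->VirtualAddress &&
        funcRva < pExportDataDir->VirtualAddress + pExportDataDir->Size)
        return NULL;

    // Function virtual address = image base + RVA.
    return (FARPROC) (pBaseAddr + (DWORD_PTR) funcRva);
}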