29A Issue 02 03 05

Published in

· 4 years ago

  

/* 
                        . .: .:.. :.. .. .:.::. :. ..: 
                      <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===< 
                       .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:. 
                       . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:.. 
                        ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::. 
                       >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->> 
                      .: .:.. ..:. .: ..:.::. ::.. :.:. 

                                  [GETPROC] 
              GetProcAddress-alike utility, by Jacky Qwerty/29A 

 
 And here's one more tool you will probably find useful when getting started 
 in the 32-bit virus coding.  Albeit it simply gets the function addresez of 
 one or more APIz from inside any specified module.  It has the advantage of 
 findin  API function adressez  exported by  ordinal only  from the KERNEL32 
 module library. This is somethin u can't normally do by usin GetProcAddress 
 on any ordinal exported from KERNEL32,  since Microsoft intentionally added 
 some code to return failure in such casez. This program overcomes this pro- 
 blem by interactin directly with the export table if necesary. This utility 
 will surely help u when codin your Win32 PE infector and when findin the so 
 called "VxDCall" API address (ordinal 1) to do whatever u want under Win95. 

                                                                          */ 
/*- -[GETPROC.C]- - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 */ 

#include <windows.h> 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

#define RVA2OFS(Type, Base, RVA) ((Type *)((DWORD)(Base) + (DWORD)(RVA)))       //a very useful macro 

FARPROC MyGetProcAddr(HMODULE hMod, LPCSTR pszAPIName) { 
  PIMAGE_DOS_HEADER pMZ; 
  PIMAGE_NT_HEADERS pPE; 
  PIMAGE_EXPORT_DIRECTORY pExp; 
  DWORD cIndex; 
  FARPROC fnAddr; 
  if ((fnAddr = GetProcAddress(hMod, pszAPIName)) == 0) { 
    pMZ = (PIMAGE_DOS_HEADER)hMod; 
    if (pMZ->e_magic != IMAGE_DOS_SIGNATURE) goto Ret; 
    pPE = RVA2OFS(IMAGE_NT_HEADERS, pMZ, pMZ->e_lfanew); 
    if (pPE->Signature != IMAGE_NT_SIGNATURE) goto Ret; 
    if (pPE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size == 0) goto Ret; 
    pExp = RVA2OFS(IMAGE_EXPORT_DIRECTORY, pMZ, pPE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 
    if ((DWORD)pszAPIName & -0x10000) { 
      for (cIndex = 0; cIndex < pExp->NumberOfNames; cIndex++) 
        if (strcmp(RVA2OFS(CHAR, pMZ, RVA2OFS(DWORD, pMZ, pExp->AddressOfNames)[cIndex]) , pszAPIName) == 0) break; 
      if (pExp->NumberOfNames <= cIndex) goto Ret; 
      cIndex = (DWORD)RVA2OFS(WORD, pMZ, pExp->AddressOfNameOrdinals)[cIndex]; } 
    else cIndex = (DWORD)pszAPIName - pExp->Base; 
    if (pExp->NumberOfFunctions <= cIndex) goto Ret; 
    fnAddr = (FARPROC)RVA2OFS(DWORD, pMZ, RVA2OFS(DWORD, pMZ, pExp->AddressOfFunctions)[cIndex]); } 
  Ret: return fnAddr;           
} 

UINT main(UINT argc, CHAR *argv[]) { 
  OSVERSIONINFO Version; 
  HMODULE hMod; 
  FARPROC fnAddr; 
  DWORD Ordinal; 
  UINT i, RetValue = 1; 
  CHAR *szTmp; 
  printf("GETPROC - Gets Win32 API function adressez - (c) 1997 jqwerty/29A\n\n"); 
  Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); 
  if (!GetVersionEx(&Version)) { printf("Can't get Win32 version\n"); Ret: return RetValue; } 
  if (Version.dwPlatformId == VER_PLATFORM_WIN32s) { printf("This program can NOT run under Win32s\n"); goto Ret; } 
  if (argc == 1) { 
    printf("  Syntax: GETPROC <Win32 Module Name> <Win32 API #1 [Win32 API #2] ... >\n\n"); 
    if ((hMod = GetModuleHandleA("KERNEL32")) == 0) { printf("[KERNEL32] Module Name base adress not found\n"); goto Ret; } 
    printf("[KERNEL32] Module name base adress = %08Xh\n", hMod); 
    if ((fnAddr = MyGetProcAddr(hMod, "GetModuleHandleA")) == 0) printf("[GetModuleHandleA] API name base adress not found\n"); 
    else printf("[GetModuleHandleA] API name base adress = %08Xh\n", fnAddr); 
    if ((fnAddr = MyGetProcAddr(hMod, "GetModuleHandleW")) == 0) printf("[GetModuleHandleW] API name base adress not found\n"); 
    else printf("[GetModuleHandleW] API name base adress = %08Xh\n", fnAddr); 
    if ((fnAddr = MyGetProcAddr(hMod, "GetProcAddress")) == 0) printf("[GetProcAddress] API name base adress not found\n"); 
    else printf("[GetProcAddress] API name base adress = %08Xh\n", fnAddr); } 
  else { 
    if ((hMod = LoadLibraryA(strupr(argv[1]))) == 0) { printf("[%s] Module name base adress not found\n", argv[1]); goto Ret; } 
    printf("[%s] Module name base adress = %08Xh\n", argv[1], hMod); 
    for (i = 2; i < argc; i++) { 
      if ((Ordinal = atoi(argv[i])) == 0) { szTmp = "Name"; fnAddr = MyGetProcAddr(hMod, argv[i]); } 
      else { szTmp = "Ordinal"; fnAddr = MyGetProcAddr(hMod, (LPCSTR)Ordinal); } 
      if (!fnAddr) printf("[%s] API %s base adress not found\n", argv[i], szTmp); 
      else printf("[%s] API %s base adress = %08Xh\n", argv[i], szTmp, fnAddr); } 
    FreeLibrary(hMod); 
    RetValue--; } 
  goto Ret; 
}

29A Issue 02 03 05

Share this article

Let's discover also

29A Issue 01 01 05

29A Issue 02 01 02

29A Issue 03 01 02

29A Issue 03 01 01

29A Issue 02 01 03

29A Issue 02 03 03

29A Issue 03 03 07

29A Issue 02 01 01

29A Issue 03 01 04

29A Issue 02 02 08

Recent Articles

Oh I think it is the first time I am seeing king Charles

My British citizenship

Crema catalana ketogenica

Leeto Phreako Headz Issue 4

Leeto Phreako Headz Issue 3

Leeto Phreako Headz Issue 2 (Part II of II)

Sea Serpents and Lake Monsters: Legends or Reality ?

The Palenque Stela, evidence of ancient astronauts?

Leeto Phreako Headz Issue 2 (Part I of II)

Interview d'Alain Finkielkraut

Recent Comments