Support ordinal lookups

Maurice Heumann 2023-01-17 18:37:08 +01:00
parent 87b9b9d146
commit 6e27f58f89
2 changed files with 27 additions and 7 deletions


@ -16,7 +16,8 @@ namespace utils::nt
library library::get_by_address(void* address) library library::get_by_address(void* address)
{ {
HMODULE handle = nullptr; HMODULE handle = nullptr;
GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, static_cast<LPCSTR>(address), &handle); GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
static_cast<LPCSTR>(address), &handle);
return library(handle); return library(handle);
} }
@ -157,6 +158,11 @@ namespace utils::nt
} }
void** library::get_iat_entry(const std::string& module_name, const std::string& proc_name) const void** library::get_iat_entry(const std::string& module_name, const std::string& proc_name) const
{
return this->get_iat_entry(module_name, proc_name.data());
}
void** library::get_iat_entry(const std::string& module_name, const char* proc_name) const
{ {
if (!this->is_valid()) return nullptr; if (!this->is_valid()) return nullptr;
@ -183,16 +189,22 @@ namespace utils::nt
while (original_thunk_data->u1.AddressOfData) while (original_thunk_data->u1.AddressOfData)
{ {
const size_t ordinal_number = original_thunk_data->u1.AddressOfData & 0xFFFFFFF; if (thunk_data->u1.Function == reinterpret_cast<uint64_t>(target_function))
if (ordinal_number > 0xFFFF) continue;
if (GetProcAddress(other_module.module_, reinterpret_cast<char*>(ordinal_number)) ==
target_function)
{ {
return reinterpret_cast<void**>(&thunk_data->u1.Function); return reinterpret_cast<void**>(&thunk_data->u1.Function);
} }
const size_t ordinal_number = original_thunk_data->u1.AddressOfData & 0xFFFFFFF;
if (ordinal_number <= 0xFFFF)
{
auto* proc = GetProcAddress(other_module.module_, reinterpret_cast<char*>(ordinal_number));
if (reinterpret_cast<void*>(proc) == target_function)
{
return reinterpret_cast<void**>(&thunk_data->u1.Function);
}
}
++original_thunk_data; ++original_thunk_data;
++thunk_data; ++thunk_data;
} }
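Review bot: The ordinal test in the thunk loop never consults the import-by-ordinal flag: `original_thunk_data->u1.AddressOfData & 0xFFFFFFF` followed by `if (ordinal_number <= 0xFFFF)` also matches a by-name thunk whose hint/name RVA has low 28 bits at or below 0xFFFF. Such an RVA is then passed to GetProcAddress as if it were an ordinal, and an accidental match would return the wrong IAT slot to the caller. The mask is also 28 bits wide while an ordinal occupies 16. Gating the branch on `if (IMAGE_SNAP_BY_ORDINAL(original_thunk_data->u1.Ordinal))` and taking the number from `IMAGE_ORDINAL(original_thunk_data->u1.Ordinal)` would keep the two import kinds apart. The enclosing function starts above this hunk, so how `target_function` is resolved is not visible here.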


@ -43,6 +43,13 @@ namespace utils::nt
return reinterpret_cast<T>(GetProcAddress(this->module_, process.data())); return reinterpret_cast<T>(GetProcAddress(this->module_, process.data()));
} }
template <typename T>
T get_proc(const char* name) const
{
if (!this->is_valid()) T{};
return reinterpret_cast<T>(GetProcAddress(this->module_, name));
}
template <typename T> template <typename T>
std::function<T> get(const std::string& process) const std::function<T> get(const std::string& process) const
{ {
@ -81,6 +88,7 @@ namespace utils::nt
PIMAGE_OPTIONAL_HEADER get_optional_header() const; PIMAGE_OPTIONAL_HEADER get_optional_header() const;
void** get_iat_entry(const std::string& module_name, const std::string& proc_name) const; void** get_iat_entry(const std::string& module_name, const std::string& proc_name) const;
void** get_iat_entry(const std::string& module_name, const char* name) const;
private: private:
HMODULE module_; HMODULE module_;
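Review bot: The validity guard in the new `get_proc(const char* name)` overload is missing its `return`: `if (!this->is_valid()) T{};` builds and discards a temporary, so an invalid library still falls through to `GetProcAddress(this->module_, name)`. It should read `if (!this->is_valid()) return T{};`. Judging by the commit title, this overload exists so that `name` can carry an ordinal instead of a string. A one-line comment such as `// name is either a NUL-terminated export name or an ordinal in the low word` on it, and on the matching `get_iat_entry(const std::string&, const char*)` declaration, would tell callers the pointer may not be dereferenceable.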