
Custom GetProcAddress

// Layout of the PE export directory (the IMAGE_DIRECTORY_ENTRY_EXPORT data
// directory), reproduced from the SDK for reference. Every Address*/Name
// field is an RVA (offset from the image base), not a pointer: the resolver
// below adds the image base to each one before dereferencing it. The three
// Address* tables are parallel arrays: AddressOfNames[i] is the name string,
// AddressOfNameOrdinals[i] the index into AddressOfFunctions for that name.
struct _IMAGE_EXPORT_DIRECTORY {
  DWORD   Characteristics;        // not consulted by the lookup in this post
  DWORD   TimeDateStamp;          // not consulted by the lookup in this post
  WORD    MajorVersion;           // not consulted by the lookup in this post
  WORD    MinorVersion;           // not consulted by the lookup in this post
  DWORD   Name;                   // RVA of the exporting DLL's own name
  DWORD   Base;                   // ordinal base: ordinal - Base indexes AddressOfFunctions (PE spec "Ordinal Base")
  DWORD   NumberOfFunctions;      // entry count of AddressOfFunctions
  DWORD   NumberOfNames;          // entry count of AddressOfNames / AddressOfNameOrdinals
  DWORD   AddressOfFunctions;     // RVA of DWORD[NumberOfFunctions] export RVAs (or forwarder-string RVAs)
  DWORD   AddressOfNames;         // RVA of DWORD[NumberOfNames] name-string RVAs
  DWORD   AddressOfNameOrdinals;  // RVA of WORD[NumberOfNames] indices into AddressOfFunctions
};
using IMAGE_EXPORT_DIRECTORY  = _IMAGE_EXPORT_DIRECTORY;
using PIMAGE_EXPORT_DIRECTORY = _IMAGE_EXPORT_DIRECTORY*;
#include <Windows.h>

#include <cstring>
#include <iostream>
using namespace std;

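// Resolves an export of an already-mapped module by walking its export
// directory directly, without calling GetProcAddress.
//
// hModule    : base address of a mapped 64-bit PE image. The template parameter
//              only exists so callers can pass an HMODULE, an LPVOID or an
//              integer base without an explicit cast (the C-style cast below
//              is kept for that reason: reinterpret_cast rejects integer bases).
// lpProcName : either a NUL-terminated export name, or an ordinal packed the
//              way GetProcAddress accepts it (high word zero, ordinal in the
//              low word, i.e. MAKEINTRESOURCEA(ordinal)).
//
// Returns the virtual address of the export, or nullptr when: the base is null
// or not a 64-bit PE, the image has no export table, a table lies outside the
// image, the name/ordinal is absent, the address slot is empty, or the export
// is forwarded to another DLL (see the forwarder note below).
//
// This reads raw image memory, so every header field that is used as an
// offset is range-checked before use: a wrong base or a tampered export table
// must fail closed (nullptr) rather than yield a wild pointer that the caller
// then calls.
template<typename T>
LPVOID CustomGetProcAddress(T hModule, LPCSTR lpProcName) {
	// Header magics, spelled out so the checks need no extra SDK macros.
	constexpr WORD  kDosMagic  = 0x5A4D;      // "MZ"
	constexpr DWORD kNtMagic   = 0x00004550;  // "PE\0\0"
	constexpr WORD  kPe64Magic = 0x020B;      // IMAGE_NT_OPTIONAL_HDR64_MAGIC

	const ULONGLONG imageBase = (ULONGLONG)hModule;
	if (imageBase == 0 || lpProcName == nullptr) {
		return nullptr;
	}

	const auto pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase);
	if (pDosHeader->e_magic != kDosMagic) {
		return nullptr;
	}
	// e_lfanew is signed; the NT headers can never precede the DOS header.
	if (pDosHeader->e_lfanew < static_cast<LONG>(sizeof(*pDosHeader))) {
		return nullptr;
	}

	const auto pNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS64>(
		imageBase + static_cast<ULONGLONG>(pDosHeader->e_lfanew));
	// The code below assumes the 64-bit optional-header layout; reject anything else.
	if (pNtHeaders->Signature != kNtMagic || pNtHeaders->OptionalHeader.Magic != kPe64Magic) {
		return nullptr;
	}

	// Overflow-safe "does [rva, rva+length) fit inside the mapped image" test.
	const ULONGLONG sizeOfImage = pNtHeaders->OptionalHeader.SizeOfImage;
	const auto withinImage = [sizeOfImage](ULONGLONG rva, ULONGLONG length) {
		return rva <= sizeOfImage && length <= sizeOfImage - rva;
	};

	const auto& exportDir = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	// A zero entry means the module exports nothing; the original code would
	// have treated the DOS header itself as an export directory.
	if (exportDir.VirtualAddress == 0 || exportDir.Size == 0) {
		return nullptr;
	}
	if (!withinImage(exportDir.VirtualAddress, exportDir.Size)) {
		return nullptr;
	}

	const auto pExport = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(imageBase + exportDir.VirtualAddress);
	if (exportDir.Size < sizeof(*pExport)) {
		return nullptr;
	}

	const DWORD numberOfFunctions = pExport->NumberOfFunctions;
	const DWORD numberOfNames     = pExport->NumberOfNames;
	if (!withinImage(pExport->AddressOfFunctions,    static_cast<ULONGLONG>(numberOfFunctions) * sizeof(DWORD)) ||
	    !withinImage(pExport->AddressOfNames,        static_cast<ULONGLONG>(numberOfNames)     * sizeof(DWORD)) ||
	    !withinImage(pExport->AddressOfNameOrdinals, static_cast<ULONGLONG>(numberOfNames)     * sizeof(WORD))) {
		return nullptr;
	}

	const auto functions = reinterpret_cast<const DWORD*>(imageBase + pExport->AddressOfFunctions);
	const auto names     = reinterpret_cast<const DWORD*>(imageBase + pExport->AddressOfNames);
	const auto ordinals  = reinterpret_cast<const WORD*>(imageBase + pExport->AddressOfNameOrdinals);

	// Index into AddressOfFunctions; numberOfFunctions doubles as "not found".
	DWORD functionIndex = numberOfFunctions;

	if ((reinterpret_cast<ULONGLONG>(lpProcName) >> 16) == 0) {
		// Ordinal lookup. Ordinals are biased by Base; the address table is not.
		// The original code would have passed this pseudo-pointer to strcmp.
		const DWORD ordinal = static_cast<WORD>(reinterpret_cast<ULONGLONG>(lpProcName));
		if (ordinal < pExport->Base) {
			return nullptr;
		}
		functionIndex = ordinal - pExport->Base;
	} else {
		// Name lookup. A linear scan is used deliberately: the name table is
		// sorted in a well-formed image, but this resolver should not assume it.
		for (DWORD i = 0; i < numberOfNames; ++i) {
			if (!withinImage(names[i], 1)) {
				return nullptr;
			}
			const auto exportName = reinterpret_cast<LPCSTR>(imageBase + names[i]);
			if (std::strcmp(exportName, lpProcName) == 0) {
				functionIndex = ordinals[i];
				break;
			}
		}
	}

	// Bounds-check the ordinal-table value before indexing with it.
	if (functionIndex >= numberOfFunctions) {
		return nullptr;
	}

	const DWORD functionRva = functions[functionIndex];
	// An empty slot (gap in the ordinal range) has no export behind it.
	if (functionRva == 0) {
		return nullptr;
	}

	// Forwarded export: the slot's RVA points back into the export directory,
	// at a "DllName.FunctionName" string rather than code. GetProcAddress
	// follows it by loading the target DLL; this minimal resolver does not, so
	// it reports not-found instead of handing back a pointer to a string that
	// the caller would then try to execute.
	if (functionRva >= exportDir.VirtualAddress &&
	    functionRva <  static_cast<ULONGLONG>(exportDir.VirtualAddress) + exportDir.Size) {
		return nullptr;
	}

	return reinterpret_cast<LPVOID>(imageBase + functionRva);
}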

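// Cross-checks the hand-rolled resolver against the real GetProcAddress on a
// kernel32 export. Exit status is 0 on agreement and 1 otherwise, so the
// check can be driven from a script or CI job.
int main() {
	const HMODULE hKernel32{ GetModuleHandleA("kernel32") };
	if (hKernel32 == nullptr) {
		// Both lookups would dereference a null base; report and stop instead.
		std::cout << "[-] Failure!" << '\n';
		return 1;
	}

	constexpr LPCSTR kProcName{ "AddAtomA" };
	// FARPROC -> LPVOID is a conditionally-supported conversion; make it explicit.
	const LPVOID expected{ reinterpret_cast<LPVOID>(GetProcAddress(hKernel32, kProcName)) };
	const LPVOID actual{ CustomGetProcAddress(hKernel32, kProcName) };

	// Two nullptrs must not count as agreement: that would mask both lookups failing.
	if (expected != nullptr && expected == actual) {
		std::cout << "[+] Success!" << '\n';
		return 0;
	}

	std::cout << "[-] Failure!" << '\n';
	return 1;
}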

References

- BendyBear: サイバースパイグループBlackTechとリンクされた新しい中国のシェルコード (BendyBear: new Chinese shellcode linked to the BlackTech cyber-espionage group)
- SHA-256: 5d1414b47d88e95ae6612d3fc211c29b35cc5db4a8a992f5e27cff5203ebf44b
- PE Format - Win32 apps
- GetProcAddress function (libloaderapi.h) - Win32 apps

This post is licensed under CC BY 4.0 by the author.