#include <idc.idc>
#define NO_MAIN
#include <pe_sections.idc>
/*
// File:
// pe_dlls.idc
//
// Created by:
// Atli Gudmundsson (agudmundsson@symantec.com)
//
// Purpose:
// Loads the DLLs associated with a particular PE executable into the database.
//
// Note:
// This script requires the PE_SECTIONS.IDC script.
// This version does not support relocs (sorry)
//
// If the script doesn't find the HEADER section then it automatically runs the PE_SECTIONS.IDC script
// (without asking the user).
//
// Otherwise the script asks the user if it should run the PE_SECTIONS.IDC script.
//
// Usage:
// Just run the script :)
//
// Fixes/additions
// amg - ??-06-1999 - 1st version
// amg - 18-12-2000 - Blew the dust off this old script and made the following modifications:
// - cleaned it up
// - removed large portions of it and made it use PE_SECTIONS.IDC instead.
// amg - 18-12-2000 - added a new [custom] FirstNamedSeg(in_name)
// amg - 15-01-2001 - the script now supports loading of DLLs specified by the user (ex. dynamically
// loaded DLLs).
// amg - 28-02-2001 - bugfix: the script now correctly hooks imported functions to the import table.
// amg - 01-03-2001 - the script can (and will) now load DLLs of DLLs, relocs are still not supported though.
// amg - 12-03-2002 - minor structural change: doPEtables is now handled within the LoadSections function
//
// Note: even though relocs are currently unsupported this is not a disadvantage when
// disassembling apps that use system DLLs, they usually have unique base addresses
// anyway (because of optimization issues and the desire not to create a copy of the
// DLL in the systems swap file).
//
// amg - 13-07-2002 - interface: clarified one user message.
// amg - 13-07-2002 - bugfix:
// - we now correctly recognize if a DLL has already been loaded.
// - we now correctly patch imports in multiple DLLs, which import the same DLL.
// - we now correctly patch imports in a DLL if it imports from the loaded base image.
// - removed redundant call to the PE table parsing function (see pe_sections.idc:12-03-2002).
// amg - 13-07-2002 - enhancement (actually in pe_sections.idc):
// - we now apply fixups to all relocated DLLs (most common relocs are supported).
//
*/
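// Entry point of the DLL loader script.
//
// The first prompt selects one of two modes:
//   - the user names DLLs one at a time; each name is handed to
//     LoadSingleDLL() and, when a non-zero base comes back, the imports of
//     that DLL are followed with LoadDLLs();
//   - otherwise the DLLs imported by the image already in the database are
//     loaded with LoadDLLs(), after EXEload() has been run when the first
//     segment is not the HEADER segment or when the user asks for it.
//
// Returns -1 when the user cancels the first prompt or the HEADER prompt,
// or when EXEload() returns BADADDR; returns 0 in every other case,
// including a DLL that failed to load.
static main()
{
    auto imageBase, loadEXE;
    auto ask_user;

    Message("-------------------------------------------------------------------------------\n\n");
    Message(" The DLL loader script for PE files.\n created by Atli Gudmundsson <agudmundsson@symantec.com>\n");
    Message("\n");

    // AskYN results used throughout: 1 - Yes, 0 - No, -1 - Cancel
    ask_user = AskYN(0, "Do you want to specify DLL(s) to load?");
    if(ask_user != 0)
    {
        auto DLL_name;

        if(ask_user == -1)
        {
            return -1;
        }

        do
        {
            // AskStr yields 0 when the dialog is dismissed without a name.
            DLL_name = AskStr("KERNEL32.DLL", "What is the name of the DLL (don't type in the full path)?");
            if(DLL_name == 0)
            {
                break;
            }

            // NOTE(review): the name reaches LoadSingleDLL() unchanged; nothing
            // here enforces the "no full path" request made in the prompt, so
            // whatever file lookup LoadSingleDLL() performs sees the raw string
            // - confirm how it resolves the name before using this script on
            // input that is not typed by the analyst.
            imageBase = LoadSingleDLL(DLL_name);
            if(imageBase == -1)
            {
                // -1 is treated as a hard failure: stop asking for more DLLs.
                break;
            }

            // A base of 0 skips the import walk; presumably nothing new was
            // mapped for this name - verify against LoadSingleDLL().
            if((imageBase != 0) && (LoadDLLs(imageBase) < 0))
            {
                break;
            }

            ask_user = AskYN(1, "Do you want to load another DLL?");
        }
        while(ask_user == 1);

        return 0;
    }

    // Default to (re)building the sections; only an existing HEADER segment
    // gives the user a chance to skip that step.
    loadEXE = 1;
    imageBase = FirstSeg();
    if((imageBase != BADADDR) && (SegName(imageBase) == PE_HEADER_SECTION_NAME))
    {
        // The prompt names the script as the file header does (PE_SECTIONS.IDC);
        // the original text dropped the final "S".
        ask_user = AskYN(0, "HEADER section found, do you want me to run the PE_SECTIONS.IDC script?");
        if(ask_user == -1)
        {
            return -1;
        }
        loadEXE = (ask_user == 1);
    }

    if(loadEXE)
    {
        imageBase = EXEload();
        if(imageBase == BADADDR)
        {
            return -1;
        }
    }

    // The result of LoadDLLs() is deliberately not propagated: as in the
    // interactive branch above, a failed DLL load still ends with 0.
    LoadDLLs(imageBase);

    Message("\n-------------------------------------------------------------------------------\n\n");
    return 0;
}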
static LoadDLLs(imageBase)
{
auto PEoffset;
auto importTable;
auto BaseArray;
auto ask_user, loadDLL;
auto index;
loadDLL = 1;
ask_user = AskYN(1, "Load all DLLs associated with this one?");
// 1 - Yes
// 0 - No
// -1 - Cancel
if(ask_user < 0)
{
return 0;
}
BaseArray = CreateArray("BaseArray for DLLs");
if(BaseArray == -1)
{
WarningMessage("ERROR:can't initialize the BaseArray");
return -1;
}
index = 0;
SetArrayLong(BaseArray, 0, imageBase);
while(1)
{
imageBase = GetArrayElement(AR_LONG, BaseArray, index);
PEoffset = LEDword(imageBase + 0x3c);
if(LEDword(imageBase + PEoffset) != 0x4550)
{
WarningMessage("ERROR:A none PE file was specified as a DLL!");
return -1; // unexpected
}
importTable = LEDword(imageBase + PEoffset + 0x80);
if(importTable)
{
importTable = importTable + imageBase;
if(SegStart(importTable) == BADADDR)
{
WarningMessage(" import table is not in any section (run the PE_SECTIONS.IDC script)!");
return 0;
}
while(1)
{
auto ilt, tds, fc, name, iat;
auto imports;
auto DLL_name;
ilt = LEDword(importTable);
tds = LEDword(importTable + 0x04);
fc = LEDword(importTable + 0x08);
name = LEDword(importTable + 0x0c);
iat = LEDword(importTable + 0x10);
if(!name || (!iat && !ilt))
{
break;
}
if(ilt)
{
imports = ilt;
}
else
{
imports = iat;
}
name = name + imageBase;
imports = imports + imageBase;
iat = iat + imageBase;
DLL_name = Str(name);
if(!ask_user)
{
loadDLL = AskYN(1, "Do you want me to load " + DLL_name + "?");
// 1 - Yes
// 0 - No
// -1 - Cancel
if(loadDLL < 0)
{
return -1;
}
}
if(loadDLL)
{
auto DLLBase;
DLLBase = LoadSingleDLL(DLL_name);
// Add
if(DLLBase == -1)
{
if(ask_user)
{
ask_user = AskYN(1, "Some error occured, do you still want to load all DLLs?");
// 1 - Yes
// 0 - No
// -1 - Cancel
if(ask_user < 0)
{
return;
}
}
DLLBase = 0;
}
if(DLLBase != 0)
{
auto travel, last;
travel = 0;
last = GetLastIndex(AR_LONG, BaseArray);
while(travel <= last)
{
if(GetArrayElement(AR_LONG, BaseArray, travel) == DLLBase)
{
break;
}
travel++;
}
if(travel > last)
{
// no match was found, so add it for later parsing
SetArrayLong(BaseArray, GetLastIndex(AR_LONG, BaseArray) + 1, DLLBase);
}
}
if(DLLBase != 0)
{
auto importAddress;
auto FuncName;
// fix the import table of the current DLL.
importAddress = LEDword(imports);
if(importAddress)
{
do
{
if(importAddress < 0)
{
// import by ordinal
importAddress = importAddress & 0x7fffffff;
importAddress = GetProcAddress(DLLBase, "", importAddress);
}
else
{
// import by name
importAddress = importAddress + imageBase + 2;
FuncName = Str(importAddress);
importAddress = GetProcAddress(DLLBase, FuncName, 0);
}
if(importAddress != 0)
{
PatchDword(iat, importAddress);
OpOff(iat, 0, 0);
MakeCode(importAddress);
}
// else // silently ignore this case... the most likely cause for this is that the import
// { // table has already been patched (the script is being re-executed)...
// MakeComm(iat, "Can't resolve to this address!");
// }
iat = iat + 4;
imports = imports + 4;
importAddress = LEDword(imports);
}
while(importAddress);
}
}
}
importTable = importTable + 0x14;
}
}