📄 rebit.c
字号:
#define _WIN32_WINNT 0x0400
#include <windows.h>
#include <string.h>
#include <odbg\plugin.h>
const DWORD ordinalimp = 0x80000000;
const char *szNewSecName = ".NewIID";
const int MaxDllNameLength = 40;
const int MinDllNameLength = 4;
const int MaxFunctNameLength = 80;
const int BadSectionsNum = 10;
const char *BadSections[] = {".rsrc","rsrc",".bss","bss",".reloc","reloc",".code","code",".edata","edata",".tls","tls"};
const int FineFileExtsNum = 6;
const char *FineFileExts[] = {".dll",".ocx",".exe",".bpl",".drv",".pak"};
static PIMAGE_DOS_HEADER dosh;
static PIMAGE_NT_HEADERS peh;
static PIMAGE_SECTION_HEADER sectionh;
static PIMAGE_DATA_DIRECTORY pDir;
static DWORD tmpnum,hlib;
// for getdllfunctnames
static DWORD DllNum;
static int FunctNum[50];
static char *Dllnames[50];
static HANDLE Dllhandles[50];
static char *Functnames[50][1200];
static DWORD Functaddresses[50][1200];
// for "SearchForFirstThunk"
// pDllThunkBlock : array [1..50] of pointer; // with memBase
// infos about the target memory
static BYTE *pMemBase;
static DWORD dwMemBase;
static DWORD MemSize;
DWORD rva2offset(DWORD dwRva)
{
int i;
PIMAGE_SECTION_HEADER sectionh2;
if(dwRva == 0) {
return(dwRva);
}
sectionh2 = sectionh;
// in which section is the import table ?
for(i=0; i<peh->FileHeader.NumberOfSections; i++) {
if(dwRva >= sectionh2->VirtualAddress && dwRva < sectionh2->VirtualAddress+sectionh2->Misc.VirtualSize) {
break;
}
sectionh2++;
}
return(dwRva - sectionh2->VirtualAddress + sectionh2->PointerToRawData);
}
DWORD offset2rva(DWORD dwOffset)
{
int i;
PIMAGE_SECTION_HEADER sectionh2;
if(dwOffset == 0) {
return(dwOffset);
}
sectionh2 = sectionh;
// in which section is the import table ?
for(i=0; i<peh->FileHeader.NumberOfSections; i++) {
if(dwOffset >= sectionh2->PointerToRawData && dwOffset < sectionh2->PointerToRawData+sectionh2->SizeOfRawData) {
break;
}
sectionh2++;
}
return(dwOffset + sectionh2->VirtualAddress - sectionh2->PointerToRawData);
}
PIMAGE_SECTION_HEADER rva2section(DWORD dwRva)
{
PIMAGE_SECTION_HEADER sectionh2;
int i;
sectionh2 = sectionh;
for(i=0; i<peh->FileHeader.NumberOfSections; i++) {
if(dwRva >= sectionh2->VirtualAddress && dwRva < sectionh2->VirtualAddress+sectionh2->Misc.VirtualSize) {
break;
}
sectionh2++;
}
return(sectionh2);
}
DWORD GetAddressOrdinal(char *libname, DWORD MemoryAddress)
{
DWORD functionentry;
DWORD *pDW;
DWORD i;
DWORD functposition;
DWORD modulebase;
// export table values
DWORD expbase;
DWORD functnum;
DWORD functaddr;
DWORD namenum;
DWORD nameaddr;
DWORD ordinaladdr;
// PE structs
PIMAGE_DOS_HEADER dosh;
PIMAGE_NT_HEADERS peh;
IMAGE_DATA_DIRECTORY dir;
functposition = 0xFFFFFFFF;
__try {
// load the dll
modulebase = (DWORD)GetModuleHandle(libname);
if(modulebase == 0) {
modulebase = (DWORD)LoadLibrary(libname);
if(modulebase == 0) {
return(functposition);
}
}
if(MemoryAddress <= modulebase) {
return(functposition);
}
functionentry = MemoryAddress - modulebase;
// check whether hmodule is a valid PE file
dosh = (PIMAGE_DOS_HEADER)modulebase;
if(dosh->e_magic != IMAGE_DOS_SIGNATURE) {
return(functposition);
}
peh = (PIMAGE_NT_HEADERS)((DWORD)dosh + dosh->e_lfanew);
if(peh->Signature != IMAGE_NT_SIGNATURE) {
return(functposition);
}
dir = peh->OptionalHeader.DataDirectory[0];
pDW = (DWORD*)(dir.VirtualAddress + 0x10 + (DWORD)dosh); // go fast to the base
// get the export values
expbase = *pDW;
pDW++;
functnum = *pDW;
pDW++;
namenum = *pDW;
pDW++;
functaddr = *pDW;
pDW++;
nameaddr = *pDW;
pDW++;
ordinaladdr = *pDW;
// search the entry in the RVA array of the export table
pDW = (DWORD*)((DWORD)dosh + functaddr);
//functposition = 0xFFFFFFFF;
for(i=0; i<functnum; i++) {
if(functionentry == *pDW) {
functposition = i;
break;
}
pDW++;
}
if(functposition != 0xFFFFFFFF) {
(DWORD)functposition += (expbase + ordinalimp);
}
}
__except(1) {
return(-1);
}
return(functposition);
}
DWORD FindOldIT(BYTE *DataPointer, DWORD SizeOfImage, DWORD OldITRVA)
{
DWORD *pDW;
char *pCH, *pcExt;
DWORD dwCurrRVA, dwCurrRVA2;
PIMAGE_IMPORT_DESCRIPTOR IID2;
DWORD dwTargetPos;
DWORD dwDllPoi;
int iii;
DWORD result;
result = OldITRVA;
pCH = DataPointer;
for(dwCurrRVA=0; dwCurrRVA<=SizeOfImage-4; dwCurrRVA++) {
if(*pCH > 0x30) {
if(strlen(pCH) < (size_t)MaxDllNameLength) {
pcExt = &pCH[strlen(pCH)-4];
for(iii=0; iii<FineFileExtsNum; iii++) {
if(!stricmp(pcExt,FineFileExts[iii])) {
if(!LoadLibrary(pCH)) {
// we found a dll name
pDW = (DWORD*)DataPointer;
dwTargetPos = offset2rva(dwCurrRVA);
for(dwCurrRVA2=0; dwCurrRVA2<=SizeOfImage-4; dwCurrRVA2++) {
if(*pDW ==dwTargetPos) {
// we found a pointer to the dll
//IID2 = (PIMAGE_IMAGE_IMPORT_DESCRIPTOR)((DWORD)DataPointer+dwCurrRVA2-12);
IID2 = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)DataPointer+dwCurrRVA2-12);
// check whether it's the first IID !
do {
IID2--;
dwDllPoi = rva2offset(IID2->Name) + (DWORD)DataPointer;
if(IsBadStringPtr((char*)dwDllPoi,MaxDllNameLength)) {
break;
}
if(!LoadLibrary((char*)dwDllPoi)) {
break;
}
} while(dwCurrRVA != 0); // will never be true !!!
IID2++;
// some more checking
if(IID2->OriginalFirstThunk < SizeOfImage && IID2->FirstThunk < SizeOfImage) {
if((DWORD)IID2 - (DWORD)DataPointer != OldITRVA) {
goto DONE;
}
}
}
((DWORD)pDW)++;
}
break;
}
}
}
}
}
pCH++;
}
return(result);
DONE:
result = offset2rva((DWORD)IID2 - (DWORD)DataPointer);
return(result);
}
void GetFunctNamesEx(DWORD dwFrom, DWORD dwSize)
{
char *pCH;
DWORD i, ii;
//HANDLE hlib;
// Search all function names
pCH = (char*)((DWORD)pMemBase + dwFrom);
for(i=0; i<=dwSize-4; i++) {
if(*pCH > 0x30) {
if((int)strlen(pCH) < MaxFunctNameLength) {
for(ii=0; ii<DllNum; ii++) {
tmpnum = (DWORD)GetProcAddress(Dllhandles[ii],pCH);
if(tmpnum != 0) {
//Functnames[ii][FunctNum[ii]] = (char*)((DWORD)pCH - (DWORD)pMemBase + (DWORD)pMemBase);
Functnames[ii][FunctNum[ii]] = (char*)(DWORD)pCH;
pCH += strlen(Functnames[ii][FunctNum[ii]]);
Functaddresses[ii][FunctNum[ii]] = tmpnum;
FunctNum[ii]++;
break;
}
}
}
}
pCH++;
}
}
void GetFunctNamesFast(void)
{
PIMAGE_SECTION_HEADER pSectionh2;
int i, ii;
BOOL checkit;
memset(FunctNum,0,sizeof(FunctNum));
pSectionh2 = sectionh;
for(i=0; i<peh->FileHeader.NumberOfSections; i++) {
checkit = TRUE;
// is the current section an bad section ?
for(ii=0; ii<BadSectionsNum; ii++) {
if(!stricmp(pSectionh2->Name,BadSections[ii])) {
checkit = FALSE;
break;
}
}
if(checkit) {
GetFunctNamesEx(pSectionh2->PointerToRawData,pSectionh2->SizeOfRawData);
}
pSectionh2++;
}
}
void GetDllNames(void)
{
char *pCH;
char *pcExt;
DWORD i, ii, iii;
DllNum = 0;
// Search all dll names
pCH = pMemBase;
for(i=0; i<=MemSize-4; i++) {
if(*pCH > 0x30) {
if((int)strlen(pCH) < MaxDllNameLength && (int)strlen(pCH) > MinDllNameLength) {
pcExt = &pCH[strlen(pCH)-4];
for(iii=0; iii<(DWORD)FineFileExtsNum; iii++) {
if(!stricmp(pcExt,FineFileExts[iii])) {
hlib = (DWORD)LoadLibrary(pCH);
if(hlib) {
// check if we have this dll already
for(ii=0; ii<=DllNum; ii++) {
if(hlib == (DWORD)Dllhandles[ii]) {
break;
}
}
if(ii > DllNum || DllNum == 0) {
Dllhandles[DllNum] = (HANDLE)hlib;
Dllnames[DllNum] = pCH;
DllNum++;
break;
}
}
pCH += strlen(pCH);
break;
}
}
}
}
pCH++;
}
}
void FixIAT(DWORD pointer2IID)
{
PIMAGE_IMPORT_DESCRIPTOR IID2;
DWORD *pDW;
char *pCH;
DWORD i, ii;
BOOL fixed;
DWORD tmpnum;
IID2 = (PIMAGE_IMPORT_DESCRIPTOR)pointer2IID;
if(IID2 == NULL) {
return;
}
do {
tmpnum = (DWORD)LoadLibrary((char*)((BYTE*)(rva2offset(IID2->Name)+dwMemBase)));
for(i=0; i<DllNum; i++) {
if(Dllhandles[i] == (HANDLE)tmpnum) {
break;
}
}
pDW = (DWORD*)(rva2offset(IID2->FirstThunk) + (DWORD)pMemBase);
pCH = (char*)((DWORD*)rva2offset(IID2->Name)+(DWORD)pMemBase);
while(*pDW != 0) { // for each firstthunk member
fixed = FALSE;
for(ii=0; ii<(DWORD)FunctNum[i]; ii++) {
if(Functaddresses[i][ii] == *pDW) {
// correct the pointer to the Imported by Name struct
*pDW = offset2rva((DWORD)Functnames[i][ii] - (DWORD)pMemBase - 2);
fixed = TRUE;
break;
}
}
if(!fixed) { // take an ordinal instead
tmpnum = GetAddressOrdinal(pCH,*pDW);
if(tmpnum != 0xFFFFFFFF) {
*pDW = tmpnum;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -