#define _WIN32_WINNT 0x0400
#include <windows.h>
#include <odbg\plugin.h> // Please change for your environment
// Fixed buffer sizes for the import records below; names longer than this
// cannot be stored, so every copy into these buffers must be bounded.
#define MAX_API_NAME_LEN 256
#define MAX_DLL_NAME_LEN 50
// PE alignment values used when the new section is laid out (file vs. memory).
#define FILE_ALIGNMENT 0x200
#define SECT_ALIGNMENT 0x1000
// Short aliases for the Win32 PE header pointer types used throughout.
typedef PIMAGE_DOS_HEADER PIDH;
typedef PIMAGE_NT_HEADERS PINH;
typedef PIMAGE_SECTION_HEADER PISH;
typedef PIMAGE_DATA_DIRECTORY PIDD;
typedef PIMAGE_IMPORT_DESCRIPTOR PIID;
typedef PIMAGE_IMPORT_BY_NAME PIBN;
// Name-pair table: an ntdll.dll export name next to the name the rebuilder
// uses in its place (the "krnl" column; how the table is consumed is not
// visible in this part of the file). Terminated by a {NULL, NULL} entry.
struct krnl2ntdll {
    char *ntdll; // export name as seen in ntdll.dll
    char *krnl;  // replacement name written into the rebuilt import
} k2n[] = {
    {"RtlDeleteCriticalSection",        "DeleteCriticalSection"},
    {"RtlEnterCriticalSection",         "EnterCriticalSection"},
    {"RtlAllocateHeap",                 "HeapAlloc"},
    {"RtlFreeHeap",                     "HeapFree"},
    {"RtlReAllocateHeap",               "HeapReAlloc"},
    {"RtlSizeHeap",                     "HeapSize"},
    {"RtlLeaveCriticalSection",         "LeaveCriticalSection"},
    {"RtlFillMemory",                   "RtlFillMemory"},
    {"RtlMoveMemory",                   "RtlMoveMemory"},
    {"RtlUnwind",                       "RtlUnwind"},
    {"RtlZeroMemory",                   "RtlZeroMemory"},
    {"RtlSetCriticalSectionSpinCount",  "SetCriticalSectionSpinCount"},
    {"RtlTryEnterCriticalSection",      "TryEnterCriticalSection"},
    {"RtlGetLastWin32Error",            "GetLastError"},
    {NULL,                              NULL} // end-of-table sentinel
};
// One imported API (one IAT slot) as collected by the rebuilder; entries are
// chained through `next` in a singly linked list per DLL.
typedef struct _IMPORT_API_DATA {
DWORD ThunkRVA; // RVA of the thunk/IAT slot this entry was read from (presumably)
DWORD ApiAddress; // resolved API address in the debuggee
WORD Ordinal; // export ordinal; GetRealApiAddress treats 0xFFFF as "not found"
char ApiName[MAX_API_NAME_LEN]; // NUL-terminated API name (bounded buffer)
char DllName[MAX_DLL_NAME_LEN]; // NUL-terminated owning DLL file name (bounded buffer)
struct _IMPORT_API_DATA *next; // next API of the same DLL, NULL at end (presumably)
} IMPORT_API_DATA, *PIMPORT_API_DATA;
// One imported DLL: its name, the thunk block it owns and the list of APIs
// found in that block. DLL records are chained through `next`.
typedef struct _IMPORT_DLL_DATA {
char DllName[MAX_DLL_NAME_LEN]; // NUL-terminated DLL file name (bounded buffer)
DWORD FirstThunkRVA; // RVA of the first thunk of this DLL's block (presumably the IAT start)
DWORD ThunkBlockSize; // size in bytes of that thunk block (presumably)
IMPORT_API_DATA ApiHead; // head node of this DLL's API list (see IMPORT_API_DATA.next)
struct _IMPORT_DLL_DATA *next; // next DLL record, NULL at end (presumably)
} IMPORT_DLL_DATA, *PIMPORT_DLL_DATA;
// Section-table helpers: translate between RVAs and raw file offsets.
static DWORD rva2offset(DWORD dwRva, PISH pISH, int NumberOfSections);
static DWORD offset2rva(DWORD dwOffset, PISH pISH, int NumberOfSections);
static PISH rva2section(DWORD dwRva, PISH pISH, int NumberOfSections);
// Resolve an address read from the debuggee to the exporting DLL/API.
static DWORD GetRealApiAddress(DWORD ApiAddress, char *DllName, char *ApiName, WORD *Ordinal);
static WORD GetApiNameOrdinal(DWORD ApiAddress, char *DllName, char *ApiName);
// Collect import data for one DLL and emit the rebuilt import descriptors.
static BOOL SearchImportData(PIMPORT_DLL_DATA pDllEntry,PINH pINH,PISH pISH);
static void MakeIID(BYTE *pMemBase, DWORD dwNewSectSize,PIMPORT_DLL_DATA pDllEntry);
// Public entry point of this module (not static: called from the plugin shell).
BOOL RebuildImport(char *szTargetFile);
// Name of the section appended to hold the rebuilt import table.
static const char *szNewSecName = ".newIID";
// Module-wide DLL counter; where it is updated is not visible in this part of the file.
static DWORD DllNum;
// Defined elsewhere in the plugin (user options):
extern BOOL SearchAnimation; // when TRUE, the CPU window follows each probed address and pauses
extern BOOL SearchLog; // when TRUE, each probe is written to the log window via Addtolist
extern DWORD AnimationWait; // Sleep() time in ms between animation steps
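/////////////////////////////////////////////////////////////////////////////
//
// Convert an RVA into a raw file offset using the section table
//
// args
// DWORD dwRva : RVA to convert (0 is passed through unchanged)
// PISH pISH : first entry of the section table
// int NumberOfSections : number of entries in the section table
//
// return value : file offset, or 0 when no section contains dwRva (DWORD)
//
// A section is matched on [VirtualAddress, VirtualAddress+VirtualSize), so a
// header whose VirtualSize is 0 never matches; that behaviour is unchanged.
//
DWORD rva2offset(DWORD dwRva, PISH pISH, int NumberOfSections)
{
    int i;
    PISH pISH2;
    if(dwRva == 0 || pISH == NULL) {
        return(0);
    }
    pISH2 = pISH;
    // in which section is the RVA ?
    for(i=0; i<NumberOfSections; i++) {
        if(dwRva >= pISH2->VirtualAddress && dwRva < pISH2->VirtualAddress+pISH2->Misc.VirtualSize) {
            return(dwRva - pISH2->VirtualAddress + pISH2->PointerToRawData);
        }
        pISH2++;
    }
    // No section covers dwRva (corrupt or hostile section table). The previous
    // version dereferenced the one-past-the-end header here, an out-of-bounds
    // read; report "not found" with the same 0 sentinel used for a zero RVA.
    return(0);
}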
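/////////////////////////////////////////////////////////////////////////////
//
// Convert a raw file offset into an RVA using the section table
//
// args
// DWORD dwOffset : file offset to convert (0 is passed through unchanged)
// PISH pISH : first entry of the section table
// int NumberOfSections : number of entries in the section table
//
// return value : RVA, or 0 when no section's raw data contains dwOffset (DWORD)
//
DWORD offset2rva(DWORD dwOffset, PISH pISH, int NumberOfSections)
{
    int i;
    PISH pISH2;
    if(dwOffset == 0 || pISH == NULL) {
        return(0);
    }
    pISH2 = pISH;
    // in which section's raw data is the offset ?
    for(i=0; i<NumberOfSections; i++) {
        if(dwOffset >= pISH2->PointerToRawData && dwOffset < pISH2->PointerToRawData+pISH2->SizeOfRawData) {
            return(dwOffset + pISH2->VirtualAddress - pISH2->PointerToRawData);
        }
        pISH2++;
    }
    // No section covers dwOffset (corrupt or hostile section table). The
    // previous version dereferenced the one-past-the-end header here, an
    // out-of-bounds read; report "not found" with the same 0 sentinel used
    // for a zero offset.
    return(0);
}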
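/////////////////////////////////////////////////////////////////////////////
//
// Find the section header whose virtual range contains an RVA
//
// args
// DWORD dwRva : RVA to look up
// PISH pISH : first entry of the section table
// int NumberOfSections : number of entries in the section table
//
// return value : pointer to the matching section header, or NULL when no
// section contains dwRva (PISH). Callers must check for NULL.
//
PISH rva2section(DWORD dwRva, PISH pISH, int NumberOfSections)
{
    PISH pISH2;
    int i;
    if(pISH == NULL) {
        return(NULL);
    }
    pISH2 = pISH;
    for(i=0; i<NumberOfSections; i++) {
        if(dwRva >= pISH2->VirtualAddress && dwRva < pISH2->VirtualAddress+pISH2->Misc.VirtualSize) {
            return(pISH2);
        }
        pISH2++;
    }
    // No section covers dwRva. The previous version returned the one-past-the-
    // end header, which a caller would then read out of bounds; NULL makes the
    // failure explicit and detectable.
    return(NULL);
}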
#define MAX_BYTE_COUNT 50
/////////////////////////////////////////////////////////////////////////////
//
// Check whether the given value is an API address; if not, try to find the real API address
//
// args
// DWORD ApiAddress : API address
// char *DllName : buffer for the name of the DLL that contains the API
// char *ApiName : buffer for API name
// WORD *Ordinal : buffer for API ordinal
//
// return value : API address or 0 (DWORD)
//
DWORD GetRealApiAddress(DWORD ApiAddress, char *DllName, char *ApiName, WORD *Ordinal)
{
BOOL vboxcall[] = {TRUE,TRUE,FALSE,TRUE,FALSE,TRUE};
t_memory *pmem;
t_module *pmod;
t_disasm dasm;
char *exename,*pdest;
BYTE cmd[MAXCMDSIZE],r;
DWORD Address,AddrBuf,RetBuf,bcount,cmdsize,tElock,SearchAddr,ASPR,PushBuf;
DWORD eax,ecx,edx,edi,esi,callcount;
exename = (char*)Plugingetvalue(VAL_EXEFILENAME);
pdest = strrchr(exename,'\\');
pdest++;
exename = pdest;
Address = ApiAddress;
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
}
if(stricmp(DllName,exename) != 0) {
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
else {
SearchAddr = Address;
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(r == 0xE9) {
Readmemory(&AddrBuf,SearchAddr+1,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Address += (AddrBuf+5);
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
}
}
}
}
else { // module not found
// try to find Vbox's disguised API address
__try {
if(SearchLog) {
Addtolist(0,0,"Vbox search");
Updatelist();
}
Address = ApiAddress;
bcount = 0;
callcount = 0;
SearchAddr = Address;
while(bcount < 100) {
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s bcount:%4d",dasm.dump,dasm.result,bcount);
Updatelist();
}
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(bcount == 0 && r != 0xE8) {
goto VBOX_NOTFOUND;
}
if(r == 0xE8) {
if(callcount == 0) {
RetBuf = SearchAddr + cmdsize;
}
if(vboxcall[callcount]) {
SearchAddr = dasm.jmpaddr;
callcount++;
bcount += cmdsize;
continue;
}
callcount++;
}
if(callcount > 5) {
break;
}
SearchAddr += cmdsize;
bcount += cmdsize;
}
//0700C0E4 /$ 8B15 CC9A0507 mov edx,[7059ACC]
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
AddrBuf = dasm.adrconst;
Readmemory(&edx,AddrBuf,sizeof(DWORD),MM_RESTORE|MM_SILENT);
SearchAddr += cmdsize;
//0700C0EA |. 56 push esi
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0EB |. 8B35 D09A0507 mov esi,[7059AD0]
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
AddrBuf = dasm.adrconst;
Readmemory(&esi,AddrBuf,sizeof(DWORD),MM_RESTORE|MM_SILENT);
SearchAddr += cmdsize;
//0700C0F1 |. 57 push edi
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0F2 |> 3BD6 /cmp edx,esi
//if(edx == esi) {
//goto VBOX_NOTFOUND;
//}
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0F4 |. 74 2E |je short 0700C124
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}