*Ordinal = 0xFFFF;
}
}
}
SearchAddr++;
bcount++;
}
}
__except(1) {
Addtolist(SearchAddr,1,"Exception in searching ASProtect's special method");
}
}
DllName[0] = '\0';
ApiName[0] = '\0';
*Ordinal = 0xFFFF;
Address = ApiAddress;
Addtolist(Address,1,"404 Real API address Not Found!!");
Updatelist();
ADDRESS_FOUND:
return(Address);
}
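/*
 * Read one DWORD of debuggee memory at addr.
 *
 * The output is pre-zeroed so that a failed read yields 0 instead of
 * whatever the caller's variable held before; every caller treats 0 as
 * "no thunk here", which ends the walk instead of acting on stale data.
 * NOTE(review): assumes Readmemory leaves the buffer untouched when it
 * fails — confirm against the plugin API.
 */
static DWORD ReadDwordOrZero(DWORD addr)
{
    DWORD value = 0;
    Readmemory(&value,addr,sizeof(DWORD),MM_RESTORE|MM_SILENT);
    return value;
}

/*
 * Rewrite an ntdll.dll import as its kernel32.dll equivalent.
 *
 * DllName/ApiName are rewritten in place. Nothing changes unless DllName
 * is "ntdll.dll"; in that case DllName becomes "kernel32.dll" and ApiName
 * is looked up in the file-level k2n table (ntdll name -> kernel32 name).
 * When the table has no entry, ApiName is kept as the ntdll export name.
 */
static void MapNtdllToKernel32(char *DllName, char *ApiName)
{
    DWORD ii;
    if(stricmp(DllName,"ntdll.dll") != 0) {
        return;
    }
    wsprintf(DllName,"%s","kernel32.dll");
    for(ii = 0; k2n[ii].ntdll; ii++) {
        if(!stricmp(k2n[ii].ntdll,ApiName)) {
            wsprintf(ApiName,"%s",k2n[ii].krnl);
            break;
        }
    }
}

/*
 * Record one resolved API in pDll's list, which is kept sorted by ThunkRVA.
 *
 * ThunkRVA     : RVA of the thunk slot that holds the API address
 * FunctAddress : resolved API entry point
 * Ordinal      : export ordinal (0xFFFF when the API could not be resolved)
 * DllName, ApiName : names copied into the new entry
 *
 * Returns TRUE when the entry exists afterwards (already present or newly
 * inserted), FALSE when the allocation failed (already logged).
 */
static BOOL InsertApiEntry(PIMPORT_DLL_DATA pDll, DWORD ThunkRVA, DWORD FunctAddress,
                           WORD Ordinal, const char *DllName, const char *ApiName)
{
    PIMPORT_API_DATA pApi = pDll->ApiHead.next;
    PIMPORT_API_DATA qApi = &(pDll->ApiHead);
    PIMPORT_API_DATA pApiNew;

    /* find the insertion point: first entry with ThunkRVA >= ours */
    while(pApi != NULL && ThunkRVA > pApi->ThunkRVA) {
        qApi = pApi;
        pApi = pApi->next;
    }
    if(pApi != NULL && pApi->ThunkRVA == ThunkRVA) {
        return TRUE;    /* this thunk slot is already recorded */
    }
    if((pApiNew = (PIMPORT_API_DATA)calloc(1,sizeof(IMPORT_API_DATA))) == NULL) {
        Addtolist(0,1,"OllyDump -- Error Memory Allocation for New API Entry Failed!!");
        return FALSE;
    }
    pApiNew->next = pApi;
    qApi->next = pApiNew;
    pApiNew->ThunkRVA = ThunkRVA;
    pApiNew->ApiAddress = FunctAddress;
    pApiNew->Ordinal = Ordinal;
    wsprintf(pApiNew->ApiName,"%s",ApiName);
    wsprintf(pApiNew->DllName,"%s",DllName);
    return TRUE;
}

/*
 * Rebuild the import list of the debuggee from its code.
 *
 * pDllEntry : sentinel head of the DLL list; entries hang off pDllEntry->next,
 *             sorted by FirstThunkRVA, each holding its APIs sorted by ThunkRVA
 * pINH      : NT headers of the debuggee (ImageBase, NumberOfSections)
 * pISH      : array of pINH->FileHeader.NumberOfSections section headers
 *
 * Three phases, each wrapped in its own __try so that a fault while reading
 * debuggee memory is logged and the next phase still runs:
 *  1. scan the image for "CALL [Thunk]" (FF 15) and "JMP [Thunk]" (FF 25),
 *     resolve the address stored in the thunk slot and record it under the
 *     DLL whose thunk block starts at the first non-zero slot above it;
 *  2. walk every thunk block forward to pick up slots no instruction
 *     referenced, and set ThunkBlockSize to the number of slots;
 *  3. split blocks that mix APIs of different DLLs into one entry per DLL.
 *
 * Everything read from the debuggee (opcodes, thunk pointers, API addresses)
 * is untrusted: thunk pointers are bounds-checked against the section range
 * before they are dereferenced, and missing memory blocks / sections are
 * skipped rather than dereferenced.
 *
 * Returns TRUE on completion, FALSE when memory allocation failed or the PE
 * header declares no sections (both logged with Addtolist).
 */
BOOL SearchImportData(PIMPORT_DLL_DATA pDllEntry,PINH pINH,PISH pISH)
{
    const WORD srch[] = {0x15FF,0x25FF};    /* FF 15 = CALL [imm32], FF 25 = JMP [imm32] */
    DWORD i,NumOfSect,ImageBase;
    char *exename,*pdest;
    char ApiName[MAX_API_NAME_LEN],DllName[MAX_DLL_NAME_LEN];
    WORD buf,Ordinal;
    DWORD s,ThunkData,FunctAddress,RangeTop,RangeEnd,Thunk,ThunkBuf,ThunkCount;
    PIMPORT_DLL_DATA pDll,qDll,pDllNew;
    PIMPORT_API_DATA pApi,qApi;
    PISH psech;
    t_memory *pmem;

    /* base name of the debuggee, used to skip imports that point back into it */
    exename = (char*)Plugingetvalue(VAL_EXEFILENAME);
    if(exename == NULL) {
        exename = "";
    }
    pdest = strrchr(exename,'\\');
    if(pdest != NULL) {
        exename = pdest + 1;    /* a path without '\\' is used as-is */
    }

    NumOfSect = pINH->FileHeader.NumberOfSections;
    if(NumOfSect == 0) {
        /* pISH[NumOfSect-1] below would index with 0xFFFFFFFF */
        Addtolist(0,1,"OllyDump -- No sections in PE header, import search aborted!!");
        return(FALSE);
    }
    ImageBase = pINH->OptionalHeader.ImageBase;
    /* VA range covered by the sections: first section start .. last section end */
    RangeTop = pISH[0].VirtualAddress + ImageBase;
    RangeEnd = pISH[NumOfSect-1].VirtualAddress + pISH[NumOfSect-1].Misc.VirtualSize + ImageBase;

    /* phase 1: find thunk references in code */
    __try {
        Addtolist(0,0,"OllyDump -- Start \"JMP [Thunk]\"\(0x25FF\) and \"CALL [Thunk]\"\(0x15FF\) search");
        for(i=0; i<2; i++) {
            s = RangeTop;
            pmem = Findmemory(s);
            if(pmem == NULL) {
                Addtolist(s,1,"OllyDump -- No memory block at first section, thunk search skipped!!");
                break;
            }
            /* byte-wise scan of the memory block containing the first section */
            for(; s < pmem->base+pmem->size; s++) {
                buf = 0;
                Readmemory(&buf,s,sizeof(WORD),MM_RESTORE|MM_SILENT);
                if(buf != srch[i]) {
                    continue;
                }
                Thunk = ReadDwordOrZero(s+2);   /* imm32 operand: address of the thunk slot */
                if(SearchAnimation) {
                    Setcpu(0,Thunk,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
                    Sleep(AnimationWait);
                }
                /* the 4-byte slot must lie entirely inside the section range */
                if(Thunk < RangeTop || Thunk > RangeEnd-4) {
                    continue;
                }
                FunctAddress = ReadDwordOrZero(Thunk);
                if(FunctAddress == 0) {
                    continue;
                }
                FunctAddress = GetRealApiAddress(FunctAddress,DllName,ApiName,&Ordinal);
                /* unresolved (0xFFFF) and self-module references are not imports */
                if(Ordinal == 0xFFFF || !stricmp(exename,DllName)) {
                    continue;
                }
                MapNtdllToKernel32(DllName,ApiName);

                /* walk backwards to the first slot of this thunk block: the block
                 * starts after a zero DWORD or at the start of the section */
                psech = rva2section(Thunk-ImageBase,pISH,NumOfSect);
                if(psech == NULL) {
                    continue;
                }
                ThunkBuf = Thunk;
                /* compared as RVA, as in the forward walk of phase 2 */
                while(ThunkBuf != 0 && ThunkBuf-ImageBase >= psech->VirtualAddress) {
                    ThunkData = ReadDwordOrZero(ThunkBuf);
                    if(ThunkData == 0) {
                        break;
                    }
                    ThunkBuf -= sizeof(DWORD);
                }
                ThunkBuf += sizeof(DWORD);

                /* find or create the DLL entry for this thunk block (sorted by FirstThunkRVA) */
                pDll = pDllEntry->next;
                qDll = pDllEntry;
                while(pDll != NULL && ThunkBuf-ImageBase > pDll->FirstThunkRVA) {
                    qDll = pDll;
                    pDll = pDll->next;
                }
                if(pDll == NULL || pDll->FirstThunkRVA != ThunkBuf-ImageBase) {
                    if((pDllNew = (PIMPORT_DLL_DATA)calloc(1,sizeof(IMPORT_DLL_DATA))) == NULL) {
                        Addtolist(0,1,"OllyDump -- Error Memory Allocation for New DLL Entry Failed!!");
                        return(FALSE);
                    }
                    pDllNew->next = pDll;
                    qDll->next = pDllNew;
                    pDllNew->FirstThunkRVA = ThunkBuf - ImageBase;
                    wsprintf(pDllNew->DllName,"%s",DllName);
                    pDll = pDllNew;
                }
                if(!InsertApiEntry(pDll,Thunk-ImageBase,FunctAddress,Ordinal,DllName,ApiName)) {
                    return(FALSE);
                }
            }
        }
    } // __try end
    __except(1) {
        Addtolist(0,0,"OllyDump -- Exception \"JMP [Thunk]\"\(0x25FF\) and \"CALL [Thunk]\"\(0x15FF\) search block");
    }

    /* phase 2: pick up thunk slots no instruction referenced, size each block */
    __try {
        Addtolist(0,0,"OllyDump -- Check Leaked Thunks in Thunk Blocks");
        for(pDll = pDllEntry->next; pDll != NULL; pDll = pDll->next) {
            Thunk = pDll->FirstThunkRVA + ImageBase;
            psech = rva2section(pDll->FirstThunkRVA,pISH,NumOfSect);
            if(psech == NULL) {
                continue;   /* ThunkBlockSize stays 0 from calloc */
            }
            ThunkCount = 0;
            FunctAddress = ReadDwordOrZero(Thunk);
            /* forward walk until a zero slot or the section end.
             * NOTE(review): the upper bound allows a read that starts exactly at
             * VirtualAddress+VirtualSize; a failed read there ends the walk. */
            while(FunctAddress != 0 && Thunk-ImageBase >= psech->VirtualAddress && Thunk-ImageBase <= psech->VirtualAddress + psech->Misc.VirtualSize) {
                FunctAddress = GetRealApiAddress(FunctAddress,DllName,ApiName,&Ordinal);
                if(Ordinal != 0xFFFF) {
                    MapNtdllToKernel32(DllName,ApiName);
                }
                /* unresolved slots are recorded too, with Ordinal 0xFFFF and empty names */
                if(!InsertApiEntry(pDll,Thunk-ImageBase,FunctAddress,Ordinal,DllName,ApiName)) {
                    return(FALSE);
                }
                ThunkCount++;
                Thunk += sizeof(DWORD);
                FunctAddress = ReadDwordOrZero(Thunk);
            }
            /* number of slots walked (0 when even the first slot was unreadable) */
            pDll->ThunkBlockSize = ThunkCount;
        }
    } // __try end
    __except(1) {
        Addtolist(0,1,"OllyDump -- Exception Checking Leaked Thunks Block!!");
    }

    /* phase 3: a block whose APIs belong to several DLLs is split at the first
     * API of another DLL; the new entry is inserted right after the current one,
     * so the loop revisits it and splits again if needed.
     * NOTE(review): ThunkBlockSize is not recomputed for either half — confirm
     * the consumer tolerates this. */
    __try {
        Addtolist(0,0,"OllyDump -- Separate Mixed Thunks");
        for(pDll = pDllEntry->next; pDll != NULL; pDll = pDll->next) {
            pApi = pDll->ApiHead.next;
            if(pApi == NULL) {
                continue;
            }
            /* the block is named after its first API */
            wsprintf(pDll->DllName,"%s",pApi->DllName);
            qApi = &(pDll->ApiHead);
            while(pApi != NULL) {
                if(pApi->DllName[0] != '\0' && stricmp(pApi->DllName,pDll->DllName)) {
                    if((pDllNew = (PIMPORT_DLL_DATA)calloc(1,sizeof(IMPORT_DLL_DATA))) == NULL) {
                        Addtolist(0,-1,"OllyDump -- Error Memory Allocation for New DLL Entry Failed!!");
                        return(FALSE);
                    }
                    wsprintf(pDllNew->DllName,"%s",pApi->DllName);
                    pDllNew->FirstThunkRVA = pApi->ThunkRVA;
                    pDllNew->ApiHead.next = pApi;   /* tail of the list moves to the new entry */
                    qApi->next = NULL;
                    pDllNew->next = pDll->next;
                    pDll->next = pDllNew;
                    break;
                }
                qApi = pApi;
                pApi = pApi->next;
            }
        }
    } // __try end
    __except(1) {
        Addtolist(0,1,"OllyDump -- Exception Separate Mixed Thunk Blocks!!");
    }

    return(TRUE);
}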
////////////////////////////////////////////////////
//
// Get API Name and Ordinal
//
// args
// DWORD ApiAddress : API entry point address
// char *DllName : name of the DLL whose export table is searched
// char *ApiName : buffer that receives the found API name
//
// return value : API Ordinal
//
WORD GetApiNameOrdinal(DWORD ApiAddress, char *DllName, char *ApiName)
{
DWORD functionentry;
DWORD *pDW;
WORD *pWO;
DWORD i;
DWORD functposition,nameposition;
DWORD modulebase;
// export table values
DWORD expbase;
DWORD functnum;
DWORD functaddr;
DWORD namenum;
DWORD nameaddr;
DWORD ordinaladdr;
WORD ordinal;
// PE structs
PIDH dosh;
PINH peh;
IMAGE_DATA_DIRECTORY dir;
functposition = 0xFFFFFFFF;
__try {
// load the dll
modulebase = (DWORD)GetModuleHandle(DllName);