if(modulebase == 0) {
modulebase = (DWORD)LoadLibrary(DllName);
if(modulebase == 0) {
return((WORD)(functposition&0xFFFF));
}
}
if(ApiAddress <= modulebase) {
return((WORD)(functposition&0xFFFF));
}
functionentry = ApiAddress - modulebase;
// check whether hmodule is a valid PE file
dosh = (PIDH)modulebase;
if(dosh->e_magic != IMAGE_DOS_SIGNATURE) {
return((WORD)(functposition&0xFFFF));
}
peh = (PINH)((DWORD)dosh + dosh->e_lfanew);
if(peh->Signature != IMAGE_NT_SIGNATURE) {
return((WORD)(functposition&0xFFFF));
}
dir = peh->OptionalHeader.DataDirectory[0];
pDW = (DWORD*)(dir.VirtualAddress + 0x10 + (DWORD)dosh); // go fast to the base
// get the export values
expbase = *pDW;
pDW++;
functnum = *pDW;
pDW++;
namenum = *pDW;
pDW++;
functaddr = *pDW;
pDW++;
nameaddr = *pDW;
pDW++;
ordinaladdr = *pDW;
// search the entry in the RVA array of the export table
pDW = (DWORD*)((DWORD)dosh + functaddr);
functposition = 0xFFFFFFFF;
for(i=0; i<functnum; i++) {
if(functionentry == *pDW) {
functposition = i;
break;
}
pDW++;
}
if(functposition != 0xFFFFFFFF) {
nameposition = 0xFFFFFFFF;
pWO = (WORD*)(ordinaladdr + modulebase);
for(i=0; i<namenum; i++) {
if(functposition == (DWORD)*pWO) {
nameposition = i;
break;
}
pWO++;
}
if(nameposition != 0xFFFFFFFF) {
pDW = (DWORD*)(nameaddr + modulebase);
pDW += nameposition;
wsprintf(ApiName,"%s",(char*)(*pDW+modulebase));
}
else {
wsprintf(ApiName,"");
}
}
ordinal = (WORD)((functposition + ((functposition == 0xFFFFFFFF) ? 0 : expbase))&0xFFFF);
}
__except(1) {
wsprintf(ApiName,"");
return(0xFFFF);
}
return(ordinal);
}
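// Append a new section to the in-memory PE image at pMemBase and write a fresh
// import directory (IMAGE_IMPORT_DESCRIPTOR array, DLL names, hint/name entries)
// into it, then patch the thunks of the existing sections.
//
//   pMemBase      - whole file image; the caller has already grown it so that
//                   dwNewSectSize bytes follow the end of the existing raw data
//   dwNewSectSize - raw size of the new section (FILE_ALIGNMENT-aligned by caller)
//   pDllEntry     - list head; pDllEntry->next is the first DLL record
//
// Every write into the new section is bounds-checked against dwNewSectSize and
// every thunk write is kept below the new section's raw offset, so a mis-sized
// section or a bad thunk RVA aborts with a log line instead of corrupting the
// heap.  Failures are only reported through Addtolist (the signature is void).
void MakeIID(BYTE *pMemBase, DWORD dwNewSectSize,PIMPORT_DLL_DATA pDllEntry)
{
	PIDH dosh;
	PINH peh;
	PIID pIID;
	PIBN pIIBM;
	PISH pSectionh, pNewSectionh, pSectionh2;
	PIMPORT_DLL_DATA pDll;
	PIMPORT_API_DATA pApi;
	DWORD i, dwTmpNum, dwRawEnd, dwDllCount, dwTableBytes, dwThunkOff, *pThunk;
	BYTE *pSectBase, *pSectEnd;
	char *pCH;
	size_t len;
	__try {
		dosh = (PIDH)pMemBase;
		peh = (PINH)(pMemBase + dosh->e_lfanew);
		if(peh->FileHeader.NumberOfSections == 0) {
			Addtolist(0,1,"OllyDump -- Error image has no sections!!");
			return;
		}
		// The section table starts right after the optional header; take its size
		// from the file header rather than assuming the 0xF8 bytes of a plain PE32 header.
		pSectionh2 = (PISH)((BYTE*)&peh->OptionalHeader + peh->FileHeader.SizeOfOptionalHeader);
		pNewSectionh = pSectionh2 + peh->FileHeader.NumberOfSections;
		pSectionh = pNewSectionh - 1;   // last existing section
		// The extra header is written in place, so it must fit inside the header
		// area the loader maps (SizeOfHeaders); past that it would overwrite the
		// first section's raw data.
		if((DWORD)((BYTE*)(pNewSectionh + 1) - pMemBase) > peh->OptionalHeader.SizeOfHeaders) {
			Addtolist(0,1,"OllyDump -- Error no room in the headers for a new section!!");
			return;
		}
		// Descriptor array plus its all-zero terminator must fit in the new section.
		dwDllCount = 0;
		for(pDll = pDllEntry->next; pDll != NULL; pDll = pDll->next) {
			dwDllCount++;
		}
		dwTableBytes = (dwDllCount + 1) * sizeof(IMAGE_IMPORT_DESCRIPTOR);
		if(dwTableBytes > dwNewSectSize) {
			Addtolist(0,1,"OllyDump -- Error new section too small for the import table!!");
			return;
		}
		peh->OptionalHeader.FileAlignment = FILE_ALIGNMENT;
		// Raw offset: first FILE_ALIGNMENT boundary past the end of ALL existing raw
		// data (sections need not be in file order), which is where the caller grew
		// the buffer.  Virtual address: next SECT_ALIGNMENT boundary after the last
		// section in the table (sections are laid out in ascending VA order).
		dwRawEnd = 0;
		for(i = 0; i < (DWORD)(peh->FileHeader.NumberOfSections); i++) {
			dwTmpNum = pSectionh2[i].PointerToRawData + pSectionh2[i].SizeOfRawData;
			if(dwTmpNum > dwRawEnd) {
				dwRawEnd = dwTmpNum;
			}
		}
		if(dwRawEnd % FILE_ALIGNMENT != 0) {
			dwRawEnd = ((dwRawEnd / FILE_ALIGNMENT) + 1) * FILE_ALIGNMENT;
		}
		dwTmpNum = pSectionh->VirtualAddress + pSectionh->Misc.VirtualSize;
		if(dwTmpNum % SECT_ALIGNMENT != 0) {
			dwTmpNum = ((dwTmpNum / SECT_ALIGNMENT) + 1) * SECT_ALIGNMENT;
		}
		// Start from a clean header so relocation/line-number fields are zero.
		memset(pNewSectionh, 0, sizeof(*pNewSectionh));
		for(i = 0; i < 8 && szNewSecName[i] != '\0'; i++) {
			pNewSectionh->Name[i] = szNewSecName[i];
		}
		pNewSectionh->Characteristics = 0xC0000040;   // INITIALIZED_DATA | MEM_READ | MEM_WRITE
		pNewSectionh->Misc.VirtualSize = ((dwNewSectSize % SECT_ALIGNMENT) != 0) ? (dwNewSectSize / SECT_ALIGNMENT + 1) * SECT_ALIGNMENT : dwNewSectSize;
		pNewSectionh->PointerToRawData = dwRawEnd;
		pNewSectionh->VirtualAddress = dwTmpNum;
		pNewSectionh->SizeOfRawData = dwNewSectSize;
		peh->FileHeader.NumberOfSections++;
		// SizeOfImage has to cover the new section's virtual extent; merely adding
		// the file-aligned raw size can fall short when SECT_ALIGNMENT > FILE_ALIGNMENT.
		dwTmpNum = pNewSectionh->VirtualAddress + pNewSectionh->Misc.VirtualSize;
		if(dwTmpNum > peh->OptionalHeader.SizeOfImage) {
			peh->OptionalHeader.SizeOfImage = dwTmpNum;
		}
		// Point the import directory at the new section (Size is advisory for loaders
		// but filled in so tools that honour it see the whole table).
		peh->OptionalHeader.DataDirectory[1].VirtualAddress = pNewSectionh->VirtualAddress;
		peh->OptionalHeader.DataDirectory[1].Size = dwTableBytes;
		// Lay out the section: descriptors first, then the string/hint area.  The
		// zero fill also provides the terminating descriptor and thunk-list NULs.
		pSectBase = pMemBase + pNewSectionh->PointerToRawData;
		pSectEnd = pSectBase + dwNewSectSize;
		memset(pSectBase, 0, dwNewSectSize);
		pIID = (PIID)pSectBase;
		pCH = (char*)(pSectBase + dwTableBytes);
		for(pDll = pDllEntry->next; pDll != NULL; pDll = pDll->next, pIID++) {
			len = strlen(pDll->DllName) + 1;
			if((size_t)(pSectEnd - (BYTE*)pCH) < len) {
				Addtolist(0,1,"OllyDump -- Error import section overflow (DLL name)!!");
				return;
			}
			memcpy(pCH, pDll->DllName, len);
			pIID->OriginalFirstThunk = 0;
			pIID->TimeDateStamp = 0;
			pIID->ForwarderChain = 0;
			// RVA of a byte inside the new section = section VA + offset from its start.
			pIID->Name = pNewSectionh->VirtualAddress + (DWORD)((BYTE*)pCH - pSectBase);
			pIID->FirstThunk = pDll->FirstThunkRVA;
			pCH += len;
			for(pApi = pDll->ApiHead.next; pApi != NULL; pApi = pApi->next) {
				dwThunkOff = rva2offset(pApi->ThunkRVA, pSectionh2, peh->FileHeader.NumberOfSections);
				// Thunks live in the original sections, i.e. strictly below the new
				// section's raw offset.  (rva2offset's failure value is not visible
				// here; offset 0 is the DOS header and never a valid thunk.)
				if(dwThunkOff == 0 || dwThunkOff + sizeof(DWORD) > pNewSectionh->PointerToRawData) {
					Addtolist(0,1,"OllyDump -- Error thunk RVA %X outside the image, skipped!!",pApi->ThunkRVA);
					continue;
				}
				pThunk = (DWORD*)(pMemBase + dwThunkOff);
				if(pApi->Ordinal == 0xFFFF && pApi->ApiName[0] == '\0') {
					*pThunk = 0;   // unresolved entry: a zero thunk ends this DLL's list
				}
				else if(pApi->ApiName[0] == '\0') {
					*pThunk = (pApi->Ordinal & 0x0000FFFF) | IMAGE_ORDINAL_FLAG;
				}
				else {
					// IMAGE_IMPORT_BY_NAME: WORD hint followed by the NUL-terminated name.
					len = strlen(pApi->ApiName) + 1;
					if((size_t)(pSectEnd - (BYTE*)pCH) < sizeof(WORD) + len) {
						Addtolist(0,1,"OllyDump -- Error import section overflow (API name)!!");
						return;
					}
					*pThunk = pNewSectionh->VirtualAddress + (DWORD)((BYTE*)pCH - pSectBase);
					pIIBM = (PIBN)pCH;
					// NOTE(review): the export ordinal is stored as the hint, as before;
					// loaders treat the hint only as a lookup accelerator and fall back
					// to the name, so this is harmless but not a real name-table index.
					pIIBM->Hint = pApi->Ordinal;
					memcpy(pIIBM->Name, pApi->ApiName, len);
					pCH += sizeof(WORD) + len;
				}
			}
		}
		// The terminating descriptor is already zero from the memset above.
	}
	__except(1) {
		Addtolist(0,1,"OllyDump -- Exception in MakeIID!!");
	}
}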
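// Rebuild the import table of the dumped PE file szTargetFile in place.
//
// Reads the whole file, validates the DOS/NT headers and section table against
// the file size, collects the import data (SearchImportData), sizes a new
// section that will hold the rebuilt table, grows the buffer, lets MakeIID
// write the new section, and writes the result back over the file.
//
// Returns TRUE only when the rewritten image was written to disk in full.
// Diagnostics go to the OllyDbg log via Addtolist.  Note that MakeIID reports
// its own failures only through the log, so a TRUE result does not by itself
// prove the import table was rebuilt.
BOOL RebuildImport(char *szTargetFile)
{
	DWORD dwFsize,dwNewSize,dwNewSectSize,dwBuff,ImageBase,i,dwEnd;
	HANDLE hFile;
	LPBYTE pFileMem,pNewMem;
	PIDH pFileIDH;
	PINH pFileINH;
	PISH pFileISH,pSect;
	IMPORT_DLL_DATA DllEntry;
	PIMPORT_DLL_DATA pDll,qDll;
	PIMPORT_API_DATA pApi,qApi;
	BOOL result;
	result = FALSE;
	DllEntry.next = NULL;
	// open and slurp the file
	hFile = CreateFile(szTargetFile,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	if(hFile == INVALID_HANDLE_VALUE) {
		Addtolist(0,1,"OllyDump -- Error CreateFile %s failed!!",szTargetFile);
		goto CLEAN0;
	}
	dwFsize = GetFileSize(hFile,NULL);
	if(dwFsize == INVALID_FILE_SIZE || dwFsize < sizeof(*pFileIDH)) {
		Addtolist(0,1,"OllyDump -- Error GetFileSize failed or file too small!!");
		goto CLEAN1;
	}
	pFileMem = (BYTE*)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,dwFsize);
	if(pFileMem == NULL) {
		Addtolist(0,1,"OllyDump -- Error HeapAlloc failed!!");
		goto CLEAN1;
	}
	// a short read would leave the tail of the buffer zero and the checks below
	// would run on half a file, so insist on the full size
	if(!ReadFile(hFile,pFileMem,dwFsize,&dwBuff,NULL) || dwBuff != dwFsize) {
		Addtolist(0,1,"OllyDump -- Error ReadFile failed!!");
		goto CLEAN2;
	}
	pFileIDH = (PIDH)pFileMem;
	if(pFileIDH->e_magic != IMAGE_DOS_SIGNATURE) {
		Addtolist(0,1,"OllyDump -- Error Invalid DOS Signature!!");
		goto CLEAN2;
	}
	// e_lfanew is untrusted file data: the NT header it points at must lie inside the buffer
	if(pFileIDH->e_lfanew < 0 || (DWORD)pFileIDH->e_lfanew + sizeof(*pFileINH) > dwFsize) {
		Addtolist(0,1,"OllyDump -- Error e_lfanew points outside the file!!");
		goto CLEAN2;
	}
	pFileINH = (PINH)(pFileMem + pFileIDH->e_lfanew);
	if(pFileINH->Signature != IMAGE_NT_SIGNATURE) {
		Addtolist(0,1,"OllyDump -- Error Invalid NT Signature!!");
		goto CLEAN2;
	}
	ImageBase = pFileINH->OptionalHeader.ImageBase;
	// the section table follows the optional header; use its declared size
	// instead of the fixed 0xF8 of a plain PE32 header, and keep it in the buffer
	pFileISH = (PISH)((BYTE*)&pFileINH->OptionalHeader + pFileINH->FileHeader.SizeOfOptionalHeader);
	dwEnd = (DWORD)((BYTE*)pFileISH - pFileMem) + (DWORD)pFileINH->FileHeader.NumberOfSections * sizeof(*pFileISH);
	if(pFileINH->FileHeader.NumberOfSections == 0 || dwEnd > dwFsize) {
		Addtolist(0,1,"OllyDump -- Error section table outside the file!!");
		goto CLEAN2;
	}
	SearchImportData(&DllEntry,pFileINH,pFileISH);
	// Show DLL and API Search Result
	Addtolist(0,0,"OllyDump -- Import Table");
	pDll = DllEntry.next;
	if(pDll == NULL) {
		Addtolist(0,1,"OllyDump -- Error No Dll Entry!!");
	}
	while(pDll != NULL) {
		Addtolist(pDll->FirstThunkRVA+ImageBase,0,"DLL:%s FirstThunkRVA:%X",pDll->DllName,pDll->FirstThunkRVA);
		pApi = pDll->ApiHead.next;
		if(pApi == NULL) {
			// previously fell through and dereferenced the NULL pApi for the header line
			Addtolist(0,1,"OllyDump -- Error No Api Entry!!");
		}
		else {
			Addtolist(pApi->ThunkRVA+ImageBase,1," DLL Name Address Ordinal API Name");
			while(pApi != NULL) {
				Addtolist(pApi->ThunkRVA+ImageBase,0," %-12s %08X %04X %-s",pApi->DllName,pApi->ApiAddress,pApi->Ordinal,pApi->ApiName);
				Updatelist();
				pApi = pApi->next;
			}
		}
		pDll = pDll->next;
	}
	// end of the existing raw data = highest raw end over all sections
	// (sections need not be stored in file order), rounded up to FILE_ALIGNMENT
	dwNewSize = 0;
	pSect = pFileISH;
	for(i=0; i<(DWORD)(pFileINH->FileHeader.NumberOfSections); i++) {
		if(pSect->SizeOfRawData + pSect->PointerToRawData > dwNewSize) {
			dwNewSize = pSect->SizeOfRawData + pSect->PointerToRawData;
		}
		pSect++;
	}
	if((dwNewSize % FILE_ALIGNMENT) != 0) {
		dwNewSize = ((dwNewSize / FILE_ALIGNMENT) + 1) * FILE_ALIGNMENT;
	}
	Addtolist(0,-1,"OllyDump -- Calculating New File Size...");
	// Size the new section exactly the way MakeIID lays it out: one descriptor per
	// DLL plus a terminator, each DLL name with its NUL, and for every named import
	// a WORD hint followed by the name and its NUL.  The hint WORD was previously
	// left out of this sum, so a dump with many named imports could outgrow the
	// section (and the buffer) once MakeIID wrote it.
	dwNewSectSize = 0;
	DllNum = 0;
	pDll = DllEntry.next;
	while(pDll != NULL) {
		DllNum++;
		dwNewSectSize += sizeof(IMAGE_IMPORT_DESCRIPTOR);
		dwNewSectSize += (DWORD)(strlen(pDll->DllName) + 1);
		pApi = pDll->ApiHead.next;
		while(pApi != NULL) {
			if(pApi->ApiName[0] != '\0') {
				dwNewSectSize += sizeof(WORD) + (DWORD)(strlen(pApi->ApiName) + 1);
			}
			pApi = pApi->next;
		}
		pDll = pDll->next;
	}
	dwNewSectSize += sizeof(IMAGE_IMPORT_DESCRIPTOR);   // terminating descriptor
	if((dwNewSectSize % FILE_ALIGNMENT) != 0) {
		dwNewSectSize = ((dwNewSectSize / FILE_ALIGNMENT) + 1) * FILE_ALIGNMENT;
	}
	// grow (or shrink, dropping any overlay past the last section) the buffer;
	// keep the old pointer until the reallocation succeeds so it is still freed
	// on the failure path instead of being leaked
	dwFsize = dwNewSize + dwNewSectSize;
	pNewMem = (BYTE*)HeapReAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(LPVOID)pFileMem,dwFsize);
	if(pNewMem == NULL) {
		Addtolist(0,1,"OllyDump -- Error HeapReAlloc Error!!");
		goto CLEAN3;
	}
	pFileMem = pNewMem;
	// pFileIDH/pFileINH/pFileISH are stale from here on; MakeIID re-derives them
	Addtolist(0,-1,"OllyDump -- Making New Import Table...");
	MakeIID(pFileMem,dwNewSectSize,&DllEntry);
	// write the file back and cut off any stale tail if the original was longer
	SetFilePointer(hFile,0,NULL,FILE_BEGIN);
	if(!WriteFile(hFile,pFileMem,dwFsize,&dwBuff,NULL) || dwBuff != dwFsize) {
		Addtolist(0,1,"OllyDump -- Error WriteFile failed!!");
		goto CLEAN3;
	}
	if(!SetEndOfFile(hFile)) {
		Addtolist(0,1,"OllyDump -- Error SetEndOfFile failed!!");
		goto CLEAN3;
	}
	Addtolist(0,-1,"OllyDump -- Dump and Rebuild Finish!!");
	result = TRUE;
	// clean up
CLEAN3:
	pDll = DllEntry.next;
	while(pDll != NULL) {
		pApi = pDll->ApiHead.next;
		while(pApi != NULL) {
			qApi = pApi;
			pApi = pApi->next;
			free(qApi);
		}
		qDll = pDll;
		pDll = pDll->next;
		free(qDll);
	}
CLEAN2:
	if(!HeapFree(GetProcessHeap(),0,pFileMem)) {
		Addtolist(0,1,"OllyDump -- Error HeapFree Error!!");
	}
CLEAN1:
	if(!CloseHandle(hFile)) {
		Addtolist(0,1,"OllyDump -- Error CloseHandle Error!!");
	}
CLEAN0:
	return(result);
}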