设为首页收藏一下又不会死!新人公告
切换到窄版

 找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
技术宅的结界»论坛 计算机技术 技巧探讨 GetProcAddress解析(一)
返回列表 发新帖
查看: 2937|回复: 1

GetProcAddress解析(一)

[复制链接]
元始天尊

307

主题

228

回帖

7349

积分

用户组: 真·技术宅

UID
2
精华
76
威望
291 点
宅币
5599 个
贡献
253 次
宅之契约
0 份
在线时间
949 小时
注册时间
2014-1-25
发表于 2015-6-13 12:42:57 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有账号?立即注册→加入我们

×
本帖最后由 元始天尊 于 2015-6-13 15:06 编辑

剔除了很多无关代码

可以借鉴的地方:
1、考虑了很多极端情况如dllmain未执行,获得函数地址不能等于基址等
2、名称查找采用二分搜索
3、考虑了forward导出函数
4、对按序号和按名称分别处理
5、对内存pe解析

  1. FARPROC WINAPI GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
  2. {
  3.     if (HIWORD(lpProcName) != 0)
  4.     {//按名称查找
  5.         RtlInitAnsiString(&ProcedureName, (LPSTR)lpProcName);
  6.         ProcNamePtr = &ProcedureName;
  7.     }
  8.     else
  9.     { //按序号查找
  10.         Ordinal = (ULONG)lpProcName;
  11.     }
  12.     hMapped = BasepMapModuleHandle(hModule, FALSE);//如果没提供hModule则取得当前模块hModule
  13.     Status = LdrGetProcedureAddress(hMapped,ProcNamePtr, Ordinal,(PVOID*)&fnExp);
  14. }

  16. PVOID WINAPI BasepMapModuleHandle(HMODULE hModule, BOOLEAN AsDataFile)
  17. {
  18.         if (!hModule) return NtCurrentPeb()->ImageBaseAddress;
  19.         if (LDR_IS_DATAFILE(hModule) && !AsDataFile)//如果为资源DLL
  20.                 return NULL;
  21.         return hModule;
  22. }

  24. NTSTATUS NTAPI LdrpGetProcedureAddress(IN PVOID BaseAddress,IN PANSI_STRING Name,IN ULONG Ordinal,OUT PVOID *ProcedureAddress,IN BOOLEAN ExecuteInit)
  25. {
  26.     NTSTATUS Status = STATUS_SUCCESS;
  27.     UCHAR ImportBuffer[64];
  28.     PLDR_DATA_TABLE_ENTRY LdrEntry;
  29.     IMAGE_THUNK_DATA Thunk;
  30.     PVOID ImageBase;
  31.     PIMAGE_IMPORT_BY_NAME ImportName = NULL;
  32.     PIMAGE_EXPORT_DIRECTORY ExportDir;
  33.     ULONG ExportDirSize, Length;
  34.     PLIST_ENTRY Entry;
  35.     if (Name)//若按名称查找
  36.     {
  37.         Length = Name->Length +sizeof(CHAR) + FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name);
  38.         ImportName->Hint = 0;
  39.         RtlCopyMemory(ImportName->Name, Name->Buffer, Name->Length);
  40.         ImportName->Name[Name->Length] = ANSI_NULL;
  41.         ImageBase = ImportName;
  42.         Thunk.u1.AddressOfData = 0;
  43.     }
  44.     else//若按序号查找
  45.     {
  46.         ImageBase = NULL;
  47.         Thunk.u1.Ordinal = Ordinal | IMAGE_ORDINAL_FLAG;
  48.     }
  49.     LdrpCheckForLoadedDllHandle(BaseAddress, &LdrEntry); //查找已加载dll
  50.     ExportDir = RtlImageDirectoryEntryToData(LdrEntry->DllBase,TRUE,IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportDirSize);//查找导出表
  51.     Status = LdrpSnapThunk(LdrEntry->DllBase,ImageBase,&Thunk, &Thunk,ExportDir,ExportDirSize,FALSE,NULL);//获取导出表Thunk结构
  52.         *ProcedureAddress = (PVOID)Thunk.u1.Function;
  53. }

  55. BOOLEAN NTAPI LdrpCheckForLoadedDllHandle(IN PVOID Base,OUT PLDR_DATA_TABLE_ENTRY *LdrEntry)
  56. {
  57.         PLDR_DATA_TABLE_ENTRY Current;
  58.         PLIST_ENTRY ListHead, Next;
  59.         if ((LdrpLoadedDllHandleCache) && (LdrpLoadedDllHandleCache->DllBase == Base))//查找缓存
  60.         {
  61.                 *LdrEntry = LdrpLoadedDllHandleCache;
  62.                 return TRUE;
  63.         }
  64.         ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;//线性查找ldr
  65.         Next = ListHead->Flink;
  66.         while (Next != ListHead)
  67.         {
  68.                 Current = CONTAINING_RECORD(Next,LDR_DATA_TABLE_ENTRY,InLoadOrderLinks);
  69.                 if ((Current->InMemoryOrderModuleList.Flink) && (Base == Current->DllBase))
  70.                 {
  71.                         LdrpLoadedDllHandleCache = Current;
  72.                         *LdrEntry = Current;
  73.                         return TRUE;
  74.                 }
  75.                 Next = Next->Flink;
  76.         }
  77.         return FALSE;
  78. }

  80. PVOID NTAPI RtlImageDirectoryEntryToData(PVOID BaseAddress,BOOLEAN MappedAsImage,USHORT Directory,PULONG Size)
  81. {
  82.         PIMAGE_NT_HEADERS NtHeader;
  83.         ULONG Va;
  84.         NtHeader = RtlImageNtHeader(BaseAddress);
  85.         if (NtHeader == NULL)
  86.                 return NULL;
  87.         if(NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
  88.                 return RtlpImageDirectoryEntryToData32(BaseAddress,MappedAsImage,Directory,Size,NtHeader);
  89.         else if(NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
  90.                 return RtlpImageDirectoryEntryToData64(BaseAddress,MappedAsImage,Directory,Size,NtHeader);
  91.         return NULL;
  92. }

  94. PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(IN PVOID Base)
  95. {
  96.         PIMAGE_NT_HEADERS NtHeaders = NULL;
  97.         PIMAGE_DOS_HEADER DosHeader;
  98.         if ((Base != NULL) && (Base == (PVOID)-1) && (DosHeader->e_magic == IMAGE_DOS_SIGNATURE))
  99.         {
  100.                 if (DosHeader->e_lfanew < 0x10000000)
  101.                 {
  102.                         NtHeaders = (BYTE*)Base + DosHeader->e_lfanew;
  103.                         if(NtHeaders->Signature != IMAGE_NT_SIGNATURE)
  104.                                 NtHeaders = NULL;
  105.                 }
  106.         }
  107.         return NtHeaders;
  108. }

  110. PVOID NTAPI RtlpImageDirectoryEntryToData32(PVOID BaseAddress, BOOLEAN MappedAsImage, USHORT Directory, PULONG Size, PIMAGE_NT_HEADERS32 NtHeader)
  111. {
  112.         if(Directory >= NtHeader->OptionalHeader.NumberOfRvaAndSizes)
  113.                 return NULL;
  114.         DWORD vaaddr = NtHeader->OptionalHeader.DataDirectory[Directory].VirtualAddress;
  115.         if(vaaddr == 0)
  116.                 return NULL;
  117.         *Size = NtHeader->OptionalHeader.DataDirectory[Directory].Size;
  118.         if(MappedAsImage || vaaddr < NtHeader->OptionalHeader.SizeOfHeaders)
  119.                 return (PVOID)((BYTE*)BaseAddress + vaaddr);
  120. }

  122. PVOID NTAPI RtlpImageDirectoryEntryToData64(PVOID BaseAddress, BOOLEAN MappedAsImage, USHORT Directory, PULONG Size, PIMAGE_NT_HEADERS64 NtHeader)
  123. {
  124.         if(Directory >= NtHeader->OptionalHeader.NumberOfRvaAndSizes)
  125.                 return NULL;
  126.         DWORD vaaddr = NtHeader->OptionalHeader.DataDirectory[Directory].VirtualAddress;
  127.         if(vaaddr == 0)
  128.                 return NULL;
  129.         *Size = NtHeader->OptionalHeader.DataDirectory[Directory].Size;
  130.         if(MappedAsImage || vaaddr < NtHeader->OptionalHeader.SizeOfHeaders)
  131.                 return (PVOID)((BYTE*)BaseAddress + vaaddr);
  132. }

  134. NTSTATUS NTAPI LdrpSnapThunk(IN PVOID ExportBase,IN PVOID ImportBase,IN PIMAGE_THUNK_DATA OriginalThunk,IN OUT PIMAGE_THUNK_DATA Thunk,
  135.         IN PIMAGE_EXPORT_DIRECTORY ExportEntry,IN ULONG ExportSize,IN BOOLEAN Static,IN LPSTR DllName)
  136. {
  137.         BOOLEAN IsOrdinal;
  138.         USHORT Ordinal;
  139.         ULONG OriginalOrdinal = 0;
  140.         PIMAGE_IMPORT_BY_NAME AddressOfData;
  141.         PULONG NameTable;
  142.         PUSHORT OrdinalTable;
  143.         LPSTR ImportName = NULL;
  144.         USHORT Hint;
  145.         NTSTATUS Status;
  146.         ULONG_PTR HardErrorParameters[3];
  147.         UNICODE_STRING HardErrorDllName, HardErrorEntryPointName;
  148.         ANSI_STRING TempString;
  149.         ULONG Mask;
  150.         ULONG Response;
  151.         PULONG AddressOfFunctions;
  152.         UNICODE_STRING TempUString;
  153.         ANSI_STRING ForwarderName;
  154.         PANSI_STRING ForwardName;
  155.         PVOID ForwarderHandle;
  156.         ULONG ForwardOrdinal;

  158.         if ((IsOrdinal = IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)))//按序号
  159.         {
  160.                 OriginalOrdinal = IMAGE_ORDINAL(OriginalThunk->u1.Ordinal);
  161.                 Ordinal = (USHORT)(OriginalOrdinal - ExportEntry->Base);
  162.         }
  163.         else
  164.         {
  165.                 AddressOfData = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)ImportBase +((ULONG_PTR)OriginalThunk->u1.AddressOfData & 0xffffffff));
  166.                 ImportName = (LPSTR)AddressOfData->Name;
  167.                 NameTable = (PULONG)((ULONG_PTR)ExportBase + (ULONG_PTR)ExportEntry->AddressOfNames);
  168.                 OrdinalTable = (PUSHORT)((ULONG_PTR)ExportBase + (ULONG_PTR)ExportEntry->AddressOfNameOrdinals);
  169.                 Hint = AddressOfData->Hint;
  170.                 Ordinal = LdrpNameToOrdinal(ImportName,ExportEntry->NumberOfNames,ExportBase,NameTable,OrdinalTable);//根据名称找到序号
  171.         }

  173.         if ((ULONG)Ordinal >= ExportEntry->NumberOfFunctions)
  174.         {
  175.         }
  176.         else
  177.         {
  178.                 AddressOfFunctions = (PULONG)((ULONG_PTR)ExportBase + (ULONG_PTR)ExportEntry->AddressOfFunctions);
  179.                 Thunk->u1.Function = (ULONG_PTR)ExportBase + AddressOfFunctions[Ordinal];
  180.                 if ((Thunk->u1.Function > (ULONG_PTR)ExportEntry) && (Thunk->u1.Function < ((ULONG_PTR)ExportEntry + ExportSize)))
  181.                 {//对于前向索引的动态链  Function指向字符串  "dll.func"
  182.                         ImportName = (LPSTR)Thunk->u1.Function;
  183.                         ForwarderName.Buffer = ImportName;
  184.                         ForwarderName.Length = (USHORT)(strchr(ImportName, '.') - ImportName);//取得dll名称
  185.                         ForwarderName.MaximumLength = ForwarderName.Length;
  186.                         Status = RtlAnsiStringToUnicodeString(&TempUString,&ForwarderName,TRUE);
  187.                         if (NT_SUCCESS(Status))
  188.                         {
  189.                                 Status = LdrpLoadDll(FALSE,NULL,NULL,&TempUString,&ForwarderHandle,FALSE);
  190.                                 RtlFreeUnicodeString(&TempUString);
  191.                         }
  192.                         RtlInitAnsiString(&ForwarderName,ImportName + ForwarderName.Length + sizeof(CHAR));//取得函数名
  193.                         if ((ForwarderName.Length > 1) && (*ForwarderName.Buffer == '#'))
  194.                         {//按序号
  195.                                 ForwardName = NULL;
  196.                                 Status = RtlCharToInteger(ForwarderName.Buffer + sizeof(CHAR),0,&ForwardOrdinal);
  197.                         }
  198.                         else
  199.                         {//按名称
  200.                                 ForwardName = &ForwarderName;
  201.                         }
  202.                         Status = LdrpGetProcedureAddress(ForwarderHandle,ForwardName,ForwardOrdinal,(PVOID*)&Thunk->u1.Function,FALSE);//重新获取地址
  203.                 }
  204. }

  206. USHORT
  207. NTAPI
  208. LdrpNameToOrdinal(IN LPSTR ImportName,
  209.                   IN ULONG NumberOfNames,
  210.                   IN PVOID ExportBase,
  211.                   IN PULONG NameTable,
  212.                   IN PUSHORT OrdinalTable)
  213. {
  214.     LONG Start, End, Next, CmpResult;

  216.     /* Use classical binary search to find the ordinal */
  217.     Start = Next = 0;
  218.     End = NumberOfNames - 1;
  219.     while (End >= Start)
  220.     {
  221.         /* Next will be exactly between Start and End */
  222.         Next = (Start + End) >> 1;

  224.         /* Compare this name with the one we need to find */
  225.         CmpResult = strcmp(ImportName, (PCHAR)((ULONG_PTR)ExportBase + NameTable[Next]));

  227.         /* We found our entry if result is 0 */
  228.         if (!CmpResult) break;

  230.         /* We didn't find, update our range then */
  231.         if (CmpResult < 0)
  232.         {
  233.             End = Next - 1;
  234.         }
  235.         else if (CmpResult > 0)
  236.         {
  237.             Start = Next + 1;
  238.         }
  239.     }

  241.     /* If end is before start, then the search failed */
  242.     if (End < Start) return -1;

  244.     /* Return found name */
  245.     return OrdinalTable[Next];
  246. }
复制代码
回复

使用道具 举报

元始天尊

307

主题

228

回帖

7349

积分

用户组: 真·技术宅

UID
2
精华
76
威望
291 点
宅币
5599 个
贡献
253 次
宅之契约
0 份
在线时间
949 小时
注册时间
2014-1-25
 楼主| 发表于 2015-6-13 16:14:56 | 显示全部楼层
依据上述过程,我们可以写出一个简化版的GetProcAddress,且不用依赖peb的ldr,输入是pe加载地址和函数名,输出是函数位置,只做查输出表的操作,该函数可以实现我之后要研究的dll隐藏技术。
这份代码除了比原有功能少了通过index获取函数地址之外,增加了一些特殊功能,比如支持unicode,支持顺序查找和二分查找,已在win8.1 x86 x64 环境下测试,若有坑请指出。


  1. #include <windows.h>
  2. #include <winternl.h>

  4. #if defined(WIN64) || defined(_WIN64)
  5. #pragma comment(lib,"ntdll64.lib")
  6. #else
  7. #pragma comment(lib,"ntdll.lib")
  8. #endif

  10. #if defined(UNICODE) || defined(_UNICODE)
  11. #define GetProcAddressT GetProcAddressW
  12. #else
  13. #define GetProcAddresT GetProcAddressA
  14. #endif

  16. /*
  17. 改进之处:
  18. 1.只允许使用名称索引
  19. 2.采用二分查找(后期改成hash)
  20. 3.精简代码
  21. 4.支持unicode版本
  22. 5.加入对资源方式加载dll的处理
  23. */

  25. typedef struct _MTEB
  26. {
  27.         _NT_TIB NtTib;
  28.         PVOID ProcessEnvironmentBlock;
  29. }MTEB,*PMTEB;

  31. typedef struct _MPEB
  32. {
  33.         DWORD flags;
  34.         PVOID Mutant;
  35.         PVOID ImageBaseAddress;
  36. }MPEB,*PMPEB;

  38. #define SEARCH_LINEAR 1
  39. #define SEARCH_BINARY 2

  41. FARPROC WINAPI GetProcAddressTA(HMODULE hModule,LPCSTR lpProcName,INT how);
  42. FARPROC WINAPI GetProcAddressTW(HMODULE hModule,LPCWSTR lpProcName,INT how = SEARCH_BINARY)
  43. {
  44.         ANSI_STRING ProcNameA;
  45.         UNICODE_STRING ProcNameW;
  46.         FARPROC ObjAddr = NULL;
  47.         if(lpProcName == NULL)
  48.                 return NULL;
  49.         RtlInitUnicodeString(&ProcNameW,lpProcName);
  50.         if(!RtlUnicodeStringToAnsiString(&ProcNameA,&ProcNameW,TRUE))
  51.                 return NULL;
  52.         ObjAddr = GetProcAddressTA(hModule,ProcNameA.Buffer,how);
  53.         RtlFreeAnsiString(&ProcNameA);
  54.         return ObjAddr;
  55. }

  57. #define DLL_RESOURCE_FLAG 3
  58. FARPROC WINAPI GetProcAddressTA(HMODULE hModule,LPCSTR lpProcName,INT how = SEARCH_BINARY)
  59. {
  60.         if(!hModule)//获取当前模块
  61.                 hModule = (HMODULE)((PMPEB)((PMTEB)NtCurrentTeb())->ProcessEnvironmentBlock)->ImageBaseAddress;
  62.         BYTE* pFlag = (BYTE*)&hModule;
  63.         if(*pFlag & DLL_RESOURCE_FLAG)//还原到'MZ'位置
  64.                 *pFlag &= ~DLL_RESOURCE_FLAG;
  65.         if(hModule == NULL || hModule == (HMODULE)-1)
  66.                 return NULL;
  67.         //找到导出表
  68.         PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)hModule;
  69.         PIMAGE_NT_HEADERS NtHeaders = NULL;
  70.         if(DosHeader->e_magic == IMAGE_DOS_SIGNATURE && DosHeader->e_lfanew)
  71.         {//简单检查hModule对应内存PE的合法性
  72.                 NtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + DosHeader->e_lfanew);
  73.                 if(NtHeaders->Signature != IMAGE_NT_SIGNATURE)
  74.                         NtHeaders = NULL;
  75.         }
  76.         if(!NtHeaders)
  77.                 return NULL;

  79.         PVOID BaseAddress = hModule;
  80.         USHORT Directory = IMAGE_DIRECTORY_ENTRY_EXPORT;
  81.         PIMAGE_EXPORT_DIRECTORY ExportDir = NULL;
  82.         ULONG ExportDirSize = 0;
  83.         if(NtHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
  84.         {
  85.                 PIMAGE_NT_HEADERS32 tpnh = (PIMAGE_NT_HEADERS32)NtHeaders;
  86.                 if(Directory >= tpnh->OptionalHeader.NumberOfRvaAndSizes)
  87.                         return NULL;
  88.                 DWORD VA = tpnh->OptionalHeader.DataDirectory[Directory].VirtualAddress;
  89.                 if(VA == NULL)
  90.                         return NULL;
  91.                 ExportDirSize = tpnh->OptionalHeader.DataDirectory[Directory].Size;
  92.                 ExportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)BaseAddress + VA);
  93.         }
  94.         else
  95.         {
  96.                 PIMAGE_NT_HEADERS64 tpnh = (PIMAGE_NT_HEADERS64)NtHeaders;
  97.                 if(Directory >= tpnh->OptionalHeader.NumberOfRvaAndSizes)
  98.                         return NULL;
  99.                 DWORD VA = tpnh->OptionalHeader.DataDirectory[Directory].VirtualAddress;
  100.                 if(VA == NULL)
  101.                         return NULL;
  102.                 ExportDirSize = tpnh->OptionalHeader.DataDirectory[Directory].Size;
  103.                 ExportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)BaseAddress + VA);
  104.         }
  105.         //匹配导出名,假设按字母排序
  106.         PULONG NameTable = (PULONG)((ULONG_PTR)BaseAddress + (ULONG_PTR)ExportDir->AddressOfNames);
  107.         PUSHORT OrdinalTable = (PUSHORT)((ULONG_PTR)BaseAddress + (ULONG_PTR)ExportDir->AddressOfNameOrdinals);
  108.        
  109.         USHORT Ordinal = -1;
  110.         if(how == SEARCH_LINEAR)
  111.         {
  112.                 for(LONG i = 0;i < ExportDir->NumberOfNames;i++)
  113.                 {
  114.                         if(!strcmp(lpProcName,(PCHAR)((ULONG_PTR)BaseAddress + NameTable[i])))
  115.                         {
  116.                                 Ordinal = OrdinalTable[i];
  117.                                 break;
  118.                         }
  119.                 }
  120.         }
  121.         else if(how == SEARCH_BINARY)
  122.         {
  123.                 LONG Start = 0,Next = 0,End = ExportDir->NumberOfNames -1,CmpResult;
  124.                 while(End >= Start)
  125.                 {
  126.                         Next = (Start + End) >> 1;
  127.                         CmpResult = strcmp(lpProcName,(PCHAR)((ULONG_PTR)BaseAddress + NameTable[Next]));
  128.                         if(!CmpResult)
  129.                                 break;
  130.                         if(CmpResult < 0)
  131.                                 End = Next - 1;
  132.                         else
  133.                                 Start = Next + 1;
  134.                 }
  135.                 if(End >= Start)
  136.                         Ordinal = OrdinalTable[Next];
  137.         }

  139.         //处理forward export情况
  140.         if(Ordinal >= ExportDir->NumberOfFunctions)
  141.                 return NULL;
  142.         PULONG AddressOfFunctions = (PULONG)((ULONG_PTR)BaseAddress + (ULONG_PTR)ExportDir->AddressOfFunctions);
  143.         ULONG_PTR Function = (ULONG_PTR)BaseAddress + AddressOfFunctions[Ordinal];
  144.         if(Function > (ULONG_PTR)ExportDir && Function < (ULONG_PTR)ExportDir + ExportDirSize)
  145.                 return NULL;
  146.         return (FARPROC)Function;
  147. }

  149. void main()
  150. {
  151.         typedef int (WINAPI* MSGBOX)(DWORD,CHAR*,CHAR*,DWORD);
  152.         HMODULE hmod = LoadLibraryA("user32.dll");
  153.         if(hmod == NULL)
  154.                 return;
  155.         MSGBOX box ;
  156. //         box = (MSGBOX)GetProcAddress(hmod,"MessageBoxA");
  157. //         if(box == NULL)
  158. //                 return;
  159. //         box(NULL,"ok","ok",0);
  160.         box = (MSGBOX)GetProcAddressTA(hmod,"MessageBoxA");
  161.         if(box == NULL)
  162.                 return;
  163.         box(NULL,"ok","ok",0);

  165.         FreeLibrary(hmod);
  166. }
复制代码
回复 赞! 靠!

使用道具 举报

返回列表 发新帖

QQ|Archiver|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图

GMT+8, 2024-5-6 13:05 , Processed in 0.032950 second(s), 28 queries , Gzip On.

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表