Can we find the address of a winAPI without using GetProcAddress?
-
Hi, can we get the address of a winAPI (from Advapi32.dll) without using GetProcAddress or an IAT scan? Is it possible? Basically, I want to obfuscate the API call at the source code level. Thanks, GNU:lihd
But why don't you want to use GetProcAddress?
WhiteSky
-
Yes. This code should point you in the right direction. It outputs the names of all the functions exported by name from "Kernel32.dll":
// Console.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <iostream>
#include <windows.h>

LPVOID PrintFunctions(HMODULE hMod)
{
    // Find the DOS header.
    PIMAGE_DOS_HEADER pDOS = (PIMAGE_DOS_HEADER)hMod;
    // Find the address of the "new" header.
    PIMAGE_NT_HEADERS pNew = (PIMAGE_NT_HEADERS)((char*)pDOS+pDOS->e_lfanew);
    // Find the address of the "optional" header.
    PIMAGE_OPTIONAL_HEADER pOpt = &(pNew->OptionalHeader);
    // Now find the export table.
    PIMAGE_EXPORT_DIRECTORY pExport =
        (PIMAGE_EXPORT_DIRECTORY)((char*)pDOS+pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    // Write out all the exported names. AddressOfNames points to an array of
    // 32-bit RVAs, so it is read as DWORD (UINT_PTR is 8 bytes in a 64-bit build).
    DWORD *pNameArray = (DWORD*)((char*)pDOS+pExport->AddressOfNames);
    for (DWORD i=0; i<pExport->NumberOfNames; ++i)
    {
        LPCSTR pName = (LPCSTR)((char*)pDOS+pNameArray[i]);
        std::cout << pName << std::endl;
    }
    return NULL;
}

int main(int argc, char* argv[])
{
    // The ANSI variant is called explicitly so the narrow literal also compiles in Unicode builds.
    HMODULE hMod = GetModuleHandleA("kernel32.dll");
    PrintFunctions(hMod);
    return 0;
}
Steve
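The walk above runs over a module the loader has already mapped and validated; when the same tables are read from an untrusted image, such as a module dumped from memory during analysis, every RVA has to be bounds-checked first. The following is an added example, not part of the thread or of Steve's code, and it goes one step further than the post by also reading the ordinal and function tables and flagging forwarded exports. It assumes the buffer is laid out as mapped (offset equals RVA), uses raw field offsets from the PE specification instead of `windows.h` structures, and the names `Image`, `Export`, `rd`, `parseExports` and `sampleImage` are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using Image = std::vector<uint8_t>;            // module image as mapped, so offset == RVA
struct Export { uint32_t rva; bool forwarded; };

// Bounds-checked read (little-endian host assumed): a bad RVA throws instead of over-reading.
template <class T> T rd(const Image& m, size_t off) {
    if (off > m.size() || m.size() - off < sizeof(T)) throw std::out_of_range("bad RVA");
    T v; std::memcpy(&v, m.data() + off, sizeof v); return v;
}

// Resolve every exported name to its function RVA through the three parallel export tables.
std::map<std::string, Export> parseExports(const Image& m) {
    size_t nt = rd<uint32_t>(m, 0x3C), opt = nt + 24;            // e_lfanew, optional header
    if (rd<uint16_t>(m, 0) != 0x5A4D || rd<uint32_t>(m, nt) != 0x4550) throw std::runtime_error("not a PE image");
    size_t dir = opt + (rd<uint16_t>(m, opt) == 0x20B ? 112 : 96);   // PE32+ or PE32 data directory
    size_t exp = rd<uint32_t>(m, dir), expSize = rd<uint32_t>(m, dir + 4);
    size_t nFuncs = rd<uint32_t>(m, exp + 20), nNames = rd<uint32_t>(m, exp + 24);
    size_t funcs = rd<uint32_t>(m, exp + 28), names = rd<uint32_t>(m, exp + 32), ords = rd<uint32_t>(m, exp + 36);
    std::map<std::string, Export> out;
    for (size_t i = 0; i < nNames; ++i) {
        size_t p = rd<uint32_t>(m, names + 4 * i);               // name RVAs are 32-bit even in PE32+
        size_t ord = rd<uint16_t>(m, ords + 2 * i);              // index into the function table
        if (ord >= nFuncs) throw std::out_of_range("bad ordinal");
        std::string name;
        while (char c = rd<char>(m, p++)) name += c;
        uint32_t f = rd<uint32_t>(m, funcs + 4 * ord);
        out[name] = {f, f >= exp && f - exp < expSize};          // RVA inside export dir: forwarder string
    }
    return out;
}

// Constructed sample (not a real DLL): PE32+ image, two named exports, "Alpha" forwarded.
Image sampleImage() {
    Image m(0x400, 0);
    auto w = [&m](size_t off, uint32_t v) { std::memcpy(&m.at(off), &v, 4); };
    w(0, 0x5A4D); w(0x3C, 0x80); w(0x80, 0x4550); w(0x98, 0x20B);    // MZ, e_lfanew, PE, PE32+ magic
    w(0x98 + 112, 0x200); w(0x98 + 116, 0x100);                      // export directory RVA and size
    w(0x214, 2); w(0x218, 2); w(0x21C, 0x230); w(0x220, 0x240); w(0x224, 0x250);  // counts, table RVAs
    w(0x230, 0x1000); w(0x234, 0x270);                               // functions: code RVA, forwarder RVA
    w(0x240, 0x260); w(0x244, 0x268); w(0x250, 1);                   // name RVAs; ordinals {1, 0} as two uint16
    std::memcpy(&m[0x260], "Alpha", 6); std::memcpy(&m[0x268], "Beta", 5);
    std::memcpy(&m[0x270], "OTHER.Func", 11);
    return m;
}
```

In the sample the name order and the function order differ on purpose, so a parser that skips the ordinal table would attach the wrong RVA to each name.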
-
Hi, where could I learn this kind of thing? Please point me to the right guides to do kernel/system programming.
-
To learn to understand the code I posted, try these resources:
- Microsoft Portable Executable and Common Object File Format Specification
- And this Google search.
Steve