我所遇到的问题如下:
badboy代码行:
HMODULE handle = (HMODULE)pLoadLibraryA((LPCSTR)(codeBase + importDesc->Name));
这是很好的输出,但它错过了以下功能:(ijl11.dll和libcef.dll)
我试过了:
如果我使HMODULE句柄“全局”,输出良好但缺少两个dll的输出。
如果我使HMODULE句柄“本地功能”,输出良好但缺少两个dll。
如果我使HMODULE句柄“for循环的本地”,输出良好但缺少两个dll。
badboy代码行:
static HMODULE handle = (HMODULE)pLoadLibraryA((LPCSTR)(codeBase + importDesc->Name));
输出为“静态”给了我两个缺少dll的功能。
问题:为什么静态的使用会给我输出两个缺少dll的函数?虽然使用非静态不会给我正确的输出。
另外,为什么使用两种方式加在一起当然会给我输出我想要的输出?
结论我到目前为止:句柄有一些东西在继续。
但是非静态的使用给了我很大的输出,并且静态的使用给了我垃圾输出但是给了我两个丢失的dll的导入函数的输出。
我不明白。有人可以解释一下吗?
代码:
// Custom Module Struct
typedef struct
{
PIMAGE_NT_HEADERS NT_Headers;
unsigned char *codeBase;
HMODULE *modules;
int numModules;
int initialized;
} MEMORYMODULE, *PMEMORYMODULE;
//HMODULE handle;
int BuildImportTable(PMEMORYMODULE module)
{
int result = 1;
//HMODULE handle;
unsigned char *codeBase = module->codeBase;
PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_IMPORT);
printf("Directory Size: %d\n", directory->Size);
if (directory->Size > 0)
{
PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR)(codeBase + directory->VirtualAddress);
// Check Each Import Descriptor
for (; !pIsBadReadPtr(importDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR)) && importDesc->Name; importDesc++) {
// loop scope
PIMAGE_THUNK_DATA thunkILT;
PIMAGE_THUNK_DATA thunkIAT;
// Load Each Library By Name
printf("\n\n\n[BuildImportTable]: Trying To Load: %s\n", codeBase + importDesc->Name);
static HMODULE handle = (HMODULE)pLoadLibraryA((LPCSTR)(codeBase + importDesc->Name));
if (handle != NULL){
printf("[BuildImportTable]: Loaded: %s\n", codeBase + importDesc->Name);
}
if (handle == INVALID_HANDLE_VALUE) {
result = 0;
printf("[BuildImportTable]: Handle NULL\n");
break;
}
//// Build Out Module Structure Members
//HMODULE *p = (HMODULE*)MemRealloc( module->modules, (module->numModules + 1) * ( sizeof(HMODULE) ) );
//module->modules = p;
//if (module->modules == NULL) {
// result = 0;
// printf("[BuildImportTable]: Modules NULL\n");
// break;
//}
//// Store Allocated Library
//module->modules[module->numModules++] = handle; // Load Library Handle
// OriginalFirstThunk - Names are stored in ILT.
if ( importDesc->OriginalFirstThunk ) {
// Get RVA of the Import Lookup Table (ILT)
thunkILT = (PIMAGE_THUNK_DATA)(importDesc->OriginalFirstThunk);
if (thunkILT == NULL) { printf("[BuildImportTable]: thunkILT RVA NULL\n"); continue; }
// Get VA to (ILT)
thunkILT = (PIMAGE_THUNK_DATA)( codeBase + importDesc->OriginalFirstThunk);
if (thunkILT == NULL) { printf("[BuildImportTable]: codeBase + thunkILT RVA NULL\n"); continue; }
// Offset Linear Address to get valid data
//thunkILT = (PIMAGE_THUNK_DATA)rvaToPtr( (DWORD)thunkILT, module->NT_Headers, (DWORD)codeBase );
}
// FirstThunk - ( i.e., the array of linear addresses built by the loader ).
if (importDesc->FirstThunk){
// The RVA of the Import Address Table (IAT)
thunkIAT = (PIMAGE_THUNK_DATA)(importDesc->FirstThunk);
if (thunkIAT == NULL) { printf("[BuildImportTable]: thunkIAT RVA NULL\n"); continue; }
// Get VA to (IAT).
thunkIAT = (PIMAGE_THUNK_DATA)(codeBase + importDesc->FirstThunk);
if (thunkIAT == NULL) { printf("[BuildImportTable]: codeBase + thunkIAT RVA NULL\n"); continue; }
}
while( (thunkILT->u1.AddressOfData != 0) || thunkILT->u1.Ordinal != 0 )
{
if ( IMAGE_SNAP_BY_ORDINAL(thunkILT->u1.Ordinal) ) {
// BY ORDINAL
printf("[BuildImportTable]: OLD thunkIAT->Function: 0x%08X\n", thunkIAT->u1.Function);
/*HMODULE hModule = GetModuleHandle((LPCSTR)(codeBase + importDesc->Name));
if (hModule != NULL){*/
thunkIAT->u1.Function = (DWORD)pGetProcAddress(handle, (LPCSTR)IMAGE_ORDINAL(thunkILT->u1.Ordinal));
if (thunkIAT->u1.Function == NULL){
printf("[BuildImportTable]: Procedure Not Found By Ordinal\n");
printf("[BuildImportTable]: HMODULE: 0x%08X ERROR: %d\n", handle, GetLastError());
thunkILT++;
break;
}
printf("[BuildImportTable]: NEW thunkIAT->Function: 0x%08X\n", thunkIAT->u1.Function);
printf("[BuildImportTable]: Ordinal: 0x%08X\n", thunkILT->u1.Ordinal);
thunkILT++;
//}
//else{
// printf("[BuildImportTable]: HMODULE: 0x%08X ERROR: %d\n", hModule, GetLastError());
// thunkILT++; break; }
} else {
// if statement scope
PIMAGE_IMPORT_BY_NAME NameData;
NameData = (PIMAGE_IMPORT_BY_NAME)( thunkILT->u1.AddressOfData );
if (NameData == NULL) { printf("[BuildImportTable]: NameData RVA NULL\n"); break; }
NameData = (PIMAGE_IMPORT_BY_NAME)( codeBase + thunkILT->u1.AddressOfData );
if (NameData == NULL) { printf("[BuildImportTable]: codeBase + NameData RVA NULL\n"); break; }
// BY NAME
printf("[BuildImportTable]: OLD thunkIAT->Function: 0x%08X\n", thunkIAT->u1.Function);
thunkIAT->u1.Function = (DWORD)pGetProcAddress(handle, NameData->Name);
if (thunkIAT->u1.Function == NULL){ printf("[BuildImportTable]: Procedure Not Found By Name\n"); break; }
printf("[BuildImportTable]: NEW thunkIAT->Function: 0x%08X\n", thunkIAT->u1.Function);
printf("[BuildImportTable]: ThunkData->Name: %s\n", NameData->Name);
thunkILT++;
}
// CHECK NEW IAT
if ( thunkIAT == 0 ) {
result = 0;
printf("[BuildImportTable]: NEW IAT NULL\n");
break;
}
// Increment
thunkIAT++;
} // End of Thunk Loop
} // End of for Loop
} // Director Size
_getch();
return result;
}
答案):
我通过确保loadlibrary具有正确的模块位置来解决上述问题。通过这样做,给了我每个模块的正确句柄。
我使用了procmon并过滤了应用程序并在CreateFile()上放置了一个过滤器,它显示了加载库正在搜索模块的区域。该模块不在任何列出的位置内。
所以,我将从现在开始提供loadlibrary完整路径以阻止上述问题。
感谢您停下来阅读我的问题。考虑一下解决了:)