Find non-exported functions in a module using masks.
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <string.h>
/*
 * Function-pointer type through which main() calls the address returned by
 * the signature scan: one LPCSTR input, one int out-parameter, char* result.
 * NOTE(review): this prototype is the author's assumption about an unexported
 * routine; nothing in this file verifies it. A mismatch in argument count,
 * types or calling convention is undefined behaviour at the call site, so
 * confirm it against the exact module build being scanned.
 */
typedef char * (*ParseHeaders)(LPCSTR, int *);
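/*
 * Compare a candidate byte run against a masked signature.
 *
 * pData  - bytes being tested; must be readable for strlen(szMask) bytes.
 * bMask  - signature bytes; same length as szMask (may contain 0x00 bytes,
 *          which is why the length comes from szMask and not from bMask).
 * szMask - NUL-terminated mask: 'x' means "this byte must match", any other
 *          character is a wildcard for that position.
 *
 * Returns TRUE when every 'x' position matches, FALSE on the first mismatch.
 * The caller is responsible for keeping pData + strlen(szMask) inside the
 * region being scanned; this function does no bounds checking of its own.
 */
BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask != '\0'; ++szMask, ++pData, ++bMask) {
        if (*szMask == 'x' && *pData != *bMask)
            return FALSE;
    }

    /*
     * The loop only ends on the mask terminator, so reaching this point means
     * the whole signature matched. The original compared a char against NULL
     * here, which is an integer/pointer comparison and always true anyway.
     */
    return TRUE;
}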
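/*
 * Search [dwAddress, dwAddress + dwLen) for the first offset at which the
 * masked signature (bMask / szMask, see bCompare) matches.
 *
 * Returns the absolute address of the match, or 0 when there is no match,
 * when an argument is NULL/0, or when the signature is empty or longer than
 * the region.
 *
 * The scan stops at dwLen - strlen(szMask): the original loop ran i up to
 * dwLen - 1, so the last comparisons read up to strlen(szMask) - 1 bytes past
 * the end of the region (an out-of-bounds read that can fault if the next
 * page is not mapped).
 */
DWORD_PTR FindPattern(DWORD_PTR dwAddress, DWORD dwLen, PBYTE bMask, PCHAR szMask)
{
    size_t patLen;
    size_t lastStart;
    size_t i;

    if (dwAddress == 0 || bMask == NULL || szMask == NULL)
        return 0;

    patLen = strlen(szMask);
    if (patLen == 0 || patLen > (size_t)dwLen)
        return 0;

    /* Last offset at which a full-length comparison still fits in the region. */
    lastStart = (size_t)dwLen - patLen;

    for (i = 0; i <= lastStart; i++) {
        if (bCompare((const BYTE *)(dwAddress + i), bMask, szMask))
            return (DWORD_PTR)(dwAddress + i);
    }
    return 0;
}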
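/*
 * Look up an already-loaded module by name and scan its mapped image for the
 * masked signature (bMask / szMask, see bCompare).
 *
 * dllPath is passed straight to GetModuleHandleA, so the module must already
 * be loaded in this process (this function does not load it).
 *
 * Returns the address of the first match, or 0 if the module is not loaded,
 * its size cannot be queried, or the signature is not found. Callers must
 * check for 0 before using the result as a code pointer.
 */
DWORD_PTR findFunctionAddr(PCHAR dllPath, PBYTE bMask, PCHAR szMask)
{
    HMODULE hMod;
    MODULEINFO modinfo = { 0 };

    /*
     * TEXT() is only valid on string literals; applied to a variable it breaks
     * UNICODE builds. The argument is a char string, so call the A variant
     * with it directly.
     */
    hMod = GetModuleHandleA(dllPath);
    if (hMod == NULL)
        return 0;

    /* Without a valid SizeOfImage there is no safe bound for the scan. */
    if (!GetModuleInformation(GetCurrentProcess(), hMod, &modinfo, sizeof(modinfo)))
        return 0;

    return FindPattern((DWORD_PTR)hMod, modinfo.SizeOfImage, bMask, szMask);
}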
//M-SEARCH * HTTP/1.1 HOST: 192.168.0.1
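/*
 * Loads ssdpsrv.dll, locates an unexported routine by byte signature, calls
 * it with argv[1] and prints the result.
 *
 * Returns 0 when the call yields a non-NULL result, 1 on any failure
 * (missing argument, module not loaded, signature not found, NULL result).
 *
 * Review notes:
 *  - The signature is matched exactly (mask is all 'x') and contains
 *    RIP-relative displacement bytes, so it is tied to one specific build of
 *    the DLL. On any other build the scan is expected to miss; that case is
 *    now reported instead of calling through a NULL pointer.
 *  - A hit is still only a byte match. The call below executes whatever code
 *    sits at that address under the assumed ParseHeaders prototype; run this
 *    only against a build where the match has been verified.
 *  - The DLL is loaded from the system directory only, so a same-named file
 *    planted next to the executable or in the working directory is not
 *    picked up by the default search order.
 */
int main(int argc, char** argv)
{
    /* Signature bytes; contains embedded 0x00, so its length comes from the mask. */
    PBYTE hdrParserFuncB = (PBYTE)"\x48\x89\x5c\x24\x10\x48\x89\x6c\x24\x18\x56\x57\x41\x56\x48\x83\xec\x20\x4c\x8b\xf2\x48\x8b\xd9\x48\xff\x15\xe1\x24\x03\x00\x0f\x1f\x44\x00\x00\x48\x63\xe8\x48\x8d\x15\x92\x2e\x03\x00\x48\x8b\xcb\x48\x03\xeb\x48\xff\x15\x1d\x27\x03\x00\x0f\x1f\x44\x00\x00\x48\x8b\xf0\x48\x85\xc0\x0f\x84\x4a\x04\x01\x00";
    PCHAR hdrParserFunctMask = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    PCHAR dllPath = "ssdpsrv.dll";
    HMODULE ssdpapi;
    DWORD_PTR ptr;
    ParseHeaders parser;
    int msgType = 0;
    char* result;

    /* argv[1] was dereferenced unconditionally; with no argument it is NULL. */
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: <program> \"<message text>\"\n");
        return 1;
    }

    /*
     * TEXT() on a variable breaks UNICODE builds, so use the A variant.
     * LOAD_LIBRARY_SEARCH_SYSTEM32 restricts the lookup to the system
     * directory instead of the default search order.
     */
    ssdpapi = LoadLibraryExA(dllPath, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (ssdpapi == NULL) {
        printf("\t [-] Could not load %s (error %lu)\n", dllPath, (unsigned long)GetLastError());
        return 1;
    }
    printf("\t [-] Module address is: %p\n", (void *)ssdpapi);

    ptr = findFunctionAddr(dllPath, hdrParserFuncB, hdrParserFunctMask);
    printf("\t [-] Function address is: %p\n", (void *)ptr);
    if (ptr == 0) {
        /* Expected on any build other than the one the signature was taken from. */
        printf("\t [-] Signature not found in %s\n", dllPath);
        FreeLibrary(ssdpapi);
        return 1;
    }

    parser = (ParseHeaders)ptr;
    printf("\t [-] Trying call to %p\n", (void *)ptr);
    printf("\t [-] Input: %s\n", argv[1]);

    result = parser(argv[1], &msgType);
    printf("\t [-] Call done\n");

    if (result == NULL) {
        printf("\t [-] Error\n");
        FreeLibrary(ssdpapi);
        return 1;
    }

    /*
     * NOTE(review): ownership of `result` is unknown from this file (it may be
     * allocated by the DLL); it is printed before FreeLibrary and never freed.
     */
    printf("\t [-] Ok\n");
    printf("\t [-] Output: %s\n", result);
    FreeLibrary(ssdpapi);
    return 0;
}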
@ozcanerensayin

good
