Created
March 30, 2017 17:46
-
-
Save lallousx86/af5113c547b1b26250bb8778234d5ac9 to your computer and use it in GitHub Desktop.
Find the EAT slot of a given function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //------------------------------------------------------------------------- | |
| PDWORD FindFuncEATAddressSlot( | |
| HMODULE hModule, | |
| LPCSTR FuncName) | |
| { | |
| if (hModule == nullptr) | |
| return nullptr; | |
| ULONG_PTR Base = ULONG_PTR(hModule); | |
| IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER *)hModule; | |
| if (idh->e_magic != IMAGE_DOS_SIGNATURE) | |
| return 0; | |
| auto inh = PIMAGE_NT_HEADERS(Base + idh->e_lfanew); | |
| if (inh->Signature != IMAGE_NT_SIGNATURE) | |
| return 0; | |
| IMAGE_DATA_DIRECTORY *edd = inh->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT; | |
| // No export table | |
| if (edd->VirtualAddress == 0) | |
| return nullptr; | |
| PIMAGE_EXPORT_DIRECTORY ead = | |
| (PIMAGE_EXPORT_DIRECTORY)(Base + edd->VirtualAddress); | |
| // Parallel arrays. Finding the name in the names table will let us | |
| // use that index in the ordinal table to get the real index into the | |
| // function address table. | |
| PDWORD pNameRVA = PDWORD(Base + ead->AddressOfNames); | |
| PWORD pNameOrdRVA = PWORD(Base + ead->AddressOfNameOrdinals); | |
| // Base array of function addresses RVAs | |
| PDWORD pFuncAddrRVAs = PDWORD(Base + ead->AddressOfFunctions); | |
| for (DWORD i = 0, c = ead->NumberOfNames; | |
| i < c; | |
| ++i, ++pNameRVA, ++pNameOrdRVA) | |
| { | |
| auto Name = (const char *)(Base + *pNameRVA); | |
| if (strcmp(Name, FuncName) != 0) | |
| continue; | |
| return pFuncAddrRVAs + *pNameOrdRVA; | |
| } | |
| return nullptr; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment