Last active
February 11, 2022 14:52
-
-
Save p4yl0ad/c89c7fd5e667b364ceffafc74b46e7c3 to your computer and use it in GitHub Desktop.
Load kernelbase.dll. parse PE structure, Iterate over exports and add FunctionName:RVA to a single linked list, sort linked list by RVA and prints
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| /* | |
| resources: | |
| sektor7 for basic PE parse structure | |
| https://www.techiedelight.com/given-linked-list-change-sorted-order/ | |
| And thanks to people in secret club for being smart as fuck & helpful lul | |
| */ | |
| struct node | |
| { | |
| char FuncName[_MAX_PATH]; | |
| ULONGLONG whereami; | |
| struct node* next; | |
| }; | |
| struct node* head = NULL; | |
| void push(struct node** head, char* pVFuncName, ULONGLONG Vwhereami) | |
| { | |
| struct node* newpushNode; //= (struct node*)malloc(sizeof(struct node)); | |
| if (!(newpushNode = (node*)malloc(sizeof(struct node)))) | |
| { | |
| printf("fuckywucky push\nif (!(newpushNode = (node*)malloc(sizeof(struct node))))"); | |
| exit(1); | |
| } | |
| int res = strcpy_s(newpushNode->FuncName, _MAX_PATH, pVFuncName); | |
| newpushNode->whereami = Vwhereami; | |
| newpushNode->next = *head; | |
| *head = newpushNode; | |
| } | |
| void sortedInsert(struct node** head, struct node* newNode) | |
| { | |
| struct node dummy; | |
| struct node* current = &dummy; | |
| dummy.next = *head; | |
| while (current->next != NULL && current->next->whereami < newNode->whereami) { | |
| current = current->next; | |
| } | |
| newNode->next = current->next; | |
| current->next = newNode; | |
| *head = dummy.next; | |
| } | |
| void insertSort(struct node** head) | |
| { | |
| struct node* result = NULL; // build the answer here | |
| struct node* current = *head; // iterate over the original list | |
| struct node* next; | |
| while (current != NULL) | |
| { | |
| next = current->next; | |
| sortedInsert(&result, current); | |
| current = next; | |
| } | |
| *head = result; | |
| } | |
| void addLast(struct node** head, char * pVFuncName, ULONGLONG Vwhereami) | |
| { | |
| struct node* newNode; | |
| if (!(newNode = (node*)malloc(sizeof(struct node)))) | |
| { | |
| printf("fuckywucky addLast\nif (!(newNode = (node*)malloc(sizeof(struct node))))"); | |
| exit(1); | |
| } | |
| int res = strcpy_s(newNode->FuncName, _MAX_PATH, pVFuncName); | |
| newNode->whereami = Vwhereami; | |
| newNode->next = NULL; | |
| //if head is NULL, it is an empty list | |
| if (*head == NULL) | |
| *head = newNode; | |
| else | |
| { | |
| struct node* lastNode = *head; | |
| while (lastNode->next != NULL) | |
| { | |
| lastNode = lastNode->next; | |
| } | |
| lastNode->next = newNode; | |
| } | |
| } | |
| void printList(struct node* head) | |
| { | |
| struct node* temp = head; | |
| while (temp != NULL) | |
| { | |
| printf("%s->", temp->FuncName); | |
| printf("%llu->", temp->whereami); | |
| temp = temp->next; | |
| } | |
| printf("NULL\n"); | |
| } | |
| void main(int argc, char* argv[]) | |
| { | |
| PIMAGE_DOS_HEADER pIDH; | |
| PIMAGE_NT_HEADERS pINH; | |
| PIMAGE_OPTIONAL_HEADER pOH; | |
| PIMAGE_DATA_DIRECTORY pDD; | |
| DWORD* pEAT, pFuncNameTbl; | |
| WORD* pHintsTbl; | |
| PIMAGE_EXPORT_DIRECTORY pIED; | |
| PVOID dllBase; | |
| ULONG i; | |
| LPCWSTR mod; | |
| char* mod2, sTmpFuncName; | |
| void* arrVeeAyy; | |
| mod2 = "kernelbase.dll"; | |
| if ((dllBase = GetModuleHandle(mod2)) == NULL) | |
| { | |
| printf("Failed if ((dllBase = GetModuleHandle(mod)) == NULL)"); | |
| exit(1); | |
| } | |
| else | |
| { | |
| if ((pIDH = (PIMAGE_DOS_HEADER)dllBase)->e_magic != IMAGE_DOS_SIGNATURE) | |
| { | |
| printf("if ((pIDH = (PIMAGE_DOS_HEADER)dllBase)->e_magic != IMAGE_DOS_SIGNATURE)"); | |
| exit(1); | |
| } | |
| else | |
| { | |
| if ((pINH = (IMAGE_NT_HEADERS*)((ULONGLONG)(dllBase)+pIDH->e_lfanew))->Signature != IMAGE_NT_SIGNATURE) | |
| { | |
| printf("if ((pINH = (IMAGE_NT_HEADERS*)((ULONGLONG)(dllBase)+pIDH->e_lfanew))->Signature != IMAGE_NT_SIGNATURE)"); | |
| exit(1); | |
| } | |
| else | |
| { | |
| pOH = &pINH->OptionalHeader; | |
| pDD = (IMAGE_DATA_DIRECTORY*)(&pOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); | |
| pIED = (IMAGE_EXPORT_DIRECTORY*)((ULONGLONG)dllBase + pDD->VirtualAddress); | |
| pEAT = (DWORD*)((ULONGLONG)dllBase + pIED->AddressOfFunctions); | |
| pFuncNameTbl = (DWORD*)((ULONGLONG)dllBase + pIED->AddressOfNames); | |
| pHintsTbl = (WORD*)((ULONGLONG)dllBase + pIED->AddressOfNameOrdinals); | |
| arrVeeAyy = NULL; | |
| struct node* head = NULL; | |
| for (i = 0; i < pIED->NumberOfNames; i++) | |
| { | |
| sTmpFuncName = (char*)dllBase + (DWORD_PTR)pFuncNameTbl[i]; | |
| arrVeeAyy = (FARPROC)((DWORD_PTR)pEAT[pHintsTbl[i]]); | |
| addLast(&head, sTmpFuncName, (ULONGLONG)arrVeeAyy); | |
| } | |
| printList(head); | |
| insertSort(&head); | |
| printf("\n\n\n\n"); | |
| printList(head); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment