/*!
*
* Exploit
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
*
!*/
#include "Common.h"
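/*!
 *
 * Purpose:
 *
 * Locates an export in a PE.
 *
 * Walks the export directory of the image at Image and
 * compares the hash of every exported name against Hash.
 * On the first match, the name's ordinal is used to index
 * the function table and the resulting address is returned.
 * Returns NULL when Image is NULL, when the image has no
 * export directory, when no name matches, or when the
 * matched ordinal is outside the function table.
 *
 * Every RVA is added directly to Image, so Image has to be
 * the base of a mapped image, not a raw file buffer.
 *
 * NOTE(review): the DOS / NT header signatures and the
 * export directory size are not validated; a malformed or
 * attacker-supplied image can still drive reads outside
 * the mapping. Only hand this routine images that are
 * already trusted and mapped.
 *
 * NOTE(review): forwarded exports are not detected. For a
 * forwarder the function table RVA points at a string in
 * the export directory, not at code - confirm callers
 * never resolve a forwarded name.
 *
 * NOTE(review): names are matched by hash only, so no API
 * name appears as a string at the call site. Anyone who is
 * analysing this code needs the HashString algorithm to map
 * a hash back to an export name.
 *
!*/
D_SEC( E ) PVOID PeGetFuncEat( _In_ PVOID Image, _In_ UINT32 Hash )
{
    UINT32                  Idx = 0;
    PUINT16                 Aoo = NULL;
    PUINT32                 Aof = NULL;
    PUINT32                 Aon = NULL;
    PIMAGE_DOS_HEADER       Dos = NULL;
    PIMAGE_NT_HEADERS       Nth = NULL;
    PIMAGE_DATA_DIRECTORY   Dir = NULL;
    PIMAGE_EXPORT_DIRECTORY Exp = NULL;

    /* Nothing to parse: avoid dereferencing a NULL base */
    if ( Image == NULL ) {
        return NULL;
    }

    Dos = C_PTR( Image );
    Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew );
    Dir = & Nth->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

    /* An RVA of zero means the image exports nothing */
    if ( ! Dir->VirtualAddress ) {
        return NULL;
    }

    Exp = C_PTR( U_PTR( Dos ) + Dir->VirtualAddress );
    Aon = C_PTR( U_PTR( Dos ) + Exp->AddressOfNames );
    Aof = C_PTR( U_PTR( Dos ) + Exp->AddressOfFunctions );
    Aoo = C_PTR( U_PTR( Dos ) + Exp->AddressOfNameOrdinals );

    for ( Idx = 0 ; Idx < Exp->NumberOfNames ; ++Idx ) {
        /* Second argument is passed as 0; presumably "treat as a
         * NUL-terminated string" - confirm against HashString */
        if ( HashString( C_PTR( U_PTR( Dos ) + Aon[ Idx ] ), 0 ) != Hash ) {
            continue;
        }

        /* The ordinal indexes the function table; reject a value
         * past its end instead of reading beyond the table */
        if ( Aoo[ Idx ] >= Exp->NumberOfFunctions ) {
            return NULL;
        }

        return C_PTR( U_PTR( Dos ) + Aof[ Aoo[ Idx ] ] );
    }

    return NULL;
}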