/**
*
* Reflective Loader
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
*
**/
#include "Common.h"
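/*!
 *
 * Purpose:
 *
 * Searches the export directory of a PE image for an
 * export whose name hashes to the specified value and
 * returns that export's address.
 *
 * Image: base address of the PE image. Every RVA read
 *        from the headers is added to this base, so the
 *        image is expected to be mapped in memory rather
 *        than laid out as a raw file. The DOS and NT
 *        signatures are not validated here.
 * Hash:  value compared against HashString( Name, 0 )
 *        for each exported name.
 *
 * Returns Image + the function RVA of the first matching
 * name, or NULL when Image is NULL, the image has no
 * export directory, no name matches, or the matching
 * name's ordinal lies outside the function table.
 *
 * NOTE(review): forwarded exports are not resolved. For
 * a forwarder the function RVA refers to a string inside
 * the export directory, so the value returned here is
 * not code; callers have to account for that.
 *
 * NOTE(review): the lookup walks the export table itself
 * and compares hashes, not names. Presumably the APIs
 * resolved this way appear neither as imports nor as
 * plain strings, so import-table review alone will not
 * list them -- confirm against the callers.
 *
!*/
D_SEC( E ) PVOID PeGetFuncEat( _In_ PVOID Image, _In_ ULONG Hash )
{
    ULONG                   Idx = 0;
    ULONG                   Ord = 0;
    PUINT16                 Aoo = NULL;
    PUINT32                 Aof = NULL;
    PUINT32                 Aon = NULL;
    PIMAGE_DOS_HEADER       Hdr = NULL;
    PIMAGE_NT_HEADERS       Nth = NULL;
    PIMAGE_DATA_DIRECTORY   Dir = NULL;
    PIMAGE_EXPORT_DIRECTORY Exp = NULL;

    /* Without a base there are no headers to read */
    if ( Image == NULL ) {
        return NULL;
    }

    Hdr = C_PTR( Image );
    Nth = C_PTR( U_PTR( Hdr ) + Hdr->e_lfanew );
    Dir = & Nth->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

    /* Has a EAT? */
    if ( Dir->VirtualAddress ) {
        Exp = C_PTR( U_PTR( Hdr ) + Dir->VirtualAddress );
        Aon = C_PTR( U_PTR( Hdr ) + Exp->AddressOfNames );
        Aof = C_PTR( U_PTR( Hdr ) + Exp->AddressOfFunctions );
        Aoo = C_PTR( U_PTR( Hdr ) + Exp->AddressOfNameOrdinals );

        /* Enumerate exports */
        for ( Idx = 0 ; Idx < Exp->NumberOfNames ; ++Idx ) {
            /* Create a hash of the string and compare */
            if ( HashString( C_PTR( U_PTR( Hdr ) + Aon[ Idx ] ), 0 ) == Hash ) {
                /* The name's ordinal is the index into the function table */
                Ord = Aoo[ Idx ];

                /* A malformed table must not index past the function array */
                if ( Ord >= Exp->NumberOfFunctions ) {
                    return NULL;
                }
                return C_PTR( U_PTR( Hdr ) + Aof[ Ord ] );
            }
        }
    }
    return NULL;
}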