196 lines
6.3 KiB
C
196 lines
6.3 KiB
C
#if !defined(__PEINLINE_H__) /* { */
|
|
#define __PEINLINE_H__
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
//#include "PEFile.h"
|
|
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
#if defined(__cplusplus)
|
|
extern "C" {
|
|
#endif
|
|
|
|
#define IDS_ERRBADFILENAME 1000
|
|
#define IDR_CURSOR 1
|
|
#define IDR_BITMAP 2
|
|
#define IDR_ICON 3
|
|
#define IDR_MENU 4
|
|
#define IDR_DIALOG 5
|
|
#define IDR_STRING 6
|
|
#define IDR_FONTDIR 7
|
|
#define IDR_FONT 8
|
|
#define IDR_ACCELERATOR 9
|
|
#define IDR_RCDATA 10
|
|
#define IDR_MESSAGETABLE 11
|
|
|
|
#define SIZE_OF_NT_SIGNATURE sizeof (DWORD)
|
|
#define MAXRESOURCENAME 13
|
|
|
|
/* global macros to define header offsets into file */
|
|
/* offset to PE file signature */
|
|
#define NTSIGNATURE(a) ((LPVOID)((BYTE *)a + \
|
|
((PIMAGE_DOS_HEADER)a)->e_lfanew))
|
|
|
|
/* DOS header identifies the NT PEFile signature dword
|
|
the PEFILE header exists just after that dword */
|
|
#define PEFHDROFFSET(a) ((LPVOID)((BYTE *)a + \
|
|
((PIMAGE_DOS_HEADER)a)->e_lfanew + \
|
|
SIZE_OF_NT_SIGNATURE))
|
|
|
|
/* PE optional header is immediately after PEFile header */
|
|
#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a + \
|
|
((PIMAGE_DOS_HEADER)a)->e_lfanew + \
|
|
SIZE_OF_NT_SIGNATURE + \
|
|
sizeof (IMAGE_FILE_HEADER)))
|
|
|
|
/* section headers are immediately after PE optional header */
|
|
#define SECHDROFFSET(a) ((LPVOID)((BYTE *)a + \
|
|
((PIMAGE_DOS_HEADER)a)->e_lfanew + \
|
|
SIZE_OF_NT_SIGNATURE + \
|
|
sizeof (IMAGE_FILE_HEADER) + \
|
|
sizeof (IMAGE_OPTIONAL_HEADER)))
|
|
|
|
|
|
typedef struct tagImportDirectory
|
|
{
|
|
DWORD dwRVAFunctionNameList;
|
|
DWORD dwUseless1;
|
|
DWORD dwUseless2;
|
|
DWORD dwRVAModuleName;
|
|
DWORD dwRVAFunctionAddressList;
|
|
}IMAGE_IMPORT_MODULE_DIRECTORY, * PIMAGE_IMPORT_MODULE_DIRECTORY;
|
|
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
__inline int __cdecl StringCompareToCryptKey(const char * src,const char * dst)/**/
|
|
{
|
|
int ret = 0 ;
|
|
long lKey = *(long*)(dst);
|
|
unsigned char *p_ucCryptKey = (unsigned char*) &lKey;
|
|
unsigned char ucSize = (unsigned char)dst [4];
|
|
unsigned char ucIndex;
|
|
unsigned char ucUncoded;
|
|
|
|
dst += 5;
|
|
for (ucIndex = 0 ; ucIndex < ucSize ; ucIndex++)
|
|
{
|
|
// uncode dst char
|
|
ucUncoded = (*(unsigned char *)dst++ - p_ucCryptKey[0]) ^ p_ucCryptKey[1];
|
|
p_ucCryptKey[0] += p_ucCryptKey[2];
|
|
p_ucCryptKey[1] += p_ucCryptKey[3];
|
|
|
|
// compare
|
|
ret = *(unsigned char *)src++ - ucUncoded;
|
|
if(ret) break;
|
|
}
|
|
|
|
if ( ret < 0 ) ret = -1 ;
|
|
else if ( ret > 0 ) ret = 1 ;
|
|
return( ret );
|
|
}
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
__inline DWORD dwInternalGetImportedFunctionEntry(DWORD dwImageBase,PIMAGE_IMPORT_MODULE_DIRECTORY pid,LPCSTR lpProcName)
|
|
{
|
|
char *lpBuffer=(char*) dwImageBase;
|
|
if ( (lpBuffer) && (pid) )
|
|
{
|
|
// walk through import table name list (DLL)
|
|
while(pid->dwRVAFunctionNameList)
|
|
{
|
|
char *DllNamePtr=(char*) &lpBuffer[pid->dwRVAModuleName];
|
|
DWORD dwRVAFunctionNameList=pid->dwRVAFunctionNameList;
|
|
DWORD dwRVAFunctionAddressList=pid->dwRVAFunctionAddressList;
|
|
DWORD *FunctionNamePtr=(DWORD*) &lpBuffer[dwRVAFunctionNameList];
|
|
DWORD *FunctionAdressPtr=(DWORD*) &lpBuffer[dwRVAFunctionAddressList];
|
|
|
|
// walk through DLL func
|
|
while(*FunctionNamePtr)
|
|
{
|
|
// ordinal or not ?
|
|
if (!IMAGE_SNAP_BY_ORDINAL(*FunctionNamePtr))
|
|
{
|
|
PIMAGE_IMPORT_BY_NAME ImportPtr=(PIMAGE_IMPORT_BY_NAME) &lpBuffer[*FunctionNamePtr];
|
|
WORD Hint=ImportPtr->Hint;
|
|
char *NamePtr=(char*) &ImportPtr->Name[0];
|
|
|
|
//if (!StringCompare(NamePtr,lpProcName))
|
|
if (!StringCompareToCryptKey(NamePtr,lpProcName))
|
|
{
|
|
// found what we want
|
|
return((DWORD) FunctionAdressPtr);
|
|
}
|
|
}
|
|
FunctionNamePtr++;
|
|
FunctionAdressPtr++;
|
|
}
|
|
pid++;
|
|
}
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
__inline DWORD dwGetImportedFunctionEntryFromImageBase(DWORD dwImageBase,LPCSTR lpProcName)/**/
|
|
{
|
|
char *lpBuffer=(char*) dwImageBase;
|
|
PIMAGE_OPTIONAL_HEADER pPEOptionalHeader=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(lpBuffer);
|
|
DWORD ImportTableRVA=pPEOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
|
|
if (ImportTableRVA)
|
|
{
|
|
PIMAGE_IMPORT_MODULE_DIRECTORY pid=(PIMAGE_IMPORT_MODULE_DIRECTORY) &lpBuffer[ImportTableRVA];
|
|
return(dwInternalGetImportedFunctionEntry(dwImageBase,pid,lpProcName));
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
__inline
|
|
DWORD dwGetInternalExportedFunctionEntry(DWORD dwImageBase,PIMAGE_EXPORT_DIRECTORY ped,LPCSTR lpProcName)/**/
|
|
{
|
|
char *lpBuffer=(char*) dwImageBase;
|
|
if ( (lpBuffer) && (ped) )
|
|
{
|
|
DWORD *FunctionNamePtr=(DWORD*) &lpBuffer[(DWORD)ped->AddressOfNames];
|
|
DWORD *FunctionAdressPtr=(DWORD*) &lpBuffer[(DWORD)ped->AddressOfFunctions];
|
|
WORD *FunctionOrdinalPtr=(WORD*) &lpBuffer[(DWORD)ped->AddressOfNameOrdinals];
|
|
int i;
|
|
for (i=0; i<(int)ped->NumberOfNames; i++)
|
|
{
|
|
char *NamePtr=(char*) &lpBuffer[*FunctionNamePtr];
|
|
DWORD AddrPtr=*(FunctionAdressPtr + *FunctionOrdinalPtr);
|
|
//if (!StringCompare(NamePtr,lpProcName))
|
|
if (!StringCompareToCryptKey(NamePtr,lpProcName))
|
|
{
|
|
return(AddrPtr);
|
|
}
|
|
FunctionNamePtr++;
|
|
FunctionOrdinalPtr++;
|
|
}
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
__inline DWORD dwGetExportedFunctionEntryFromImageBase(DWORD dwImageBase,LPCSTR lpProcName)/**/
|
|
{
|
|
char *lpBuffer=(char*) dwImageBase;
|
|
PIMAGE_OPTIONAL_HEADER pPEOptionalHeader=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(lpBuffer);
|
|
DWORD ExportTableRVA=pPEOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
|
|
if (ExportTableRVA)
|
|
{
|
|
PIMAGE_EXPORT_DIRECTORY ped=(PIMAGE_EXPORT_DIRECTORY) &lpBuffer[ExportTableRVA];
|
|
return(dwGetInternalExportedFunctionEntry(dwImageBase,ped,lpProcName));
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
#if defined(__cplusplus)
|
|
}
|
|
#endif
|
|
|
|
/* -------------------------------------------------------------------------------------------- */
|
|
#endif /* __PEINLINE_H__ } */
|
|
|