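/* Header names reconstructed from the APIs used below. */
#include <windows.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define warn(msg, ...) printf("[!] - " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] - " msg "\n", ##__VA_ARGS__)
#define done(msg, ...) printf("[+] - " msg "\n", ##__VA_ARGS__)

/*
 * Walks the export address table (EAT) of the kernel32 module already loaded
 * in this process and prints the export entry for LoadLibraryA.
 *
 * Every header field read here comes from an in-memory PE image, so each one
 * is checked before it is used as an offset or an index: DOS/NT signatures,
 * the optional-header magic (the code reads the 64-bit layout), the presence
 * of an export directory, and the ordinal against NumberOfFunctions.
 *
 * Analysis note: a function located this way does not appear in the
 * program's own import table, so import-based triage does not show the
 * dependency.
 *
 * Returns EXIT_SUCCESS when the export is found, EXIT_FAILURE otherwise.
 */
int main(void)
{
    /* Use the ANSI entry point explicitly: the argument is a narrow string,
     * which would be wrong for GetModuleHandleW in a UNICODE build. */
    HMODULE module = GetModuleHandleA("kernel32");
    if (module == NULL) {
        warn("GetModuleHandle failed (error %lu)", (unsigned long)GetLastError());
        return EXIT_FAILURE;
    }
    uintptr_t baseAddressKernel32 = (uintptr_t)module;

    // Creating the chain to retrieve the EAT from the base address
    // dos header -> nt headers -> optional header -> data directories -> directory entry export
    PIMAGE_DOS_HEADER dosHeaders = (PIMAGE_DOS_HEADER)baseAddressKernel32;
    if (dosHeaders->e_magic != IMAGE_DOS_SIGNATURE || dosHeaders->e_lfanew <= 0) {
        warn("Module does not start with a valid DOS header");
        return EXIT_FAILURE;
    }

    PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(baseAddressKernel32 + dosHeaders->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE ||
        ntHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        /* The 64-bit header layout is assumed below; a PE32 image would be misparsed. */
        warn("Module is not a PE32+ (64-bit) image");
        return EXIT_FAILURE;
    }

    if (ntHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT) {
        warn("Image has no export data directory slot");
        return EXIT_FAILURE;
    }

    IMAGE_DATA_DIRECTORY exportDataDirectory =
        ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory.VirtualAddress == 0 || exportDataDirectory.Size == 0) {
        warn("Image has an empty export directory");
        return EXIT_FAILURE;
    }

    uintptr_t exportDirectoryAddr = baseAddressKernel32 + exportDataDirectory.VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)exportDirectoryAddr;

    /* Cast explicitly so the argument width matches %llx on every build. */
    info("Base address @ 0x%llx", (unsigned long long)baseAddressKernel32);
    info("Export directory @ 0x%llx", (unsigned long long)(uintptr_t)exportDirectory);
    // info("DLL name: %s", (const char *)(baseAddressKernel32 + exportDirectory->Name));

    /* All three tables hold RVAs / indices relative to the module base. */
    DWORD *exportNameTable = (DWORD *)(baseAddressKernel32 + exportDirectory->AddressOfNames);
    DWORD *exportAddressTable = (DWORD *)(baseAddressKernel32 + exportDirectory->AddressOfFunctions);
    WORD *exportOrdinalTable = (WORD *)(baseAddressKernel32 + exportDirectory->AddressOfNameOrdinals);

    info("Export name table @ 0x%llx", (unsigned long long)(uintptr_t)exportNameTable);
    info("Export address table @ 0x%llx", (unsigned long long)(uintptr_t)exportAddressTable);
    info("Export ordinal table @ 0x%llx", (unsigned long long)(uintptr_t)exportOrdinalTable);

    /* An RVA inside the export directory itself is a forwarder string
     * ("OTHERDLL.Function"), not code. */
    DWORD exportDirStart = exportDataDirectory.VirtualAddress;
    DWORD exportDirEnd = exportDirStart + exportDataDirectory.Size;

    int found = 0;
    for (DWORD i = 0; i < exportDirectory->NumberOfNames; i++) {
        const char *currName = (const char *)(baseAddressKernel32 + exportNameTable[i]);

        /* Exact match: a 12-byte prefix compare would also accept any longer
         * name that merely starts with "LoadLibraryA". */
        if (strcmp(currName, "LoadLibraryA") != 0) {
            continue;
        }

        /* The name-ordinal entry indexes the address table; reject it if it
         * points past the end of that table. */
        WORD currOrd = exportOrdinalTable[i];
        if (currOrd >= exportDirectory->NumberOfFunctions) {
            warn("Ordinal %u for %s is outside the address table", (unsigned)currOrd, currName);
            return EXIT_FAILURE;
        }

        DWORD currRva = exportAddressTable[currOrd];
        if (currRva >= exportDirStart && currRva < exportDirEnd) {
            warn("%s is a forwarded export: %s", currName,
                 (const char *)(baseAddressKernel32 + currRva));
        }

        printf("[i] export %lu/%lu: %s offset: %llx\n",
               (unsigned long)i,
               (unsigned long)exportDirectory->NumberOfNames,
               currName,
               (unsigned long long)currRva);
        found = 1;
        break;
    }

    if (!found) {
        warn("LoadLibraryA not found in the export name table");
        return EXIT_FAILURE;
    }

    return EXIT_SUCCESS;
}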