[Help]Externally listing functions in the IAT.
Sup. I wanted to list the functions in the IAT (import address table) of another process without having to inject a module into it, so I wrote this. |:
Anyway, it's extremely messy and probably inefficient; I had to use ReadProcessMemory quite a bit to achieve what I wanted. Anyway, it works...
Here ya' go, I tested it using calculator, as you can see.
[highlight=cpp]
#include <windows.h>
#include <iostream>
#include <tlhelp32.h>
using namespace std;
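// Reads exactly `size` bytes at `address` in the target process into `buffer`.
// Returns false on any failure or short read, so callers never parse a
// partially filled structure.
static bool ReadRemote(HANDLE process, ULONG_PTR address, void* buffer, SIZE_T size)
{
    SIZE_T bytesRead = 0;
    return ReadProcessMemory(process, reinterpret_cast<LPCVOID>(address), buffer, size, &bytesRead) != 0
        && bytesRead == size;
}

// Copies a NUL-terminated string from the target process into `out`.
// `out` is always NUL-terminated on return (when capacity > 0), so printing it
// can never run past the buffer. Returns false if not even one byte was readable.
static bool ReadRemoteString(HANDLE process, ULONG_PTR address, char* out, SIZE_T capacity)
{
    if (capacity == 0)
        return false;

    // Fast path: the whole window is readable in one call.
    if (ReadRemote(process, address, out, capacity - 1))
    {
        out[capacity - 1] = '\0';
        return true;
    }

    // Slow path: the string may end just before an unreadable region, which
    // makes the bulk read fail. Walk it byte by byte up to the terminator.
    SIZE_T i = 0;
    for (; i + 1 < capacity; ++i)
    {
        if (!ReadRemote(process, address + i, &out[i], 1))
            break;
        if (out[i] == '\0')
            return true;
    }
    out[i] = '\0';
    return i != 0;
}

// Walks the import directory of the image mapped at `base` in `process` and
// prints every imported module followed by its imported functions.
// Everything read here comes from the target's memory and is treated as
// untrusted: signatures are verified, RVAs are checked against SizeOfImage,
// and both loops are capped so a malformed table cannot spin forever.
static void DumpImports(HANDLE process, ULONG_PTR base)
{
    const DWORD kMaxDescriptors = 4096;       // sanity cap on imported modules
    const DWORD kMaxThunksPerModule = 65536;  // sanity cap on functions per module

    // DOS header: check the "MZ" magic before trusting e_lfanew.
    IMAGE_DOS_HEADER dos = {};
    if (!ReadRemote(process, base, &dos, sizeof(dos)) ||
        dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew <= 0)
    {
        std::cerr << "Module base does not hold a valid DOS header" << std::endl;
        return;
    }

    // NT headers: IMAGE_NT_HEADERS matches the bitness this tool was built
    // for, so a target of the other bitness is rejected via the Magic field
    // instead of being parsed with the wrong layout.
    IMAGE_NT_HEADERS nt = {};
    if (!ReadRemote(process, base + static_cast<ULONG_PTR>(dos.e_lfanew), &nt, sizeof(nt)) ||
        nt.Signature != IMAGE_NT_SIGNATURE ||
        nt.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
    {
        std::cerr << "Invalid PE header, or target bitness differs from this build" << std::endl;
        return;
    }

    const DWORD imageSize = nt.OptionalHeader.SizeOfImage;
    if (nt.OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
    {
        std::cout << "Image has no import directory" << std::endl;
        return;
    }
    const DWORD importRva = nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0 || importRva >= imageSize)
    {
        std::cout << "Image has no import directory" << std::endl;
        return;
    }

    for (DWORD d = 0; d < kMaxDescriptors; ++d)
    {
        IMAGE_IMPORT_DESCRIPTOR desc = {};
        if (!ReadRemote(process, base + importRva + d * sizeof(desc), &desc, sizeof(desc)))
        {
            std::cerr << "Failed to read import descriptor " << std::dec << d << std::endl;
            return;
        }
        if (desc.FirstThunk == 0)
            break;  // zeroed descriptor terminates the table

        char modName[MAX_PATH];
        if (desc.Name >= imageSize ||
            !ReadRemoteString(process, base + desc.Name, modName, sizeof(modName)))
        {
            std::cout << "\n\n" << "<unreadable module name>" << "\n\n" << std::endl;
        }
        else
        {
            std::cout << "\n\n" << modName << "\n\n" << std::endl;
        }

        // The names live in the import lookup table (OriginalFirstThunk).
        // FirstThunk has been overwritten with resolved addresses by the
        // loader, so it cannot be used as a fallback in a running process.
        if (desc.OriginalFirstThunk == 0 || desc.OriginalFirstThunk >= imageSize)
        {
            std::cout << "<no import lookup table; names unavailable>" << std::endl;
            continue;
        }

        for (DWORD t = 0; t < kMaxThunksPerModule; ++t)
        {
            IMAGE_THUNK_DATA thunk = {};
            if (!ReadRemote(process, base + desc.OriginalFirstThunk + t * sizeof(thunk),
                            &thunk, sizeof(thunk)))
                break;
            if (thunk.u1.AddressOfData == 0)
                break;  // zero thunk terminates the list

            // Imports by ordinal carry no name; the low 16 bits are the ordinal.
            if (IMAGE_SNAP_BY_ORDINAL(thunk.u1.Ordinal))
            {
                std::cout << "Ordinal " << std::dec << IMAGE_ORDINAL(thunk.u1.Ordinal) << std::endl;
                continue;
            }

            // AddressOfData is the RVA of an IMAGE_IMPORT_BY_NAME: a WORD
            // hint followed by the NUL-terminated function name.
            char funcName[512];
            if (thunk.u1.AddressOfData >= imageSize ||
                !ReadRemoteString(process,
                                  base + static_cast<ULONG_PTR>(thunk.u1.AddressOfData) + sizeof(WORD),
                                  funcName, sizeof(funcName)))
            {
                std::cout << "<unreadable function name>" << std::endl;
            }
            else
            {
                std::cout << funcName << std::endl;
            }
        }
    }
}

// Prints the imports of the main executable module of process `processid`
// by reading its PE headers with ReadProcessMemory (no code is injected).
// Prints the module base and name first, then one section per imported DLL.
// Failures (process not found, access denied, malformed headers) are
// reported on std::cerr and the function returns without printing imports.
// NOTE(review): comparing szExeFile with szModule via strcmp assumes an ANSI
// (non-UNICODE) build, as the original code did.
void DisplayIAT(unsigned long processid)
{
    // Locate the process entry to learn the executable's file name.
    // Only the process list is needed, so request just that snapshot.
    PROCESSENTRY32 procEnt = {};
    procEnt.dwSize = sizeof(procEnt);
    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (procSnap == INVALID_HANDLE_VALUE)
    {
        std::cerr << "CreateToolhelp32Snapshot(process) failed: " << GetLastError() << std::endl;
        return;
    }
    bool processFound = false;
    if (Process32First(procSnap, &procEnt))
    {
        do
        {
            if (procEnt.th32ProcessID == processid)
            {
                processFound = true;
                break;
            }
        } while (Process32Next(procSnap, &procEnt));
    }
    CloseHandle(procSnap);
    if (!processFound)
    {
        std::cerr << "Process " << processid << " not found" << std::endl;
        return;
    }

    // Find the module whose name matches the executable to get its base.
    MODULEENTRY32 modEnt = {};
    modEnt.dwSize = sizeof(modEnt);
    HANDLE modSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processid);
    if (modSnap == INVALID_HANDLE_VALUE)
    {
        std::cerr << "CreateToolhelp32Snapshot(module) failed: " << GetLastError() << std::endl;
        return;
    }
    HMODULE hMod = NULL;
    if (Module32First(modSnap, &modEnt))
    {
        do
        {
            if (strcmp(procEnt.szExeFile, modEnt.szModule) == 0)
            {
                hMod = modEnt.hModule;
                break;
            }
        } while (Module32Next(modSnap, &modEnt));
    }
    CloseHandle(modSnap);
    if (hMod == NULL)
    {
        std::cerr << "Main module of process " << processid << " not found" << std::endl;
        return;
    }

    // Print the base as a pointer; casting it to int truncates on 64-bit.
    std::cout << static_cast<void*>(hMod) << std::endl;
    std::cout << modEnt.szModule << std::endl;

    // Least privilege: reading memory needs PROCESS_VM_READ only.
    HANDLE process = OpenProcess(PROCESS_VM_READ, FALSE, processid);
    if (process == NULL)
    {
        std::cerr << "OpenProcess failed: " << GetLastError() << std::endl;
        return;
    }

    DumpImports(process, reinterpret_cast<ULONG_PTR>(hMod));
    CloseHandle(process);
}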
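// Demo entry point: finds the window titled "Calculator", resolves the
// process that owns it and prints that process's imports.
// Returns 0 on success, 1 if the window or its process id cannot be found.
int main()
{
    int exitCode = 0;

    // The ANSI variant is named explicitly because the title is a narrow literal.
    HWND hwnd = FindWindowA(NULL, "Calculator");
    DWORD pid = 0;
    if (hwnd != NULL)
        GetWindowThreadProcessId(hwnd, &pid);

    if (hwnd == NULL || pid == 0)
    {
        // Without this check an uninitialized pid would be passed on.
        std::cerr << "Could not find a window titled \"Calculator\"" << std::endl;
        exitCode = 1;
    }
    else
    {
        DisplayIAT(pid);
    }

    // Keep the console open until the user presses Enter.
    std::cin.get();
    return exitCode;
}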
[/highlight]
Yep.
