[Help]Externally listing functions in the IAT.

[Void]

Sup, so I wanted to list the functions in the IAT of another process without having to inject a module into it so I decided to do this. |:

Anyway, it's extremely messy and probably inefficient, I had to use ReadProcessMemory quite a bit to achieve what I wanted, anyways, it works...

Here ya' go, I tested it using calculator, as you can see.

[highlight=cpp]
#include <windows.h>
#include <iostream>
#include <tlhelp32.h>

using namespace std;

void DisplayIAT(unsigned long processid)
{
PROCESSENTRY32 ProcEnt;
ProcEnt.dwSize = sizeof( PROCESSENTRY32 );

HANDLE Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);


Process32First(Snapshot,&ProcEnt);

do {
if(ProcEnt.th32ProcessID == processid)
{
break;
}
}while(Process32Next(Snapshot,&ProcEnt));

MODULEENTRY32 ModEnt;
ModEnt.dwSize = sizeof( MODULEENTRY32 );

HMODULE hMod;
HANDLE Snapshot1 = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcEnt .th32ProcessID);

Module32First(Snapshot1,&ModEnt);
do {
if( strcmp(ProcEnt.szExeFile,ModEnt.szModule) == 0 )
{
hMod = ModEnt.hModule;
break;
}
}while(Module32Next(Snapshot1,&ModEnt));

cout << hex << (int)hMod << endl;
cout << ModEnt.szModule << endl;

HANDLE handle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ,0,ProcEnt.th32ProcessID);

unsigned char* temp;

//DOS
IMAGE_DOS_HEADER* pDos;
temp = new unsigned char[sizeof(IMAGE_DOS_HEADER)];
ReadProcessMemory(handle,(LPVOID)hMod,(LPVOID)temp ,sizeof(IMAGE_DOS_HEADER),0);
pDos = (IMAGE_DOS_HEADER*)temp;
temp = 0;

//HEADER
IMAGE_OPTIONAL_HEADER* pHeader;
temp = new unsigned char[sizeof(IMAGE_OPTIONAL_HEADER)];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pDos->e_lfanew + 24 ),(LPVOID)temp,sizeof(IMAGE_OPTIONAL_HEADER),0);
pHeader = (IMAGE_OPTIONAL_HEADER*)temp;
temp = 0;

//DESCRIPTOR
IMAGE_IMPORT_DESCRIPTOR* pDescriptor;
temp = new unsigned char[sizeof(IMAGE_IMPORT_DESCRIPTOR)];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress ),(LPVOID)temp,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
pDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)temp;
temp = 0;

int i = 0;
while( pDescriptor->FirstThunk )
{
IMAGE_THUNK_DATA* pThunk;
temp = new unsigned char[sizeof(IMAGE_THUNK_DATA)];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pDescriptor->OriginalFirstThunk ),(LPVOID)temp,sizeof(IMAGE_THUNK_DATA),0);
pThunk = (IMAGE_THUNK_DATA*)temp;
temp = 0;

i+= sizeof(IMAGE_IMPORT_DESCRIPTOR);

char modName[24];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pDescriptor->Name ),modName,24,0);
cout << "\n\n" << modName << "\n\n" << endl;

int n = 0;
while(pThunk->u1.Function)
{
n+=4;

char funcName[100];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + (DWORD)pThunk->u1.AddressOfData + 2 ),funcName,100,0);

temp = new unsigned char[sizeof(IMAGE_THUNK_DATA)];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pDescriptor->OriginalFirstThunk + n ),(LPVOID)temp,sizeof(IMAGE_THUNK_DATA),0);
pThunk = (IMAGE_THUNK_DATA*)temp;
temp = 0;

cout << funcName << endl;
}

temp = new unsigned char[sizeof(IMAGE_IMPORT_DESCRIPTOR)];
ReadProcessMemory(handle,(LPVOID)( (BYTE*)hMod + pHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + i),(LPVOID)temp,sizeof(IMAGE_IMPORT_DESCRIPTOR),0) ;
pDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)temp;
temp = 0;
}

}

int main()
{
DWORD pid;
HWND hwnd = FindWindow(0,"Calculator");
GetWindowThreadProcessId(hwnd,&pid);
DisplayIAT(pid);

cin.get();
}
[/highlight]

Yep.

[zeco]

▓▓▓▓▓▓▓▓▓▓
▓▓▓ -__- ▓▓▓
▓▓▓▓▓▓▓▓▓▓

[why06]

▓▓▓▓▓▓▓▓▓▓
▓▓▓ -__- ▓▓▓
▓▓▓▓▓▓▓▓▓▓

Jon said it best. (though Im not sure what he said) I didn't know they had structures for those image structures in the WinAPI. But everything looks right to me, you even used e_lfanew. Looks like u did your homework. Good job.

[zeco]

Jon said it best. (though Im not sure what he said) I didn't know they had structures for those image structures in the WinAPI. But everything looks right to me, you even used e_lfanew. Looks like u did your homework. Good job.

Good job shaun. . .It would seem the other 70 people who looked at this were just left utterly speechless in the presence of David's awe inspiring work.

By the way, you like replied to this thread as soon as I clicked it to check it :/ Hax0r

By the, by the way, whats with the awesome new emoticons like onionhead etc.?

P.S. I'm not sure if you can stack by the way like P.S.

[why06]

Good job shaun. . .It would seem the other 70 people who looked at this were just left utterly speechless.

Yeh that's why I said u said it best. Cuz no1 else said anything.

And the emoticons are from when MPGH1 (msn group) spilled over into MPGH. So no the msn and the regular emots are mixed.

Finally I was outta town and just got back this morning, I didn't notice you just posted though. /

[.::SCHiM::.]

Huh?

I didn't know that the pe structure was loaded into memory...
Strange...

[Void]

Good job shaun. . .It would seem the other 70 people who looked at this were just left utterly speechless in the presence of David's awe inspiring work.

By the way, you like replied to this thread as soon as I clicked it to check it :/ Hax0r

By the, by the way, whats with the awesome new emoticons like onionhead etc.?

P.S. I'm not sure if you can stack by the way like P.S.

Mighty zeco has returned.

[why06]

Mighty zeco has returned.

Yes he has.

[zeco]

Yes he has.

No he hasn't.

This is all a phallacy. (misspelling intentional)