05-20-2018, 20:20
dosprog
Then, as I understand it, your program is working fine: it determines that the bytes of the actual function server do not match the bytes in the tracked DLL in the system32 directory?

..
You can import the target function into your program beforehand and make an alias table like this:
;-------------------------------------------------------[ASM]
;; One table entry per tracked import
ECU_TABLE_ITEM STRUC
    RealAddress        dd ?                 ;; Real address
    TargetFunctionName db 30h dup (?), 0    ;; Function name
ECU_TABLE_ITEM ENDS

;; The alias table itself
imp_equ_table:
imp1 ECU_TABLE_ITEM <?, 'ShowWindow'>
imp2 ECU_TABLE_ITEM <?, 'GetModuleHandle'>
;; .....etc.
;-------------------------------------------------------[ASM]

- Further work then refers to this table.



--add--

The PE loader in newer OS versions can emulate an imported function without the original DLL
(for example, kernel32.dll may be absent, but an application that calls kernel32.GetModuleHandleA will work fine).


Last edited by dosprog; 05-21-2018 at 01:28.