#2, 02-25-2011, 14:55
Nacho_dj
Since it is a handle in memory, linked to the image base of its module as loaded by the system, you need to:
- Get all processes loaded in memory, retrieving their image base and size, module name, and so on...
- Determine which process the handle belongs to, and thus the module that is exporting it.
- Go through the export table of that module to find the handle (as an RVA), and then get the function name, if it exists in the function names table. The ordinal can always be retrieved.
- If there is forwarding, you should try to find the module that is the origin of the forward, to get the function name inside it.

Cheers

Nacho_dj
__________________
http://arteam.accessroot.com
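The procedure in the post above, as an added example that is not Nacho_dj's code or any tool's: it walks an IMAGE_EXPORT_DIRECTORY to map an absolute address back to module, ordinal, name and forwarder. It assumes the module list (name, base, size) and the module image as mapped in memory have already been collected from the target process, so an RVA is a plain offset into the buffer; the two modules `A.dll` and `B.dll`, their bases and their exports are constructed inline and are not real binaries.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals (40 bytes, little-endian)
EXPORT_DIR_FMT = "<IIHHIIIIIII"

@dataclass
class Export:
    ordinal: int
    rva: int
    name: Optional[str]       # None for ordinal-only exports
    forwarder: Optional[str]  # "DLL.Func" or "DLL.#n" when the slot forwards

@dataclass
class Module:
    name: str
    base: int
    size: int
    image: bytes        # module as mapped in memory, so RVA == offset
    export_rva: int     # export data directory, assumed already located
    export_size: int

def read_cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def parse_exports(m: Module) -> list:
    (_, _, _, _, _, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, m.image, m.export_rva)
    # Names table maps name -> unbiased ordinal (index into the function table).
    names = {}
    for i in range(nnames):
        name_ptr = struct.unpack_from("<I", m.image, names_rva + 4 * i)[0]
        idx = struct.unpack_from("<H", m.image, ords_rva + 2 * i)[0]
        names[idx] = read_cstr(m.image, name_ptr)
    exports = []
    for i in range(nfuncs):
        rva = struct.unpack_from("<I", m.image, funcs_rva + 4 * i)[0]
        if rva == 0:
            continue  # gap in the ordinal range, no export here
        # A function RVA that lands inside the export directory is a forwarder string.
        fwd = read_cstr(m.image, rva) if m.export_rva <= rva < m.export_rva + m.export_size else None
        exports.append(Export(base + i, rva, names.get(i), fwd))
    return exports

def find_module(modules, addr: int) -> Optional[Module]:
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def resolve(modules, addr: int):
    """(module, ordinal, name) for an address, or None when no module contains it.
    Ordinal/name are None when the address is inside the module but is not an entry point."""
    m = find_module(modules, addr)
    if m is None:
        return None
    rva = addr - m.base
    for e in parse_exports(m):
        if e.rva == rva and e.forwarder is None:
            return (m.name, e.ordinal, e.name)
    return (m.name, None, None)

def forwarders_to(modules, target_module: str, name: Optional[str] = None, ordinal=None):
    """Exports in other modules that forward to target_module!name (or #ordinal)."""
    stem = target_module.rsplit(".", 1)[0].lower()
    wanted = set()
    if name:
        wanted.add(f"{stem}.{name}".lower())
    if ordinal is not None:
        wanted.add(f"{stem}.#{ordinal}")
    return [(m.name, e.name or f"#{e.ordinal}") for m in modules
            for e in parse_exports(m) if e.forwarder and e.forwarder.lower() in wanted]

def build_image(spec, export_rva=0x1000, image_size=0x3000, ordinal_base=1):
    """Constructed test image: spec is [(name_or_None, rva_or_forwarder_string)]."""
    n = len(spec)
    funcs_off, names_off = export_rva + 40, export_rva + 40 + 4 * n
    ords_off, pool_off = names_off + 4 * n, names_off + 6 * n
    pool = bytearray()
    def add_str(s):
        off = pool_off + len(pool)
        pool.extend(s.encode("ascii") + b"\0")
        return off
    funcs, names, ords = [], [], []
    for i, (name, target) in enumerate(spec):
        funcs.append(add_str(target) if isinstance(target, str) else target)
        if name is not None:
            names.append(add_str(name))
            ords.append(i)
    dll_name = add_str("IMG.DLL")
    export_size = pool_off + len(pool) - export_rva  # covers the string pool, so forwarders are detected
    img = bytearray(image_size)
    struct.pack_into(EXPORT_DIR_FMT, img, export_rva, 0, 0, 0, 0, dll_name, ordinal_base,
                     n, len(names), funcs_off, names_off, ords_off)
    struct.pack_into("<%dI" % n, img, funcs_off, *funcs)
    struct.pack_into("<%dI" % len(names), img, names_off, *names)
    struct.pack_into("<%dH" % len(ords), img, ords_off, *ords)
    img[pool_off:pool_off + len(pool)] = pool
    return bytes(img), export_rva, export_size

# Constructed module list: A.dll!Thing forwards to B.dll!RtlThing; B.dll also has an ordinal-only export.
img_a, rva_a, size_a = build_image([("Thing", "B.RtlThing")])
img_b, rva_b, size_b = build_image([("RtlThing", 0x2000), (None, 0x2010)])
MODULES = [Module("A.dll", 0x10000000, len(img_a), img_a, rva_a, size_a),
           Module("B.dll", 0x7FF00000, len(img_b), img_b, rva_b, size_b)]

if __name__ == "__main__":
    for addr in (0x7FF00000 + 0x2000, 0x7FF00000 + 0x2010, 0x7FF00000 + 0x2020, 0x1234):
        print(hex(addr), resolve(MODULES, addr))
    print("forwarded as:", forwarders_to(MODULES, "B.dll", "RtlThing"))
```

`resolve` answers the first three steps of the post; `forwarders_to` covers the last one from the other direction: once the address is known to be `B.dll!RtlThing`, it reports which exports elsewhere (here `A.dll!Thing`) are only forwarders to it, which is the name a caller would actually have asked for.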