Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Get APi from the address
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #14  
Old 02-28-2011, 14:38
BoB's Avatar
BoB BoB is offline
Lo*eXeTools*rd
  
Join Date: Jun 2009
Location: England
Posts: 85
Rept. Given: 88
Rept. Rcvd 56 Times in 24 Posts
Thanks Given: 2
Thanks Rcvd at 2 Times in 2 Posts
BoB Reputation: 56
Cool
Ah but Dila, that only works if the Imports.OrigFirstThunk array is valid

Code:
//-----------------------------------------------------------------------//
// Get Api Name from address ..  (Reverse GetProcAddress)

Function  GetProcAddressName(Const ApiAddress : DWord) : String;
Var
  I,
  Base,                         // Module base address ..
  Rva : DWord;                  // Rva of Api ..
  FA,                           // Pointer to Functions Array ..
  NA  : PDWord;                 // Pointer to Names Array ..
  Exp : PImageExportDirectory;  // Export Table ..
  Dos : PImageDosHeader;        // Dos Header ..
  Nt  : PImageNtHeaders;        // Nt Headers ..
Begin
  Result := 'Error';

  // Calc module base address from API address ..
  Base := ApiAddress;
  Repeat
    NT := Nil;
    Dec(Base);
    Base := Base And $FFFFF000;  // Align to page size ..
    If (Not IsBadReadPtr(Pointer(Base), 4)) Then Begin
      Dos := Pointer(Base);
      If (Dos^.Magic = IMAGE_DOS_SIGNATURE) Then Nt := Pointer(Base + Dos^.OffsetPE);
    End;
  Until (Not IsBadReadPtr(NT, 4)) And (NT^.Signature = IMAGE_NT_SIGNATURE);

  // Search for the Rva in the Function Array of the export table ..
  Exp := Pointer(Base + NT^.OptionalHeader.DataDirectory[0].Rva);
  Rva := ApiAddress - Base;
  FA  := Pointer(Base + Exp^.RvaOfFunctions);
  NA  := Pointer(Base + Exp^.RvaOfNames);
  For I := 0 To Exp^.NumberOfFunctions-1 Do Begin
    If (Rva = FA^) Then Begin
      // Return name or ordinal string ..
      Result := PAnsiChar(Base + Exp^.Name) + '!';
      If (I < Exp^.NumberOfNames) Then Result := Result + PAnsiChar(Base + NA^)
      Else Result := Result + '#' + IntToStr(Exp^.Base + I);
      Break;
    End;
    Inc(FA);
    Inc(NA);
  End;
End;
Simple usage like this:
Code:
  Api := DWord(GetProcAddress(KernelBase, 'HeapCreate'));
  MessageBox(0, PChar(GetProcAddressName(Api)), Nil, MB_OK);
Would show:
Code:
KERNEL32.dll!HeapCreate
Ahmadmansoor: If you want it rewriting in Asm or anything let me know.

Excuse any weird code, it's 6:30 am and I need to sleep
BoB
Last edited by BoB; 02-28-2011 at 14:44.
Reply With Quote
The Following 2 Users Gave Reputation+1 to BoB For This Useful Post:
ahmadmansoor (02-28-2011)
 

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
fake mac address theGate General Discussion 16 08-13-2022 10:12
Get real address of api not nt version Mahmoudnia General Discussion 18 05-23-2018 00:44
Finding API Address britedream General Discussion 5 10-05-2006 21:28
how to get the address of the entry point in an API Warren General Discussion 6 08-30-2005 16:18


All times are GMT +8. The time now is 03:08.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )