Exetools  

#20
04-09-2022, 15:16
DavidXanatos
I have figured out how to get the Dyn. Relocs Table with which we can get the alternate export directory from an image on disk:

Code:
			IMAGE_LOAD_CONFIG_DIRECTORY64 LoadConfig = { 0 }; // stays zeroed if the directory is missing or too small

			// read the load config directory, it tells us where the dynamic value reloc table is
			IMAGE_DATA_DIRECTORY* dir10 = &opt_hdr_64->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG];
			if (resolve_ec && dir10->VirtualAddress && dir10->Size >= FIELD_OFFSET(IMAGE_LOAD_CONFIG_DIRECTORY64, CHPEMetadataPointer) + sizeof(ULONGLONG)) {

				status = ReadDll(hProcess, FindImagePosition(dir10->VirtualAddress, nt_hdrs_64, DllBase), &LoadConfig, min(sizeof(LoadConfig), dir10->Size), NULL);
			}

			// header of the dynamic value reloc table, the Unknown fields are not identified yet
			typedef struct _DYN_RELOC_TABLE {
				ULONG Unknown1;
				ULONG Unknown2;
				ULONG Unknown3;
				ULONG Unknown4;
				ULONG TableSize;
				UCHAR Entries[];
			} DYN_RELOC_TABLE;
			
			DYN_RELOC_TABLE* DynamicValueRelocTable = NULL;

			if (DllBase == 0 && (resolve_ec || resolve_exp)) { // only for images on disk, on live images we take the actually used export directory

				// DynamicValueRelocTableSection is a 1-based section index, 0 is not a valid index
				USHORT index = LoadConfig.DynamicValueRelocTableSection;
				if (index >= 1 && index <= nt_hdrs->FileHeader.NumberOfSections) {

					PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt_hdrs) + (index - 1);

					ULONG pos = FindImagePosition(section->VirtualAddress, nt_hdrs_64, DllBase);
					ULONG len = (ULONG)min(sizeof(Buffer2), section->Misc.VirtualSize);
					status = ReadDll(hProcess, pos, Buffer2, len, NULL);

					// use the table only if its header lies inside the bytes that were read
					if (len >= sizeof(DYN_RELOC_TABLE) && LoadConfig.DynamicValueRelocTableOffset <= len - sizeof(DYN_RELOC_TABLE))
						DynamicValueRelocTable = (DYN_RELOC_TABLE*)(Buffer2 + LoadConfig.DynamicValueRelocTableOffset);
				}

				//dir0->VirtualAddress = 0x308810;
			}

			if (DynamicValueRelocTable != NULL) { // NULL for live images or when no table was found

				for (UCHAR* TablePtr = DynamicValueRelocTable->Entries; TablePtr < DynamicValueRelocTable->Entries + DynamicValueRelocTable->TableSize; ) {

					// each block starts with its base offset and its size (these 8 header bytes included)
					struct {
						ULONG Offset;
						ULONG Size;
					} *Section = (void*)TablePtr;
					if (Section->Size < 8)
						break; // malformed block, Size - 8 would wrap around
					TablePtr += 8;
					Section->Size -= 8;

					for (UCHAR* EntryPtr = TablePtr; TablePtr < EntryPtr + Section->Size; ) {
						struct {
							USHORT
								RVA : 12,
								Unknown : 1,
								Size : 3;
						} *Entry = (void*)TablePtr;
						TablePtr += 2;

						// the entry is followed by Size bytes of value
						ULONGLONG Value = 0;
						memcpy(&Value, TablePtr, Entry->Size);
						TablePtr += Entry->Size;

						DbgPrintf("%08x -> %08x\n", Section->Offset + Entry->RVA, (ULONG)Value);

					}
				}
			}
There are a couple of unknown values, so if anyone has an idea what they are, please share.
The Following User Says Thank You to DavidXanatos For This Useful Post:
sh3dow (04-10-2022)
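
A bounds-checked walk over the same table layout as the code in the post above, run on a constructed buffer. This is an added example, not part of DavidXanatos's post; `walk_dyn_relocs`, `reloc_t` and `SAMPLE` are hypothetical names, and it assumes the bit-field is allocated low bits first as MSVC does (RVA in bits 0-11, Size in bits 13-15).

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t target; uint64_t value; } reloc_t;
/* Constructed sample table, not taken from a real image. */
static const uint8_t SAMPLE[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,  /* Unknown1..Unknown4 */
    0x12,0,0,0,                          /* TableSize = 18 */
    0x00,0x10,0,0, 0x12,0,0,0,           /* block: Offset 0x1000, Size 18 */
    0xF8,0x90, 0x40,0x23,0x01,0x00,      /* RVA 0x0F8, 4-byte value */
    0xFC,0x50, 0x64,0x00,                /* RVA 0x0FC, 2-byte value */
};

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Decodes buf[0..len); returns the entry count, or -1 once a size field leaves the buffer. */
int walk_dyn_relocs(const uint8_t *buf, size_t len, reloc_t *out, int max_out) {
    if (len < 20) return -1;                       /* header is 5 ULONGs */
    uint32_t table_size = rd32(buf + 16);
    if (table_size > len - 20) return -1;
    const uint8_t *p = buf + 20, *end = p + table_size;
    int n = 0;
    while (p < end) {
        if (end - p < 8) return -1;                /* block header: Offset, Size */
        uint32_t offset = rd32(p), size = rd32(p + 4);
        if (size < 8 || size > (size_t)(end - p)) return -1;
        const uint8_t *blk_end = p + size;
        for (p += 8; p < blk_end; n++) {
            if (blk_end - p < 2) return -1;
            unsigned e = p[0] | p[1] << 8;         /* bit 12 is the unknown flag */
            unsigned rva = e & 0x0FFF, vlen = e >> 13;
            p += 2;
            if ((size_t)(blk_end - p) < vlen) return -1;
            uint64_t v = 0;
            for (unsigned i = 0; i < vlen; i++) v |= (uint64_t)p[i] << (8 * i);
            p += vlen;
            if (n < max_out) { out[n].target = offset + rva; out[n].value = v; }
        }
    }
    return n;
}

int main(void) {
    reloc_t r[4];
    int n = walk_dyn_relocs(SAMPLE, sizeof SAMPLE, r, 4);
    for (int i = 0; i < n && i < 4; i++)
        printf("%08x -> %08x\n", (unsigned)r[i].target, (unsigned)r[i].value);
    return n < 0;
}
```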
 
