Get APi from the address

[Jay]

Quote:

Originally Posted by V0ldemAr

My implementation in CPP

neat V0ldemAr, never thought of that.
cheers.

[Nacho_dj]

Wow, a lot of participation in this thread, nice

Anyway, here is second part...


Getting Name of Function and Ordinal value - Part II

We enter this routine with the handle and the name of the module that the handle belongs to.
Let's work with export table of that module.

We compare AddressOfNameOrdinals to AddressOfNames. If they are different, we start a) chapter. Otherwise, go to b) chapter.

a) We first start a loop with NumberOfNames iterations.

Within the loop, we must go through AddressOfOrdinals array. This array is composed only by Words. Each Word performs a 'number of order' in AddressOfFunction array. We take the content in the i-element of the AddresOfOrdinals array.
That content is the number of element in AddressOfFunction array, so we get the value of that component. This comes as RVA.

We compare now:
handle(our input) to RVA content + BaseAddress of the module

If they match:

1. If 'number of order' is not equal to zero, then Ordinal of that handle is:
'number of order'+ nBase(parameter in export table) OR IMAGE_ORDINAL_FLAG32(0x80000000)

2. We go through the AddressOfNameOfFunction array and read the i element. This is an RVA value. Then we read the string at that address and we get the name of the function searched.


b) If 'number of order' is zero (there is no names of functions, just ordinals), we start a loop with NumberOfFunction iterations.

For every element in the array of AddressOfFunction, we compare:
handle(our input) to value of element(RVA) + BaseAddress of the module.

If they match, ordinal for that handle is:
(i(iteration) + nBase(parameter in export table)) OR IMAGE_ORDINAL_FLAG32(0x80000000)


To be continued (solving forwarded functions)...

Some tips:

1) Don't forget about forwarded exports ( they point inside of export table )
2) There may be more than one function with same RVA
Examples:
SetHandleCount = LockResource
NtOpenFile = ZwOpenFile
3) Optimization, need to build lookup tables with name of functions and need to sort table with RVA then simply apply binary search by rva but be aware if you sort rva's standard CRT binary search won't return you pointer to the first function( in other words if you have 3 functions with same rva bsearch may return to you any 1 of 3) so you will need to find first and last by going backward and forward increasing pointer in table.

Good luck.