/**
*
* Captures Net-NTLMv1/v2 hashes from incoming
* NTLM authentication attempts.
*
* GuidePoint Security LLC
* Threat and Attack Simulation
*
**/
#include "common.h"
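/**
 *
 * @brief: Acts as a replacement for GetProcAddress: walks the export
 *         address table (EAT) of an in-memory PE image and resolves
 *         an export by the hash of its name.
 *
 * @param: Image   Base address of the PE image as mapped in memory.
 *                 Every RVA read from the headers is added directly
 *                 to this base, so the image must be mapped with its
 *                 sections at their virtual addresses (a loaded module),
 *                 not a raw on-disk file.
 * @param: ExpHash Hash of the export name. It must have been produced
 *                 by the same HashString( Name, 0 ) used below, or no
 *                 entry will ever match.
 *
 * @return: Pointer to the exported function, or NULL when the image has
 *          no export directory, no export name hashes to ExpHash, the
 *          name's ordinal is outside AddressOfFunctions, or the match is
 *          a forwarded export (its RVA points at a "DLL.Func" string
 *          inside the export directory rather than at code, so the
 *          caller must not jump to it).
 *
 * NOTE(review): the DOS/NT headers are not validated (e_lfanew,
 * signatures, directory bounds). The image is assumed to be a
 * well-formed module already loaded in this process; do not feed
 * untrusted bytes to this routine without validating them first.
 *
 **/
D_SEC( E ) PVOID PeGetFuncEat( _In_ PVOID Image, _In_ ULONG ExpHash )
{
    ULONG                   Djb = 0;
    ULONG                   Idx = 0;
    ULONG                   Ord = 0;
    ULONG                   Rva = 0;
    PUINT16                 Aoi = NULL;
    PUINT32                 Aof = NULL;
    PUINT32                 Aos = NULL;
    PIMAGE_DOS_HEADER       Ids = NULL;
    PIMAGE_NT_HEADERS       Inh = NULL;
    PIMAGE_DATA_DIRECTORY   Idd = NULL;
    PIMAGE_EXPORT_DIRECTORY Ied = NULL;

    /* Nothing to walk without an image base. */
    if ( Image == NULL ) {
        return NULL;
    };

    /* Locate the export data directory through the DOS -> NT headers. */
    Ids = C_PTR( Image );
    Inh = C_PTR( U_PTR( Ids ) + Ids->e_lfanew );
    Idd = C_PTR( & Inh->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ] );

    /* An image without exports (e.g. most EXEs) has a zero RVA here. */
    if ( Idd->VirtualAddress == 0 ) {
        return NULL;
    };

    /* Name, function and name-ordinal arrays, all RVAs relative to the base. */
    Ied = C_PTR( U_PTR( Ids ) + Idd->VirtualAddress );
    Aos = C_PTR( U_PTR( Ids ) + Ied->AddressOfNames );
    Aof = C_PTR( U_PTR( Ids ) + Ied->AddressOfFunctions );
    Aoi = C_PTR( U_PTR( Ids ) + Ied->AddressOfNameOrdinals );

    /* Only named exports can be matched by name hash. */
    for ( Idx = 0 ; Idx < Ied->NumberOfNames ; ++Idx ) {
        Djb = HashString( C_PTR( U_PTR( Ids ) + Aos[ Idx ] ), 0 );
        if ( Djb != ExpHash ) {
            continue;
        };

        /* AddressOfNameOrdinals[i] indexes AddressOfFunctions; refuse a
         * malformed table rather than read past the function array. */
        Ord = Aoi[ Idx ];
        if ( Ord >= Ied->NumberOfFunctions ) {
            return NULL;
        };

        /* Forwarded export: an RVA that lands inside the export directory
         * itself is a "DLL.Func" string, not code. Callers would crash
         * (or worse) jumping to it, so report it as unresolved. */
        Rva = Aof[ Ord ];
        if ( Rva >= Idd->VirtualAddress && Rva < Idd->VirtualAddress + Idd->Size ) {
            return NULL;
        };

        return C_PTR( U_PTR( Ids ) + Rva );
    };

    return NULL;
};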