#include "common.h"
/*
 * Release everything ProcessModule acquired. Every argument may be NULL (or
 * INVALID_HANDLE_VALUE for the handles), so this is safe to call after a
 * partial failure.
 *
 * NOTE(review): the view is always released with UnmapViewOfFile, even though
 * MapTargetModule reports a bManuallyMapped flag; if a manually mapped copy is
 * not backed by MapViewOfFile it needs its own release path — confirm against
 * MapTargetModule's implementation.
 * NOTE(review): only the HOOK_LIST container is freed here; whether pHookList
 * and szBestCandidateName are separate allocations is not visible from this
 * file — confirm with the allocator in ProcessModuleComparison.
 */
static void ReleaseModuleResources(PBYTE pView, HANDLE hMapping, HANDLE hFile, PHOOK_LIST psctHooks) {
    if (pView != NULL && pView != INVALID_HANDLE_VALUE) {
        UnmapViewOfFile(pView);
    }
    if (hMapping != NULL && hMapping != INVALID_HANDLE_VALUE) {
        CloseHandle(hMapping);
    }
    if (hFile != NULL && hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    if (psctHooks != NULL) {
        HeapFree(GetProcessHeap(), 0, psctHooks);
    }
}

/*
 * Compare one loaded module against a clean copy mapped from its on-disk image
 * and print every difference (suspected hook) with the nearest exported
 * function that could be resolved for it.
 *
 * sctModuleInfo: name and in-memory base of the module to check.
 * Returns TRUE when the comparison ran to completion (including the "no
 * differences" case) and FALSE when mapping, comparison or RVA-to-function
 * resolution failed. Failures are printed here; the caller treats them as
 * non-fatal.
 *
 * Output mixes wprintf and printf on stdout. ISO C leaves the stream
 * orientation undefined once both are used; this is kept as is because the
 * original relies on the MSVC CRT tolerating it.
 */
BOOL ProcessModule(MODULE_INFO sctModuleInfo) {
    PBYTE pCleanView = NULL;
    BOOL bManuallyMapped = FALSE;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMapping = NULL;
    PHOOK_LIST psctHooks = NULL;
    BOOL bSucceeded = FALSE;
    WORD wIndex = 0;

    do {
        if (!MapTargetModule(sctModuleInfo.wszModuleName, &pCleanView, &bManuallyMapped, &hFile, &hMapping) || pCleanView == NULL) {
            wprintf(L"[-] Could not map target module %ws in memory\n", sctModuleInfo.wszModuleName);
            break;
        }

        if (!ProcessModuleComparison(sctModuleInfo.pModuleAddress, pCleanView, bManuallyMapped, &psctHooks)) {
            wprintf(L"[-] Could not process differences for module %ws\n", sctModuleInfo.wszModuleName);
            break;
        }

        if (psctHooks == NULL) {
            /* No differences were reported: nothing to resolve or print. */
            bSucceeded = TRUE;
            break;
        }

        /*
         * Headers are parsed from the clean on-disk view rather than the loaded
         * image so that a PAGE_GUARD on the loaded module's header page is
         * never touched.
         */
        if (!FindFunctionsFromRVAs(pCleanView, bManuallyMapped, psctHooks)) {
            wprintf(L"[-] Could not find functions for RVAs in module %ws\n", sctModuleInfo.wszModuleName);
            break;
        }

        wprintf(L"[+] In module %ws: \n", sctModuleInfo.wszModuleName);
        for (wIndex = 0; wIndex < psctHooks->wCount; wIndex++) {
            /*
             * szBestCandidateName is passed as a %s argument, never as the
             * format string, so names taken from the PE export table cannot
             * inject format directives.
             */
            if (psctHooks->pHookList[wIndex].szBestCandidateName == NULL) {
                printf("\t[*] Hook found at RVA 0x%lx in unknown function\n", psctHooks->pHookList[wIndex].dwDifferenceRVA);
                continue;
            }
            printf("\t[*] Hook found at RVA 0x%lx in function %s (at RVA 0x%lx)\n", psctHooks->pHookList[wIndex].dwDifferenceRVA,
                   psctHooks->pHookList[wIndex].szBestCandidateName, psctHooks->pHookList[wIndex].dwBestCandidateRVA);
        }
        bSucceeded = TRUE;
    } while (0);

    ReleaseModuleResources(pCleanView, hMapping, hFile, psctHooks);
    return bSucceeded;
}
/*
 * Entry point. Gives the process a fixed settling time (presumably so that any
 * hooks placed during initialization are already installed; anything installed
 * after this window is not seen), then runs ProcessModule over every module
 * currently loaded in this process.
 *
 * Returns -1 when the loaded-module list cannot be obtained and 0 otherwise.
 * Per-module failures are reported by ProcessModule and do not affect the
 * exit code.
 */
int wmain(void) {
    PMODULE_LIST psctModules = NULL;
    WORD wIndex = 0;

    StuffIAT();

    wprintf(L"[*] Sleeping for 2 seconds to let all initialization and hooking happen...\n");
    Sleep(2000);

    if (!GetLoadedModuleList(&psctModules) || psctModules == NULL) {
        wprintf(L"[-] Could not get the list of loaded modules\n");
        return -1;
    }

    for (wIndex = 0; wIndex < psctModules->wCount; wIndex++) {
        wprintf(L"[*] Analyzing module %ws...\n", psctModules->pModuleList[wIndex].wszModuleName);
        /* Best effort: a failed module is already printed by ProcessModule. */
        (void)ProcessModule(psctModules->pModuleList[wIndex]);
    }

    /* Only the list container is freed here, matching how ProcessModule frees its HOOK_LIST. */
    HeapFree(GetProcessHeap(), 0, psctModules);
    return 0;
}