A forum for reverse engineering, OS internals and malware analysis 

 #11882  by everdox
 Tue Feb 28, 2012 10:12 pm
You use the .reloc section to rebase the RVAs. For example, in a PE32 the default ImageBase is 0x400000. So you could, like, run across some code in the .text section basically doing:

push 0x403000
call something

which could be pushing the address of a string from .rdata

but that is the offset once the executable is mapped to memory (not in the file). If you read the section headers it tells you the VA (not RVA) of the base of the section (added to base) once loaded to memory. So whereas say .rdata could be at 0x403000, in the file it could be at offset 0x1200 or something.
 #11883  by r2nwcnydc
 Tue Feb 28, 2012 10:35 pm
Tigzy wrote: Yes, that's my first idea.. raw addresses are not part of structures?
_IMAGE_SECTION_HEADER::PointerToRawData
 #11886  by Tigzy
 Wed Feb 29, 2012 6:58 am
ok for the sections.
But according to : http://msdn.microsoft.com/en-us/library ... 85%29.aspx ,
I must find the export / import tables in the IMAGE_DATA_DIRECTORY : http://msdn.microsoft.com/en-us/library ... 85%29.aspx
which only gives rva

Do I need to walk through the .idata / .rdata instead?

----

Basically, what I need to do is the same as a PE loader would.
 #11888  by Tigzy
 Wed Feb 29, 2012 8:21 am
ok, that's better:

All I need to do is to get the RVA address of the import/export table in the data directory, then get the section where it lies (by looking at the RVA + size of each section),
then subtract the two RVAs to get the RVA relative to the beginning of the section and add the physical address of the section to get the physical address of the table. ;)
[attachment: Sans titre 1.png]
 #11896  by Tigzy
 Wed Feb 29, 2012 1:27 pm
Very detailed indeed!

As the ntoskrnl.exe export table is zeroed (almost), we cannot get the function from there.
There's another solution:

- Get the ntoskrnl base address (from kernel mode really easy, don't know if it's possible from userland)
- Get address of the API you want to retrieve (my example NtTerminateProcess), easily recoverable from the SSDT (if not hooked, else in the original SSDT in ntoskrnl)

RVANtTerminate = @NtTerminate - @ntoskBase;
- Then, find the section where this RVA lies (the sections addresses are available in ntoskrnl.exe)
- Read the section, and go to the corresponding offset.
- You got it.
[attachment: Sans titre 1.png]
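The RVA-to-file-offset recipe from #11888 and #11896 (data-directory RVA, find the containing section header, then PointerToRawData + (RVA - VirtualAddress)), as an added Python example that is not code from this thread; the PE bytes are constructed inline and all function names are my own.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image: DOS stub, COFF/optional headers and a section table (no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE header at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase, as in everdox's example
    struct.pack_into("<II", opt, 96, 0x3040, 0x60)                # DataDirectory[0]: export table RVA/size
    def sec(name, vsize, va, rawsize, rawptr):                    # one IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + coff + bytes(opt)
            + sec(b".text", 0x800, 0x1000, 0x800, 0x400)
            + sec(b".rdata", 0x300, 0x3000, 0x400, 0x1200)        # VA 0x403000 <-> file offset 0x1200
            + sec(b".bss", 0x1000, 0x4000, 0, 0))                 # uninitialised data: no file bytes at all

def parse_pe(data):
    """Return (ImageBase, export-table RVA, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]              # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]         # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    image_base = struct.unpack_from("<Q" if pe32plus else "<I", data, opt + (24 if pe32plus else 28))[0]
    export_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96))[0]
    sections = []
    for i in range(nsec):                                         # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, export_rva, sections

def rva_to_file_offset(sections, rva):
    """Tigzy's recipe: locate the section holding rva, return PointerToRawData + (rva - VirtualAddress); None if no file bytes back it."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return rawptr + delta if delta < rawsize else None   # e.g. .bss has SizeOfRawData == 0
    return None

def va_to_file_offset(data, va):
    """Loaded VA (the 0x403000 in 'push 0x403000', or a kernel address minus the ntoskrnl base) -> RVA -> file offset."""
    image_base, _, sections = parse_pe(data)
    return rva_to_file_offset(sections, va - image_base)
```

For ntoskrnl.exe the same mapping applies with the running kernel's base in place of ImageBase, which is exactly the RVANtTerminate subtraction above.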
 #11897  by rkhunter
 Wed Feb 29, 2012 1:33 pm
Tigzy wrote: As the ntoskrnl.exe export table is zeroed (almost), we cannot get the function from there.
This is not true, look at its export.
What function do you mean?
What is your end target?
 #11898  by Tigzy
 Wed Feb 29, 2012 3:58 pm
rkhunter wrote: This is not true, look at its export.
Look at my screenshot, export table address is 0xcccccccc ;)

EDIT: Maybe I need to dump a copy of the file before?
rkhunter wrote: What function do you mean? What is your end target?
Basically the functions of the SSDT.
I need to get the very first bytes of all of them in order to restore inline hooks.
 #11900  by rkhunter
 Wed Feb 29, 2012 4:44 pm
Restoring inline hooks of system services on a live working system is not a good idea, I think... Is this your end target?