A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23166  by EP_X0FF
 Fri Jun 20, 2014 12:42 pm
fsdhook wrote:
EP_X0FF wrote:Do as Vrtule posted and check structures align and variables size.
Thank you, man.
I can get the IAT function addresses programmatically.
But I cannot get the IAT function names. How do I do it with WinDbg or programmatically?
Actually, WINDBG shows that ImportTable (NtHeader->OptionalHeader.DataDirectory[1].VirtualAddress) is not a valid address:
Code:
lkd>  !dh nt -f

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
      18 number of sections
4CE7951A time date stamp Sat Nov 20 17:30:02 2010

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
  47D200 size of code
   D0200 size of initialized data
    3400 size of uninitialized data
  2B66F0 address of entry point
    1000 base of code
         ----- new -----
0000000140000000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  5EA000 size of image
     600 size of headers
  55BBAA checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
       0  DLL characteristics
  535000 [   10978] address [size] of Export Directory
  5AF718 [      78] address [size] of Import Directory
  5B1000 [   35F60] address [size] of Resource Directory
  280000 [   300D8] address [size] of Exception Directory
  54CA00 [    1B80] address [size] of Security Directory
  5E7000 [    2070] address [size] of Base Relocation Directory
  1A3290 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  1AE000 [     380] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

lkd> db nt+5AF718 nt+5AF718+78
fffff800`01dc0718  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0728  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0738  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0748  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0758  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0768  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0778  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0788  ?? ?? ?? ?? ?? ?? ?? ??-??                       ?????????
1) Wtf you are doing;
2) See my post above;
3) .symfix, .reload;
4) What are you doing with the db command? You supplied a physical address as the second param. Size is declared with L, e.g. db Address l1000.
 #23167  by fsdhook
 Fri Jun 20, 2014 2:30 pm
EP_X0FF wrote:
1) Wtf you are doing;
2) See my post above;
3) .symfix, .reload;
4) What are you doing with the db command? You supplied a physical address as the second param. Size is declared with L, e.g. db Address l4096.
I want to know:
1. Why is "NTOSBASE + NtHeader->OptionalHeader.DataDirectory[1].VirtualAddress" not a valid address?!
2. How can I get the import table function names without parsing the PE file, but by parsing the PE structures in kernel space?
 #23168  by fsdhook
 Fri Jun 20, 2014 2:48 pm
Vrtule wrote:Well, if I correctly read the IAT address as 0x1AE000, it looks like an offset rather than an address (maybe WinDbg reads the information from the file, not from memory... I am not sure since I have never used this command). So you can try to add this value to the base address of ntoskrnl.exe in memory.
Thank you, MR.V. :D
But I really don't know how to do that.
 #23169  by EP_X0FF
 Fri Jun 20, 2014 4:04 pm
Ok. If the section the import directory belongs to has the discardable flag, it can be unloaded from memory.
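The check behind EP_X0FF's answer, and the in-kernel PE walk fsdhook asked for in #23167, as an added example that is not code from the thread: given the base of a mapped PE64 image, map the import directory RVA (DataDirectory[1]) to its section header, look at IMAGE_SCN_MEM_DISCARDABLE, and only when the section is resident walk the IMAGE_IMPORT_DESCRIPTOR entries, taking names from the INT (OriginalFirstThunk) and the resolved pointers from the IAT (FirstThunk). In the !dh output above the IAT directory at 0x1AE000 sits among the resident data while the import directory at 0x5AF718 lies near the end of the image, which is the situation the code guards against. The PE structures are declared by hand so it builds and runs without windows.h; the image it operates on is a constructed toy (the names TOY.dll, FuncA and FuncB, the .rdata/INIT split and the fake IAT pointers are all made up), while the structure layouts, flag values and INT/IAT roles are standard PE.

```c
/* Added example, not code from the thread: map a PE data directory RVA to its section,
 * check IMAGE_SCN_MEM_DISCARDABLE, and only then walk IMAGE_IMPORT_DESCRIPTOR -> INT
 * (names) / IAT (resolved pointers). Structures are declared by hand so this builds
 * without windows.h; the image it runs on is a constructed toy, not a real kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_SCN_MEM_DISCARDABLE    0x02000000u
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_ORDINAL_FLAG64         0x8000000000000000ull

#pragma pack(push, 1)
typedef struct { uint32_t VirtualAddress, Size; } IMAGE_DATA_DIRECTORY;
typedef struct {                 /* IMAGE_OPTIONAL_HEADER64: DataDirectory sits at offset 112 */
    uint16_t Magic; uint8_t unused[110]; IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER64;
typedef struct {
    uint32_t Signature; uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
    PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64;
typedef struct {
    uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} IMAGE_SECTION_HEADER;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; }
    IMAGE_IMPORT_DESCRIPTOR;
#pragma pack(pop)

typedef struct { const char *dll, *name; uint16_t ordinal; const uint8_t *iat_slot; uint64_t target; }
    IMPORT_ENTRY;

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static const IMAGE_NT_HEADERS64 *nt_headers(const uint8_t *base) {
    uint32_t e_lfanew; memcpy(&e_lfanew, base + 0x3C, 4);        /* IMAGE_DOS_HEADER.e_lfanew */
    return (const IMAGE_NT_HEADERS64 *)(base + e_lfanew);
}

/* Section whose virtual range contains rva; NULL if rva is in the headers or outside the image. */
const IMAGE_SECTION_HEADER *pe_section_for_rva(const uint8_t *base, uint32_t rva) {
    const IMAGE_NT_HEADERS64 *nt = nt_headers(base);
    const IMAGE_SECTION_HEADER *sec = (const IMAGE_SECTION_HEADER *)((const uint8_t *)nt +
        offsetof(IMAGE_NT_HEADERS64, OptionalHeader) + nt->SizeOfOptionalHeader);
    for (uint16_t i = 0; i < nt->NumberOfSections; i++)
        if (rva >= sec[i].VirtualAddress && rva < sec[i].VirtualAddress + sec[i].VirtualSize)
            return &sec[i];
    return NULL;
}

/* 1 = import directory lives in a discardable section (freed after boot in a live kernel,
 * which is why WinDbg shows ?? there), 0 = resident, -1 = no import directory at all. */
int pe_import_dir_discardable(const uint8_t *base) {
    IMAGE_DATA_DIRECTORY dir = nt_headers(base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    const IMAGE_SECTION_HEADER *sec = dir.VirtualAddress ? pe_section_for_rva(base, dir.VirtualAddress) : NULL;
    if (!sec) return -1;
    return (sec->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) ? 1 : 0;
}

/* Names come from the INT (OriginalFirstThunk). The IAT (FirstThunk) already holds resolved
 * pointers in a loaded image, so a descriptor without an INT cannot yield names from memory. */
size_t pe_walk_imports(const uint8_t *base, IMPORT_ENTRY *out, size_t max) {
    if (pe_import_dir_discardable(base) != 0) return 0;          /* never touch freed pages */
    uint32_t rva = nt_headers(base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    size_t n = 0;
    for (const IMAGE_IMPORT_DESCRIPTOR *d = (const IMAGE_IMPORT_DESCRIPTOR *)(base + rva); d->Name; d++) {
        if (!d->OriginalFirstThunk) continue;
        const uint8_t *intp = base + d->OriginalFirstThunk, *iatp = base + d->FirstThunk;
        for (uint64_t e; (e = rd64(intp)) != 0 && n < max; intp += 8, iatp += 8, n++) {
            out[n].dll = (const char *)(base + d->Name);
            out[n].iat_slot = iatp; out[n].target = rd64(iatp);
            if (e & IMAGE_ORDINAL_FLAG64) { out[n].name = NULL; out[n].ordinal = (uint16_t)e; }
            else { out[n].name = (const char *)(base + (uint32_t)e + 2); out[n].ordinal = 0; } /* skip Hint */
        }
    }
    return n;
}

/* Constructed toy image: .rdata holds the IAT, INIT holds the import directory, INT and
 * strings, mirroring the split the thread runs into in ntoskrnl. Returns a static buffer. */
const uint8_t *build_toy_image(int init_discardable) {
    static uint8_t img[0x3000];
    memset(img, 0, sizeof img);
    memcpy(img, "MZ", 2); uint32_t e_lfanew = 0x80; memcpy(img + 0x3C, &e_lfanew, 4);
    IMAGE_NT_HEADERS64 *nt = (IMAGE_NT_HEADERS64 *)(img + 0x80);
    nt->Signature = 0x00004550; nt->Machine = 0x8664; nt->NumberOfSections = 2;
    nt->SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER64); nt->OptionalHeader.Magic = 0x20B;
    nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x2000;
    nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 2 * sizeof(IMAGE_IMPORT_DESCRIPTOR);
    IMAGE_SECTION_HEADER *sec = (IMAGE_SECTION_HEADER *)(nt + 1);
    memcpy(sec[0].Name, ".rdata", 6); sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x1000;
    sec[0].Characteristics = 0x40000040;                         /* CNT_INITIALIZED_DATA | MEM_READ */
    memcpy(sec[1].Name, "INIT", 4); sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x1000;
    sec[1].Characteristics = 0x40000040 | (init_discardable ? IMAGE_SCN_MEM_DISCARDABLE : 0);
    IMAGE_IMPORT_DESCRIPTOR *d = (IMAGE_IMPORT_DESCRIPTOR *)(img + 0x2000);
    d->OriginalFirstThunk = 0x2100; d->Name = 0x2200; d->FirstThunk = 0x1000;
    uint64_t intv[3] = { 0x2300, 0x2310, 0 }; memcpy(img + 0x2100, intv, sizeof intv);
    memcpy(img + 0x2200, "TOY.dll", 8);
    memcpy(img + 0x2302, "FuncA", 6); memcpy(img + 0x2312, "FuncB", 6);  /* 2-byte Hint, then name */
    uint64_t iat[3] = { 0xFFFFF80000001000ull, 0xFFFFF80000002000ull, 0 };
    memcpy(img + 0x1000, iat, sizeof iat);                       /* what the loader leaves in the IAT */
    return img;
}
```

With build_toy_image(1) the INIT section carries the discardable flag and pe_walk_imports() returns no entries; with build_toy_image(0) it returns the two named imports together with their IAT slots and resolved targets. On a live kernel the headers themselves stay resident, so the section lookup can be done on the loaded image before DataDirectory[1] is ever dereferenced; if the flag is set, the names have to come from the on-disk file's import directory and be matched to the live IAT by slot order (FirstThunk is the same RVA in both), while the IAT itself (DataDirectory[12]) stays readable.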
 #23174  by fsdhook
 Sat Jun 21, 2014 2:37 am
EP_X0FF wrote:Ok. If the section the import directory belongs to has the discardable flag, it can be unloaded from memory.
OK. I know why I cannot get the import table information now.
But I have a new idea for realizing an IAT hook. :lol:
PS: I will not hook the IAT of NTOSKRNL. I know it is protected by KPP.
Last edited by EP_X0FF on Sat Jun 21, 2014 3:42 pm, edited 1 time in total. Reason: for personal questions use pm