
Assembly Custom GetProcAddress


OpenRCE_Saphex
November 24th, 2007, 18:50
Hi,

I had the need to develop some assembly code to inject into a target application. This code needed some functions' export addresses, and since I didn't want to use fixed addresses, I developed this little piece of code.

Code:
; Find module export method
; eax - Module base address
; edi - Export name (null terminated)
; Returns the export va in eax, or zero if not found
@find_export:
mov ebx, dword ptr [eax + 03Ch] ; Get NT header rva (e_lfanew)
add ebx, eax ; ebx has the NT header va
cmp word ptr [ebx], 04550h ; Check signature ("PE")
jnz @find_error ; Failed validation
mov ebx, [ebx + 078h] ; Get the export table rva (PE32 data directory 0)
add ebx, eax ; ebx has the export table va
mov ecx, [ebx + 018h] ; Extract the number of exported names
test ecx, ecx ; No named exports at all?
jz @find_error
dec ecx ; Decrement ecx (iteration is index based, last entry first)
mov edx, [ebx + 020h] ; Export name address table rva
add edx, eax ; edx has the export name address table va
@find_loop:
mov esi, [edx + ecx * 4] ; Get the rva of the export name
add esi, eax ; Calculate the va using the module base address
push edi ; Save edi
push eax ; Save eax
push ebx ; Save ebx
@cmp_loop: ; String compare method start
mov al, byte ptr [esi] ; Char of first string
mov bl, byte ptr [edi] ; Char of second string
sub al, bl ; Subtract each character value, if zero then they are equal
jne @cmp_different ; Fail comparison
cmp bl, 0 ; If at end of the strings
jz @cmp_equal
inc esi ; Increment pointers
inc edi
jmp @cmp_loop ; Continue comparing
@cmp_different:
pop ebx ; Restore saved registers
pop eax
pop edi
dec ecx ; Next (lower) name index; a plain LOOP here would exit before comparing index 0
jns @find_loop ; Continue while the index is still >= 0
jmp @find_error ; Otherwise, it wasn't found
@cmp_equal:
pop ebx ; Restore registers
pop eax
pop edi ; String compare method end
; Calculate the address of the exported function
mov edx, [ebx + 024h] ; Extract the rva of the ordinals table
add edx, eax ; Make it a va
movzx ecx, word ptr [edx + ecx * 2] ; Extract the ordinal (2 bytes) and clear the upper half of ecx
mov edx, [ebx + 01Ch] ; Extract the rva of the address table into edx
add edx, eax ; Make it a va
mov ebx, [edx + ecx * 4] ; Get the rva of the exported function
add eax, ebx ; Make it a va
ret ; Return it in eax
@find_error:
xor eax, eax ; Return null
ret ; Find module export method end


The base code to which this code belongs is to be injected into a target process, as I wrote before; because of that, I didn't care about the size or the null-terminated strings. Anyone interested in reducing the size could always implement an additive checksum generation algorithm instead of the string comparison routine.

Best regards,
saphex
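
The routine in the post walks the export directory of an image that is already mapped, so RVAs can simply be added to the module base. The C version below is an added example written for this archive page, not saphex's code: it performs the same walk (NT header via e_lfanew, export directory from data directory 0, name table scanned from the last entry down to index 0, ordinal table indirection into the function table) over a plain byte buffer, which is how an analyst resolves exports in a dumped image rather than inside the target process. It goes beyond the assembly in two ways: every read is bounds-checked against the buffer size, so a truncated or corrupt image yields 0 instead of a wild read, and it accepts PE32+ headers, whose data directory sits at offset 0x88 from the NT header rather than the 0x78 the assembly hard-codes for PE32. The image it parses is constructed in `build_sample_image` (its offsets, names and RVAs are made up for the demonstration), and `find_export_rva`, `build_sample_image` and the helper names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample image: 0x500 bytes laid out like a module mapped in
 * memory, so offsets and RVAs coincide (the assumption the assembly makes). */
#define IMAGE_SIZE 0x500u
enum { NT_HDR = 0x80, EXPORT_DIR = 0x200, FUNCS_TBL = 0x300,
       NAMES_TBL = 0x340, ORDS_TBL = 0x380, STRINGS = 0x400 };

uint8_t sample_image[IMAGE_SIZE];

static void wr16(uint8_t *p, uint32_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t off, uint32_t v) { for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i)); }
static uint16_t rd16(const uint8_t *p, uint32_t off) { return (uint16_t)(p[off] | (p[off + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, uint32_t off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) | ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}
/* True when [off, off+len) lies inside an image of `size` bytes. */
static int in_bounds(size_t size, uint32_t off, uint32_t len) { return off <= size && len <= size - off; }

/* Bounded comparison of the NUL-terminated name stored at RVA `off` with `name`. */
static int name_at_equals(const uint8_t *img, size_t size, uint32_t off, const char *name) {
    for (uint32_t i = 0; ; i++) {
        if (!in_bounds(size, off, i + 1)) return 0;        /* string would run past the image */
        uint8_t c = img[off + i];
        if (c != (uint8_t)name[i]) return 0;                /* mismatch, or one string ended early */
        if (c == 0) return 1;                                /* both ended together */
    }
}

/* Resolve an export by name; returns its RVA, or 0 when absent or when the
 * image is malformed.  base + RVA is the VA the assembly returns in eax. */
uint32_t find_export_rva(const uint8_t *img, size_t size, const char *name) {
    if (!in_bounds(size, 0x3c, 4)) return 0;
    uint32_t nt = rd32(img, 0x3c);                           /* e_lfanew */
    if (!in_bounds(size, nt, 0x1a) || rd32(img, nt) != 0x00004550u) return 0;   /* "PE\0\0" */
    uint16_t magic = rd16(img, nt + 0x18);                   /* optional header magic */
    uint32_t dir = magic == 0x10b ? nt + 0x78                /* PE32: the 0x78 used in the assembly */
                 : magic == 0x20b ? nt + 0x88 : 0;           /* PE32+: data directory starts later */
    if (dir == 0 || !in_bounds(size, dir, 8)) return 0;
    uint32_t exp = rd32(img, dir), exp_size = rd32(img, dir + 4);
    if (exp == 0 || exp_size < 0x28 || !in_bounds(size, exp, 0x28)) return 0;

    uint32_t nfuncs = rd32(img, exp + 0x14), nnames = rd32(img, exp + 0x18);
    uint32_t funcs = rd32(img, exp + 0x1c), names = rd32(img, exp + 0x20), ords = rd32(img, exp + 0x24);
    if (nfuncs > size / 4 || nnames > size / 4) return 0;   /* keep the products below from wrapping */
    if (!in_bounds(size, funcs, nfuncs * 4) || !in_bounds(size, names, nnames * 4) ||
        !in_bounds(size, ords, nnames * 2)) return 0;

    /* Scan the name table from the last entry down to index 0, as the assembly does. */
    for (uint32_t i = nnames; i-- > 0; ) {
        if (!name_at_equals(img, size, rd32(img, names + i * 4), name)) continue;
        uint16_t ordinal = rd16(img, ords + i * 2);          /* unbiased index into AddressOfFunctions */
        if (ordinal >= nfuncs) return 0;                     /* corrupt ordinal table */
        return rd32(img, funcs + (uint32_t)ordinal * 4);
    }
    return 0;
}

/* Build the constructed image: three named exports over four function slots. */
void build_sample_image(void) {
    static const uint32_t func_rvas[4] = { 0x1000, 0x1100, 0x1200, 0x1300 };
    static const char *const names[3] = { "Alpha", "Beta", "Gamma" };   /* sorted, as the loader requires */
    static const uint16_t ords[3] = { 2, 0, 3 };   /* Alpha->slot 2, Beta->slot 0, Gamma->slot 3; slot 1 is ordinal-only */
    uint8_t *img = sample_image;
    memset(img, 0, IMAGE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3c, NT_HDR);
    wr32(img, NT_HDR, 0x00004550u);
    wr16(img, NT_HDR + 0x18, 0x10b);                         /* PE32 optional header */
    wr32(img, NT_HDR + 0x78, EXPORT_DIR);                    /* export data directory: RVA ... */
    wr32(img, NT_HDR + 0x7c, 0x28);                          /* ... and size */
    wr32(img, EXPORT_DIR + 0x14, 4);                         /* NumberOfFunctions */
    wr32(img, EXPORT_DIR + 0x18, 3);                         /* NumberOfNames */
    wr32(img, EXPORT_DIR + 0x1c, FUNCS_TBL);
    wr32(img, EXPORT_DIR + 0x20, NAMES_TBL);
    wr32(img, EXPORT_DIR + 0x24, ORDS_TBL);
    for (uint32_t i = 0; i < 4; i++) wr32(img, FUNCS_TBL + i * 4, func_rvas[i]);
    for (uint32_t i = 0, str = STRINGS; i < 3; i++) {
        wr32(img, NAMES_TBL + i * 4, str);
        wr16(img, ORDS_TBL + i * 2, ords[i]);
        memcpy(img + str, names[i], strlen(names[i]) + 1);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

int main(void) {
    const char *probe[] = { "Alpha", "Beta", "Gamma", "Delta" };
    build_sample_image();
    for (size_t i = 0; i < 4; i++)
        printf("%-5s -> RVA 0x%08x\n", probe[i], (unsigned)find_export_rva(sample_image, IMAGE_SIZE, probe[i]));
    return 0;
}
```

The name table of a well-formed image is sorted, so a binary search would also work; the linear scan is kept to mirror the assembly. `Beta` deliberately sits at name index 0 in the constructed image: an x86 `loop` instruction that counts the index down to zero stops before that entry is compared, which is the kind of off-by-one a test against the lowest index catches. Passing a `size` smaller than the real image models a truncated dump and must return 0 rather than read past the buffer.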

https://www.openrce.org/blog/view/907/Assembly_Custom_GetProcAddress