bedrock
October 15th, 2003, 08:42
I'm trying to write an ImpRec plugin, but when i try and run one of my unresolved address' through my plugin, ImpRec just returns: 200 Failed!
Here is the situation:
ImpRec shows me an unresolved entry: rva: 00533280 ptr: 00A6E000
I go look at a6e000 in softice after already attach to the correct process and i see code like this:
a6e000 push 8a5f5c6f
a6e005 xor dword ptr[esp], fdb8fbb0
a6e00c ret
so easily enough i just need to xor 8a5f5c6f with fdb8fbb0 to get 77e7a7df, which when i goto softice and do: u 77e7a7df i land at kernel32!GetCurrentThreadId <- this is what shuold go into my IAT
This is all fairly simple, i could do it by hand if there were just a couple, but my target has 300+ entries all like this, so i thought i'd create a plugin for ImpRec, loaded up the tELock src example into msdev and started hacking, ending up with this:
DLLEXPORT DWORD Trace(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace,
DWORD dwExactCall)
{
char temp[260] = {0};
DeleteLogFile();
WriteLogLine("Starting trace"
;
WriteLogLine("b4 MapViewOfFile";
// Map the view of the file
DWORD* dwPtrOutput = (DWORD*)MapViewOfFile((HANDLE)hFileMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
if (!dwPtrOutput)
{
WriteLogLine("MapViewOfFile failed";
// Can't map view
return (201);
}
WriteLogLine("b4 check size of mapfile";
// Check the size of the map file
if (dwSizeMap < 4)
{
WriteLogLine("mapfile < 4";
// Invalid map size
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (203);
}
WriteLogLine("Check for bad ptr";
if (IsBadReadPtr((VOID*)dwToTrace, 4))
{
WriteLogLine("ptr is bad";
// Bad pointer!
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (205);
}
WriteLogLine("begin tracing";
BYTE *to_trace = (BYTE*)dwToTrace;
sprintf(temp, "Byte to trace: 0x%02X", *to_trace);
WriteLogLine(temp);
// We must have a "push XXXXXXX"
if(to_trace[0] == 0x68)
{
// Get the value in the "push XXXXXXX"
DWORD value1 = *((DWORD*)(to_trace+1));
// Get the value in the xor dword ptr[xxxxxxxx], XXXXXXXX
DWORD value2 = *((DWORD*)(to_trace+8));
sprintf(temp, "value1: 0x%08X", value1);
WriteLogLine(temp);
sprintf(temp, "value2: 0x%08X", value2);
WriteLogLine(temp);
// Do the xor internally rather than executing the real code
DWORD address = value1 ^ value2;
sprintf(temp, "xor: 0x%08X", address);
WriteLogLine(temp);
// Get the value in XXXXXX and write it to the mapped file
*dwPtrOutput = *((DWORD*)address);
}
// OK
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (200);
}
As far as i can see i am setting *dwPtrOutput when i have calced the correct address to go into IAT, but ImpRec just keep saying 200 Failed!
I'm sure i've just done something braindead, but wondered if someone else out there could take a quick look over.
Thanks
--
bedrock
Here is the situation:
ImpRec shows me an unresolved entry: rva: 00533280 ptr: 00A6E000
I go look at a6e000 in softice after already attach to the correct process and i see code like this:
a6e000 push 8a5f5c6f
a6e005 xor dword ptr[esp], fdb8fbb0
a6e00c ret
so easily enough i just need to xor 8a5f5c6f with fdb8fbb0 to get 77e7a7df, which when i goto softice and do: u 77e7a7df i land at kernel32!GetCurrentThreadId <- this is what shuold go into my IAT
This is all fairly simple, i could do it by hand if there were just a couple, but my target has 300+ entries all like this, so i thought i'd create a plugin for ImpRec, loaded up the tELock src example into msdev and started hacking, ending up with this:
DLLEXPORT DWORD Trace(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace,
DWORD dwExactCall)
{
char temp[260] = {0};
DeleteLogFile();
WriteLogLine("Starting trace"
;WriteLogLine("b4 MapViewOfFile"
;// Map the view of the file
DWORD* dwPtrOutput = (DWORD*)MapViewOfFile((HANDLE)hFileMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
if (!dwPtrOutput)
{
WriteLogLine("MapViewOfFile failed"
;// Can't map view
return (201);
}
WriteLogLine("b4 check size of mapfile"
;// Check the size of the map file
if (dwSizeMap < 4)
{
WriteLogLine("mapfile < 4"
;// Invalid map size
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (203);
}
WriteLogLine("Check for bad ptr"
;if (IsBadReadPtr((VOID*)dwToTrace, 4))
{
WriteLogLine("ptr is bad"
;// Bad pointer!
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (205);
}
WriteLogLine("begin tracing"
;BYTE *to_trace = (BYTE*)dwToTrace;
sprintf(temp, "Byte to trace: 0x%02X", *to_trace);
WriteLogLine(temp);
// We must have a "push XXXXXXX"
if(to_trace[0] == 0x68)
{
// Get the value in the "push XXXXXXX"
DWORD value1 = *((DWORD*)(to_trace+1));
// Get the value in the xor dword ptr[xxxxxxxx], XXXXXXXX
DWORD value2 = *((DWORD*)(to_trace+8));
sprintf(temp, "value1: 0x%08X", value1);
WriteLogLine(temp);
sprintf(temp, "value2: 0x%08X", value2);
WriteLogLine(temp);
// Do the xor internally rather than executing the real code
DWORD address = value1 ^ value2;
sprintf(temp, "xor: 0x%08X", address);
WriteLogLine(temp);
// Get the value in XXXXXX and write it to the mapped file
*dwPtrOutput = *((DWORD*)address);
}
// OK
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return (200);
}
As far as i can see i am setting *dwPtrOutput when i have calced the correct address to go into IAT, but ImpRec just keep saying 200 Failed!
I'm sure i've just done something braindead, but wondered if someone else out there could take a quick look over.
Thanks
--
bedrock
