mrexodia · January 16, 2025 06:10 · Feb 26, 2016 · Feb 25, 2016 · Feb 24, 2016 · Feb 24, 2016
diff --git a/ImportParser.cpp b/ImportParser.cpp
@@ -50,32 +50,43 @@ int main(int argc, char* argv[])
         return gtfo("No Import directory!");
 
     auto importDescriptor = PIMAGE_IMPORT_DESCRIPTOR(ULONG_PTR(fileMap) + importDir.VirtualAddress);
-
-    for (; importDescriptor->OriginalFirstThunk; importDescriptor++)
+    if (!IsBadReadPtr((char*)fileMap + importDir.VirtualAddress, 0x1000))
     {
-        printf("OriginalFirstThunk: %08X\n", importDescriptor->OriginalFirstThunk);
-        printf("     TimeDateStamp: %08X\n", importDescriptor->TimeDateStamp);
-        printf("    ForwarderChain: %08X\n", importDescriptor->ForwarderChain);
-        printf("              Name: %08X \"%s\"\n", importDescriptor->Name, (char*)fileMap + importDescriptor->Name);
-        printf("        FirstThunk: %08X\n", importDescriptor->FirstThunk);
-
-        auto thunkData = PIMAGE_THUNK_DATA(ULONG_PTR(fileMap) + importDescriptor->OriginalFirstThunk);
-        for (; thunkData->u1.Function; thunkData++)
+        for (; importDescriptor->FirstThunk; importDescriptor++)
         {
-            auto data = thunkData->u1.Function;
-            if (data & IMAGE_ORDINAL_FLAG)
-                printf("              Ordinal: %08X\n", data & ~IMAGE_ORDINAL_FLAG);
-            else if (data >= importDir.VirtualAddress && data < importDir.VirtualAddress + importDir.Size)
-                printf("      ForwarderString: %08X \"%s\"\n", data, (char*)fileMap + data);
+            printf("OriginalFirstThunk: %08X\n", importDescriptor->OriginalFirstThunk);
+            printf("     TimeDateStamp: %08X\n", importDescriptor->TimeDateStamp);
+            printf("    ForwarderChain: %08X\n", importDescriptor->ForwarderChain);
+            if (!IsBadReadPtr((char*)fileMap + importDescriptor->Name, 0x1000))
+                printf("              Name: %08X \"%s\"\n", importDescriptor->Name, (char*)fileMap + importDescriptor->Name);
             else
+                printf("              Name: %08X INVALID\n", importDescriptor->Name);
+            printf("              Name: %08X\n", importDescriptor->Name);
+            printf("        FirstThunk: %08X\n", importDescriptor->FirstThunk);
+
+            auto thunkData = PIMAGE_THUNK_DATA(ULONG_PTR(fileMap) + importDescriptor->FirstThunk);
+            for (; thunkData->u1.AddressOfData; thunkData++)
             {
-                auto importByName = PIMAGE_IMPORT_BY_NAME(ULONG_PTR(fileMap) + data);
-                printf("             Function: %08X \"%s\"\n", data, importByName->Name);
+                auto rva = ULONG_PTR(thunkData) - ULONG_PTR(fileMap);
+
+                auto data = thunkData->u1.AddressOfData;
+                if (data & IMAGE_ORDINAL_FLAG)
+                    printf("              Ordinal: %08X\n", data & ~IMAGE_ORDINAL_FLAG);
+                else
+                {
+                    auto importByName = PIMAGE_IMPORT_BY_NAME(ULONG_PTR(fileMap) + data);
+                    if (!IsBadReadPtr(importByName, 0x1000))
+                        printf("             Function: %08X \"%s\"\n", data, (char*)importByName->Name);
+                    else
+                        printf("             Function: %08X INVALID\n", data);
+                }
             }
-        }
 
-        puts("");
+            puts("");
+        }
     }
+    else
+        puts("INVALID IMPORT DESCRIPTOR");
 
     return 0;
 }
diff --git a/ImportParser.cpp b/ImportParser.cpp
@@ -46,6 +46,9 @@ int main(int argc, char* argv[])
     printf(" RVA: %08X\n", importDir.VirtualAddress);
     printf("Size: %08X\n\n", importDir.Size);
 
+    if (!importDir.VirtualAddress || !importDir.Size)
+        return gtfo("No Import directory!");
+
     auto importDescriptor = PIMAGE_IMPORT_DESCRIPTOR(ULONG_PTR(fileMap) + importDir.VirtualAddress);
 
     for (; importDescriptor->OriginalFirstThunk; importDescriptor++)
@@ -60,8 +63,8 @@ int main(int argc, char* argv[])
         for (; thunkData->u1.Function; thunkData++)
         {
             auto data = thunkData->u1.Function;
-            if (data & IMAGE_ORDINAL_FLAG32)
-                printf("              Ordinal: %08X\n", data);
+            if (data & IMAGE_ORDINAL_FLAG)
+                printf("              Ordinal: %08X\n", data & ~IMAGE_ORDINAL_FLAG);
             else if (data >= importDir.VirtualAddress && data < importDir.VirtualAddress + importDir.Size)
                 printf("      ForwarderString: %08X \"%s\"\n", data, (char*)fileMap + data);
             else

diff --git a/ImportParser.cpp b/ImportParser.cpp
@@ -18,7 +18,7 @@ int main(int argc, char* argv[])
         return gtfo("CreateFile");
 
     //map the file
-    auto hMappedFile = CreateFileMappingA(hFile, nullptr, PAGE_READONLY | SEC_IMAGE_NO_EXECUTE, 0, 0, nullptr);
+    auto hMappedFile = CreateFileMappingA(hFile, nullptr, PAGE_READONLY | SEC_IMAGE, 0, 0, nullptr);
     if (!hMappedFile)
         return gtfo("CreateFileMappingA");
 

diff --git a/ImportParser.cpp b/ImportParser.cpp
@@ -0,0 +1,78 @@
+#include <windows.h>
+#include <stdio.h>
+
+int gtfo(const char* text = "")
+{
+    printf("gtfo! (%s)\n", text);
+    return -1;
+}
+
+int main(int argc, char* argv[])
+{
+    if (argc < 2)
+        return gtfo("argc");
+
+    //read the file
+    auto hFile = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
+    if (hFile == INVALID_HANDLE_VALUE)
+        return gtfo("CreateFile");
+
+    //map the file
+    auto hMappedFile = CreateFileMappingA(hFile, nullptr, PAGE_READONLY | SEC_IMAGE_NO_EXECUTE, 0, 0, nullptr);
+    if (!hMappedFile)
+        return gtfo("CreateFileMappingA");
+
+    //map the sections appropriately
+    auto fileMap = MapViewOfFile(hMappedFile, FILE_MAP_READ, 0, 0, 0);
+    if (!fileMap)
+        return gtfo("MapViewOfFile");
+
+    auto pidh = PIMAGE_DOS_HEADER(fileMap);
+    if (pidh->e_magic != IMAGE_DOS_SIGNATURE)
+        return gtfo("IMAGE_DOS_SIGNATURE");
+
+    auto pnth = PIMAGE_NT_HEADERS(ULONG_PTR(fileMap) + pidh->e_lfanew);
+    if (pnth->Signature != IMAGE_NT_SIGNATURE)
+        return gtfo("IMAGE_NT_SIGNATURE");
+
+    if (pnth->FileHeader.Machine != IMAGE_FILE_MACHINE_I386)
+        return gtfo("IMAGE_FILE_MACHINE_I386");
+
+    if (pnth->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
+        return gtfo("IMAGE_NT_OPTIONAL_HDR_MAGIC");
+
+    auto importDir = pnth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+    puts("Import Directory");
+    printf(" RVA: %08X\n", importDir.VirtualAddress);
+    printf("Size: %08X\n\n", importDir.Size);
+
+    auto importDescriptor = PIMAGE_IMPORT_DESCRIPTOR(ULONG_PTR(fileMap) + importDir.VirtualAddress);
+
+    for (; importDescriptor->OriginalFirstThunk; importDescriptor++)
+    {
+        printf("OriginalFirstThunk: %08X\n", importDescriptor->OriginalFirstThunk);
+        printf("     TimeDateStamp: %08X\n", importDescriptor->TimeDateStamp);
+        printf("    ForwarderChain: %08X\n", importDescriptor->ForwarderChain);
+        printf("              Name: %08X \"%s\"\n", importDescriptor->Name, (char*)fileMap + importDescriptor->Name);
+        printf("        FirstThunk: %08X\n", importDescriptor->FirstThunk);
+
+        auto thunkData = PIMAGE_THUNK_DATA(ULONG_PTR(fileMap) + importDescriptor->OriginalFirstThunk);
+        for (; thunkData->u1.Function; thunkData++)
+        {
+            auto data = thunkData->u1.Function;
+            if (data & IMAGE_ORDINAL_FLAG32)
+                printf("              Ordinal: %08X\n", data);
+            else if (data >= importDir.VirtualAddress && data < importDir.VirtualAddress + importDir.Size)
+                printf("      ForwarderString: %08X \"%s\"\n", data, (char*)fileMap + data);
+            else
+            {
+                auto importByName = PIMAGE_IMPORT_BY_NAME(ULONG_PTR(fileMap) + data);
+                printf("             Function: %08X \"%s\"\n", data, importByName->Name);
+            }
+        }
+
+        puts("");
+    }
+
+    return 0;
+}
No results found