Aqui les traigo esta funcion que ahorra espacio cuando usas muchas importaciones y a parte, sirve para ocultar lo que importas al no quedar rastro visible de las cadenas de las apis
GetProcAddressByHash.c
FARPROC WINAPI GetProcAddressByHash(HINSTANCE hModule,ulong hash){
register PIMAGE_NT_HEADERS PE;
register FARPROC proc = null;
register PIMAGE_EXPORT_DIRECTORY ExpDir = null;
register char** ExportNames = null;
//Comprovamos la marca de DOS
if(*((ushort*)hModule)==IMAGE_DOS_SIGNATURE){
//localizamos la cabecera PE
PE = (PIMAGE_NT_HEADERS)(((IMAGE_DOS_HEADER*)hModule)->e_lfanew+(ulong)hModule);
//Compruebo la firma de PE y que halla tabla de importaciones
if(PE->Signature == IMAGE_NT_SIGNATURE
&& PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size){
//Localizo el directorio de exportaciones
ExpDir = (PIMAGE_EXPORT_DIRECTORY)(PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
.VirtualAddress+(ulong)hModule);
#ifdef DEBUG
DebugPrintf("GPA","ExpDir = %p,EXPORT_DIRECTORY = %x",ExpDir,PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
.VirtualAddress);
#endif
//Localizo los nombres de simbolos exportados y busco la funcion
ExportNames = (char**)(ExpDir->AddressOfNames+(ulong)hModule);
register int i;
for(i = 0;ExportNames[i];i++){
//Comparo los hash para buscar la funcion
if(fnv32(ExportNames[i]+(ulong)hModule) == hash){
ulong* funtionRVAs = (ulong*)(ExpDir->AddressOfFunctions+(ulong)hModule);
ushort* ordinalRVAs = (ushort*)(ExpDir->AddressOfNameOrdinals+(ulong)hModule);
//Calculamos la direccion de la funcion
proc = (FARPROC)(funtionRVAs[ordinalRVAs[i]] +(ulong)hModule);
break;
}
}
}
}
return proc;
}
fnv.c
#define FNV_PRIME_32 16777619
#define FNV_OFFSET_32 2166136261U
ulong fnv32(register const char *s){
register ulong hash = FNV_OFFSET_32;
while(*s)
hash = (hash ^ (*(s++)))*FNV_PRIME_32;
return hash;
}
This site uses cookies own and third. If you continue to browse consider to accept the use of cookies.