Pues traigo un programa que busca X funcion en X libreria en su propia Import Address Table. No hay mucha explicacion. Esta bastante chapucero solo queria que pudieran ver un codigo sencillo que haga esto ya que yo no encontre nada estos dias.
#include <string.h>
#include <stdio.h>
#include <windows.h>
int main()
{
const char libreria[]="KERNEL32.dll";
const char funcion[]="ExitProcess";
DWORD image_base=(DWORD)GetModuleHandleA(0);
PIMAGE_DOS_HEADER DOS;
PIMAGE_NT_HEADERS NT;
PIMAGE_IMPORT_DESCRIPTOR IT;
PIMAGE_IMPORT_BY_NAME *IMPORTED_FUNCTIONS;
PIMAGE_THUNK_DATA Funcion;
DWORD *IMPORTED_DLL_NAME;
DWORD *IMPORTED_FUNCTION_NAME;
unsigned int i=0;
DOS=(PIMAGE_DOS_HEADER)image_base;
NT=(PIMAGE_NT_HEADERS)(DOS->e_lfanew + image_base);
IT=(PIMAGE_IMPORT_DESCRIPTOR)(NT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + image_base);
IMPORTED_DLL_NAME=(DWORD *)(IT->Name + image_base);
while( (IT->Name) != 0 )
{
IMPORTED_DLL_NAME=(DWORD *)(IT->Name + image_base);
if(!strcmp((char *)IMPORTED_DLL_NAME
, libreria
)) {
printf("%s\n", (char *)IMPORTED_DLL_NAME
); break;
}
IT++;
}
IMPORTED_FUNCTIONS=(PIMAGE_IMPORT_BY_NAME *)(IT->Characteristics + image_base);
for(i=0;;i++)
{
IMPORTED_FUNCTION_NAME=(DWORD *)((*IMPORTED_FUNCTIONS)->Name + image_base);
if(((*IMPORTED_FUNCTIONS
)!=0) && (!strcmp((char *)IMPORTED_FUNCTION_NAME
, funcion
))) {
printf("\t%s\n", (char *)IMPORTED_FUNCTION_NAME
); break;
}
IMPORTED_FUNCTIONS++;
}
Funcion=(PIMAGE_THUNK_DATA)(IT->FirstThunk + image_base);
Funcion+=i;
printf("\t\tDireccion funcion: %p \t Addr en IT: %p\n", *Funcion
, Funcion
); return 0;
}
Sa1uDoS