displaying the IAT list with an injected dll

On lunes, 22 de noviembre de 2010 0 comentarios

displaying the IAT list with an injected dll

Basically I want to write out to a file the whole IAT list of the process I inject into, so the code is like this:

Code:
#include"stdafx.h"#include#include#include
#includestd::ofstream myfile;
#pragmacomment(lib,"Dbghelp.lib")
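// Forward declarations. In the original listing the GetIAT() prototype had been
// swallowed into a commented-out #include line, leaving GetIAT() undeclared at
// the point where DllMain calls it.
void GetIAT();
void handle_imports(BYTE* image_base, PIMAGE_IMPORT_DESCRIPTOR imp_desc);

// Console output used by GetIAT(): handle from GetStdHandle, byte count filled
// in by WriteConsole, and a small scratch buffer. Only bounded formats (%p)
// may be sprintf'd into ConsoleBuffer; it is 64 bytes and not safe for
// arbitrary-length strings such as import names.
HANDLE Console;
DWORD Written;
char ConsoleBuffer[64];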
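// DLL entry point. On DLL_PROCESS_ATTACH it dumps the host's import table once
// via GetIAT(); thread attach/detach and process detach do nothing.
// Note: GetIAT() opens a file, allocates a console and shows message boxes, all
// from inside DllMain, which the Windows loader invokes while holding the loader
// lock (see the DllMain documentation). Keep this the only work done here.
// hModule and lpReserved are unused.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        GetIAT();
        break;   // explicit: the original fell through into the no-op cases below
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}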
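// Locates the import directory of the host executable (the module returned by
// GetModuleHandleA(NULL), i.e. the process image, not this DLL) and hands its
// first IMAGE_IMPORT_DESCRIPTOR to handle_imports(), which writes the listing
// to the global ofstream `myfile`. Also prints the image base to the console.
//
// Compared with the original: validates the DOS and NT signatures before
// dereferencing through e_lfanew, refuses to walk an image that has no import
// directory (the original then passed image_base + 0 — the DOS header — to
// handle_imports as if it were a descriptor array), and closes the stream so
// buffered output reaches the file instead of waiting for stream destruction.
void GetIAT()
{
    AllocConsole();
    BYTE* image_base = (BYTE*)GetModuleHandleA(NULL);

    myfile.open("c:\\users\\Anddos\\Desktop\\iat-dll.txt");
    if(!myfile.is_open())
    {
        MessageBox(NULL,"Failed to Make File","",0);
    }
    else{
        MessageBox(NULL,"Created File","",0);
    }

    Console = GetStdHandle(STD_OUTPUT_HANDLE);
    // A single %p never exceeds the 64-byte ConsoleBuffer, so sprintf is bounded here.
    sprintf(ConsoleBuffer,"%p\n",image_base);
    WriteConsole(Console,ConsoleBuffer,strlen(ConsoleBuffer),&Written,0);

    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_base;
    if (image_base == NULL || dos_header->e_magic != IMAGE_DOS_SIGNATURE)
    {
        myfile << "not a PE image: bad DOS signature\n";
        myfile.close();
        return;
    }

    PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base + dos_header->e_lfanew);
    if (nt_header->Signature != IMAGE_NT_SIGNATURE)
    {
        myfile << "not a PE image: bad NT signature\n";
        myfile.close();
        return;
    }

    const IMAGE_DATA_DIRECTORY& import_dir =
        nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (import_dir.VirtualAddress == 0 || import_dir.Size == 0)
    {
        // Nothing to walk; say so explicitly rather than leaving an empty file.
        myfile << "no import directory\n";
        myfile.close();
        return;
    }

    PIMAGE_IMPORT_DESCRIPTOR imp_desc =
        (PIMAGE_IMPORT_DESCRIPTOR)(image_base + import_dir.VirtualAddress);
    handle_imports(image_base, imp_desc);

    myfile.close();
}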
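// Writes the import table to the global ofstream `myfile`: an "imports:" header,
// then one line " * <dll>" per imported module and one line "\t<name> (<addr>)"
// per imported function, where <addr> is the resolved entry from the IAT.
//
// image_base: base address of the mapped PE image the RVAs are relative to.
// imp_desc:   pointer to the first IMAGE_IMPORT_DESCRIPTOR; the array ends with
//             an all-zero descriptor.
//
// Fixes relative to the original listing:
//  - names are streamed directly instead of being sprintf'd into the 64-byte
//    global ConsoleBuffer, which overflowed on any DLL or function name longer
//    than the buffer;
//  - ordinal imports (IMAGE_SNAP_BY_ORDINAL set in the thunk) are reported as
//    "ordinal#N" instead of being dereferenced as an IMAGE_IMPORT_BY_NAME RVA,
//    which read from a bogus address;
//  - a descriptor whose OriginalFirstThunk is zero falls back to FirstThunk;
//  - the stream is flushed after each module so partial output survives if a
//    later entry faults.
void handle_imports(BYTE* image_base, PIMAGE_IMPORT_DESCRIPTOR imp_desc)
{
    if (!imp_desc || !image_base)
        return;

    myfile << "imports:\n";

    // The terminating descriptor is all zeros, so Name == 0 ends the walk.
    for (int i = 0; imp_desc[i].Name != 0; i++)
    {
        myfile << " * " << (const char*)(image_base + imp_desc[i].Name) << '\n';

        // OriginalFirstThunk (import name table) keeps the name/ordinal entries;
        // FirstThunk (the IAT proper) holds the addresses filled in by the loader.
        // Some linkers emit no name table, leaving only FirstThunk.
        DWORD name_table_rva = imp_desc[i].OriginalFirstThunk
                             ? imp_desc[i].OriginalFirstThunk
                             : imp_desc[i].FirstThunk;
        PIMAGE_THUNK_DATA name_thunk = (PIMAGE_THUNK_DATA)(image_base + name_table_rva);
        PIMAGE_THUNK_DATA addr_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].FirstThunk);

        // u1 is a union: AddressOfData / Function / Ordinal are the same word,
        // and a zero entry terminates the table.
        for (int j = 0; name_thunk[j].u1.AddressOfData != 0; j++)
        {
            // Bounded: the format fixes the length, so a small local buffer suffices.
            // %08llx keeps the original 8-digit layout on 32-bit and does not
            // truncate on 64-bit.
            char addr[32];
            sprintf(addr, "%08llx", (unsigned long long)addr_thunk[j].u1.Function);

            if (IMAGE_SNAP_BY_ORDINAL(name_thunk[j].u1.Ordinal))
            {
                // Imported by ordinal: there is no IMAGE_IMPORT_BY_NAME to follow.
                myfile << "\tordinal#" << IMAGE_ORDINAL(name_thunk[j].u1.Ordinal)
                       << " (" << addr << ")\n";
            }
            else
            {
                PIMAGE_IMPORT_BY_NAME by_name =
                    (PIMAGE_IMPORT_BY_NAME)(image_base + name_thunk[j].u1.AddressOfData);
                myfile << '\t' << (const char*)by_name->Name << " (" << addr << ")\n";
            }
        }

        myfile.flush();
    }
}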
But the problem is that when I inject into popular games no list is displayed, whereas if I inject into my own compiled programs I see the list fine. Here is an example of the list it produces:


imports:
* USER32.dll
LoadCursorA (751bd75b)
RegisterClassExA (751bdd6d)
CreateWindowExA (751ba5e6)
ShowWindow (751c0dbe)
PeekMessageA (751ded58)
TranslateMessage (751b7d79)
DispatchMessageA (751b8103)
GetAsyncKeyState (751c4858)
PostMessageA (751c3cbf)
PostQuitMessage (751c3927)
DefWindowProcA (76ef2893)
* WINMM.dll
timeGetTime (72b926f0)
* d3d9.dll
Direct3DCreate9 (73ec2236)
* d3dx9_41.dll
D3DXCreateFontA (7055ba18)
D3DXMatrixLookAtLH (705739d2)
D3DXMatrixPerspectiveFovLH (70573cbd)
D3DXMatrixRotationY (705731f9)
D3DXCreateTeapot (705f9c17)
D3DXCreateBox (705f962b)
D3DXLoadMeshFromXA (705b8abe)
D3DXCreateTextureFromFileA (7060190d)
* MSVCR90.dll
_exit (72fb2470)
_controlfp_s (7300a5e2)
_invoke_watson (72ffc7b3)
_except_handler4_common (730014d0)
_decode_pointer (72fb3607)
_onexit (72ffcada)
_lock (72fb2efa)
__dllonexit (72ffcb37)
_unlock (72fb2e16)
?terminate@@YAXXZ (72febb14)
_crt_debugger_hook (730012e1)
__set_app_type (72fb1be0)
_encode_pointer (72fb3582)
__p__fmode (72fb2ace)
__p__commode (72fb2a99)
_adjust_fdiv (7302c618)
__setusermatherr (72fb1bff)
_configthreadlocale (72ffdbd1)
_initterm_e (72fb2211)
??2@YAPAXI@Z (72ff3b39)
_amsg_exit (72fb2157)
__getmainargs (72fb2793)
_cexit (72fb248b)
memset (72fcb320)
_XcptFilter (72ffcc08)
_ismbblead (72fd0180)
exit (72fb2455)
_acmdln (7302ba2c)
_initterm (72fb21ee)
* KERNEL32.dll
SetUnhandledExceptionFilter (7685d03c)
GetSystemTimeAsFileTime (76851ef4)
GetCurrentProcessId (768511d8)
GetCurrentThreadId (76851450)
GetTickCount (768510fc)
QueryPerformanceCounter (7685166b)
IsDebuggerPresent (76854cf8)
InterlockedExchange (76851462)
UnhandledExceptionFilter (76879775)
GetCurrentProcess (76851568)
TerminateProcess (76869dd9)
GetStartupInfoA (76850df0)
InterlockedCompareExchange (768514a7)
Sleep (768510ef)


This is from one of my own compiled D3D apps. So why do I not get the same kind of list from a popular game? Are they protected?
