cracked.io | Best Forum Around | Free Premium Accounts

error while getting function ordinal from the IDT table - mapping PE - c++

by s0cialw4ste - 10 February, 2022 - 05:02 AM

This post is by a banned member (s0cialw4ste) - Unhide

s0cialw4ste

15
Posts

6
Threads

2 Years of service

OP 10 February, 2022 - 05:02 AM

I'm trying to map a PE file in memory but I got to this point where I get to a read access violation.

The error happens when reading the address of the function used from DLLs from IDT and adding them to the IAT table.

Here is the error that was thrown:

Code:
Exception thrown at 0x772D500B (ntdll.dll) in PELoader.exe: 0xC0000005: Access violation reading location 0x80000013.

Code:
for (int i = 0; import_descriptors[i].OriginalFirstThunk != 0; ++i) {

        // Get the name of the dll, and import it

        char* module_name = ImageBase + import_descriptors[i].Name;

        HMODULE import_module = LoadLibraryA(module_name);

        if (import_module == NULL) {

            return NULL;

        }

        // the lookup table points to function names or ordinals => it is the IDT

        IMAGE_THUNK_DATA* lookup_table = (IMAGE_THUNK_DATA*)(ImageBase + import_descriptors[i].OriginalFirstThunk);

        // the address table is a copy of the lookup table at first

        // but we put the addresses of the loaded function inside => that's the IAT

        IMAGE_THUNK_DATA* address_table = (IMAGE_THUNK_DATA*)(ImageBase + import_descriptors[i].FirstThunk);

    for (int i = 0; lookup_table[i].u1.AddressOfData != 0; ++i) {

            void* function_handle = NULL;

            // looping through the lookup table

            DWORD lookup_addr = lookup_table[i].u1.AddressOfData;

            if ((lookup_addr & IMAGE_ORDINAL_FLAG) == 0) {

                // This is where I import by name

                IMAGE_IMPORT_BY_NAME* image_import = (IMAGE_IMPORT_BY_NAME*)(ImageBase + lookup_addr);

                char* funct_name = (char*)&(image_import->Name);

                printf("[*] adding address of: %s\n", funct_name);

                function_handle = (void*)GetProcAddress(import_module, funct_name);

            }

            else {

                //the exception is thrown after this line is printed in the console

                printf("--------------- this one has an Ordinal------\n");

                // import by ordinal, directly

                function_handle = (void*)GetProcAddress(import_module, (LPSTR)lookup_addr);

            }

            //the exception is thrown when checking if the function_handle is != null

            if (function_handle == NULL) {return NULL;}

            // change the IAT, and put the function address inside.

            address_table[i].u1.Function = (DWORD)function_handle;

    }

}

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account Sign up for a new account in our community. It's easy! Register a new account	or	Sign in Already have an account? Sign in here. Sign in now

Forum Jump:

Users browsing this thread: 1 Guest(s)

Login
Username:
Password:	Lost Password?
	Remember me

cracked.io | Best Forum Around | Free Premium Accounts

error while getting function ordinal from the IDT table - mapping PE - c++

About Cracked.io

Navigation

Extras

Help

Account