OP 10 February, 2022 - 05:02 AM
I'm trying to map a PE file in memory but I got to this point where I get to a read access violation.
The error happens when reading the address of the function used from DLLs from IDT and adding them to the IAT table.
Here is the error that was thrown:
The error happens when reading the address of the function used from DLLs from IDT and adding them to the IAT table.
Here is the error that was thrown:
Code:
Exception thrown at 0x772D500B (ntdll.dll) in PELoader.exe: 0xC0000005: Access violation reading location 0x80000013.
Code:
for (int i = 0; import_descriptors[i].OriginalFirstThunk != 0; ++i) {
// Get the name of the dll, and import it
char* module_name = ImageBase + import_descriptors[i].Name;
HMODULE import_module = LoadLibraryA(module_name);
if (import_module == NULL) {
return NULL;
}
// the lookup table points to function names or ordinals => it is the IDT
IMAGE_THUNK_DATA* lookup_table = (IMAGE_THUNK_DATA*)(ImageBase + import_descriptors[i].OriginalFirstThunk);
// the address table is a copy of the lookup table at first
// but we put the addresses of the loaded function inside => that's the IAT
IMAGE_THUNK_DATA* address_table = (IMAGE_THUNK_DATA*)(ImageBase + import_descriptors[i].FirstThunk);
for (int i = 0; lookup_table[i].u1.AddressOfData != 0; ++i) {
void* function_handle = NULL;
// looping through the lookup table
DWORD lookup_addr = lookup_table[i].u1.AddressOfData;
if ((lookup_addr & IMAGE_ORDINAL_FLAG) == 0) {
// This is where I import by name
IMAGE_IMPORT_BY_NAME* image_import = (IMAGE_IMPORT_BY_NAME*)(ImageBase + lookup_addr);
char* funct_name = (char*)&(image_import->Name);
printf("[*] adding address of: %s\n", funct_name);
function_handle = (void*)GetProcAddress(import_module, funct_name);
}
else {
//the exception is thrown after this line is printed in the console
printf("--------------- this one has an Ordinal------\n");
// import by ordinal, directly
function_handle = (void*)GetProcAddress(import_module, (LPSTR)lookup_addr);
}
//the exception is thrown when checking if the function_handle is != null
if (function_handle == NULL) {return NULL;}
// change the IAT, and put the function address inside.
address_table[i].u1.Function = (DWORD)function_handle;
}
}