├── .gitignore ├── LICENSE ├── README.md └── src ├── dumper.cpp ├── dumper.h ├── includes.h └── main.cpp /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Win32-IAT 2 | Small attempt at a decent Import Address Table (IAT) Dumper 3 | 4 | ## About 5 | This small program dumps the RVA of imported functions from the Win32 Library. I don't remember how young I was when I made this but yeah this is not good. I don't recommend for any real world use. 6 | 7 | -------------------------------------------------------------------------------- /src/dumper.cpp: -------------------------------------------------------------------------------- 1 | #include "dumper.h" 2 | 3 | #pragma region ProgramGlobals 4 | char m_cBreaker[] = "==============================================================\n"; 5 | 6 | DWORD DMP::Handler::Win32SetRvaToDwordOffset(IMAGE_NT_HEADERS32* m_pNtHeader, DWORD m_dwRVA) 7 | { 8 | m_pSectionHeader = IMAGE_FIRST_SECTION(m_pNtHeader); 9 | m_wSections = m_pNtHeader->FileHeader.NumberOfSections; 10 | 11 | for (m_nTotalSections = 0; m_nTotalSections < m_wSections; m_nTotalSections++) 12 | { 13 | if (m_pSectionHeader->VirtualAddress <= m_dwRVA) 14 | if ((m_pSectionHeader->VirtualAddress + m_pSectionHeader->Misc.VirtualSize) > m_dwRVA) 15 | { 16 | m_dwRVA -= m_pSectionHeader->VirtualAddress; 17 | m_dwRVA += m_pSectionHeader->PointerToRawData; 18 | 19 | return (m_dwRVA); 20 | } 21 | m_pSectionHeader++; 22 | } 23 | 24 | return 0; 25 | } 26 | 27 | BOOL DMP::Win32Dumper::Win32DumpExecutableInformation() 28 | { 29 | DMP::Handler hd; 30 | PIMAGE_DOS_HEADER m_pDosHeader; 31 | PIMAGE_NT_HEADERS m_pImageHeader; 32 | 33 | PIMAGE_DATA_DIRECTORY m_pDataDirectory; 34 | PIMAGE_IMPORT_DESCRIPTOR m_pImportDescriptor; 35 | 36 | PIMAGE_THUNK_DATA32 m_pFirstThunk; 37 | PIMAGE_THUNK_DATA32 m_pOriginalFirstThunk; 38 | 39 | PIMAGE_IMPORT_BY_NAME m_pNameImg; 40 | PIMAGE_SECTION_HEADER m_pSectionHdr; 41 | 42 | char szFileName[MAX_PATH]; 43 | std::cout << "File: "; 44 | std::cin >> szFileName; 45 | 46 | HANDLE m_hFile = CreateFile(szFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 47 | if (m_hFile == INVALID_HANDLE_VALUE) 48 | { 49 | std::cerr << "CreateFile()\n"; 50 | return FALSE; 51 | } 52 | 53 | HANDLE m_hFileMapper = CreateFileMapping(m_hFile, NULL, PAGE_READONLY, 0, 0, NULL); 54 | if (!m_hFileMapper) 55 | { 56 | std::cerr << "CreateFileMapping()\n"; 57 | return FALSE; 58 | } 59 | 60 | HANDLE m_hViewMap = MapViewOfFile(m_hFileMapper, FILE_MAP_READ, 0, 0, 0); 61 | if (!m_hViewMap) 62 | { 63 | std::cerr << "MapViewOfFile()\n"; 64 | return FALSE; 65 | } 66 | 67 | m_pDosHeader = reinterpret_cast(m_hViewMap); 68 | if (m_pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) 69 | { 70 | std::cerr << "m_pDosHeader->e_magic\n"; 71 | return FALSE; 72 | } else { 73 | std::cout << m_pDosHeader->e_magic << " (MZ-DOS) found, valid PE\nPE Header offset: 0x" << std::hex 74 | << m_pDosHeader->e_lfanew << '\n\n'; 75 | 76 | } 77 | m_pImageHeader = reinterpret_cast(reinterpret_cast(m_pDosHeader) + m_pDosHeader->e_lfanew); 78 | if (m_pImageHeader->Signature != IMAGE_NT_SIGNATURE) 79 | { 80 | std::cerr << "m_pImageHeader->Signature\n"; 81 | return FALSE; 82 | 83 | } else { 84 | std::cout << m_pImageHeader->Signature << " (PE00) signature found\n\nImageBase: 0x" 85 | << std::hex << m_pImageHeader->OptionalHeader.ImageBase << '\n'; 86 | if (m_pImageHeader->OptionalHeader.ImageBase != PE_DEFAULT_IMAGE_BASE) // 0x400000 87 | return FALSE; 88 | // CHECK THE SUBSYSTEMS(CLI, GUI) 89 | if (m_pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) 90 | std::cout << szFileName << " is CLI Based\n\n"; 91 | else if (m_pImageHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI) 92 | std::cout << szFileName << " is GUI Based\n\n"; 93 | else 94 | std::cout << szFileName << ": Unidentified\n"; 95 | } 96 | std::cout << "Address of Entry Point-> 0x" << std::hex << m_pImageHeader->OptionalHeader.AddressOfEntryPoint << '\n\n'; 97 | 98 | // GET THE ADDRESS OF THE DATA DIRECTORY OF THE FIRST IMAGE HEADER SEGMENT 99 | m_pDataDirectory = &m_pImageHeader->OptionalHeader.DataDirectory[1]; 100 | m_pImportDescriptor = reinterpret_cast(reinterpret_cast(m_pDosHeader) + hd.Win32SetRvaToDwordOffset( 101 | m_pImageHeader, m_pDataDirectory->VirtualAddress)); 102 | 103 | // HANDLE THUNK 32-BIT DATA 104 | m_pOriginalFirstThunk = reinterpret_cast(reinterpret_cast(m_pDosHeader) 105 | + hd.Win32SetRvaToDwordOffset(m_pImageHeader, m_pImportDescriptor->OriginalFirstThunk)); 106 | 107 | m_pSectionHdr = IMAGE_FIRST_SECTION(m_pImageHeader); 108 | // DUMP/OPT THE ENTRY POINT 109 | std::cout << "\nIAT Entrypoint: 0x" << std::hex << (m_pDataDirectory - m_pSectionHdr->VirtualAddress) 110 | + m_pSectionHdr->PointerToRawData << '\n'; 111 | std::cout << m_cBreaker; 112 | 113 | while (m_pImportDescriptor->OriginalFirstThunk != 0x00 && !m_isIATFound) 114 | { 115 | m_dwName = reinterpret_cast(reinterpret_cast(m_lpMap) + hd.Win32SetRvaToDwordOffset(m_pImageHeader, m_pImportDescriptor->Name)); 116 | m_pOriginalFirstThunk = reinterpret_cast(reinterpret_cast(m_pDosHeader) + hd.Win32SetRvaToDwordOffset( 117 | m_pImageHeader, m_pImportDescriptor->OriginalFirstThunk)); 118 | 119 | m_pFirstThunk = reinterpret_cast(reinterpret_cast(m_pDosHeader) + hd.Win32SetRvaToDwordOffset(m_pImageHeader, 120 | m_pImportDescriptor->FirstThunk)); 121 | 122 | while (m_pOriginalFirstThunk->u1.AddressOfData != 0x00 && !m_isIATFound) 123 | { 124 | m_pNameImg = reinterpret_cast(reinterpret_cast(m_pDosHeader) + hd.Win32SetRvaToDwordOffset(m_pImageHeader, 125 | m_pOriginalFirstThunk->u1.AddressOfData)); 126 | m_dwTest = (DWORD)m_pOriginalFirstThunk->u1.Function & (DWORD)IMAGE_ORDINAL_FLAG32; 127 | // OUTPUT THE IAT FUNCTIONS 128 | std::cout << "\nAddr: 0x" << std::hex << m_pOriginalFirstThunk->u1.Function << " (0x" << std::hex << 129 | m_pFirstThunk->u1.AddressOfData << ")" << "- Name: " << (const char *)m_pNameImg->Name << '\n'; 130 | 131 | /* 132 | if (m_dwTest == 0) 133 | if (strcmp("IsDebuggerPresent", (const char *)m_pNameImg->Name) == 0) 134 | { 135 | m_lpdwAddr = reinterpret_cast(m_pFirstThunk->u1.Function); 136 | 137 | m_isIATFound = TRUE; 138 | } 139 | */ 140 | m_pOriginalFirstThunk++; 141 | m_pFirstThunk++; 142 | } 143 | m_pImportDescriptor++; 144 | } 145 | 146 | CloseHandle(m_hFile); 147 | 148 | return 0; 149 | 150 | } 151 | -------------------------------------------------------------------------------- /src/dumper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef __DUMPER_H 3 | #define __DUMPER_H 4 | 5 | #include "includes.h" 6 | 7 | #define PE_DEFAULT_IMAGE_BASE 0x400000 8 | 9 | namespace DMP { 10 | 11 | class Handler { // offset handler (RVA -> DWORD value) 12 | 13 | private: 14 | int m_nTotalSections; 15 | WORD m_wSections; 16 | PIMAGE_SECTION_HEADER m_pSectionHeader; 17 | 18 | public: 19 | DWORD Win32SetRvaToDwordOffset(IMAGE_NT_HEADERS32* m_pNtHeader, DWORD m_dwRVA); 20 | }; 21 | 22 | class Win32Dumper { 23 | 24 | private: 25 | DWORD* m_lpdwAddr; 26 | DWORD m_dwName, m_dwTest; 27 | BOOL m_isIATFound = FALSE; 28 | LPVOID m_lpMap; 29 | 30 | public: 31 | BOOL Win32DumpExecutableInformation(); 32 | }; 33 | 34 | 35 | 36 | } 37 | 38 | 39 | #endif 40 | -------------------------------------------------------------------------------- /src/includes.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef __INCLUDES_H 3 | #define __INCLUDES_H 4 | #define _CRT_SECURE_NO_WARNINGS 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | 13 | #endif -------------------------------------------------------------------------------- /src/main.cpp: -------------------------------------------------------------------------------- 1 | #include "dumper.h" 2 | 3 | int main() 4 | { 5 | DMP::Win32Dumper dmp32; 6 | 7 | dmp32.Win32DumpExecutableInformation(); 8 | 9 | system("PAUSE"); 10 | 11 | return 0x00; 12 | } --------------------------------------------------------------------------------