by opc0de » 02 Mar 2011, 19:16
- program iat;
-
- uses Windows,classes,Dialogs,SysUtils;
-
- {$APPTYPE CONSOLE}
- type
- PImageImportDescriptor = ^TImageImportDescriptor;
- TImageImportDescriptor = packed record
- OriginalFirstThunk: DWORD;
- TimeDateStamp: DWORD;
- ForwarderChain: DWORD;
- Name: DWORD;
- FirstThunk: DWORD;
- end;
-
- type
- PImportByName = ^TImportByName;
- TImportByName = packed record
- Hint:Word;
- Name:array[0..255] of char;
- end;
-
- PImageThunkData = ^TImageThunkData;
- TImageThunkData = record
- case Integer of
- 0: (ForwarderString: PByte);
- 1: (Function_: PDWORD);
- 2: (Ordinal: ULONG);
- 3: (AddressOfData: PImportByName);
- end;
-
- var
- module:array of byte;
- FS:TFileStream;
- i:Integer;
- dwIatPos,modul,dwStart,dwFunc:DWORD;
- IDH:TImageDosHeader;
- INH:TImageNtHeaders;
- ISH:PImageSectionHeader;
- IIT:PImageImportDescriptor;
- IBN:TImportByName;
- ITD:PImageThunkData;
-
-
-
-
- function RVAToOffset(dwRVA:DWORD; dwVA:DWORD; dwRaw:DWORD):DWORD;
- begin
- Result := dwRVA - dwVA + dwRaw;
- end;
-
- begin
-
- FS:=TFIleStream.Create(paramstr(1),fmOpenRead);
- if Assigned(FS) then
- begin
- SetLength(module,FS.size+1);
- FS.ReadBuffer(module[0],fs.size);
- FS.Free;
- end
- else WriteLn('Error mapping file');
-
- CopyMemory(@IDH,@module[0],Sizeof(IDH));
- CopyMemory(@INH,@module[IDH._lfanew],Sizeof(INH));
- for i := 0 to INH.FileHeader.NumberOfSections - 1 do
- begin
- ISH := @module[IDH._lfanew + 248 + i * 40];
- if (INH.OptionalHeader.DataDirectory[1].VirtualAddress >= ISH^.VirtualAddress) and (INH.OptionalHeader.DataDirectory[1].VirtualAddress < (ISH^.VirtualAddress + ISH.Misc.VirtualSize)) then
- begin
- dwIATPos := RVAToOffset(INH.OptionalHeader.DataDirectory[1].VirtualAddress, ISH^.VirtualAddress, ISH^.PointerToRawData);
- Break;
- end;
- end;
- if dwIATPos>0 then
- begin
- IIT:=@module[dwIATPos];
- repeat
- modul:=IIT^.Name;
- modul:=RVAToOffset(modul,ISH^.VirtualAddress,ISH^.PointerToRawData);
- WriteLn(Pchar(@module[modul]));
- if IIT^.OriginalFirstThunk>0 then
- dwStart:=RVAToOffset(IIT^.OriginalFirstThunk,ISH.VirtualAddress,ISH.PointerToRawData)
- else
- dwStart:=RVAToOffset(IIT^.FirstThunk,ISH.VirtualAddress,ISH.PointerToRawData);
- dwFunc:=dwStart;
- ITD:=@module[dwFunc];
- Readln;
- repeat
- dwStart:=DWORD(ITD^.addressofdata);
- dwStart:=RVAToOffset(dwStart,ISH.VirtualAddress,ISH.PointerToRawData);
- CopyMemory(@IBN,@module[dwStart],SizeOf(IBN));
- WriteLn(IBN.Name);
- Inc(dwFunc,Sizeof(ITD));
- ITD:=@module[dwFunc];
- until DWORD(ITD^.AddressOfData)=0;
- Inc(dwIATPos,Sizeof(TImageImportDescriptor));
- IIT:=@module[dwIATPos+sizeof(TImageSectionHeader)];
- until IIT^.Name=0;
- ReadLn;
- end;
- end.
1p / 1 votes
Welcome to BitCell. Click here to register !
