libmem
PE symbols enumeration procedure improper
https://github.com/rdbo/libmem/blob/fa4d3552c9d6d4d7044044e2d9ae996e0f165eb6/src/win/symbol.c
...
export_names = (DWORD *)(modbase + pexportdir->AddressOfNames);
export_funcs = (DWORD *)(modbase + pexportdir->AddressOfFunctions);
for (i = 0; i < pexportdir->NumberOfNames && i < pexportdir->NumberOfFunctions; ++i) {
symbol.name = (lm_string_t)(modbase + export_names[i]);
symbol.address = (lm_address_t)(module->base + export_funcs[i]);
...
When I try to hook an ntdll.dll function, it fails to find the right address. It seems like LM_EnumSymbols does not handle the exportdir->AddressOfNameOrdinals field.
I believe it should be changed to this:
...
export_names = (DWORD *)(modbase + pexportdir->AddressOfNames);
export_funcs = (DWORD *)(modbase + pexportdir->AddressOfFunctions);
export_ordinals = (WORD *)(modbase + pexportdir->AddressOfNameOrdinals); /* name index -> function-table index */
for (i = 0; i < pexportdir->NumberOfNames && i < pexportdir->NumberOfFunctions; ++i) {
symbol.name = (lm_string_t)(modbase + export_names[i]);
symbol.address = (lm_address_t)(module->base + export_funcs[export_ordinals[i]]);
...
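To show why the ordinal table matters, here is an added, self-contained example (not libmem's code) that builds a constructed in-memory export directory whose name table is sorted differently from its function table, then resolves a name both the reported way and through AddressOfNameOrdinals. The struct, layout offsets and export names are all made up for the example; the out-of-range ordinal check is the guard a resolver should keep for malformed images.

```c
#include <stdint.h>
#include <string.h>

/* Mirrors IMAGE_EXPORT_DIRECTORY (winnt.h) so the example compiles without windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* Constructed module image (not a real DLL): export directory at RVA 0, tables and
 * strings behind it. Function table: [0]=NtClose 0x1000, [1]=NtOpenFile 0x2000,
 * [2]=NtCreateFile 0x3000. The name table is lexically sorted, as the linker emits
 * it, so its order (NtClose, NtCreateFile, NtOpenFile) differs from the function table. */
static _Alignas(8) uint8_t image[0xA0];

static void build_image(void) {
    export_dir_t *ed = (export_dir_t *)image;
    uint32_t *funcs = (uint32_t *)(image + 0x40);
    uint32_t *names = (uint32_t *)(image + 0x50);
    uint16_t *ords  = (uint16_t *)(image + 0x60);
    memset(image, 0, sizeof image);
    ed->Base = 1; ed->NumberOfFunctions = 3; ed->NumberOfNames = 3;
    ed->AddressOfFunctions = 0x40; ed->AddressOfNames = 0x50; ed->AddressOfNameOrdinals = 0x60;
    funcs[0] = 0x1000; funcs[1] = 0x2000; funcs[2] = 0x3000;
    strcpy((char *)image + 0x70, "NtClose");
    strcpy((char *)image + 0x80, "NtCreateFile");
    strcpy((char *)image + 0x90, "NtOpenFile");
    names[0] = 0x70; names[1] = 0x80; names[2] = 0x90;
    ords[0] = 0; ords[1] = 2; ords[2] = 1;  /* name i -> function-table index */
}

/* Resolve an export name to its RVA (0 if absent). use_ordinals=0 reproduces the
 * reported bug (indexing the function table with the name index); use_ordinals=1 is the fix. */
uint32_t export_rva(const char *want, int use_ordinals) {
    build_image();
    const export_dir_t *ed = (const export_dir_t *)image;
    const uint32_t *funcs = (const uint32_t *)(image + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(image + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(image + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; ++i) {
        if (strcmp((const char *)image + names[i], want) != 0)
            continue;
        uint32_t idx = use_ordinals ? ords[i] : i;
        if (idx >= ed->NumberOfFunctions)  /* ordinal out of range: corrupt or hostile image */
            return 0;
        return funcs[idx];
    }
    return 0;
}
```

With this layout `export_rva("NtOpenFile", 0)` returns 0x3000 (NtCreateFile's RVA) while `export_rva("NtOpenFile", 1)` returns the correct 0x2000; only names whose position happens to coincide in both tables, like NtClose here, resolve correctly without the ordinal indirection.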