IAT, and qsort()

[Hdx]

Ron, any ideas on how I can populate the IAT save getting a DB of all the function address in all window's DLL's?
Also, what exactly does qsort() do? I think I know what ti does, I jsut need to process how to implement it in java.
After that, lockdown is done 100%
<3
I still don't have net -.- HOPEFULLY the 6th. Bastards.
~Hdx

[iago]

I have no idea what you're talking about in the first part.

The second part, it just sorts the array.

[Hdx]

Bottom of lockdown.c->hash_file()
you have a for loop calling hash1
Which is calling it for each of the sections of the pe file.
the .rdata section is like the 3rd one (depends on the file)
Take a look at DATA_DIRECTORY(13): Import Address Table
It ALWAYS points to the beginning of the .rdata in memory.
hash2 nabs sections of memory where the pe sections are stored.
The 1st one hashed from .rdata is the IAT.

Bah.. look at your code you should know!
Oh wait you still have them as eax,esi,var_20, ptr_section
Anyways... I jsut need to know how to populate the IAT like the loader does.
Except in java, and without GetModuleHandle()
... though like I said I could write a function that nabs out all that info.

And as for qsort, how does ti sort the data? I saw sort_func which makes seince, but what does qsort do with that info?
walk through the memory space.. if sort_func(ptr, ptr+4) = -1 move ptr+4 -4, if 1 move ....
w/e i'll figure it out tonight and hopefully get lockdown working in java.
~Hdx

[MyndFyre]

qsort is the function for quicksort, a fast (generally logarithmic time), well-known swapping-based sorting algorithm.

There is also extensive information on the Portable Executable file format, including a file that can be downloaded from Microsoft.  It describes COFF, PE, and PE+, and you should be able to derive information for the IAT from that.

[Hdx]

Well I've been reading the docs.
I jsut wanted some input.
I got msot of the IAT working cept for when the function is forwarded. I forward to the exact address that the dll it's pointing to exports.
but thats obviously wrong as it does nto match up with the real IAT created useing c's LoadLibrary()
EXA:
Mine: Kernel32.RtlMoveMemory -> NTDLL.RtlMoveMemory -> 0x7c92819b
Real: Kernel32.RtlMoveMemory -> NTDLL.RtlMovememory -> 0x7c903151
As for qsort. I should be able to implement that with a little research. Thanks for the link.
~Hdx
[edit]
Hahaha qsort is simple! I did it in like 2 mins after reading the wiki.
The only problem is the recursion causes overflow errors when the stack is greater then 0x100000 bytes.
Anyways i'm still having issues witht he IAT.
~Hdx