Topic: IAT, and qsort()

Hdx
IAT, and qsort()
« on: June 28, 2007, 02:35:35 pm »
Ron, any ideas on how I can populate the IAT save getting a DB of all the function addresses in all Windows DLLs?
Also, what exactly does qsort() do? I think I know what it does, I just need to process how to implement it in Java.
After that, lockdown is done 100%
<3
I still don't have net -.- HOPEFULLY the 6th. Bastards.
~Hdx
http://img140.exs.cx/img140/6720/hdxnew6lb.gif
09/08/05 - Clan SBs @ USEast
 [19:59:04.000] <DeadHelp> We don't like customers.
 [19:59:05.922] <DeadHelp> They're assholes
 [19:59:08.094] <DeadHelp> And they're never right.

iago
Re: IAT, and qsort()
« Reply #1 on: June 28, 2007, 04:09:03 pm »
I have no idea what you're talking about in the first part.

The second part, it just sorts the array.

Hdx
Re: IAT, and qsort()
« Reply #2 on: June 28, 2007, 05:27:15 pm »
Bottom of lockdown.c->hash_file()
You have a for loop calling hash1,
which is calling it for each of the sections of the PE file.
The .rdata section is like the 3rd one (depends on the file).
Take a look at DATA_DIRECTORY(13): Import Address Table
It ALWAYS points to the beginning of the .rdata in memory.
hash2 nabs sections of memory where the PE sections are stored.
The 1st one hashed from .rdata is the IAT.

Bah.. look at your code, you should know!
Oh wait, you still have them as eax,esi,var_20, ptr_section
Anyways... I just need to know how to populate the IAT like the loader does.
Except in Java, and without GetModuleHandle()
... though like I said I could write a function that nabs out all that info.

And as for qsort, how does it sort the data? I saw sort_func which makes sense, but what does qsort do with that info?
Walk through the memory space.. if sort_func(ptr, ptr+4) = -1 move ptr+4 -4, if 1 move ....
w/e I'll figure it out tonight and hopefully get lockdown working in Java.
~Hdx
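The post above describes walking the PE section table and reading the Import Address Table slot of the data directory. As an added example (not code from lockdown.c or from anyone in this thread), here is a small Java reader that does exactly that lookup: it follows e_lfanew to the PE signature, handles both PE32 and PE32+ optional headers, reads the IAT slot (IMAGE_DIRECTORY_ENTRY_IAT, index 12 in zero-based numbering), and then checks that the whole IAT range falls inside one declared section before reporting it. The class and method names are my own, and the header bytes it parses are constructed inline with made-up RVAs and offsets, not taken from any real binary.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class): locate the IAT through the PE data directory and
// confirm a section header actually covers it before a section-by-section hasher uses it.
public final class IatLocator {

    static final int IMAGE_DIRECTORY_ENTRY_IAT = 12;  // zero-based slot in the data directory

    static final class Section {
        final String name; final int rva; final int size; final int rawPointer;
        Section(String name, int rva, int size, int rawPointer) {
            this.name = name; this.rva = rva; this.size = size; this.rawPointer = rawPointer;
        }
        boolean contains(int r) { return r >= rva && r < rva + size; }
    }

    static final class IatInfo {
        final int rva, size; final Section section;
        IatInfo(int rva, int size, Section section) { this.rva = rva; this.size = size; this.section = section; }
    }

    // Returns null when the data directory has no IAT slot at all (NumberOfRvaAndSizes too small).
    static IatInfo locateIat(byte[] image) {
        ByteBuffer b = ByteBuffer.wrap(image).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getShort(0) != (short) 0x5A4D) throw new IllegalArgumentException("no MZ header");
        int pe = b.getInt(0x3C);                                   // e_lfanew
        if (b.getInt(pe) != 0x00004550) throw new IllegalArgumentException("no PE signature");
        int numSections = b.getShort(pe + 6) & 0xFFFF;
        int optSize = b.getShort(pe + 20) & 0xFFFF;
        int opt = pe + 24;                                         // after the 20-byte COFF header
        int magic = b.getShort(opt) & 0xFFFF;
        int numDirs, dirs;
        if (magic == 0x10B)      { numDirs = b.getInt(opt + 92);  dirs = opt + 96;  } // PE32
        else if (magic == 0x20B) { numDirs = b.getInt(opt + 108); dirs = opt + 112; } // PE32+
        else throw new IllegalArgumentException("unknown optional header magic");
        if (numDirs <= IMAGE_DIRECTORY_ENTRY_IAT) return null;
        int iatRva  = b.getInt(dirs + IMAGE_DIRECTORY_ENTRY_IAT * 8);
        int iatSize = b.getInt(dirs + IMAGE_DIRECTORY_ENTRY_IAT * 8 + 4);

        Section owner = null;
        int hdr = opt + optSize;                                   // section table follows the optional header
        for (int i = 0; i < numSections; i++, hdr += 40) {
            String name = new String(image, hdr, 8, StandardCharsets.US_ASCII).trim(); // trim() drops NUL padding
            int virtualSize = b.getInt(hdr + 8), rva = b.getInt(hdr + 12);
            int rawSize = b.getInt(hdr + 16), rawPtr = b.getInt(hdr + 20);
            Section s = new Section(name, rva, Math.max(virtualSize, rawSize), rawPtr);
            // The whole table, not just its first byte, must sit inside the section.
            if (s.contains(iatRva) && s.contains(iatRva + iatSize - 1)) { owner = s; break; }
        }
        if (owner == null) throw new IllegalStateException("IAT range is not covered by any section");
        return new IatInfo(iatRva, iatSize, owner);
    }

    // Constructed sample: a bare PE32 header with three sections and an IAT slot pointing
    // 0x40 bytes into .rdata. Every value here is made up for the demonstration.
    static byte[] sampleImage() {
        ByteBuffer b = ByteBuffer.allocate(512).order(ByteOrder.LITTLE_ENDIAN);
        b.putShort(0, (short) 0x5A4D);       // "MZ"
        b.putInt(0x3C, 0x40);                // e_lfanew
        b.putInt(0x40, 0x00004550);          // "PE\0\0"
        int coff = 0x44;
        b.putShort(coff, (short) 0x14C);     // Machine = i386
        b.putShort(coff + 2, (short) 3);     // NumberOfSections
        b.putShort(coff + 16, (short) 224);  // SizeOfOptionalHeader (PE32, 16 directories)
        int opt = coff + 20;
        b.putShort(opt, (short) 0x10B);      // PE32 magic
        b.putInt(opt + 92, 16);              // NumberOfRvaAndSizes
        b.putInt(opt + 96 + IMAGE_DIRECTORY_ENTRY_IAT * 8, 0x3040);     // IAT RVA
        b.putInt(opt + 96 + IMAGE_DIRECTORY_ENTRY_IAT * 8 + 4, 0x80);   // IAT size
        int sec = opt + 224;
        putSection(b, sec,      ".text",  0x1000, 0x1800, 0x0400);
        putSection(b, sec + 40, ".rdata", 0x3000, 0x0600, 0x2000);
        putSection(b, sec + 80, ".data",  0x4000, 0x0200, 0x2600);
        return b.array();
    }

    static void putSection(ByteBuffer b, int off, String name, int rva, int size, int rawPtr) {
        byte[] n = name.getBytes(StandardCharsets.US_ASCII);
        for (int i = 0; i < 8; i++) b.put(off + i, i < n.length ? n[i] : 0);
        b.putInt(off + 8, size);     // VirtualSize
        b.putInt(off + 12, rva);     // VirtualAddress
        b.putInt(off + 16, size);    // SizeOfRawData
        b.putInt(off + 20, rawPtr);  // PointerToRawData
    }

    public static void main(String[] args) {
        IatInfo iat = locateIat(sampleImage());
        System.out.printf("IAT rva=0x%X size=0x%X in %s (file offset 0x%X)%n",
                iat.rva, iat.size, iat.section.name, iat.rva - iat.section.rva + iat.section.rawPointer);
    }
}
```

Run it with `java IatLocator.java` (JDK 11 or later) and it reports the IAT inside `.rdata` together with the file offset the RVA maps to. The range check is the part worth keeping: a hasher that trusts the directory RVA without it will happily read outside the section table on a malformed or tampered header.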

MyndFyre
Re: IAT, and qsort()
« Reply #3 on: June 28, 2007, 10:40:37 pm »
qsort is the function for quicksort, a fast (generally logarithmic time), well-known swapping-based sorting algorithm.

There is also extensive information on the Portable Executable file format, including a file that can be downloaded from Microsoft. It describes COFF, PE, and PE+, and you should be able to derive information for the IAT from that.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Hdx
Re: IAT, and qsort()
« Reply #4 on: June 30, 2007, 05:44:28 pm »
Well I've been reading the docs.
I just wanted some input.
I got most of the IAT working 'cept for when the function is forwarded. I forward to the exact address that the DLL it's pointing to exports,
but that's obviously wrong as it does not match up with the real IAT created using C's LoadLibrary().
EXA:
Mine: Kernel32.RtlMoveMemory -> NTDLL.RtlMoveMemory -> 0x7c92819b
Real: Kernel32.RtlMoveMemory -> NTDLL.RtlMovememory -> 0x7c903151
As for qsort, I should be able to implement that with a little research. Thanks for the link.
~Hdx
[edit]
Hahaha qsort is simple! I did it in like 2 mins after reading the wiki.
The only problem is the recursion causes overflow errors when the stack is greater than 0x100000 bytes.
Anyways I'm still having issues with the IAT.
~Hdx
« Last Edit: July 02, 2007, 01:19:46 pm by HdxBmx27 »
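Two points in this thread go together: MyndFyre's note that qsort() is quicksort driven by a comparison function, and the stack overflow Hdx hit once the recursion got deep. As an added example (my own code, not Hdx's Java port or lockdown's C), here is a C-style qsort() in Java. The comparator plays the role of sort_func, returning negative, zero or positive, and the sort only recurses into the smaller partition while looping over the larger one, which bounds the stack depth to O(log n) regardless of pivot luck. The class name and the reverse-ordered test input are mine.

```java
import java.util.Comparator;

// Added example (hypothetical class): C-style qsort() in Java with bounded recursion depth.
public final class QSort {

    public static <T> void qsort(T[] a, Comparator<? super T> cmp) {
        sort(a, 0, a.length - 1, cmp);
    }

    private static <T> void sort(T[] a, int lo, int hi, Comparator<? super T> cmp) {
        while (lo < hi) {
            int p = partition(a, lo, hi, cmp);   // a[p] is now in its final position
            if (p - lo < hi - p) {
                sort(a, lo, p - 1, cmp);         // recurse into the smaller left part...
                lo = p + 1;                      // ...and iterate over the larger right part
            } else {
                sort(a, p + 1, hi, cmp);         // recurse into the smaller right part...
                hi = p - 1;                      // ...and iterate over the larger left part
            }
        }
    }

    // Lomuto partition around the middle element: everything the comparator ranks below
    // the pivot is swapped to its left; the pivot's final index is returned.
    private static <T> int partition(T[] a, int lo, int hi, Comparator<? super T> cmp) {
        swap(a, lo + (hi - lo) / 2, hi);         // park the pivot at the end of the range
        T pivot = a[hi];
        int store = lo;
        for (int i = lo; i < hi; i++) {
            if (cmp.compare(a[i], pivot) < 0) {
                swap(a, i, store++);
            }
        }
        swap(a, store, hi);
        return store;
    }

    private static <T> void swap(T[] a, int i, int j) {
        T t = a[i]; a[i] = a[j]; a[j] = t;
    }

    public static <T> boolean isSorted(T[] a, Comparator<? super T> cmp) {
        for (int i = 1; i < a.length; i++) {
            if (cmp.compare(a[i - 1], a[i]) > 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: 1,048,576 values in reverse order. A quicksort that takes the
        // last element as pivot and recurses into both sides would need about a million
        // frames on this input; the smaller-side recursion above stays around 20 deep.
        Integer[] data = new Integer[1 << 20];
        for (int i = 0; i < data.length; i++) data[i] = data.length - i;

        // The Java counterpart of the C sort_func: negative, zero or positive like memcmp().
        Comparator<Integer> sortFunc = Integer::compare;
        qsort(data, sortFunc);
        System.out.println("sorted: " + isSorted(data, sortFunc));
    }
}
```

The comparator is the only part the caller supplies, exactly as with C's qsort(): the sorting routine never looks at the element contents itself, it only asks sort_func which of two elements comes first and swaps accordingly.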