systan
asked on
For CodedK and 8080Diver, but Delphi experts can comment too
Continuetion of the discussion, since I've Awarded and close a previous link.
The last comment of 8080Diver:
8080_Diver:
systan,
Your last request closely resembles the following question (which I defy you to answer Yes or No):
Are you still molesting children?
Are you saying that you are writing the Wininit.dll and you are puttinng a string in the code at the point of the InternetOpenA function?
Or, are you saying that "there exists a WinInit.dll that exports the InternetOpenA function"?
Also, is the 00015912h a relative address or an absolute address?
Finally, are you analyzing this DLL as it resides in memory or as a binary data file that you read and analyze without loading in the usual fashion?
On the other hand, if you know that 00015912h is the address of the InternetOpen entry point, why do you need to search for it ?
Finally, your "code structure" is psuode-Delphi code but could not be written that way. You would need to find the position of '00015912' within the block of binary data that you have read from the WinInit.dll file but you would need to read blocks with an overlap of least 8 characters (so that you don't read in 00015 in one block and 912 in the next one.
Given that you are reading WinInit.dll as a data file and that you have the 00015912 as a text string within the file and that you are handling the block reads in an appropriate manner, then yes, that would be one technique for finding the entry point. Although, that technique cannot be generalized because you cannot guarantee that all DLL's will provide such convenient markers. ;-)
The last comment of 8080Diver:
8080_Diver:
systan,
Your last request closely resembles the following question (which I defy you to answer Yes or No):
Are you still molesting children?
Are you saying that you are writing the Wininit.dll and you are puttinng a string in the code at the point of the InternetOpenA function?
Or, are you saying that "there exists a WinInit.dll that exports the InternetOpenA function"?
Also, is the 00015912h a relative address or an absolute address?
Finally, are you analyzing this DLL as it resides in memory or as a binary data file that you read and analyze without loading in the usual fashion?
On the other hand, if you know that 00015912h is the address of the InternetOpen entry point, why do you need to search for it ?
Finally, your "code structure" is psuode-Delphi code but could not be written that way. You would need to find the position of '00015912' within the block of binary data that you have read from the WinInit.dll file but you would need to read blocks with an overlap of least 8 characters (so that you don't read in 00015 in one block and 912 in the next one.
Given that you are reading WinInit.dll as a data file and that you have the 00015912 as a text string within the file and that you are handling the block reads in an appropriate manner, then yes, that would be one technique for finding the entry point. Although, that technique cannot be generalized because you cannot guarantee that all DLL's will provide such convenient markers. ;-)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK, iM back,
@codedK
>is that you want to get the list of the
procedures & functions that an application is using.
NO,
you mean like this:
procedure somepro;
begin
writeln('hello');
end;
function anum:byte;
begin
result:=1;
end;
//So, I read the .exe and determined somepro? anum? NO, not that
But this one:
procedure opennet;
var
hSession: HINTERNET;
begin
hSession := InternetOpen('MyApp', INTERNET_OPEN_TYPE_PRECONF IG, nil, nil, 0);
end; //sample only
//////// So, I will determine if Executable is using <"InternetOpen">
That is want I want.
Another sample:
procedure findafile;
var
searchResult : TSearchRec; ///////////////// if possible that knowing the Executable is using <"TSearchRec"> also. (if possible also)
begin
if FindFirst('Unit1.d*', faAnyFile, searchResult) = 0 then
begin
repeat
//sample only
until FindNext(searchResult) <> 0;
FindClose(searchResult);
end;
end;
//////// So, I will determined if Executable is using the function <"FindFrist"> and then the Executable is using also <"FindClose">
OK, I have read your comments
>Another thing you can do is hook every api known and launch an application and check the apis that this application uses and the parameters that the application passes.
But this will only catch API calls.
OK, whats that mean? "will only catch API calls"
If this could make a solution so why not.
>Another thing would be combine my first solution with a Delphi map file.
OK, if is possible, then I should try.
>And if you have the source there is no reason to do that from the beginning.
Oh, I don't know why you said that.
Now, I'm thinking...
Thank you
@codedK
>is that you want to get the list of the
procedures & functions that an application is using.
NO,
you mean like this:
procedure somepro;
begin
writeln('hello');
end;
function anum:byte;
begin
result:=1;
end;
//So, I read the .exe and determined somepro? anum? NO, not that
But this one:
procedure opennet;
var
hSession: HINTERNET;
begin
hSession := InternetOpen('MyApp', INTERNET_OPEN_TYPE_PRECONF
end; //sample only
//////// So, I will determine if Executable is using <"InternetOpen">
That is want I want.
Another sample:
procedure findafile;
var
searchResult : TSearchRec; ///////////////// if possible that knowing the Executable is using <"TSearchRec"> also. (if possible also)
begin
if FindFirst('Unit1.d*', faAnyFile, searchResult) = 0 then
begin
repeat
//sample only
until FindNext(searchResult) <> 0;
FindClose(searchResult);
end;
end;
//////// So, I will determined if Executable is using the function <"FindFrist"> and then the Executable is using also <"FindClose">
OK, I have read your comments
>Another thing you can do is hook every api known and launch an application and check the apis that this application uses and the parameters that the application passes.
But this will only catch API calls.
OK, whats that mean? "will only catch API calls"
If this could make a solution so why not.
>Another thing would be combine my first solution with a Delphi map file.
OK, if is possible, then I should try.
>And if you have the source there is no reason to do that from the beginning.
Oh, I don't know why you said that.
Now, I'm thinking...
Thank you
Systan,
Actually, I never thought you were doing a naughty thing here. I just thought you might be analyzing a DLL.
In order to be able to search for the text (e.g. "InternetOpen"), you would have to have a something like the following in your code:
procedure opennet;
var
hSession: HINTERNET;
DummyString : string;
begin
DummyString := 'About to call InternetOpen';
hSession := InternetOpen('MyApp', INTERNET_OPEN_TYPE_PRECONF IG, nil, nil, 0);
end;
Just putting a comment in the code won't work because comments aren't compiled. You have to actually have to have the text as part of some line that gets compiled. You also may lose that line if you compile with the optimization turned on because, uless that variable and the value is used, the optimizer may consider it to be "dead code" and ignore it.
By the way, your answer to my question is below:
>Are you still molesting children?
NO, I'm not trying to do anything harm, honestly.
The implication of your answer is that you were, at one time, engaging in that activity. While I seriously doubt that is the case, it illustrates the fact that some questions simply cannot be answered with a "Yes." or "No." . . . they have to have more explanation that either of those two words (or at least the "No." answer) provides.
Similarly, whether or not you can find the calls you are looking for cannot be answered with "Yes." or "No." . . . it has to be a qualified "Maybe." at best.
>Another thing you can do is hook every api known and launch an application and check the apis that this application uses and the parameters that the application passes.
But this will only catch API calls.
OK, whats that mean? "will only catch API calls"
That means that, because you have hooked/sniffed the API calls, you will be able to catch the calls to the APIs; however, not all calls to DLL functions/procedures are API calls, so you won't ctch those calls.
If this could make a solution so why not.
For the reason stated above. Unless you have a way to "sniff" or intercept the calls, which can be done with API calls, they won't be apparent to you. If the DLL is compiled into the application (static rather than dynamic loading of it), then the function/procedure calls are, for all intents and purposes, pretty much like the calls to other functions and procedures in the main part of the application.
>Another thing would be combine my first solution with a Delphi map file.
OK, if is possible, then I should try.
>And if you have the source there is no reason to do that from the beginning.
Oh, I don't know why you said that.
As he said, unless you have the source code, you won't know what the map refers to; however, if you have the source code (so that you know what the map refers to), why not just look at the source code?
Actually, I never thought you were doing a naughty thing here. I just thought you might be analyzing a DLL.
In order to be able to search for the text (e.g. "InternetOpen"), you would have to have a something like the following in your code:
procedure opennet;
var
hSession: HINTERNET;
DummyString : string;
begin
DummyString := 'About to call InternetOpen';
hSession := InternetOpen('MyApp', INTERNET_OPEN_TYPE_PRECONF
end;
Just putting a comment in the code won't work because comments aren't compiled. You have to actually have to have the text as part of some line that gets compiled. You also may lose that line if you compile with the optimization turned on because, uless that variable and the value is used, the optimizer may consider it to be "dead code" and ignore it.
By the way, your answer to my question is below:
>Are you still molesting children?
NO, I'm not trying to do anything harm, honestly.
The implication of your answer is that you were, at one time, engaging in that activity. While I seriously doubt that is the case, it illustrates the fact that some questions simply cannot be answered with a "Yes." or "No." . . . they have to have more explanation that either of those two words (or at least the "No." answer) provides.
Similarly, whether or not you can find the calls you are looking for cannot be answered with "Yes." or "No." . . . it has to be a qualified "Maybe." at best.
>Another thing you can do is hook every api known and launch an application and check the apis that this application uses and the parameters that the application passes.
But this will only catch API calls.
OK, whats that mean? "will only catch API calls"
That means that, because you have hooked/sniffed the API calls, you will be able to catch the calls to the APIs; however, not all calls to DLL functions/procedures are API calls, so you won't ctch those calls.
If this could make a solution so why not.
For the reason stated above. Unless you have a way to "sniff" or intercept the calls, which can be done with API calls, they won't be apparent to you. If the DLL is compiled into the application (static rather than dynamic loading of it), then the function/procedure calls are, for all intents and purposes, pretty much like the calls to other functions and procedures in the main part of the application.
>Another thing would be combine my first solution with a Delphi map file.
OK, if is possible, then I should try.
>And if you have the source there is no reason to do that from the beginning.
Oh, I don't know why you said that.
As he said, unless you have the source code, you won't know what the map refers to; however, if you have the source code (so that you know what the map refers to), why not just look at the source code?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK, I understand
Ok, I will ask once more, since this is connected to my questions
I have already the code to List all the functions and RVA by a DLL not running.
Can you give me a Delphi Code Web Link, that shows <To Get All DLL's Used By The Application>?
I've seen it, using Lister(Pluggin) of TotalCommander
Or if you have already the code, I hope you can share it.
And I also found out that the Lister(TCPluggin) could know the functions used by the application, even is compressed by upx.
wininet.dll
Import Lookup Table RVA: 00000000h (Unbound IAT)
TimeDateStamp: 00000000h
ForwarderChain: 00000000h
DLL Name RVA: 00057FE6h
Import Address Table RVA: 00056704h
First thunk RVA: 00056704h
Ordn Name
----- -----
0 InternetReadFile
0 InternetOpenUrlA
0 InternetOpenA
0 InternetCloseHandle
0 HttpQueryInfoA
Thank you
Ok, I will ask once more, since this is connected to my questions
I have already the code to List all the functions and RVA by a DLL not running.
Can you give me a Delphi Code Web Link, that shows <To Get All DLL's Used By The Application>?
I've seen it, using Lister(Pluggin) of TotalCommander
Or if you have already the code, I hope you can share it.
And I also found out that the Lister(TCPluggin) could know the functions used by the application, even is compressed by upx.
wininet.dll
Import Lookup Table RVA: 00000000h (Unbound IAT)
TimeDateStamp: 00000000h
ForwarderChain: 00000000h
DLL Name RVA: 00057FE6h
Import Address Table RVA: 00056704h
First thunk RVA: 00056704h
Ordn Name
----- -----
0 InternetReadFile
0 InternetOpenUrlA
0 InternetOpenA
0 InternetCloseHandle
0 HttpQueryInfoA
Thank you
ASKER
Ok, please skip my last question about:
<To Get All DLL's Used By The Application>
Now, please help me with this: I have now the code to know what functions the Application is using.
The problem with this, it is not stable, sometimes can get "InternetOpenA" and sometimes not, whats wrong with the code?
It only gets "InternetOpenA" in the first time of reading the exefile.
here is the code: (please make it stable)
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls;
const
IMAGE_DOS_SIGNATURE = $5A4D; { MZ }
IMAGE_OS2_SIGNATURE = $454E; { NE }
IMAGE_OS2_SIGNATURE_LE = $454C; { LE }
IMAGE_VXD_SIGNATURE = $454C; { LE }
IMAGE_NT_SIGNATURE = $00004550; { PE00 }
IMAGE_SIZEOF_SHORT_NAME = 8;
IMAGE_SIZEOF_SECTION_HEADE R = 40;
IMAGE_NUMBEROF_DIRECTORY_E NTRIES = 16;
IMAGE_RESOURCE_NAME_IS_STR ING = $80000000;
IMAGE_RESOURCE_DATA_IS_DIR ECTORY = $80000000;
IMAGE_OFFSET_STRIP_HIGH = $7FFFFFFF;
DIRECTORY_ENTRY_EXPORT = 0; // Export Directory
IMAGE_DIRECTORY_ENTRY_IMPO RT = 1; // Import Directory
IMAGE_DIRECTORY_ENTRY_RESO URCE = 2; // Resource Directory
IMAGE_DIRECTORY_ENTRY_EXCE PTION = 3; // Exception Directory
IMAGE_DIRECTORY_ENTRY_SECU RITY = 4; // Security Directory
IMAGE_DIRECTORY_ENTRY_BASE RELOC = 5; // Base Relocation Table
IMAGE_DIRECTORY_ENTRY_DEBU G = 6; // Debug Directory
IMAGE_DIRECTORY_ENTRY_COPY RIGHT = 7; // Description String
IMAGE_DIRECTORY_ENTRY_GLOB ALPTR = 8; // Machine Value (MIPS GP)
IMAGE_DIRECTORY_ENTRY_TLS = 9; // TLS Directory
IMAGE_DIRECTORY_ENTRY_LOAD _CONFIG = 10; // Load Configuration Directory
IMAGE_DIRECTORY_ENTRY_BOUN D_IMPORT = 11; // Bound Import Directory in headers
IMAGE_DIRECTORY_ENTRY_IAT = 12;
type
plist_entry = ^LIST_ENTRY;
LIST_ENTRY = record
Flink:pLIST_ENTRY;
Blink:pLIST_ENTRY;
end;
type IMAGE_EXPORT_DIRECTORY= packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
MajorVersion:WORD;
MinorVersion:WORD;
Name:DWORD;
Base:DWORD;
NumberOfFunctions:DWORD;
NumberOfNames:DWORD;
pAddressOfFunctions:PDWORD ;
pAddressOfNames:PDWORD;
pAddressOfNameOrdinals:PWO RD;
end;
PIMAGE_EXPORT_DIRECTORY= ^IMAGE_EXPORT_DIRECTORY;
type FPO_DATA =packed record
ulOffStart: DWORD; // offset 1st byte of function code
cbProcSize:DWORD ; // # bytes in function
cdwLocals:DWORD; // # bytes in locals/4
cdwParams:WORD ; // # bytes in params/4
cbProlog:WORD; // # bytes in prolog
cbRegs:WORD; // # regs saved
fHasSEH:WORD; // TRUE if SEH in func
fUseBP:WORD; // TRUE if EBP has been allocated
reserved:WORD; // reserved for future use
cbFrame:WORD; // frame type
end;
PFPO_DATA=^FPO_DATA;
type
IMAGE_FUNCTION_ENTRY=packe d record
StartingAddress:dword;
EndingAddress:dword;
EndOfPrologue:dword;
end;
PIMAGE_FUNCTION_ENTRY=^IMA GE_FUNCTIO N_ENTRY;
type
PIMAGE_DOS_HEADER = ^IMAGE_DOS_HEADER;
IMAGE_DOS_HEADER = packed record { DOS .EXE header }
e_magic : WORD; { Magic number }
e_cblp : WORD; { Bytes on last page of file }
e_cp : WORD; { Pages in file }
e_crlc : WORD; { Relocations }
e_cparhdr : WORD; { Size of header in paragraphs }
e_minalloc : WORD; { Minimum extra paragraphs needed }
e_maxalloc : WORD; { Maximum extra paragraphs needed }
e_ss : WORD; { Initial (relative) SS value }
e_sp : WORD; { Initial SP value }
e_csum : WORD; { Checksum }
e_ip : WORD; { Initial IP value }
e_cs : WORD; { Initial (relative) CS value }
e_lfarlc : WORD; { File address of relocation table }
e_ovno : WORD; { Overlay number }
e_res : packed array [0..3] of WORD; { Reserved words }
e_oemid : WORD; { OEM identifier (for e_oeminfo) }
e_oeminfo : WORD; { OEM information; e_oemid specific }
e_res2 : packed array [0..9] of WORD; { Reserved words }
e_lfanew : Longint; { File address of new exe header }
end;
PIMAGE_FILE_HEADER = ^IMAGE_FILE_HEADER;
IMAGE_FILE_HEADER = packed record
Machine : WORD;
NumberOfSections : WORD;
TimeDateStamp : DWORD;
PointerToSymbolTable : DWORD;
NumberOfSymbols : DWORD;
SizeOfOptionalHeader : WORD;
Characteristics : WORD;
end;
PIMAGE_DATA_DIRECTORY = ^IMAGE_DATA_DIRECTORY;
IMAGE_DATA_DIRECTORY = packed record
VirtualAddress : DWORD;
Size : DWORD;
end;
PIMAGE_OPTIONAL_HEADER = ^IMAGE_OPTIONAL_HEADER;
IMAGE_OPTIONAL_HEADER = packed record
{ Standard fields. }
Magic : WORD;
MajorLinkerVersion : Byte;
MinorLinkerVersion : Byte;
SizeOfCode : DWORD;
SizeOfInitializedData : DWORD;
SizeOfUninitializedData : DWORD;
AddressOfEntryPoint : DWORD;
BaseOfCode : DWORD;
BaseOfData : DWORD;
{ NT additional fields. }
ImageBase : DWORD;
SectionAlignment : DWORD;
FileAlignment : DWORD;
MajorOperatingSystemVersio n : WORD;
MinorOperatingSystemVersio n : WORD;
MajorImageVersion : WORD;
MinorImageVersion : WORD;
MajorSubsystemVersion : WORD;
MinorSubsystemVersion : WORD;
Reserved1 : DWORD;
SizeOfImage : DWORD;
SizeOfHeaders : DWORD;
CheckSum : DWORD;
Subsystem : WORD;
DllCharacteristics : WORD;
SizeOfStackReserve : DWORD;
SizeOfStackCommit : DWORD;
SizeOfHeapReserve : DWORD;
SizeOfHeapCommit : DWORD;
LoaderFlags : DWORD;
NumberOfRvaAndSizes : DWORD;
DataDirectory : packed array [0..IMAGE_NUMBEROF_DIRECTO RY_ENTRIES -1] of IMAGE_DATA_DIRECTORY;
end;
PIMAGE_SECTION_HEADER = ^IMAGE_SECTION_HEADER;
IMAGE_SECTION_HEADER = packed record
Name : packed array [0..IMAGE_SIZEOF_SHORT_NAM E-1] of Char;
PhysicalAddress : DWORD; // or VirtualSize (union);
VirtualAddress : DWORD;
SizeOfRawData : DWORD;
PointerToRawData : DWORD;
PointerToRelocations : DWORD;
PointerToLinenumbers : DWORD;
NumberOfRelocations : WORD;
NumberOfLinenumbers : WORD;
Characteristics : DWORD;
end;
PIMAGE_NT_HEADERS = ^IMAGE_NT_HEADERS;
IMAGE_NT_HEADERS = packed record
Signature : DWORD;
FileHeader : IMAGE_FILE_HEADER;
OptionalHeader : IMAGE_OPTIONAL_HEADER;
end;
PIMAGE_RESOURCE_DIRECTORY = ^IMAGE_RESOURCE_DIRECTORY;
IMAGE_RESOURCE_DIRECTORY = packed record
Characteristics : DWORD;
TimeDateStamp : DWORD;
MajorVersion : WORD;
MinorVersion : WORD;
NumberOfNamedEntries : WORD;
NumberOfIdEntries : WORD;
end;
PIMAGE_RESOURCE_DIRECTORY_ ENTRY = ^IMAGE_RESOURCE_DIRECTORY_ ENTRY;
IMAGE_RESOURCE_DIRECTORY_E NTRY = packed record
Name: DWORD; // Or ID: Word (Union)
OffsetToData: DWORD;
end;
PIMAGE_RESOURCE_DATA_ENTRY = ^IMAGE_RESOURCE_DATA_ENTRY ;
IMAGE_RESOURCE_DATA_ENTRY = packed record
OffsetToData : DWORD;
Size : DWORD;
CodePage : DWORD;
Reserved : DWORD;
end;
PIMAGE_RESOURCE_DIR_STRING _U = ^IMAGE_RESOURCE_DIR_STRING _U;
IMAGE_RESOURCE_DIR_STRING_ U = packed record
Length : WORD;
NameString : array [0..0] of WCHAR;
end;
type LOADED_IMAGE = record
ModuleName:pchar;
hFile:thandle;
MappedAddress:pchar;
FileHeader:PIMAGE_NT_HEADE RS;
LastRvaSection:PIMAGE_SECT ION_HEADER ;
NumberOfSections:integer;
Sections:PIMAGE_SECTION_HE ADER ;
Characteristics:integer;
fSystemImage:boolean;
fDOSImage:boolean;
Links:LIST_ENTRY;
SizeOfImage:integer;
end;
PLOADED_IMAGE= ^LOADED_IMAGE;
type IMAGE_LOAD_CONFIG_DIRECTOR Y = packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
MajorVersion:WORD;
MinorVersion:WORD;
GlobalFlagsClear:DWORD;
GlobalFlagsSet:DWORD;
CriticalSectionDefaultTime out:DWORD;
DeCommitFreeBlockThreshold :DWORD;
DeCommitTotalFreeThreshold :DWORD;
LockPrefixTable:Pointer;
MaximumAllocationSize:DWOR D;
VirtualMemoryThreshold:DWO RD;
ProcessHeapFlags:DWORD;
ProcessAffinityMask:DWORD;
Reserved: array[0..2] of DWORD;
end;
PIMAGE_LOAD_CONFIG_DIRECTO RY=^IMAGE_ LOAD_CONFI G_DIRECTOR Y;
type IMAGE_IMPORT_BY_NAME = packed record
Hint:WORD;
Name:DWORD;
end;
PIMAGE_IMPORT_BY_NAME=^IMA GE_IMPORT_ BY_NAME;
type IMAGE_THUNK_DATA =packed record
ForwarderString:PBYTE;
Func:PDWORD;
Ordinal:DWORD;
AddressOfData:PIMAGE_IMPOR T_BY_NAME;
end;
PIMAGE_THUNK_DATA=^IMAGE_T HUNK_DATA;
type IMAGE_IMPORT_DESCRIPTOR= packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
ForwarderChain:DWORD;
Name:DWORD;
FirstThunk:DWORD;
end;
PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;
type
TForm1 = class(TForm)
Button1: TButton;
Memo1: TMemo;
OpenDialog1: TOpenDialog;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
procedure ProcessFile;
end;
var
Form1: TForm1;
h1,hmap:integer;
bptr:pointer;
gptr:pbyte;
ntsign:plongword;
doshd:PIMAGE_DOS_HEADER;
pehd:PIMAGE_FILE_HEADER;
peoptn:PIMAGE_OPTIONAL_HEA DER;
sectionheads:array of PIMAGE_SECTION_HEADER;
offsetmem:longword;
idataphysicaladress:pbyte;
idata:PIMAGE_IMPORT_DESCRI PTOR;
modulename,functionname:pc har;
dptr:plongword;
ord:word;
pexpdir:PIMAGE_EXPORT_DIRE CTORY;
pexpnames:pdword;
expfname:pchar;
implementation
{$R *.DFM}
procedure TForm1.Button1Click(Sender : TObject);
begin
memo1.Lines.Clear;
processfile;
end;
procedure TForm1.ProcessFile;
var
i,j:integer;
begin
if opendialog1.Execute=false then
exit
else
h1:=fileopen(opendialog1.F ileName,fm ShareDenyN one or fmOpenRead);
hmap:=CreateFileMapping(h1 ,nil,PAGE_ READONLY,0 ,0,nil);
doshd:=PIMAGE_DOS_HEADER(m apviewoffi le(hmap,FI LE_MAP_REA D,0,0,0));
bptr:=doshd;
memo1.Lines.Clear;
memo1.lines.add('DOS Header');
memo1.Lines.Add(' -e_magic='+inttostr(doshd. e_magic));
memo1.Lines.Add(' -e_cblp='+inttostr(doshd.e _cblp));
memo1.Lines.Add(' -e_cp='+inttostr(doshd.e_c p));
memo1.Lines.Add(' -e_crlc='+inttostr(doshd.e _crlc));
memo1.Lines.Add(' -e_cparhdr='+inttostr(dosh d.e_cparhd r));
memo1.Lines.Add(' -e_minalloc='+inttostr(dos hd.e_minal loc));
memo1.Lines.Add(' -e_maxalloc='+inttostr(dos hd.e_maxal loc));
memo1.Lines.Add(' -e_ss='+inttostr(doshd.e_s s));
memo1.Lines.Add(' -e_sp='+inttostr(doshd.e_s p));
memo1.Lines.Add(' -e_csum='+inttostr(doshd.e _csum));
memo1.Lines.Add(' -e_ip='+inttostr(doshd.e_i p));
memo1.Lines.Add(' -e_cs='+inttostr(doshd.e_c s));
memo1.Lines.Add(' -e_lfarlc='+inttostr(doshd .e_lfarlc) );
memo1.Lines.Add(' -e_ovno='+inttostr(doshd.e _ovno));
memo1.Lines.Add(' -e_oemid='+inttostr(doshd. e_oemid));
memo1.Lines.Add(' -e_oeminfo='+inttostr(dosh d.e_oeminf o));
memo1.Lines.Add(' -e_lfanew='+inttostr(doshd .e_lfanew) );
gptr:=bptr;
inc(gptr,doshd.e_lfanew);
ntsign:=plongword(gptr);
if (ntsign^=IMAGE_NT_SIGNATUR E) then
begin
memo1.Lines.Add('NT Signature<'+inttostr(IMAGE _NT_SIGNAT URE)+'>='+ inttostr(n tsign^));
memo1.Lines.Add('Windows Executable');
memo1.lines.add('--------- ---------- ---------- ---------- ---');
gptr:=bptr;
inc(gptr,doshd.e_lfanew+4) ;
pehd:=PIMAGE_FILE_HEADER(g ptr);
memo1.lines.add('PE Header');
memo1.Lines.Add(' -Machine='+inttostr(pehd.M achine));
memo1.Lines.Add(' -Number of Sections='+inttostr(pehd.N umberOfSec tions));
memo1.Lines.Add(' -TimeDateStamp='+IntToStr( pehd.TimeD ateStamp)) ;
memo1.Lines.Add(' -PointerToSymbolTable='+In tToStr(peh d.PointerT oSymbolTab le));
memo1.Lines.Add(' -Number of Symbols='+IntToStr(pehd.Nu mberOfSymb ols));
memo1.Lines.Add(' -SizeOfOptionalHeader='+In tToStr(peh d.SizeOfOp tionalHead er));
memo1.Lines.Add(' -Characteristics='+IntToSt r(pehd.Cha racteristi cs));
memo1.lines.add('--------- ---------- ---------- ---------- ---');
gptr:=pbyte(pehd);
inc(gptr,sizeof(IMAGE_FILE _HEADER));
peoptn:=PIMAGE_OPTIONAL_HE ADER(gptr) ;
memo1.lines.add('PE Optional Header');
memo1.Lines.Add(' -Magic='+inttostr(peoptn.M agic));
memo1.Lines.Add(' -MajorLinkerVersion='+intt ostr(peopt n.MajorLin kerVersion ));
memo1.Lines.Add(' -MinorLinkerVersion='+intt ostr(peopt n.MinorLin kerVersion ));
memo1.Lines.Add(' -SizeOfCode='+inttostr(peo ptn.SizeOf Code));
memo1.Lines.Add(' -SizeOfInitializedData='+i nttostr(pe optn.SizeO fInitializ edData));
memo1.Lines.Add(' -SizeOfUninitializedData=' +inttostr( peoptn.Siz eOfUniniti alizedData ));
memo1.Lines.Add(' -AddressOfEntryPoint='+int tostr(peop tn.Address OfEntryPoi nt));
memo1.Lines.Add(' -BaseOfCode='+inttostr(peo ptn.BaseOf Code));
memo1.Lines.Add(' -BaseOfData='+inttostr(peo ptn.BaseOf Data));
memo1.Lines.Add(' -ImageBase='+inttostr(peop tn.ImageBa se));
memo1.Lines.Add(' -SectionAlignment='+inttos tr(peoptn. SectionAli gnment));
memo1.Lines.Add(' -FileAlignment='+inttostr( peoptn.Fil eAlignment ));
memo1.Lines.Add(' -MajorOperatingSystemVersi on='+intto str(peoptn .MajorOper atingSyste mVersion)) ;
memo1.Lines.Add(' -MinorOperatingSystemVersi on='+intto str(peoptn .MinorOper atingSyste mVersion)) ;
memo1.Lines.Add(' -MajorImageVersion='+intto str(peoptn .MajorImag eVersion)) ;
memo1.Lines.Add(' -MinorImageVersion='+intto str(peoptn .MinorImag eVersion)) ;
memo1.Lines.Add(' -MajorSubsystemVersion='+i nttostr(pe optn.Major SubsystemV ersion));
memo1.Lines.Add(' -MinorSubsystemVersion ='+inttostr(peoptn.MinorSu bsystemVer sion ));
memo1.Lines.Add(' -Reserved1 ='+inttostr(peoptn.Reserve d1));
memo1.Lines.Add(' -SizeOfImage ='+inttostr(peoptn.SizeOfI mage));
memo1.Lines.Add(' -SizeOfHeaders ='+inttostr(peoptn.SizeOfH eaders));
memo1.Lines.Add(' -CheckSum ='+inttostr(peoptn.CheckSu m));
memo1.Lines.Add(' -SubSystem ='+inttostr(peoptn.Subsyst em));
memo1.Lines.Add(' -DllCharacteristics ='+inttostr(peoptn.DllChar acteristic s));
memo1.Lines.Add(' -SizeOfStackReserve ='+inttostr(peoptn.SizeOfS tackReserv e));
memo1.Lines.Add(' -SizeOfStackCommit ='+inttostr(peoptn.SizeOfS tackCommit ));
memo1.Lines.Add(' -SizeOfHeapReserve ='+inttostr(peoptn.SizeOfH eapReserve ));
memo1.Lines.Add(' -SizeOfHeapCommit ='+inttostr(peoptn.SizeOfH eapCommit) );
memo1.Lines.Add(' -LoaderFlags ='+inttostr(peoptn.LoaderF lags));
memo1.Lines.Add(' -NumberOfRvaAndSizes ='+inttostr(peoptn.NumberO fRvaAndSiz es));
memo1.lines.add('--------- ---------- ---------- ---------- ---');
setlength(sectionheads,peh d.NumberOf Sections);
for i:=0 to pehd.NumberOfSections -1 do
begin
gptr:=pbyte(peoptn);
inc(gptr,sizeof(IMAGE_OPTI ONAL_HEADE R)+i*sizeo f(IMAGE_SE CTION_HEAD ER));
sectionheads[i]:=PIMAGE_SE CTION_HEAD ER(gptr);
end;
if peoptn.DataDirectory[IMAGE _DIRECTORY _ENTRY_EXP ORT].Size= 0 then
begin
memo1.lines.add('No Export Table Present');
memo1.lines.add('--------- ---------- ---------- ---------- ---');
end
else
begin
memo1.lines.add('Export Table Present');
for i:=pehd.NumberOfSections-1 downto 0 do
begin
if peoptn.DataDirectory[IMAGE _DIRECTORY _ENTRY_EXP ORT].Virtu alAddress> =sectionhe ads[i].Vir tualAddres s then
begin
offsetmem:=sectionheads[i] .PointerTo RawData-se ctionheads [i].Virtua lAddress;
break;
end;
end;
gptr:=bptr;
inc(gptr,offsetmem+peoptn. DataDirect ory[IMAGE_ DIRECTORY_ ENTRY_EXPO RT].Virtua lAddress);
pexpdir:=PIMAGE_EXPORT_DIR ECTORY(gpt r);
pexpnames:=pdword(longint( bptr)+inte ger(PIMAGE _EXPORT_DI RECTORY(gp tr).pAddre ssOfNames) );
for i:=0 to pexpdir.NumberOfNames-1 do
begin
expfname:=pchar(integer(bp tr)+intege r(pexpname s^));
memo1.lines.add(' -'+expfname);
inc(pexpnames);
end;
memo1.lines.add('--------- ---------- ---------- ---------- ---');
end;
if peoptn.DataDirectory[IMAGE _DIRECTORY _ENTRY_IMP ORT].Size= 0 then
memo1.lines.add('No Import Table Present')
else
begin
memo1.lines.add('Import Table Present');
for i:=pehd.NumberOfSections-1 downto 0 do
begin
if peoptn.DataDirectory[IMAGE _DIRECTORY _ENTRY_IMP ORT].Virtu alAddress> =sectionhe ads[i].Vir tualAddres s then
begin
offsetmem:=sectionheads[i] .PointerTo RawData-se ctionheads [i].Virtua lAddress;
break;
end;
end;
gptr:=bptr;
inc(gptr,offsetmem+peoptn. DataDirect ory[IMAGE_ DIRECTORY_ ENTRY_IMPO RT].Virtua lAddress);
idataphysicaladress:=gptr;
i:=0;
j:=0;
while true do
begin
gptr:=idataphysicaladress;
inc(gptr,i*sizeof(IMAGE_IM PORT_DESCR IPTOR));
idata :=PIMAGE_IMPORT_DESCRIPTOR (gptr);
if idata.Name = 0 then
break;
gptr:=bptr;
inc(gptr,offsetmem+idata.N ame);
modulename:=pchar(gptr);
memo1.Lines.Add('Module Name:_____________'+ modulename);
while true do
begin
if (idata.FirstThunk + j*4)= 0 then
break;
gptr:=bptr;
inc(gptr,offsetmem+idata.F irstThunk +j*4);
dptr:=plongword(gptr);
gptr:=bptr;
inc(gptr,offsetmem+dptr^);
if isbadcodeptr(gptr) then
break;
ord:=pword(gptr)^;
inc(gptr,2);
functionname:=pchar(gptr);
if isbadcodeptr(functionname) then
break;
if functionname=nil then
break;
memo1.Lines.Add(' -Ord:'+inttohex(ord,3)+' Function Name:===='+ functionname);
inc(j);
end;
inc(i);
end;
end;
end;
UnmapViewOfFile(bptr);
closehandle(hmap);
fileclose(h1);
end;
end.
And below is my attach that i test with:
testfiles.zip
<To Get All DLL's Used By The Application>
Now, please help me with this: I have now the code to know what functions the Application is using.
The problem with this, it is not stable, sometimes can get "InternetOpenA" and sometimes not, whats wrong with the code?
It only gets "InternetOpenA" in the first time of reading the exefile.
here is the code: (please make it stable)
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls;
const
IMAGE_DOS_SIGNATURE = $5A4D; { MZ }
IMAGE_OS2_SIGNATURE = $454E; { NE }
IMAGE_OS2_SIGNATURE_LE = $454C; { LE }
IMAGE_VXD_SIGNATURE = $454C; { LE }
IMAGE_NT_SIGNATURE = $00004550; { PE00 }
IMAGE_SIZEOF_SHORT_NAME = 8;
IMAGE_SIZEOF_SECTION_HEADE
IMAGE_NUMBEROF_DIRECTORY_E
IMAGE_RESOURCE_NAME_IS_STR
IMAGE_RESOURCE_DATA_IS_DIR
IMAGE_OFFSET_STRIP_HIGH = $7FFFFFFF;
DIRECTORY_ENTRY_EXPORT = 0; // Export Directory
IMAGE_DIRECTORY_ENTRY_IMPO
IMAGE_DIRECTORY_ENTRY_RESO
IMAGE_DIRECTORY_ENTRY_EXCE
IMAGE_DIRECTORY_ENTRY_SECU
IMAGE_DIRECTORY_ENTRY_BASE
IMAGE_DIRECTORY_ENTRY_DEBU
IMAGE_DIRECTORY_ENTRY_COPY
IMAGE_DIRECTORY_ENTRY_GLOB
IMAGE_DIRECTORY_ENTRY_TLS = 9; // TLS Directory
IMAGE_DIRECTORY_ENTRY_LOAD
IMAGE_DIRECTORY_ENTRY_BOUN
IMAGE_DIRECTORY_ENTRY_IAT = 12;
type
plist_entry = ^LIST_ENTRY;
LIST_ENTRY = record
Flink:pLIST_ENTRY;
Blink:pLIST_ENTRY;
end;
type IMAGE_EXPORT_DIRECTORY= packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
MajorVersion:WORD;
MinorVersion:WORD;
Name:DWORD;
Base:DWORD;
NumberOfFunctions:DWORD;
NumberOfNames:DWORD;
pAddressOfFunctions:PDWORD
pAddressOfNames:PDWORD;
pAddressOfNameOrdinals:PWO
end;
PIMAGE_EXPORT_DIRECTORY= ^IMAGE_EXPORT_DIRECTORY;
type FPO_DATA =packed record
ulOffStart: DWORD; // offset 1st byte of function code
cbProcSize:DWORD ; // # bytes in function
cdwLocals:DWORD; // # bytes in locals/4
cdwParams:WORD ; // # bytes in params/4
cbProlog:WORD; // # bytes in prolog
cbRegs:WORD; // # regs saved
fHasSEH:WORD; // TRUE if SEH in func
fUseBP:WORD; // TRUE if EBP has been allocated
reserved:WORD; // reserved for future use
cbFrame:WORD; // frame type
end;
PFPO_DATA=^FPO_DATA;
type
IMAGE_FUNCTION_ENTRY=packe
StartingAddress:dword;
EndingAddress:dword;
EndOfPrologue:dword;
end;
PIMAGE_FUNCTION_ENTRY=^IMA
type
PIMAGE_DOS_HEADER = ^IMAGE_DOS_HEADER;
IMAGE_DOS_HEADER = packed record { DOS .EXE header }
e_magic : WORD; { Magic number }
e_cblp : WORD; { Bytes on last page of file }
e_cp : WORD; { Pages in file }
e_crlc : WORD; { Relocations }
e_cparhdr : WORD; { Size of header in paragraphs }
e_minalloc : WORD; { Minimum extra paragraphs needed }
e_maxalloc : WORD; { Maximum extra paragraphs needed }
e_ss : WORD; { Initial (relative) SS value }
e_sp : WORD; { Initial SP value }
e_csum : WORD; { Checksum }
e_ip : WORD; { Initial IP value }
e_cs : WORD; { Initial (relative) CS value }
e_lfarlc : WORD; { File address of relocation table }
e_ovno : WORD; { Overlay number }
e_res : packed array [0..3] of WORD; { Reserved words }
e_oemid : WORD; { OEM identifier (for e_oeminfo) }
e_oeminfo : WORD; { OEM information; e_oemid specific }
e_res2 : packed array [0..9] of WORD; { Reserved words }
e_lfanew : Longint; { File address of new exe header }
end;
PIMAGE_FILE_HEADER = ^IMAGE_FILE_HEADER;
IMAGE_FILE_HEADER = packed record
Machine : WORD;
NumberOfSections : WORD;
TimeDateStamp : DWORD;
PointerToSymbolTable : DWORD;
NumberOfSymbols : DWORD;
SizeOfOptionalHeader : WORD;
Characteristics : WORD;
end;
PIMAGE_DATA_DIRECTORY = ^IMAGE_DATA_DIRECTORY;
IMAGE_DATA_DIRECTORY = packed record
VirtualAddress : DWORD;
Size : DWORD;
end;
PIMAGE_OPTIONAL_HEADER = ^IMAGE_OPTIONAL_HEADER;
IMAGE_OPTIONAL_HEADER = packed record
{ Standard fields. }
Magic : WORD;
MajorLinkerVersion : Byte;
MinorLinkerVersion : Byte;
SizeOfCode : DWORD;
SizeOfInitializedData : DWORD;
SizeOfUninitializedData : DWORD;
AddressOfEntryPoint : DWORD;
BaseOfCode : DWORD;
BaseOfData : DWORD;
{ NT additional fields. }
ImageBase : DWORD;
SectionAlignment : DWORD;
FileAlignment : DWORD;
MajorOperatingSystemVersio
MinorOperatingSystemVersio
MajorImageVersion : WORD;
MinorImageVersion : WORD;
MajorSubsystemVersion : WORD;
MinorSubsystemVersion : WORD;
Reserved1 : DWORD;
SizeOfImage : DWORD;
SizeOfHeaders : DWORD;
CheckSum : DWORD;
Subsystem : WORD;
DllCharacteristics : WORD;
SizeOfStackReserve : DWORD;
SizeOfStackCommit : DWORD;
SizeOfHeapReserve : DWORD;
SizeOfHeapCommit : DWORD;
LoaderFlags : DWORD;
NumberOfRvaAndSizes : DWORD;
DataDirectory : packed array [0..IMAGE_NUMBEROF_DIRECTO
end;
PIMAGE_SECTION_HEADER = ^IMAGE_SECTION_HEADER;
IMAGE_SECTION_HEADER = packed record
Name : packed array [0..IMAGE_SIZEOF_SHORT_NAM
PhysicalAddress : DWORD; // or VirtualSize (union);
VirtualAddress : DWORD;
SizeOfRawData : DWORD;
PointerToRawData : DWORD;
PointerToRelocations : DWORD;
PointerToLinenumbers : DWORD;
NumberOfRelocations : WORD;
NumberOfLinenumbers : WORD;
Characteristics : DWORD;
end;
PIMAGE_NT_HEADERS = ^IMAGE_NT_HEADERS;
IMAGE_NT_HEADERS = packed record
Signature : DWORD;
FileHeader : IMAGE_FILE_HEADER;
OptionalHeader : IMAGE_OPTIONAL_HEADER;
end;
PIMAGE_RESOURCE_DIRECTORY = ^IMAGE_RESOURCE_DIRECTORY;
IMAGE_RESOURCE_DIRECTORY = packed record
Characteristics : DWORD;
TimeDateStamp : DWORD;
MajorVersion : WORD;
MinorVersion : WORD;
NumberOfNamedEntries : WORD;
NumberOfIdEntries : WORD;
end;
PIMAGE_RESOURCE_DIRECTORY_
IMAGE_RESOURCE_DIRECTORY_E
Name: DWORD; // Or ID: Word (Union)
OffsetToData: DWORD;
end;
PIMAGE_RESOURCE_DATA_ENTRY
IMAGE_RESOURCE_DATA_ENTRY = packed record
OffsetToData : DWORD;
Size : DWORD;
CodePage : DWORD;
Reserved : DWORD;
end;
PIMAGE_RESOURCE_DIR_STRING
IMAGE_RESOURCE_DIR_STRING_
Length : WORD;
NameString : array [0..0] of WCHAR;
end;
type LOADED_IMAGE = record
ModuleName:pchar;
hFile:thandle;
MappedAddress:pchar;
FileHeader:PIMAGE_NT_HEADE
LastRvaSection:PIMAGE_SECT
NumberOfSections:integer;
Sections:PIMAGE_SECTION_HE
Characteristics:integer;
fSystemImage:boolean;
fDOSImage:boolean;
Links:LIST_ENTRY;
SizeOfImage:integer;
end;
PLOADED_IMAGE= ^LOADED_IMAGE;
type IMAGE_LOAD_CONFIG_DIRECTOR
Characteristics:DWORD;
TimeDateStamp:DWORD;
MajorVersion:WORD;
MinorVersion:WORD;
GlobalFlagsClear:DWORD;
GlobalFlagsSet:DWORD;
CriticalSectionDefaultTime
DeCommitFreeBlockThreshold
DeCommitTotalFreeThreshold
LockPrefixTable:Pointer;
MaximumAllocationSize:DWOR
VirtualMemoryThreshold:DWO
ProcessHeapFlags:DWORD;
ProcessAffinityMask:DWORD;
Reserved: array[0..2] of DWORD;
end;
PIMAGE_LOAD_CONFIG_DIRECTO
type IMAGE_IMPORT_BY_NAME = packed record
Hint:WORD;
Name:DWORD;
end;
PIMAGE_IMPORT_BY_NAME=^IMA
type IMAGE_THUNK_DATA =packed record
ForwarderString:PBYTE;
Func:PDWORD;
Ordinal:DWORD;
AddressOfData:PIMAGE_IMPOR
end;
PIMAGE_THUNK_DATA=^IMAGE_T
type IMAGE_IMPORT_DESCRIPTOR= packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
ForwarderChain:DWORD;
Name:DWORD;
FirstThunk:DWORD;
end;
PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;
type
TForm1 = class(TForm)
Button1: TButton;
Memo1: TMemo;
OpenDialog1: TOpenDialog;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
procedure ProcessFile;
end;
var
Form1: TForm1;
h1,hmap:integer;
bptr:pointer;
gptr:pbyte;
ntsign:plongword;
doshd:PIMAGE_DOS_HEADER;
pehd:PIMAGE_FILE_HEADER;
peoptn:PIMAGE_OPTIONAL_HEA
sectionheads:array of PIMAGE_SECTION_HEADER;
offsetmem:longword;
idataphysicaladress:pbyte;
idata:PIMAGE_IMPORT_DESCRI
modulename,functionname:pc
dptr:plongword;
ord:word;
pexpdir:PIMAGE_EXPORT_DIRE
pexpnames:pdword;
expfname:pchar;
implementation
{$R *.DFM}
procedure TForm1.Button1Click(Sender
begin
memo1.Lines.Clear;
processfile;
end;
procedure TForm1.ProcessFile;
var
i,j:integer;
begin
if opendialog1.Execute=false then
exit
else
h1:=fileopen(opendialog1.F
hmap:=CreateFileMapping(h1
doshd:=PIMAGE_DOS_HEADER(m
bptr:=doshd;
memo1.Lines.Clear;
memo1.lines.add('DOS Header');
memo1.Lines.Add(' -e_magic='+inttostr(doshd.
memo1.Lines.Add(' -e_cblp='+inttostr(doshd.e
memo1.Lines.Add(' -e_cp='+inttostr(doshd.e_c
memo1.Lines.Add(' -e_crlc='+inttostr(doshd.e
memo1.Lines.Add(' -e_cparhdr='+inttostr(dosh
memo1.Lines.Add(' -e_minalloc='+inttostr(dos
memo1.Lines.Add(' -e_maxalloc='+inttostr(dos
memo1.Lines.Add(' -e_ss='+inttostr(doshd.e_s
memo1.Lines.Add(' -e_sp='+inttostr(doshd.e_s
memo1.Lines.Add(' -e_csum='+inttostr(doshd.e
memo1.Lines.Add(' -e_ip='+inttostr(doshd.e_i
memo1.Lines.Add(' -e_cs='+inttostr(doshd.e_c
memo1.Lines.Add(' -e_lfarlc='+inttostr(doshd
memo1.Lines.Add(' -e_ovno='+inttostr(doshd.e
memo1.Lines.Add(' -e_oemid='+inttostr(doshd.
memo1.Lines.Add(' -e_oeminfo='+inttostr(dosh
memo1.Lines.Add(' -e_lfanew='+inttostr(doshd
gptr:=bptr;
inc(gptr,doshd.e_lfanew);
ntsign:=plongword(gptr);
if (ntsign^=IMAGE_NT_SIGNATUR
begin
memo1.Lines.Add('NT Signature<'+inttostr(IMAGE
memo1.Lines.Add('Windows Executable');
memo1.lines.add('---------
gptr:=bptr;
inc(gptr,doshd.e_lfanew+4)
pehd:=PIMAGE_FILE_HEADER(g
memo1.lines.add('PE Header');
memo1.Lines.Add(' -Machine='+inttostr(pehd.M
memo1.Lines.Add(' -Number of Sections='+inttostr(pehd.N
memo1.Lines.Add(' -TimeDateStamp='+IntToStr(
memo1.Lines.Add(' -PointerToSymbolTable='+In
memo1.Lines.Add(' -Number of Symbols='+IntToStr(pehd.Nu
memo1.Lines.Add(' -SizeOfOptionalHeader='+In
memo1.Lines.Add(' -Characteristics='+IntToSt
memo1.lines.add('---------
gptr:=pbyte(pehd);
inc(gptr,sizeof(IMAGE_FILE
peoptn:=PIMAGE_OPTIONAL_HE
memo1.lines.add('PE Optional Header');
memo1.Lines.Add(' -Magic='+inttostr(peoptn.M
memo1.Lines.Add(' -MajorLinkerVersion='+intt
memo1.Lines.Add(' -MinorLinkerVersion='+intt
memo1.Lines.Add(' -SizeOfCode='+inttostr(peo
memo1.Lines.Add(' -SizeOfInitializedData='+i
memo1.Lines.Add(' -SizeOfUninitializedData='
memo1.Lines.Add(' -AddressOfEntryPoint='+int
memo1.Lines.Add(' -BaseOfCode='+inttostr(peo
memo1.Lines.Add(' -BaseOfData='+inttostr(peo
memo1.Lines.Add(' -ImageBase='+inttostr(peop
memo1.Lines.Add(' -SectionAlignment='+inttos
memo1.Lines.Add(' -FileAlignment='+inttostr(
memo1.Lines.Add(' -MajorOperatingSystemVersi
memo1.Lines.Add(' -MinorOperatingSystemVersi
memo1.Lines.Add(' -MajorImageVersion='+intto
memo1.Lines.Add(' -MinorImageVersion='+intto
memo1.Lines.Add(' -MajorSubsystemVersion='+i
memo1.Lines.Add(' -MinorSubsystemVersion ='+inttostr(peoptn.MinorSu
memo1.Lines.Add(' -Reserved1 ='+inttostr(peoptn.Reserve
memo1.Lines.Add(' -SizeOfImage ='+inttostr(peoptn.SizeOfI
memo1.Lines.Add(' -SizeOfHeaders ='+inttostr(peoptn.SizeOfH
memo1.Lines.Add(' -CheckSum ='+inttostr(peoptn.CheckSu
memo1.Lines.Add(' -SubSystem ='+inttostr(peoptn.Subsyst
memo1.Lines.Add(' -DllCharacteristics ='+inttostr(peoptn.DllChar
memo1.Lines.Add(' -SizeOfStackReserve ='+inttostr(peoptn.SizeOfS
memo1.Lines.Add(' -SizeOfStackCommit ='+inttostr(peoptn.SizeOfS
memo1.Lines.Add(' -SizeOfHeapReserve ='+inttostr(peoptn.SizeOfH
memo1.Lines.Add(' -SizeOfHeapCommit ='+inttostr(peoptn.SizeOfH
memo1.Lines.Add(' -LoaderFlags ='+inttostr(peoptn.LoaderF
memo1.Lines.Add(' -NumberOfRvaAndSizes ='+inttostr(peoptn.NumberO
memo1.lines.add('---------
setlength(sectionheads,peh
for i:=0 to pehd.NumberOfSections -1 do
begin
gptr:=pbyte(peoptn);
inc(gptr,sizeof(IMAGE_OPTI
sectionheads[i]:=PIMAGE_SE
end;
if peoptn.DataDirectory[IMAGE
begin
memo1.lines.add('No Export Table Present');
memo1.lines.add('---------
end
else
begin
memo1.lines.add('Export Table Present');
for i:=pehd.NumberOfSections-1
begin
if peoptn.DataDirectory[IMAGE
begin
offsetmem:=sectionheads[i]
break;
end;
end;
gptr:=bptr;
inc(gptr,offsetmem+peoptn.
pexpdir:=PIMAGE_EXPORT_DIR
pexpnames:=pdword(longint(
for i:=0 to pexpdir.NumberOfNames-1 do
begin
expfname:=pchar(integer(bp
memo1.lines.add(' -'+expfname);
inc(pexpnames);
end;
memo1.lines.add('---------
end;
if peoptn.DataDirectory[IMAGE
memo1.lines.add('No Import Table Present')
else
begin
memo1.lines.add('Import Table Present');
for i:=pehd.NumberOfSections-1
begin
if peoptn.DataDirectory[IMAGE
begin
offsetmem:=sectionheads[i]
break;
end;
end;
gptr:=bptr;
inc(gptr,offsetmem+peoptn.
idataphysicaladress:=gptr;
i:=0;
j:=0;
while true do
begin
gptr:=idataphysicaladress;
inc(gptr,i*sizeof(IMAGE_IM
idata :=PIMAGE_IMPORT_DESCRIPTOR
if idata.Name = 0 then
break;
gptr:=bptr;
inc(gptr,offsetmem+idata.N
modulename:=pchar(gptr);
memo1.Lines.Add('Module Name:_____________'+ modulename);
while true do
begin
if (idata.FirstThunk + j*4)= 0 then
break;
gptr:=bptr;
inc(gptr,offsetmem+idata.F
dptr:=plongword(gptr);
gptr:=bptr;
inc(gptr,offsetmem+dptr^);
if isbadcodeptr(gptr) then
break;
ord:=pword(gptr)^;
inc(gptr,2);
functionname:=pchar(gptr);
if isbadcodeptr(functionname)
break;
if functionname=nil then
break;
memo1.Lines.Add(' -Ord:'+inttohex(ord,3)+' Function Name:===='+ functionname);
inc(j);
end;
inc(i);
end;
end;
end;
UnmapViewOfFile(bptr);
closehandle(hmap);
fileclose(h1);
end;
end.
And below is my attach that i test with:
testfiles.zip
ASKER
I was supposed to award points directly, I'll try again to accept multiple points.
ASKER
Thank you
ASKER
//---------------------
Ok, a followup question, one last answer please, just YES or NO, no following sentence
if its hard to get the function name inside the application(.exe), what if I assigned or PUT the entry_point or the address of the function that I am searching for:
like this:
Wininet.DLL exports TAble:
...
00015912h 264 InternetOpenA
00013491h 229 InternetConnectA
...
note:
00015912 (the address/entrypoint of InternetOpen in Wininet.DLL) I will put it in my code as string
code structure:
if "00015912" is found at "InternetEXE.exe" then
begin
showmessage('Internet open is found')
end;
iS this a possible technique?
//---------------------
Answered by: 8080Diver on the question body I posted.
Continuetion:
@8080Diver, hi
>Are you still molesting children?
NO, I'm not trying to do anything harm, honestly.
>>and you are puttinng a string in the code at the point of the InternetOpenA function?
YES, not only "InternetOpen"
>Or, are you saying that "there exists a WinInit.dll that exports the InternetOpenA function"?
NO, I'm not looking for a .DLL, I am looking for the Executable Application that has not been launch that contains a function "InternetOpen" or any other functions the application is using.
>Also, is the 00015912h a relative address or an absolute address?
YES, its the relative address
I don't know about absolute address, but if is usable to get the functions used, YES
>Finally, are you analyzing this DLL as it resides in memory or as a binary data file that you read and analyze without loading in the usual fashion?
NO, I'm not analyzing the DLL,
YES, as a binary data file that to be read and analyze without loading in the usual fashion
>On the other hand, if you know that 00015912h is the address of the InternetOpen entry point, why do you need to search for it ?
I'm not really after the "InternetOpen" , I'm only searching it because it is the only function that I was remind to use to search, later on if I know the code, I will search for other functions.
And I just want to let you know that I am not making any BAD application, why do i? instead of BAD, why not making it for a good use later on.
I'm not making a <virus>. why should i, it doesn't point me to the right direction.
As I know many other e-e user's manage to ask question that is very clear that there using it for making a <virus>. I have observed that, and I know you have too.
To be frank again, I'm not using it to build a <virus>.
>Finally, your "code structure" is psuode-Delphi code but could not be written that way. You would need to find the position of '00015912' within the block of binary data that you have read from the WinInit.dll file but you would need to read blocks with an overlap of least 8 characters (so that you don't read in 00015 in one block and 912 in the next one.
OK
>Given that you are reading WinInit.dll as a data file and that you have the 00015912 as a text string within the file and that you are handling the block reads in an appropriate manner, then yes, that would be one technique for finding the entry point. Although, that technique cannot be generalized because you cannot guarantee that all DLL's will provide such convenient markers. ;-)
NO, I'm not reading the DLL as a data file, I'm reading the Executable, But if is needed to read the DLL because the Executable(.exe) points the function to the DLL, then i will.
Thanks 8080Diver
@CodedK,
I'll post an answer to your questions and ideas, Later, lol, I have to read all the comments, enable for us to communicate well.
Ok, let me finish my dinner. lol
Thank you very much.