Skip to content

PE symbols enumeration procedure improper #269

New issue
New issue
Open
Open
PE symbols enumeration procedure improper#269
@s0duku

Description

@s0duku
s0duku
opened on Dec 27, 2024

https://github.com/rdbo/libmem/blob/fa4d3552c9d6d4d7044044e2d9ae996e0f165eb6/src/win/symbol.c

...
export_names = (DWORD *)(modbase + pexportdir->AddressOfNames);
export_funcs = (DWORD *)(modbase + pexportdir->AddressOfFunctions);

for (i = 0; i < pexportdir->NumberOfNames && i < pexportdir->NumberOfFunctions; ++i) {
		symbol.name = (lm_string_t)(modbase + export_names[i]);
		symbol.address = (lm_address_t)(module->base + export_funcs[i]);

...

When I try to hook ntdll.dll function, it failed to find the right address, It seems like LM_EnumSymbols did not handle exportdir->AddressOfOrdinals field.

I believe it should change to this

...
export_names = (DWORD *)(modbase + pexportdir->AddressOfNames);
export_funcs = (DWORD *)(modbase + pexportdir->AddressOfFunctions);
export_ordinals = (WORD *)(modbase + pexportdir->AddressOfOrdinals);

for (i = 0; i < pexportdir->NumberOfNames && i < pexportdir->NumberOfFunctions; ++i) {
		symbol.name = (lm_string_t)(modbase + export_names[i]);
		symbol.address = (lm_address_t)(module->base + export_funcs[export_ordinals [i]]);
...

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions