Rewrite GlobalAPIHandler (Global.Engine.Importer)

Issue #27 new
Duncan created an issue

as the title says, the function returns 0

Comments (8)

  1. --

    questionable if working, all proxy to EngineGlobalAPIHandler which is buggy

    GetDLLName -> EngineGlobalAPIHandler
    GetAPIName -> EngineGlobalAPIHandler
    GetAPINameEx -> EngineGlobalAPIHandler
    GetAPIOrdinalNumber -> EngineGlobalAPIHandler
    GetRemoteAPIAddress -> EngineGlobalAPIHandler
    GetLocalAPIAddress -> EngineGlobalAPIHandler
    GetDLLNameFromDebuggee -> EngineGlobalAPIHandler
    GetAPIOrdinalNumberFromDebuggee -> EngineGlobalAPIHandler
    GetRemoteDLLBase -> EngineGlobalAPIHandler
    IsForwardedAPI -> EngineGlobalAPIHandler
    GetForwardedAPIName -> EngineGlobalAPIHandler
    GetForwardedAPIOrdinalNumber -> EngineGlobalAPIHandler
    GetForwardedDLLName -> EngineGlobalAPIHandler
    GetNearestAPIAddress -> EngineGlobalAPIHandler
    GetNearestAPIName -> EngineGlobalAPIHandler
    
  2. Duncan reporter

    This is the current state:

    ImporterGetDLLName -> ImporterGetDLLNameFromDebugee
    ImporterGetAPIName -> ImporterGetAPINameFromDebugee
    ImporterGetAPINameEx -> remove?
    ImporterGetAPIOrdinalNumber -> ImporterGetAPIOrdinalNumberFromDebugee
    ImporterGetRemoteAPIAddress -> EngineGetAddressRemote
    ImporterGetLocalAPIAddress -> EngineGetAddressLocal
    ImporterGetDLLNameFromDebugee -> EngineGetModuleBaseRemote
    ImporterGetRemoteDLLBase -> EngineGetAddressRemote
    ImporterIsForwardedAPI -> remove?
    GetForwardedAPIOrdinalNumber -> remove?
    GetNearestAPIAddress  -> EngineGlobalAPIHandler
    GetNearestAPIName -> EngineGlobalAPIHandler
    
  3. --

    ah great. I just found this list I made when refactoring ::Importer. didn't know current state

    isForwardedAPI might be useful

  4. Duncan reporter

    how can you ever detect this properly? multiple DLLs can point at an API, so it's random to return an address...

  5. Duncan reporter

    it has something with APIAddress, which seems strange to me, because forwarded APIs don't have an RVA, will check it in the original docs

    yep, it's like this: example:

    HMODULE hModule = GetModuleHandleA("ntdll.dll");
    // hProcess: the process handle passed to the other Importer* calls
    ImporterIsForwardedAPI(hProcess, GetProcAddress(hModule, "RtlAllocateHeap"));
    //Function would return TRUE because this API is a forward for kernel32.HeapAlloc
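The forwarder check that comments 4 and 5 are circling, as an added example that is not from this thread or from the Importer code it discusses: a forwarded export has no RVA of its own. Its entry in the export address table points back into the export directory, at a "DLL.Function" (or "DLL.#ordinal") string, so the test is whether that RVA falls inside the export data directory's range. Asking by export name sidesteps the ambiguity Duncan raises, because GetProcAddress returns the resolved target address, and several forwarders in several DLLs can share one target. The PE image below is constructed in memory (it is not a real DLL) so the script runs offline; the function names are mine and are not the Importer API.

```python
"""Detect forwarded exports by parsing a PE export directory.

A forwarded export has no code of its own. Its AddressOfFunctions entry is
an RVA that points *inside* the export directory, at an ASCII string such as
"NTDLL.RtlAllocateHeap". Any RVA outside that range is real code. Because
GetProcAddress follows the forward and returns an address in the target DLL,
"is this export forwarded?" is best asked by name, not by resolved address.
"""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_sample_image():
    """Constructed sample, not a real DLL: a minimal PE32+ image laid out as it
    would be when mapped (buffer offset == RVA), with one code export and
    three forwarders. Names and targets are illustrative only."""
    export_rva = 0x1000
    exports = [  # (name, code RVA, forwarder target)
        ("LocalFunc", 0x2000, None),
        ("HeapAlloc", None, "NTDLL.RtlAllocateHeap"),
        ("HeapFree", None, "NTDLL.RtlFreeHeap"),
        ("OrdinalFwd", None, "NTDLL.#42"),
    ]
    exports.sort(key=lambda e: e[0].encode())  # loaders binary-search the name table
    n = len(exports)

    sec = bytearray(40)                  # room for IMAGE_EXPORT_DIRECTORY
    aof = len(sec)
    sec += b"\0" * (4 * n)               # AddressOfFunctions
    aon = len(sec)
    sec += b"\0" * (4 * n)               # AddressOfNames
    aono = len(sec)
    sec += b"\0" * (2 * n)               # AddressOfNameOrdinals

    def add_str(s):                      # append a C string, return its RVA
        rva = export_rva + len(sec)
        sec.extend(s.encode() + b"\0")
        return rva

    name_rva = add_str("sample.dll")
    for i, (name, code_rva, fwd) in enumerate(exports):
        struct.pack_into("<I", sec, aon + 4 * i, add_str(name))
        struct.pack_into("<H", sec, aono + 2 * i, i)   # unbiased ordinal index
        # A forwarder's "address" is the RVA of its target string, inside this section.
        struct.pack_into("<I", sec, aof + 4 * i, add_str(fwd) if fwd else code_rva)
    struct.pack_into(EXPORT_DIR_FMT, sec, 0, 0, 0, 0, 0, name_rva, 1, n, n,
                     export_rva + aof, export_rva + aon, export_rva + aono)

    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, SizeOfOptionalHeader=240, DLL|EXECUTABLE|LAA
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = 0x58
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    # DataDirectory[EXPORT] sits at optional header + 112 in PE32+ (96 in PE32)
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT,
                     export_rva, len(sec))
    img[export_rva:export_rva + len(sec)] = sec
    return bytes(img)


def parse_exports(image):
    """Return {name: (ordinal, rva, forwarder_or_None)} for every named export."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (112 if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC else 96)
    exp_rva, exp_size = struct.unpack_from("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return {}
    (_, _, _, _, _, base, nfuncs, nnames,
     aof, aon, aono) = struct.unpack_from(EXPORT_DIR_FMT, image, exp_rva)

    def cstr(rva):
        return image[rva:image.index(b"\0", rva)].decode()

    result = {}
    for i in range(nnames):
        name = cstr(struct.unpack_from("<I", image, aon + 4 * i)[0])
        idx = struct.unpack_from("<H", image, aono + 2 * i)[0]
        if idx >= nfuncs:
            raise ValueError("name ordinal out of range: %s" % name)
        rva = struct.unpack_from("<I", image, aof + 4 * idx)[0]
        # The defining check: a forwarder's RVA lands inside the export directory.
        fwd = cstr(rva) if exp_rva <= rva < exp_rva + exp_size else None
        result[name] = (base + idx, rva, fwd)
    return result


def is_forwarded_export(image, name):
    """By-name answer to the IsForwardedAPI question."""
    return parse_exports(image)[name][2] is not None


def split_forwarder(target):
    """'NTDLL.RtlAllocateHeap' -> ('NTDLL', 'RtlAllocateHeap'); 'NTDLL.#42' -> ('NTDLL', 42)."""
    dll, _, func = target.rpartition(".")
    return dll, (int(func[1:]) if func.startswith("#") else func)


if __name__ == "__main__":
    for name, (ordinal, rva, fwd) in sorted(parse_exports(build_sample_image()).items()):
        print("%-12s ord=%d rva=0x%04x %s" % (name, ordinal, rva, "-> " + fwd if fwd else "code"))
```

Run it directly to list the sample's exports with their forward targets. Given the bytes of a real mapped module, parse_exports works the same way, since it relies only on the documented export directory layout; it walks named exports only, so ordinal-only exports would need an extra pass over AddressOfFunctions that the name table never reaches.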
    