Improve compatibility with some targets
Hendi48 committed Jan 14, 2023
1 parent 5c70453 commit b581164
Showing 2 changed files with 14 additions and 8 deletions.
20 changes: 12 additions & 8 deletions Dumper.pas
Expand Up @@ -105,22 +105,24 @@ destructor TDumper.Destroy;

procedure TDumper.CollectNTFwd;
var
hNetapi: HMODULE;
hNetapi, hSrvcli: HMODULE;
begin
CollectForwards(FForwards, GetModuleHandle(kernel32), 0);
if FHUsr <> 0 then
CollectForwards(FForwardsType2, GetModuleHandle(user32), FHUsr);
CollectForwards(FForwardsOle32, GetModuleHandle('ole32.dll'), 0);
hNetapi := LoadLibrary('netapi32.dll');
hSrvcli := LoadLibrary('srvcli.dll');
CollectForwards(FForwardsNetapi32, hNetapi, 0);
FreeLibrary(hSrvcli);
FreeLibrary(hNetapi);
end;

procedure TDumper.CollectForwards(Fwds: TForwardDict; hModReal, hModScan: HMODULE);
var
ModScan: PByte;
ExpDir: PImageExportDirectory;
i, Posi: Integer;
i, DotPos: Integer;
a: PCardinal;
Fwd: PAnsiChar;
hMod: HMODULE;
Expand All @@ -135,17 +137,19 @@ procedure TDumper.CollectForwards(Fwds: TForwardDict; hModReal, hModScan: HMODUL
for i := 0 to ExpDir.NumberOfFunctions - 1 do
begin
Fwd := PAnsiChar(ModScan + a^); // e.g. NTDLL.RtlAllocateHeap
Posi := Pos(AnsiString('.'), Fwd);
if (Length(Fwd) in [10..90]) and (((Posi > 0) and (Posi < 15)) or (Pos(AnsiString('api-ms-win'), Fwd) > 0)) and (Pos(AnsiString('.#'), Fwd) = 0) then
DotPos := Pos(AnsiString('.'), Fwd);
if (Length(Fwd) in [10..90]) and (((DotPos > 0) and (DotPos < 15)) or (Pos(AnsiString('api-ms-win'), Fwd) > 0)) and (Pos(AnsiString('.#'), Fwd) = 0) then
begin
hMod := GetModuleHandleA(PAnsiChar(Copy(Fwd, 1, Posi - 1)));
hMod := GetModuleHandleA(PAnsiChar(Copy(Fwd, 1, DotPos - 1)));
if hMod > 0 then
begin
// Not using the normal GetProcAddress because it can return apphelp hooks (e.g., CoCreateInstance when running as admin)
ProcAddr := GetLocalProcAddr(hMod, PAnsiChar(Copy(Fwd, Posi + 1, 50)));
ProcAddr := GetLocalProcAddr(hMod, PAnsiChar(Copy(Fwd, DotPos + 1, 50)));
Fwds.AddOrSetValue(ProcAddr, PByte(hModReal) + a^);
//Log(ltInfo, Format('%s @ %p', [PAnsiChar(Copy(Fwd, Posi + 1, 50)), ProcAddr]));
end;
//Log(ltInfo, Format('%s @ %p', [PAnsiChar(Copy(Fwd, DotPos + 1, 50)), ProcAddr]));
end
//else
// Log(ltFatal, Format('Forward target not loaded: %s', [string(AnsiString(PAnsiChar(Copy(Fwd, 1, DotPos - 1))))]));
end;
Inc(a);
end;
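Review bot: The added `LoadLibrary('srvcli.dll')` in CollectNTFwd, like the existing netapi32.dll call next to it, passes a bare file name, so the module is resolved through the default DLL search order, which begins with the tool's own directory; a file of that name placed there would be loaded into the dumper instead of the system copy. Restricting the lookup to the system directory avoids this, e.g. `hSrvcli := LoadLibraryEx('srvcli.dll', 0, LOAD_LIBRARY_SEARCH_SYSTEM32);` (declare the flag locally if the Windows unit in use lacks it). Neither handle is checked: if a load fails, hNetapi is 0 when it reaches `CollectForwards`, whose export-directory parsing lies outside the visible lines, so either confirm it tolerates a null module or guard the call with `if hNetapi <> 0 then`. Since hSrvcli is never read, a comment such as `// keep srvcli.dll mapped so netapi32 forwards resolve via GetModuleHandleA` (presumably the intent) would explain why it is loaded at all.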
2 changes: 2 additions & 0 deletions PEInfo.pas
Expand Up @@ -83,6 +83,8 @@ function TPEHeader.CreateSection(const Name: AnsiString; Size: Cardinal): PPESec
begin
Misc.VirtualSize := Size;
VirtualAddress := Prev.VirtualAddress + Prev.Misc.VirtualSize;
if (VirtualAddress and $FFF) <> 0 then
VirtualAddress := (VirtualAddress + $1000) and (not $FFF);
PointerToRawData := Prev.PointerToRawData + Prev.SizeOfRawData;
SizeOfRawData := Size;
Characteristics := IMAGE_SCN_MEM_READ or IMAGE_SCN_CNT_INITIALIZED_DATA;
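Review bot: The new rounding in CreateSection hard-codes a $1000 alignment (`(VirtualAddress + $1000) and (not $FFF)`) rather than using the image's own SectionAlignment from the optional header, so a target built with a larger section alignment would still get a misaligned VirtualAddress. If the fixed page size is intentional, a comment like `// round up to the next 4 KiB page; assumes SectionAlignment = $1000` would make the assumption visible. The addition is done in Cardinal arithmetic, so with a crafted previous section whose VirtualAddress + VirtualSize is close to $FFFFFFFF the result wraps to a low address unless overflow checking is on; rejecting that case before the section is appended seems worthwhile given that the headers come from the file being unpacked. The function continues outside the hunk, so whether SizeOfImage is recomputed from the aligned address cannot be seen here.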