I need advice how those three tables (*AddressOfFunctions, *AddressOfNames, *AddressOfOrdinals) to use to emulate GetProcAddress (this API works different under NT and Win9x where it doesn;t support returning addresses by ordinal value)

I've read structure descruption and wrote a little func upon those, which though doesn't work as it should, but sometimes it does :stupid: . First I looked up the index in TableOfNames, this index mukltipled by two and added to start of table of ordinals, picked up the ordinal (word) value, substracted the Base value, multipled by four, and finally added to AddressOfFunctions. However this returns various awsume weird horrible results ;)

To ilustrate my lameness I attach the source. Any help is welcome, of curse

GetProcAddressClnt proc uses ecx edx edi hMod: DWORD, lpName: LPCSTR

local NumberOfNames: DWORD
local NumberOfFunctions: DWORD
local ExportTable: DWORD
local ordinal[8]: CHAR
local Ordinal: WORD

; Get addr's module
mov edx, hMod
test edx, edx
jz done
mov ecx, [edx+03Ch] ; PE_offset
test ecx, ecx
jz done
add ecx, edx
cmp dword ptr [ecx], 04550h ; "PE" sig
jnz done
mov ecx, [ecx+078h] ; EXPORT_TABLE_PTR
test ecx, ecx
jz done
add ecx, edx
mov ExportTable, ecx
cmp lpName, 0FFFFh
ja IsLiteral
mov eax, lpName
jmp OrdinalKnown
IsLiteral:
mov edi, [ecx+020h] ; AddressOfNames
test edi, edi
jz done
add edi, edx
mov ecx, [ecx+018h] ; NumberOfNames
mov NumberOfNames, ecx
name_lookup:
mov eax, [edi]
add edi, 04h
test eax, eax
loopz name_lookup
jz done
add eax, edx
push ecx
push edx
push lpName
push eax
call lstrcmp
pop edx
pop ecx
test eax, eax
loopnz name_lookup
jz @F
xor eax, eax
jmp done
@@:
mov eax, NumberOfNames
dec eax
sub eax, ecx
OrdinalKnown:
mov edi, ExportTable
mov edi, [edi+024h] ; AddressOfOrdinals
test edi, edi
jnz @F
xor eax, eax
jmp done
@@:
mov edx, hMod
add edi, edx
mov ax, word ptr [edi+2*eax]
movzx eax, ax
mov ecx, ExportTable
mov edi, [ecx+010h] ; Base
sub eax, edi
mov edi, [ecx+01Ch] ; AddressOfFunctions
test edi, edi
jnz @F
xor eax, eax
jmp done
@@:
add edi, edx
mov eax, [edi+eax*4]
test eax, eax
jz done
add eax, edx
done:
ret
GetProcAddressClnt endp
Posted on 2003-01-12 12:18:54 by _Servil_
y0da has an example of this on his site.

Posted on 2003-01-12 16:36:41 by stormix
Well :rolleyes: i've linked to his site before..

anyway here's the file attached.

-stormix
Posted on 2003-01-12 17:37:05 by stormix