Skip to content

Commit 9c5315e

Browse files
Lz1yLz1y
authored
Update fixIAT.hpp
fix IAT by ordinal
1 parent a2975b4 commit 9c5315e

1 file changed

Lines changed: 11 additions & 1 deletion

File tree

RunPE-In-Memory/RunPEinMemory/fixIAT.hpp

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,16 @@ bool fixIAT(PVOID modulePtr)
2929
{
3030
IMAGE_THUNK_DATA32* fieldThunk = (IMAGE_THUNK_DATA32*)(DWORD(modulePtr) + offsetField + call_via);
3131
IMAGE_THUNK_DATA32* orginThunk = (IMAGE_THUNK_DATA32*)(DWORD(modulePtr) + offsetThunk + thunk_addr);
32+
PIMAGE_THUNK_DATA import_Int = (PIMAGE_THUNK_DATA)(lib_desc->OriginalFirstThunk + DWORD(modulePtr));
33+
34+
if (import_Int->u1.Ordinal & 0x80000000) {
35+
//Find Ordinal Id
36+
DWORD addr = (DWORD)GetProcAddress(LoadLibraryA(lib_name), (char *)(orginThunk->u1.Ordinal & 0xFFFF));
37+
PRINTF(" [V] API %x at %x\n", orginThunk->u1.Ordinal, addr);
38+
fieldThunk->u1.Function = addr;
39+
break;
40+
}
41+
3242
if (fieldThunk->u1.Function == NULL) break;
3343

3444
if (fieldThunk->u1.Function == orginThunk->u1.Function) {
@@ -46,4 +56,4 @@ bool fixIAT(PVOID modulePtr)
4656
}
4757
}
4858
return true;
49-
}
59+
}

0 commit comments

Comments
 (0)