WKL-Sec · February 28, 2024 18:22
diff --git a/GetProcAddressAlternative.cpp b/GetProcAddressAlternative.cpp
 // White Knight Labs - Offensive Development Course
 // GetProcAddress Replacement

 #include <windows.h>
 #include <iostream>

 typedef FARPROC (*pAPIFinder)(IN HMODULE modHandle, IN LPCSTR apiName);

 FARPROC APIFinder(IN HMODULE modHandle, IN LPCSTR apiName) {
    PBYTE baseAddr = (PBYTE)modHandle;
    PIMAGE_DOS_HEADER dosHdr = (PIMAGE_DOS_HEADER)baseAddr;
    if (dosHdr->e_magic != IMAGE_DOS_SIGNATURE) 
        return NULL;
    
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(baseAddr + dosHdr->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) 
        return NULL;

    IMAGE_OPTIONAL_HEADER optHeader = ntHeaders->OptionalHeader;
    PIMAGE_EXPORT_DIRECTORY expDir = (PIMAGE_EXPORT_DIRECTORY)(baseAddr + optHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    PDWORD namesArr = (PDWORD)(baseAddr + expDir->AddressOfNames);
    PDWORD funcsArr = (PDWORD)(baseAddr + expDir->AddressOfFunctions);
    PWORD ordinalsArr = (PWORD)(baseAddr + expDir->AddressOfNameOrdinals);

    for (DWORD idx = 0; idx < expDir->NumberOfNames; idx++) {
        CHAR* funcName = (CHAR*)(baseAddr + namesArr[idx]);
        PVOID funcAddr = (PVOID)(baseAddr + funcsArr[ordinalsArr[idx]]);
        
        if (strcmp(apiName, funcName) == 0) {
            std::cout << "[ " << idx << " ] API Located - NAME: " << funcName << " - ADDRESS: " << funcAddr << std::endl;
            return (FARPROC)funcAddr;
        }
    }
    return NULL;
 }

 void* GetBaseAddressOfKernel32() {
    void* kernel32BaseAddress = nullptr;
    __asm {
        mov rdi, 0xFFFFFFFFFFFFFFFF
        inc rdi
        mov rax, 0
        lea rsi, [rax + 10h]
        add rsi, 50h
        mov rbx, gs:[rsi]
        lea rsi, [rbx + 10h + 8h]
        mov rbx, [rsi]
        lea rsi, [rbx + 10h + 10h]
        mov rbx, [rsi]
        mov rbx, [rbx]
        mov rbx, [rbx]
        lea rsi, [rbx + 10h + 10h]
        mov rbx, [rsi]
        mov rax, rbx
        mov kernel32BaseAddress, rax
    }
    return kernel32BaseAddress;
 }

 int main() {
    HMODULE kernel32Base = (HMODULE)GetBaseAddressOfKernel32();
    if (!kernel32Base) {
        printf("Failed to get base address of kernel32.dll\n");
        return -1;
    }

    FARPROC openProcessAddr = APIFinder(kernel32Base, "OpenProcess");
    if (!openProcessAddr) {
        printf("Failed to find the OpenProcess API address\n");
        return -1;
    }

    printf("Successfully found OpenProcess at address: 0x%p\n", openProcessAddr);
    return 0;
 }
	// White Knight Labs - Offensive Development Course
	// GetProcAddress Replacement

	#include <windows.h>
	#include <iostream>

	typedef FARPROC (*pAPIFinder)(IN HMODULE modHandle, IN LPCSTR apiName);

	FARPROC APIFinder(IN HMODULE modHandle, IN LPCSTR apiName) {
	PBYTE baseAddr = (PBYTE)modHandle;
	PIMAGE_DOS_HEADER dosHdr = (PIMAGE_DOS_HEADER)baseAddr;
	if (dosHdr->e_magic != IMAGE_DOS_SIGNATURE)
	return NULL;

	PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(baseAddr + dosHdr->e_lfanew);
	if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
	return NULL;

	IMAGE_OPTIONAL_HEADER optHeader = ntHeaders->OptionalHeader;
	PIMAGE_EXPORT_DIRECTORY expDir = (PIMAGE_EXPORT_DIRECTORY)(baseAddr + optHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
	PDWORD namesArr = (PDWORD)(baseAddr + expDir->AddressOfNames);
	PDWORD funcsArr = (PDWORD)(baseAddr + expDir->AddressOfFunctions);
	PWORD ordinalsArr = (PWORD)(baseAddr + expDir->AddressOfNameOrdinals);

	for (DWORD idx = 0; idx < expDir->NumberOfNames; idx++) {
	CHAR* funcName = (CHAR*)(baseAddr + namesArr[idx]);
	PVOID funcAddr = (PVOID)(baseAddr + funcsArr[ordinalsArr[idx]]);

	if (strcmp(apiName, funcName) == 0) {
	std::cout << "[ " << idx << " ] API Located - NAME: " << funcName << " - ADDRESS: " << funcAddr << std::endl;
	return (FARPROC)funcAddr;
	}
	}
	return NULL;
	}

	void* GetBaseAddressOfKernel32() {
	void* kernel32BaseAddress = nullptr;
	__asm {
	mov rdi, 0xFFFFFFFFFFFFFFFF
	inc rdi
	mov rax, 0
	lea rsi, [rax + 10h]
	add rsi, 50h
	mov rbx, gs:[rsi]
	lea rsi, [rbx + 10h + 8h]
	mov rbx, [rsi]
	lea rsi, [rbx + 10h + 10h]
	mov rbx, [rsi]
	mov rbx, [rbx]
	mov rbx, [rbx]
	lea rsi, [rbx + 10h + 10h]
	mov rbx, [rsi]
	mov rax, rbx
	mov kernel32BaseAddress, rax
	}
	return kernel32BaseAddress;
	}

	int main() {
	HMODULE kernel32Base = (HMODULE)GetBaseAddressOfKernel32();
	if (!kernel32Base) {
	printf("Failed to get base address of kernel32.dll\n");
	return -1;
	}

	FARPROC openProcessAddr = APIFinder(kernel32Base, "OpenProcess");
	if (!openProcessAddr) {
	printf("Failed to find the OpenProcess API address\n");
	return -1;
	}

	printf("Successfully found OpenProcess at address: 0x%p\n", openProcessAddr);
	return 0;
	}