- PVOID * ImportAddressList;
- PULONG FunctionNameList;
- UNICODE_STRING DllName;
- DWORD pName;
- WORD pHint;
- PVOID IATBase;
- ULONG OldProtect;
-
- DPRINT("ImportModule->Directory->dwRVAModuleName %s\n",
- (PCHAR)(ImageBase + ImportModuleDirectory->dwRVAModuleName));
-
- RtlCreateUnicodeStringFromAsciiz (&DllName,
- (PCHAR)(ImageBase + ImportModuleDirectory->dwRVAModuleName));
-
- Status = LdrGetDllHandle (0, 0, &DllName, &BaseAddress);
- if (!NT_SUCCESS(Status))
- {
- Status = LdrLoadDll(NULL,
- 0,
- &DllName,
- &BaseAddress);
- RtlFreeUnicodeString (&DllName);
- if (!NT_SUCCESS(Status))
- {
- DbgPrint("LdrFixupImports:failed to load %s\n"
- ,(PCHAR)(ImageBase
- + ImportModuleDirectory->dwRVAModuleName));
-
- return Status;
- }
- }
-
- /*
- * Get the import address list.
- */
- ImportAddressList = (PVOID *)(NTHeaders->OptionalHeader.ImageBase
- + ImportModuleDirectory->dwRVAFunctionAddressList);
-
- /*
- * Get the list of functions to import.
- */
- if (ImportModuleDirectory->dwRVAFunctionNameList != 0)
- {
- FunctionNameList = (PULONG) (
- ImageBase
- + ImportModuleDirectory->dwRVAFunctionNameList
- );
- }
- else
- {
- FunctionNameList =
- (PULONG)(ImageBase
- + ImportModuleDirectory->dwRVAFunctionAddressList);
- }
-
- /*
- * Get the size of IAT.
- */
- IATSize = 0;
- while (FunctionNameList[IATSize] != 0L)
- {
- IATSize++;
- }
-
- /*
- * Unprotect the region we are about to write into.
- */
- IATBase = (PVOID)ImportAddressList;
- Status = NtProtectVirtualMemory(NtCurrentProcess(),
- IATBase,
- IATSize * sizeof(PVOID*),
- PAGE_READWRITE,
- &OldProtect);
- if (!NT_SUCCESS(Status))
- {
- DbgPrint("LDR: Failed to unprotect IAT.\n");
- return(Status);
- }
-
- /*
- * Walk through function list and fixup addresses.
- */
- while (*FunctionNameList != 0L)
- {
- if ((*FunctionNameList) & 0x80000000)
- {
- Ordinal = (*FunctionNameList) & 0x7fffffff;
- *ImportAddressList =
- LdrGetExportByOrdinal(BaseAddress,
- Ordinal);
- }
- else
- {
- pName = (DWORD) (ImageBase + *FunctionNameList + 2);
- pHint = *(PWORD)(ImageBase + *FunctionNameList);
-
- *ImportAddressList =
- LdrGetExportByName(BaseAddress, (PUCHAR)pName, pHint);
- if ((*ImportAddressList) == NULL)
- {
- DbgPrint("Failed to import %s\n", pName);
- return STATUS_UNSUCCESSFUL;
- }
- }
- ImportAddressList++;
- FunctionNameList++;
- }
-
- /*
- * Protect the region we are about to write into.
- */
- Status = NtProtectVirtualMemory(NtCurrentProcess(),
- IATBase,
- IATSize * sizeof(PVOID*),
- OldProtect,
- &OldProtect);
- if (!NT_SUCCESS(Status))
- {
- DbgPrint("LDR: Failed to protect IAT.\n");
- return(Status);
- }
-
- ImportModuleDirectory++;
+ PVOID * ImportAddressList;
+ PULONG FunctionNameList;
+ UNICODE_STRING DllName;
+ DWORD pName;
+ WORD pHint;
+ PVOID IATBase;
+ ULONG OldProtect;
+
+ DPRINT("ImportModule->Directory->dwRVAModuleName %s\n",
+ (PCHAR)(ImageBase + ImportModuleDirectory->dwRVAModuleName));
+
+ RtlCreateUnicodeStringFromAsciiz (&DllName,
+ (PCHAR)(ImageBase + ImportModuleDirectory->dwRVAModuleName));
+
+ Status = LdrGetDllHandle (0, 0, &DllName, &BaseAddress);
+ if (!NT_SUCCESS(Status))
+ {
+ Status = LdrLoadDll(NULL,
+ 0,
+ &DllName,
+ &BaseAddress);
+ RtlFreeUnicodeString (&DllName);
+ if (!NT_SUCCESS(Status))
+ {
+ DbgPrint("LdrFixupImports:failed to load %s\n"
+ ,(PCHAR)(ImageBase
+ + ImportModuleDirectory->dwRVAModuleName));
+
+ return Status;
+ }
+ }
+
+ /*
+ * Get the import address list.
+ */
+ ImportAddressList = (PVOID *)(NTHeaders->OptionalHeader.ImageBase
+ + ImportModuleDirectory->dwRVAFunctionAddressList);
+
+ /*
+ * Get the list of functions to import.
+ */
+ if (ImportModuleDirectory->dwRVAFunctionNameList != 0)
+ {
+ FunctionNameList = (PULONG) (
+ ImageBase
+ + ImportModuleDirectory->dwRVAFunctionNameList
+ );
+ }
+ else
+ {
+ FunctionNameList =
+ (PULONG)(ImageBase
+ + ImportModuleDirectory->dwRVAFunctionAddressList);
+ }
+
+ /*
+ * Get the size of IAT.
+ */
+ IATSize = 0;
+ while (FunctionNameList[IATSize] != 0L)
+ {
+ IATSize++;
+ }
+
+ /*
+ * Unprotect the region we are about to write into.
+ */
+ IATBase = (PVOID)ImportAddressList;
+ Status = NtProtectVirtualMemory(NtCurrentProcess(),
+ IATBase,
+ IATSize * sizeof(PVOID*),
+ PAGE_READWRITE,
+ &OldProtect);
+ if (!NT_SUCCESS(Status))
+ {
+ DbgPrint("LDR: Failed to unprotect IAT.\n");
+ return(Status);
+ }
+
+ /*
+ * Walk through function list and fixup addresses.
+ */
+ while (*FunctionNameList != 0L)
+ {
+ if ((*FunctionNameList) & 0x80000000)
+ {
+ Ordinal = (*FunctionNameList) & 0x7fffffff;
+ *ImportAddressList =
+ LdrGetExportByOrdinal(BaseAddress,
+ Ordinal);
+ }
+ else
+ {
+ pName = (DWORD) (ImageBase + *FunctionNameList + 2);
+ pHint = *(PWORD)(ImageBase + *FunctionNameList);
+
+ *ImportAddressList =
+ LdrGetExportByName(BaseAddress, (PUCHAR)pName, pHint);
+ if ((*ImportAddressList) == NULL)
+ {
+ DbgPrint("Failed to import %s\n", pName);
+ return STATUS_UNSUCCESSFUL;
+ }
+ }
+ ImportAddressList++;
+ FunctionNameList++;
+ }
+
+ /*
+ * Protect the region we are about to write into.
+ */
+ Status = NtProtectVirtualMemory(NtCurrentProcess(),
+ IATBase,
+ IATSize * sizeof(PVOID*),
+ OldProtect,
+ &OldProtect);
+ if (!NT_SUCCESS(Status))
+ {
+ DbgPrint("LDR: Failed to protect IAT.\n");
+ return(Status);
+ }
+
+ ImportModuleDirectory++;