how to get the address of the entry point in an API

[Nacho_dj]

Hello:

Just spend a little time reading these tutorials, sure you are finding there your answer:

http://spiff.tripnet.se/~iczelion/tutorials.html

In that web, go to "PE tutorials", and there, "Import table" and "Export table". You can find some tools to test all that these tutorials are teaching you.

Good luck!

Nacho_dj

Look at this code. It part of programm
which takes ntdll.dll(on disk file) and generates something like this
/*w2k3callx.h*/
MagicFoo (NtAcceptConnectPort, 24) //0
MagicFoo (NtAccessCheck, 32) //1
MagicFoo (NtAccessCheckAndAuditAlarm, 44) //2
MagicFoo (NtAccessCheckByType, 44) //3
MagicFoo (NtAccessCheckByTypeAndAuditAlarm, 64) //4
MagicFoo (NtAccessCheckByTypeResultList, 44) //5
MagicFoo (NtAccessCheckByTypeResultListAndAuditAlarm, 64) //6
MagicFoo (NtAccessCheckByTypeResultListAndAuditAlarmByHandle, 68) //7
MagicFoo (NtAddAtom, 12) //8
....

#####################################
...
#define MAKESECTVA(rva,sectva) (DWORD)rva-(DWORD)sectva
#define MAKERAW(rva,sraw,setcva) (DWORD)sraw+MAKESECTVA(rva,setcva)
...
void Export :: processdll(std::string dllname)
{
FILE *f_dll= fopen(dllname.c_str(),"rb");
struct pe_header_t hdr;

DWORD sectVA=0;

IMAGE_DOS_HEADER ddh;
IMAGE_NT_HEADERS32 hdr2;


char *sectdata;
char *exportData;

if(f_dll)
{
fread(&ddh,sizeof(ddh),1,f_dll);

fseek(f_dll,ddh.e_lfanew,FILE_BEGIN);

fread(&hdr2,sizeof(hdr2),1,f_dll);


#ifdef INFORMATE
printf("\n\tINFO:export va=%x(hex) ",hdr2.OptionalHeader.DataDirectory[0].VirtualAddress);
printf("\tsize=%d(decimal)",hdr2.OptionalHeader.DataDirectory[0].Size);
#endif
sectdata=(char *)malloc(sizeof(IMAGE_SECTION_HEADER)*hdr2.FileHeader.NumberOfSections);
fread(sectdata,sizeof(IMAGE_SECTION_HEADER)*hdr2.FileHeader.NumberOfSections,1,f_dll);

//PIMAGE_SECTION_HEADER sects = IMAGE_FIRST_SECTION32(&hdr2);
PIMAGE_SECTION_HEADER sects=(PIMAGE_SECTION_HEADER)sectdata;
BOOL wasfound=FALSE;
for(int i=0;i<hdr2.FileHeader.NumberOfSections;i++)
{
if(sects->VirtualAddress<=hdr2.OptionalHeader.DataDirectory[0].VirtualAddress &&
sects->VirtualAddress+sects->Misc.VirtualSize>hdr2.OptionalHeader.DataDirectory[0].VirtualAddress)
{
wasfound=TRUE;
break;
}
sects++;
}

if(wasfound)
{

exportData=(char *)malloc(hdr2.OptionalHeader.DataDirectory[0].Size);
if(exportData)
{
fseek(f_dll,
sects->PointerToRawData+
hdr2.OptionalHeader.DataDirectory[0].VirtualAddress-
sects->VirtualAddress
,FILE_BEGIN);
fread(exportData,
hdr2.OptionalHeader.DataDirectory[0].Size,
1,
f_dll);
PIMAGE_EXPORT_DIRECTORY pexp=(PIMAGE_EXPORT_DIRECTORY)exportData;
#ifdef INFORMATE
printf("\n\tINFO:exports number=%d(decimal)",pexp->NumberOfFunctions);
#endif

PDWORD address_t,name_t;
unsigned short *ordinal_t;
PDWORD raddress_t,rname_t;
unsigned short *rordinal_t;
raddress_t=address_t=(PDWORD)malloc(pexp->NumberOfFunctions*sizeof(DWORD));
fseek(f_dll,
MAKERAW(pexp->AddressOfFunctions,
sects->PointerToRawData,
sects->VirtualAddress
)
,FILE_BEGIN);
fread(address_t,pexp->NumberOfFunctions*sizeof(DWORD),1,f_dll);
rname_t=name_t=(PDWORD)malloc(pexp->NumberOfNames*sizeof(DWORD));
int offset=MAKERAW(pexp->AddressOfNames,
sects->PointerToRawData,
sects->VirtualAddress);
fseek(f_dll,
offset
,FILE_BEGIN);
fread(name_t,pexp->NumberOfNames*sizeof(DWORD),1,f_dll);
rordinal_t=ordinal_t=(unsigned short *)malloc(pexp->NumberOfNames*sizeof(DWORD));

offset=MAKERAW(pexp->AddressOfNameOrdinals,
sects->PointerToRawData,
sects->VirtualAddress);

fseek(f_dll,
offset
,FILE_BEGIN);

fread(ordinal_t,pexp->NumberOfNames*sizeof(unsigned short),1,f_dll);

for(int i=0;i<pexp->NumberOfFunctions;i++,address_t++,name_t++,ordinal_t++)
{
int ianumber=0;
unsigned char funcdata[15];
char funcname[1024];
std::string funcname2;

//(*address_t)
fseek(f_dll,
MAKERAW((*name_t),
sects->PointerToRawData,
sects->VirtualAddress)
,FILE_BEGIN);
fread(funcname,1024,1,f_dll);

if(used->find(dllname,funcname))
{
printf("\n\tFound %s",funcname);

//磬 滂耜?铕滂磬臌 脲驵?raw, ?? 徨?OrdinalBase
DWORD ordinal=*ordinal_t;



PIMAGE_SECTION_HEADER sects2=(PIMAGE_SECTION_HEADER)sectdata;
BOOL wasfound=FALSE;
for(int i=0;i<hdr2.FileHeader.NumberOfSections;i++)
{
if(sects2->VirtualAddress<=(raddress_t[ordinal]) &&
sects2->VirtualAddress+sects2->Misc.VirtualSize>(raddress_t[ordinal]))
{
wasfound=TRUE;
break;
}
sects2++;
}

if(wasfound)
{
fseek(f_dll,
MAKERAW(raddress_t[ordinal],
sects2->PointerToRawData,
sects2->VirtualAddress)
,FILE_BEGIN);

fread(funcdata,15,1,f_dll);
printf("\n\t");

/*for(int j=0;j<8;j++)
printf("%x ",funcdata[j]);*/

DWORD api_num=*((PDWORD)(&funcdata[1]));
DWORD ret_size=0x666;
if(funcdata[0xc]==(unsigned char)0xc2)
{
ret_size=*((unsigned short *)(&funcdata[13]));
}
else if(funcdata[0xc]==(unsigned char)0xc3)
ret_size=0;

if(ret_size!=0x666)
used->output(dllname,funcname,api_num,ret_size);
else
used->outputAlarm(dllname,funcname,api_num,ret_size);
}
#ifdef INFORMATE
else
{
printf("\nERROR:Section with function was not found in - %s",dllname.c_str());
}
#endif




//funcdata 耦溴疰栩 RVA 磬 趔黻鲨?





}

memset(funcname,0,strlen(funcname));
//(_dlldata [dllname])[funcname]=ianumber;
}
free(rordinal_t);
free(raddress_t);
free(rname_t);
free(exportData);
}
}
#ifdef INFORMATE
else
{
printf("\nERROR:Section with export data was not found in - %s",dllname.c_str());
}
#endif

free(sectdata);
fclose(f_dll);
}
#ifdef INFORMATE
else
{
printf("\nERROR:File access error - %s",dllname.c_str());
}
#endif
}