Sometimes we need to take a checksum or hash of a loaded module/DLL so we can use it for various purposes, e.g. anti-tampering in a game. The following snippet enumerates all loaded modules (via the PEB) and takes the MD5 of the first section; hope it is useful.
Just two little snippets:
AnsiToFile: function that writes an AnsiString value to a file using the native API
FileToAnsi: function that reads a file into an AnsiString using the native API
Playing with the PEB (Process Environment Block) again. Now trying to extract PEB information from a 64-bit process, using the Wow64 API.
About WoW64:
http://en.wikipedia.org/wiki/WoW64
http://msdn.microsoft.com/en-us/library/aa384274(v=vs.85).aspx
Instead of using the x86 system-service call sequence, 32-bit binaries that make system calls are rebuilt to use a custom calling sequence. This calling sequence is inexpensive for WOW64 to intercept because it remains entirely in user mode. When the custom calling sequence is detected, the WOW64 CPU transitions back to native 64-bit mode and calls into Wow64.dll. Thunking is done in user mode to reduce the impact on the 64-bit kernel and to reduce the risk of a bug in the thunk that might cause a kernel-mode crash, data corruption, or a security hole. The thunks extract arguments from the 32-bit stack, extend them to 64 bits, then make the native system call.
Just testing a crypter's code in XE2 (64-bit). Because the PEB location moved in 64-bit and the pointer size is 8, some PEB walking fails and you get an error.
By the way, here is an alternative GetModuleHandle, compatible with 32- and 64-bit PE (XE2).
Still testing Delphi XE2, which now supports 64-bit compilation. By the way, also sharing this alternative GetProcAddress, supporting 32- and 64-bit PE.
(method: walking the export directory table for the function address)
// Requires the Winapi.Windows unit (PE structures, PULONG, PWORD) and
// System.SysUtils (AnsiStrComp).
type
  PUInt32 = ^UInt32;
  UInt32  = LongWord;
  PUInt64 = ^UInt64;
  UInt64  = System.UInt64;
  PSizeT  = ^TSizeT;
  TSizeT  = {$IFDEF CPUX64} UInt64 {$ELSE} UInt32 {$ENDIF};

const
  // PE optional header magic values
  IMAGE_NT_OPTIONAL_HDR32_MAGIC = $10b; // 32-bit PE file (PE32)
  IMAGE_NT_OPTIONAL_HDR64_MAGIC = $20b; // 64-bit PE file (PE32+)

// Resolve an exported function by name by walking the export directory of a
// module that is already mapped in this process (Module = image base).
function xGetProcAddress(Module: TSizeT; ProcName: String): Pointer;
var
  pIDH: PImageDosHeader absolute Module;
  pINH: PImageNtHeaders32;
  pIDD: PImageDataDirectory;
  pIED: PImageExportDirectory;
  pdwFuncs1,
  pdwFuncs,
  pdwNames: PULONG;
  pdwOrdinals: PWORD;
  dwOrd1: Cardinal;
  i: Integer;
  apiname: PAnsiChar;
begin
  Result := nil;
  if Module = 0 then Exit;
  if pIDH^.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
  pINH := Pointer(PByte(pIDH) + pIDH^._lfanew);
  if pINH^.Signature <> IMAGE_NT_SIGNATURE then Exit;
  // Signature, FileHeader and OptionalHeader.Magic sit at the same offsets in
  // both header layouts; only the DataDirectory position differs because the
  // PE32+ optional header is wider, so pick the layout from Magic.
  if pINH^.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC then
    pIDD := @PImageOptionalHeader64(@pINH^.OptionalHeader)^.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
  else
    pIDD := @pINH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
  // A module without an export table has a zero RVA here; checking pIED for
  // nil would never trigger, since base + 0 is not nil.
  if (pIDD^.VirtualAddress = 0) or (pIDD^.Size = 0) then Exit;
  pIED := Pointer(PByte(pIDH) + pIDD^.VirtualAddress);
  pdwFuncs    := PULONG(PByte(pIDH) + Cardinal(pIED^.AddressOfFunctions));
  pdwNames    := PULONG(PByte(pIDH) + Cardinal(pIED^.AddressOfNames));
  pdwOrdinals := PWORD(PByte(pIDH) + Cardinal(pIED^.AddressOfNameOrdinals));
  pdwFuncs1 := pdwFuncs;
  // The name and name-ordinal tables have NumberOfNames entries (not
  // NumberOfFunctions, which counts the address table and may be larger).
  for i := 0 to Integer(pIED^.NumberOfNames) - 1 do begin
    // The name ordinal is an index into the address table (no Base bias).
    dwOrd1 := pdwOrdinals^;
    pdwFuncs := pdwFuncs1;
    Inc(pdwFuncs, dwOrd1);
    // An RVA that points back into the export directory is a forwarder
    // string ("OTHERDLL.Func"), not code; skip those.
    if (pdwFuncs^ < pIDD^.VirtualAddress) or (pdwFuncs^ >= pIDD^.VirtualAddress + pIDD^.Size) then begin
      apiname := PAnsiChar(PByte(pIDH) + pdwNames^);
      if AnsiStrComp(apiname, PAnsiChar(AnsiString(ProcName))) = 0 then begin
        Result := Pointer(PByte(pIDH) + pdwFuncs^);
        Exit;
      end;
    end;
    Inc(pdwOrdinals);
    Inc(pdwNames);
  end;
end;
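As an added example (not the blog's own code), the same export-directory walk in Python, together with the MD5-of-the-first-section check from the first entry above, run over a constructed PE32+ image rather than a real DLL. The parser assumes a mapped image, so RVAs index straight into the buffer, exactly as the Delphi routine assumes for a module in its own process; the image contents, the export names Bar/Foo/Fwd and the forwarder target OTHER.Func are all made up for the example.

```python
"""Walk a mapped PE image's export directory (as xGetProcAddress does) and
MD5 its first section; runs over a constructed sample image."""
import hashlib
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def nt_headers(img):
    """Return (nt_offset, optional_header_offset, is_pe32plus) after the same
    MZ / PE / Magic checks the Delphi routine performs."""
    if u16(img, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    nt = u32(img, 0x3C)                        # e_lfanew
    if u32(img, nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = nt + 4 + 20                          # Signature + IMAGE_FILE_HEADER
    magic = u16(img, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return nt, opt, True
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return nt, opt, False
    raise ValueError("unknown optional header magic 0x%x" % magic)


def export_table(img):
    """Map export name -> RVA, or 'forward:<target>' for forwarded exports."""
    _, opt, is64 = nt_headers(img)
    # DataDirectory starts at +112 in a PE32+ optional header, +96 in PE32
    dd = opt + (112 if is64 else 96) + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    exp_rva, exp_size = u32(img, dd), u32(img, dd + 4)
    if exp_rva == 0 or exp_size == 0:
        return {}                              # module exports nothing
    n_names = u32(img, exp_rva + 24)           # NumberOfNames, not NumberOfFunctions
    funcs = u32(img, exp_rva + 28)             # AddressOfFunctions
    names = u32(img, exp_rva + 32)             # AddressOfNames
    ords = u32(img, exp_rva + 36)              # AddressOfNameOrdinals
    table = {}
    for i in range(n_names):
        ordinal = u16(img, ords + 2 * i)       # index into AddressOfFunctions
        rva = u32(img, funcs + 4 * ordinal)
        name = cstr(img, u32(img, names + 4 * i))
        if exp_rva <= rva < exp_rva + exp_size:
            table[name] = "forward:" + cstr(img, rva)   # forwarder, not code
        else:
            table[name] = rva
    return table


def get_proc_address(img, base, name):
    """Absolute address of a named export, or None if absent or forwarded."""
    rva = export_table(img).get(name)
    return base + rva if isinstance(rva, int) else None


def first_section_md5(img):
    """MD5 of the first section's mapped bytes, e.g. for an anti-tamper check."""
    nt, _, _ = nt_headers(img)
    if u16(img, nt + 6) == 0:                  # FileHeader.NumberOfSections
        raise ValueError("image has no sections")
    sec = nt + 24 + u16(img, nt + 20)          # first IMAGE_SECTION_HEADER
    vsize, vaddr = u32(img, sec + 8), u32(img, sec + 12)
    return hashlib.md5(img[vaddr:vaddr + vsize]).hexdigest()


def build_sample_image():
    """Constructed PE32+ image (not a real DLL): .text at RVA 0x1000 and an
    export directory at RVA 0x2000 exporting Bar, Foo and a forwarder Fwd."""
    img = bytearray(0x3000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    nt, opt, sec, e = 0x40, 0x58, 0x148, 0x2000
    struct.pack_into("<I", img, nt, IMAGE_NT_SIGNATURE)
    # Machine=x64, 2 sections, SizeOfOptionalHeader=240, Characteristics=DLL
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x8664, 2, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<II", img, opt + 112, e, 0x100)          # export dir RVA/size
    struct.pack_into("<8sII", img, sec, b".text", 0x40, 0x1000)
    struct.pack_into("<8sII", img, sec + 40, b".edata", 0x100, e)
    img[0x1000:0x1040] = bytes(range(0x40))                    # stand-in code bytes
    # Export directory: ..., Name, Base, NumberOfFunctions, NumberOfNames, 3 tables
    struct.pack_into("<IIHHIIIIIII", img, e, 0, 0, 0, 0, e + 0x80, 1, 3, 3,
                     e + 0x40, e + 0x50, e + 0x60)
    struct.pack_into("<III", img, e + 0x40, 0x1010, 0x1020, e + 0x90)     # functions
    struct.pack_into("<III", img, e + 0x50, e + 0xA0, e + 0xA4, e + 0xA8)  # names
    struct.pack_into("<HHH", img, e + 0x60, 0, 1, 2)                      # ordinals
    img[e + 0x80:e + 0x8B] = b"sample.dll\0"
    img[e + 0x90:e + 0x9B] = b"OTHER.Func\0"                   # forwarder target
    img[e + 0xA0:e + 0xAC] = b"Bar\0Foo\0Fwd\0"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(export_table(image))
    print(hex(get_proc_address(image, 0x180000000, "Foo")))
    print(first_section_md5(image))
```

Two points the walk makes visible: the loop is bounded by NumberOfNames, because AddressOfNames and AddressOfNameOrdinals only have that many entries, and an address that lands inside the export directory itself is a forwarder string rather than code, so a by-name lookup must not return it as an address. For a file on disk rather than a mapped module, each RVA would first have to be translated to a file offset through the section headers.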
