export-resolver 1.0.3

A PE (Portable Executable) parser which will dynamically resolve virtual addresses of functions loaded in a PE. It will store these function virtual addresses in a structure for retrieval at the developers behest.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325

use std::arch::asm;
use std::ops::Add;
use std::os::windows::ffi::OsStringExt;
use std::slice::from_raw_parts;
use std::ffi::{c_void, OsString};
use windows::Win32::System::SystemServices::{IMAGE_DOS_HEADER, IMAGE_DOS_SIGNATURE, IMAGE_EXPORT_DIRECTORY, IMAGE_NT_SIGNATURE};
use windows::Win32::System::Diagnostics::Debug::IMAGE_NT_HEADERS64;
use std::fmt;

/// A structure containing the module name, function name, and export address for each function loaded
/// into the portable executable on x64 systems only.
struct ExportResolver<'a> {
    module: &'a str,
    base_address: usize, // to prevent repeat reads of the peb
    function: &'a str,
    address: usize,
}

#[derive(Debug)]
/// A list of module names, function names, and function export addresses of the respective function
/// within the memory space of the process this is called from. 
/// 
/// <section class="warning">
/// **IMPORTANT:** This tool may only be used for ethical, research or legal purposes. There is a massive learning benefit
/// to exploring this tool, or using it as part of a debugging process when reverse engineering malware or other tools.
/// 
/// This tool may also be used for red teamer's and penetration testers where you have the LAWFUL AUTHORITY to use this tool,
/// such as on a red team client engagement. In no way may this be used for illegal activity.
/// 
/// Tool only works on x64 by design.
/// </section>
/// 
/// # Example
/// 
/// ```rust
/// fn main() {
/// 
///     // Create a new instance of the ExportList
///     let mut exports = ExportList::new();
///     
///     // Add the desired functions to the ExportList structure, this will resolve and save the virtual addresses
///     // These calls may cause an Error if the function cannot be found; .add returns Result<(), ExportError>
///     let _ = exports.add("ntdll.dll", "NtOpenProcess");
///     let _ = exports.add("ntdll.dll", "NtQuerySystemTime");
/// 
///     // Attempt to get the virtual address; returns returns Result<(), ExportError> - an error will be returned where
///     // the input function name cannot be found in the vector of resolved functions (i.e. if the above step failed)
///     // or you have a typo.
///     let _nt = match exports.get_function_address("NtOpenProcess") {
///         Ok(v) => println!("NT: {:x}", v),
///         Err(e) => println!("Eeee {}", e),
///     };
/// }
/// ```
pub struct ExportList<'a> {
    list: Vec<ExportResolver<'a>>,
}

impl fmt::Debug for ExportResolver<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "ExportResolver {{ module: \"{}\", function: \"{}\", address: {:#x} }}",
            self.module, self.function, self.address
        )
    }
}

#[derive(Debug)]
pub enum ExportError {
    FunctionNotFound { module: String, function: String },
    FunctionNotInList { function: String },
}

impl fmt::Display for ExportError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ExportError::FunctionNotFound { module, function } => {
                write!(f, "Failed to get function address for {} in {}", function, module)
            },

            ExportError::FunctionNotInList { function } => {
                write!(f, "Function {} could not be found in the list of resolved functions, are you sure it's there?.", function)
            }
        }
    }
}

impl std::error::Error for ExportError {}

impl<'a> ExportList<'a> {

    /// Instantiate a new instance of the export list
    pub fn new() -> ExportList<'a> {
        ExportList {
            list: Vec::new(),
        }
    }

    /// Add a new function to the list which will use the module name and function name to
    /// find the memory address of hte function within the export address table.
    /// 
    /// # Returns
    /// 
    /// The function operates on its own instance, but will return a result of the unit type, or an ExportError.
    /// 
    /// <section class="warning">
    /// This will only work for x64, and there is no guarantee the addresses will always be valid.
    /// </section>
    pub fn add(&mut self, module: &'a str, function: &'a str) -> Result<(), ExportError> {

        for item in &self.list {
            // if we have already resolved the module, then skip straight to it
            if item.module == module {
                let result = get_function_from_exports(module, function, Some(item.base_address))
                    .ok_or_else(|| ExportError::FunctionNotFound {
                        module: module.to_string(),
                        function: function.to_string(),
                    })?;

                self.list.push(result);
        
                return Ok(());
            }
        }

        // if we made it this far, there was no match in the current exports
        let result = get_function_from_exports(module, function, None)
            .ok_or_else(|| ExportError::FunctionNotFound {
                module: module.to_string(),
                function: function.to_string(),
            })?;

        self.list.push(result);

        Ok(())
        
    } 

    /// Get the function address of a function you have added to the vector of exports as a usize. This
    /// may be converted to a *const c_void if required to be used as a raw pointer.
    /// 
    /// <section class="warning">
    /// This will only work for x64, and there is no guarantee the addresses will always be valid.
    /// </section>
    pub fn get_function_address(&self, function_name: &str) -> Result<usize, ExportError> {

        self.list
            .iter()
            .find(|f| f.function == function_name)
            .map(|f| f.address)
            .ok_or_else(|| ExportError::FunctionNotInList {
                function: function_name.to_string(),
            })
    }

}

/// Get the base address of a specified module. Obtains the base address by reading from the TEB -> PEB -> 
/// PEB_LDR_DATA -> InMemoryOrderModuleList -> InMemoryOrderLinks -> DllBase 
/// 
/// Returns the DLL base address as a Option<usize> 
#[allow(unused_variables)]
#[allow(unused_assignments)]
fn get_module_base(module_name: &str) -> Option<usize> {

    let mut peb: usize;
    let mut ldr: usize;
    let mut in_memory_order_module_list: usize;
    let mut current_entry: usize;

    unsafe {
        // get the peb and module list
        asm!(
            "mov {peb}, gs:[0x60]",
            "mov {ldr}, [{peb} + 0x18]",
            "mov {in_memory_order_module_list}, [{ldr} + 0x10]", // points to the Flink
            peb = out(reg) peb,
            ldr = out(reg) ldr,
            in_memory_order_module_list = out(reg) in_memory_order_module_list,
        );

        // set the current entry to the head of the list
        current_entry = in_memory_order_module_list;
        
        // iterate the modules searching for 
        loop {
            // get the attributes we are after of the current entry
            let dll_base = *(current_entry.add(0x30) as *const usize);
            let module_name_address = *(current_entry.add(0x60) as *const usize);
            let module_length = *(current_entry.add(0x58) as *const u16);
            
            // check if the module name address is valid and not zero
            if module_name_address != 0 && module_length > 0 {
                // read the module name from memory
                let dll_name_slice = from_raw_parts(module_name_address as *const u16, (module_length / 2) as usize);
                let dll_name = OsString::from_wide(dll_name_slice);

                // do we have a match on the module name?
                if dll_name.to_string_lossy().eq_ignore_ascii_case(module_name) {
                    return Some(dll_base);
                }

            } else {
                return None;
            }

            // dereference current_entry which contains the value of the next LDR_DATA_TABLE_ENTRY (specifically a pointer to LIST_ENTRY 
            // within the next LDR_DATA_TABLE_ENTRY)
            current_entry = *(current_entry as *const usize);

            // If we have looped back to the start, break
            if current_entry == in_memory_order_module_list {
                return None;
            }
        }
    }
}

/// Get the function address of a function in a specified DLL from the DLL Base.
/// 
/// # Parameters 
/// * dll_name -> the name of the DLL / module you are wanting to query
/// * needle -> the function name (case sensitive) of the function you are looking for
/// 
/// # Returns
/// Option<*const c_void> -> the function address as a pointer
fn get_function_from_exports<'a>(dll_name: &'a str, needle: &'a str, dll_base: Option<usize>) -> Option<ExportResolver<'a>> {

    // if the dll_base was already found from a previous search then use that
    // otherwise, if it was None, make a call to get_module_base
    let dll_base: *mut c_void = match dll_base {
        Some(base) => base as *mut c_void,
        None => {
            match get_module_base(dll_name) {
                Some(a) => a as *mut c_void,
                None => {
                    return None;
                },
            }
        },
    };

    // check we match the DOS header, cast as pointer to tell the compiler to treat the memory
    // address as if it were a IMAGE_DOS_HEADER structure
    let dos_header: IMAGE_DOS_HEADER = unsafe { read_memory(dll_base as *const IMAGE_DOS_HEADER) };
    if dos_header.e_magic != IMAGE_DOS_SIGNATURE {
        return None;
    }

    // check the NT headers
    let nt_headers = unsafe { read_memory(dll_base.offset(dos_header.e_lfanew as isize) as *const IMAGE_NT_HEADERS64) };
    if nt_headers.Signature != IMAGE_NT_SIGNATURE {
        return None;
    }

    // get the export directory
    // https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_data_directory
    // found from first item in the DataDirectory; then we take the structure in memory at dll_base + RVA
    let export_dir_rva = nt_headers.OptionalHeader.DataDirectory[0].VirtualAddress;
    let export_offset = unsafe {dll_base.add(export_dir_rva as usize) };
    let export_dir: IMAGE_EXPORT_DIRECTORY = unsafe { read_memory(export_offset as *const IMAGE_EXPORT_DIRECTORY) };
    
    // get the addresses we need
    let address_of_functions_rva = export_dir.AddressOfFunctions as usize;
    let address_of_names_rva = export_dir.AddressOfNames as usize;
    let ordinals_rva = export_dir.AddressOfNameOrdinals as usize;

    let functions = unsafe { dll_base.add(address_of_functions_rva as usize) } as *const u32;
    let names = unsafe { dll_base.add(address_of_names_rva as usize) } as *const u32;
    let ordinals = unsafe { dll_base.add(ordinals_rva as usize) } as *const u16;

    // get the amount of names to iterate over
    let number_of_names = export_dir.NumberOfNames;

    for i in 0..number_of_names {
        // calculate the RVA of the function name
        let name_rva = unsafe { *names.offset(i.try_into().unwrap()) as usize };
        // actual memory address of the function name
        let name_addr = unsafe { dll_base.add(name_rva) };
        
        // read the function name
        let function_name = unsafe {
            let char = name_addr as *const u8;
            let mut len = 0;
            // iterate over the memory until a null terminator is found
            while *char.add(len) != 0 {
                len += 1;
            }

            std::slice::from_raw_parts(char, len)
        };

        let function_name = std::str::from_utf8(function_name).unwrap_or("Invalid UTF-8");
        if function_name.eq("Invalid UTF-8") {
            return None;
        }

        // if we have a match on our function name
        if function_name.eq(needle) {

            // calculate the RVA of the function address
            let ordinal = unsafe { *ordinals.offset(i.try_into().unwrap()) as usize };
            let fn_rva = unsafe { *functions.add(ordinal) as usize };
            // actual memory address of the function address
            let fn_addr = unsafe { dll_base.add(fn_rva) } as *const c_void;

            let result = ExportResolver {
                module: dll_name,
                base_address: dll_base as usize,
                function: needle,
                address: fn_addr as usize,
            };

            return Some(result);
        }
    }

    None
}

/// Read memory of any type
unsafe fn read_memory<T>(address: *const T) -> T {
    std::ptr::read(address)
}