1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
use crate::emu;
use crate::peb::peb64;
pub fn GetProcAddress(emu: &mut emu::Emu) {
let hndl = emu.regs().rcx;
let func_ptr = emu.regs().rdx;
let func = emu.maps.read_string(func_ptr).to_lowercase();
/*
if func == "zwcopyfilechunk" {
emu.regs_mut().rax = 0x7ff7e0001337;
log_red!(
emu,
"kernel32!GetProcAddress `{}!{}` =0x{:x}",
"kernel32",
"zwcopyfilechunk",
emu.regs().rax
);
return;
}*/
let mut flink = peb64::Flink::new(emu);
flink.load(emu);
let first_flink = flink.get_ptr();
loop {
if flink.export_table_rva > 0 {
for i in 0..flink.num_of_funcs {
if flink.pe_hdr == 0 {
continue;
}
let ordinal = flink.get_function_ordinal(emu, i);
// log::trace!("func name {}!{}", flink.mod_name, ordinal.func_name);
if ordinal.func_name.to_lowercase() == func {
emu.regs_mut().rax = ordinal.func_va;
log_red!(
emu,
"kernel32!GetProcAddress `{}!{}` =0x{:x}",
flink.mod_name,
ordinal.func_name,
emu.regs().rax
);
return;
}
}
}
flink.next(emu);
if flink.get_ptr() == first_flink {
break;
}
}
emu.regs_mut().rax = 0;
log::warn!("kernel32!GetProcAddress error searching {}", func);
}