Computer Forensics

Data Acquired and Frozen

Browsing Posts in Undocumented Winnt API

Undocumented API: MapAndLoad()

2010/06/30 Sriram No comments

MapAndLoad()

The IMAGEHLP.DLL can also take care of memory mapping a PE file for you. The MapAndLoad() function maps the requested PE file in memory and fills in the LOADED_IMAGE structure with some useful information about the mapped file.

BOOL MapAndLoad(
LPSTR ImageName,
LPSTR DllPath,
PLOADED_IMAGE LoadedImage,
BOOL DotDll,
BOOL ReadOnly
);

PARAMETERS

ImageName Name of the PE file that is loaded.
DllPath Path used to locate the file if the name provided cannot be found. If NULL is passed, then normal rules for searching using the PATH environment variable are applied.
LoadedImage The structure LOADED_IMAGE is defined in the IMAGEHLP.H file. The structure has the following members:
ModuleName Name of the loaded file.
hFile Handle obtained through the call to CreateFile.
MappedAddress Memory address where the file is mapped.
FileHeader Pointer to the PE header within the mapped file.
LastRvaSection The function sets it to the first section (see ImageRvaToVa).
NumberOfSections Number of sections in the loaded PE file.
Sections Pointer to the first section header within the mapped file.
Characteristics Characteristics of the PE file (this is explained in more detail later in this chapter).
fSystemImage Flag indicating whether it is a kernel-mode driver/DLL.
fDOSImage Flag indicating whether it is a DOS executable.
Links List of loaded images.
SizeOfImage Size of the image.

The function sets the members in the structure appropriately after loading the PE file.

DotDll If the file needs to be searched and does not have an extension, then either the .exe or the .dll extension is used. If the DotDll flag is set to TRUE, the .dll extension is used; otherwise, the .exe extension is used.
ReadOnly If the flag is set to TRUE, the file is mapped as read-only.
VN:F [1.9.6_1107]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.6_1107]
Rating: 0 (from 0 votes)
Undocumented Winnt API , ,
Read more

ImageNtHeader()

2010/06/28 Sriram No comments

ImageNtHeader()

The ImageRvaToVa() function needs a pointer to the PE header. The ImageNtHeader exported from the IMAGEHLP.DLL can provide you this pointer.

PIMAGE_NT_HEADERS ImageNtHeader(
LPVOID ImageBase
);

PARAMETERS

ImageBase Base address where the PE file is mapped into memory using the Win32 API for the memory mapping of files.

RETURN VALUES
If the function succeeds, the return value is a pointer to the IMAGE_NT_HEADERS structure within the mapped file; otherwise, it returns NULL.

VN:F [1.9.6_1107]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.6_1107]
Rating: 0 (from 0 votes)
Undocumented Winnt API none
Read more

ImageRvaToVa()

2010/06/28 Sriram No comments

ImageRvaToVa()

Description:

LPVOID ImageRvaToVa(
PIMAGE_NT_HEADERS NtHeaders,
LPVOID Base,
DWORD Rva,
PIMAGE_SECTION_HEADER *LastRvaSection
);

PARAMETERS
NtHeaders Pointer to an IMAGE_NT_HEADERS structure. This structure represents the PE header and is defined in the WINNT.h file. A pointer to the PE header within a PE file can be obtained using the ImageNtHeader() function exported by IMAGEHLP.DLL.
Base Base address where the PE file is mapped into memory using the Win32 API for the memory mapping of files.
Rva Given relative virtual address.
LastRvaSection Last RVA section. This is an optional parameter, and you can pass NULL. When specified, it points to a variable that contains the last section value used for the specified image to translate an RVA to a VA. This is used for optimizing the section search, in case the given RVA also falls within the same section as the one for the previous call to the function. The LastRVASection is checked first, and the regular sequential search for the section is carried out only if the given RVA does not fall within the LastRVASection.

RETURN VALUES
If the function succeeds, the return value is the virtual address in the mapped file; otherwise, it is NULL. The error number can be retrieved using the GetLastError() function.

VN:F [1.9.6_1107]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.6_1107]
Rating: 0 (from 0 votes)
Undocumented Winnt API ,
Read more
RSS

 

May 2012
M T W T F S S
« Nov    
 123456
78910111213
14151617181920
21222324252627
28293031  

Categories

Blog Rating

Average blog rating:

6.1

24 votes cast for 14 posts

Archives

Pages

Forensics

Tags

'' 'Latest Trends in Anti-Debugging' 'open' 'publish' AHK Worm Source Code apple jobbs apple steve apple steve jobbs Cybercrime and security Cybercrime boosts jobs in security Disable Autorun Disable Autorun's Disable Autorun's Completely Disable Pen Drive Autorun Disable Registry Autorun Disabling Autorun False-Positive Exploited By Hackers Google SEO poisoning Hacker Facebook ImageRvaToVa() Introduction to PE Win32 Introduction to PE Win32 File Introduction to PE Win32 File Infectors MapAndLoad() McAfee False-Positive McAfee False-Positive Exploited By Hackers Mcafee False Detection McAfee News PE Win32 File Infectors Rogue Antivirus Russian Hacker trades Facebook accounts SEO Poisoning steve jobbs graduation steve jobbs speech steve jobbs stanford svchost.exe false detection The heap41a The heap41a - AHK Worm Source Code Trading Facebook Accounts Undocumented 32 bit Winnt API's Undocumented API Undocumented API MapAndLoad() Virus Doctor Windows Disable Autorun Worm Source Code

Spam Blocked

Powered by WordPress Web Design by SRS Solutions © 2012 Computer Forensics Design by SRS Solutions