7etsuo · March 21, 2024 02:56
diff --git a/ExportFunctionAddressFinder.ps b/ExportFunctionAddressFinder.ps
 # This pseudocode assumes the existence of data structures for the export directory table
 # and functions to read from these structures based on Relative Virtual Addresses (RVA).

 # Structure definitions (simplified)
 struct ExportDirectoryTable {
    NamePointerTable namePointerTable;
    OrdinalTable ordinalTable;
    ExportAddressTable exportAddressTable;
 }

 struct NamePointerTable {
    list<RVA> pointersToNames;
 }

 struct OrdinalTable {
    list<int> ordinals;
 }

 struct ExportAddressTable {
    list<RVA> functionAddresses;
 }

 # Function to find the address of an exported function by name
 function getExportFunctionAddress(dllHandle, functionName):
    exportDirectory = getExportDirectoryTable(dllHandle)

    # Step 1: Look up the function name in the Export Name Pointer Table to find its RVA
    for i in range(exportDirectory.namePointerTable.pointersToNames.length):
        nameRVA = exportDirectory.namePointerTable.pointersToNames[i]
        exportedName = readStringAtRVA(dllHandle, nameRVA)

        # If the exported name matches the function we want, proceed
        if exportedName == functionName:
            # Step 2: Find the ordinal associated with the function name
            functionOrdinal = exportDirectory.ordinalTable.ordinals[i]

            # Step 3: Use the ordinal as an index to get the function's address from the Export Address Table
            functionAddressRVA = exportDirectory.exportAddressTable.functionAddresses[functionOrdinal]

            # Convert the function's RVA to an actual address in the DLL's memory space
            functionAddress = convertRVAToActualAddress(dllHandle, functionAddressRVA)
            return functionAddress

    # Function name not found
    return null

 # Let's say we want to call a function named "LoadLibraryAddress" from a loaded DLL
 dllBase = loadDLL("kernel32.dll")
 LoadLibraryAddress = getExportFunctionAddress(dllBase, "LoadLibrary")
 GetProcAddress = getExportFunctionAddress(dllBase, "GetProcAddress")

 if LoadLibraryAddress is not null:
    do something
 ...
	# This pseudocode assumes the existence of data structures for the export directory table
	# and functions to read from these structures based on Relative Virtual Addresses (RVA).

	# Structure definitions (simplified)
	struct ExportDirectoryTable {
	NamePointerTable namePointerTable;
	OrdinalTable ordinalTable;
	ExportAddressTable exportAddressTable;
	}

	struct NamePointerTable {
	list<RVA> pointersToNames;
	}

	struct OrdinalTable {
	list<int> ordinals;
	}

	struct ExportAddressTable {
	list<RVA> functionAddresses;
	}

	# Function to find the address of an exported function by name
	function getExportFunctionAddress(dllHandle, functionName):
	exportDirectory = getExportDirectoryTable(dllHandle)

	# Step 1: Look up the function name in the Export Name Pointer Table to find its RVA
	for i in range(exportDirectory.namePointerTable.pointersToNames.length):
	nameRVA = exportDirectory.namePointerTable.pointersToNames[i]
	exportedName = readStringAtRVA(dllHandle, nameRVA)

	# If the exported name matches the function we want, proceed
	if exportedName == functionName:
	# Step 2: Find the ordinal associated with the function name
	functionOrdinal = exportDirectory.ordinalTable.ordinals[i]

	# Step 3: Use the ordinal as an index to get the function's address from the Export Address Table
	functionAddressRVA = exportDirectory.exportAddressTable.functionAddresses[functionOrdinal]

	# Convert the function's RVA to an actual address in the DLL's memory space
	functionAddress = convertRVAToActualAddress(dllHandle, functionAddressRVA)
	return functionAddress

	# Function name not found
	return null

	# Let's say we want to call a function named "LoadLibraryAddress" from a loaded DLL
	dllBase = loadDLL("kernel32.dll")
	LoadLibraryAddress = getExportFunctionAddress(dllBase, "LoadLibrary")
	GetProcAddress = getExportFunctionAddress(dllBase, "GetProcAddress")

	if LoadLibraryAddress is not null:
	do something
	...