Some months ago I did blog about a method I use to find out what’s behind hardcoded export addresses inside a disasmed file (it’s available at https://zairon.wordpress.com/2013/09/26/hardcoded-dll-export-address/). It works fine, but talking with a friend of mine I did realize that the entire process is a little bit mechanical. He told me about a possible configuration tool, just to ease the system. I finally had the time to create an Ida Python plugin based on his comments, it doesn’t fully respect what he had in mind but credit goes to Kayaker of course.
The zip file is available here and it contains two .py files: GetExportAddresses and APIAddressResolverPlugin (the gui based script):
This is the plugin dialog, and it’s used to configure everything. The idea is to have some directories, one for every OS files you are interested in. In the image you can clearly view I was dealing with XP_SP2 dlls. The control at the top of the plugin is used to select a specific directory, all the next operations will be done inside it. All the information about every dll are stored inside a single txt file named ExportAddresses.txt. The file is automatically created by the plugin itself when you select a directory without that file inside.
There are two listview controls inside the gui, the upper control lists all the available dll inside ExportAddresses.txt, the other one lists the exports inside a selected dll. The list view at the bottom is not really necessary indeed, but it can be usefull in case you need to have an idea about the addresses used by a specific dll.
To add a new dll you can use “Browse for a new DLL to add” button. You have to select a txt file created by GetExportAddresses.py, the other python file inside the zip. The file takes a dll as input and it produces a txt file with the information about the exported functions: the address of the function, the name of the dll and the name of the function.
To end the configuration process you only have to create the Python script able to check for the hardcoded address; just click on “Create GetExportedAddress.py” and the script will be created in the directory. With the use of this button you won’t have to change the path of ExportAddress.txt file each time you create a new OS dir. I haven’t added a script to re-solve all the possible hardcoded addresses because my idea is to solve few occasionally hidden addresses only.
It’s nothing special indeed, it’s handy in case you have to deal with different Oss and you don’t want to do all by hand.
Comments, criticisms, bug advices are always welcome, thank you.