Drop resolved APIs which aren't actual exports

ergrelet · Jul 18, 2022 · 615392a · 615392a
1 parent dd62165
commit 615392a
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/unlicense/frida_exec.py b/unlicense/frida_exec.py
@@ -73,7 +73,8 @@ def enumerate_exported_functions(self,
                                      ) -> Dict[int, Dict[str, Any]]:
         if self._exported_functions_cache is None or update_cache:
             value: List[Dict[
-                str, Any]] = self._frida_rpc.enumerate_exported_functions()
+                str, Any]] = self._frida_rpc.enumerate_exported_functions(
+                    self.main_module_name)
             exports_dict = {int(e["address"], 16): e for e in value}
             self._exported_functions_cache = exports_dict
             return exports_dict

diff --git a/unlicense/resources/frida.js b/unlicense/resources/frida.js
@@ -270,11 +270,17 @@ rpc.exports = {
             return module != null && module.name.toUpperCase() == moduleName.toUpperCase();
         });
     },
-    enumerateExportedFunctions: function () {
+    enumerateExportedFunctions: function (excludedModuleName) {
         const modules = Process.enumerateModules();
         let exports = [];
-        modules.forEach(module => {
-            exports = exports.concat(module.enumerateExports());
+        modules.forEach(m => {
+            if (m.name != excludedModuleName) {
+                m.enumerateExports().forEach(e => {
+                    if (e.type == "function") {
+                        exports = exports.concat(e);
+                    }
+                });
+            }
         });
         return exports;
     },

diff --git a/unlicense/winlicense3.py b/unlicense/winlicense3.py
@@ -167,10 +167,18 @@ def in_main_module(address: int) -> bool:
                     process_controller.write_process_memory(
                         iat_range.base, list(new_iat_data))
                     return len(new_iat_data), resolved_import_count
-                LOG.debug("Resolved API: %s -> %s", hex(wrapper_start),
-                          hex(resolved_api))
-                new_iat_data += struct.pack(ptr_format, resolved_api)
-                resolved_import_count += 1
+
+                if resolved_api not in exports_dict:
+                    # TODO: Investigate. When TLS callbacks are used,
+                    # `kernel32.ExitProcess` might not be resolved properly.
+                    LOG.warn(
+                        "A resolved API isn't an export, it'll be ignored.")
+                    new_iat_data += struct.pack(ptr_format, 0)
+                else:
+                    LOG.debug("Resolved API: %s -> %s", hex(wrapper_start),
+                              hex(resolved_api))
+                    new_iat_data += struct.pack(ptr_format, resolved_api)
+                    resolved_import_count += 1
             elif wrapper_start in exports_dict:
                 # Not wrapped, add as is
                 new_iat_data += struct.pack(ptr_format, wrapper_start)