x64dbg插件之Emotet家族样本查找导入表
#include "plugin.h"
#include <string>
using namespace std;
// Name of the debugger command registered in pluginSetup and removed again in
// pluginStop; it is invoked from the x64dbg command line as "Emotet <hex base>"
// and dispatched to cbEmotetDumpIAT.
const char* EmotetCmd = "Emotet";
// Usage example: "Emotet 1234" — the argument is the hex base address of the import API address table.
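static bool cbEmotetDumpIAT(int argc, char* argv[])
{
    // Walks a table of function pointers inside the debuggee (the sample's
    // reconstructed import-API address table) and prints the API name that
    // x64dbg resolves for every non-null entry.
    //
    // argc/argv: x64dbg command-callback arguments. argv[0] holds the full
    //            command text ("Emotet <hex base>") and is parsed here.
    // Returns true once the table has been walked, false on bad arguments.
    //dprintf("[++++]argc count is %d\n", argc);
    //dputs(argv[0]);
    if (argc < 2 || argv == nullptr || argv[0] == nullptr)
        return false; // the base address of import_api_address_table is required

    // The base address is everything after the first blank in the command text.
    const std::string full_cmd = argv[0];
    const auto blank_pos = full_cmd.find(' ');
    if (blank_pos == std::string::npos)
        return false;
    const std::string base = full_cmd.substr(blank_pos + 1);

    // stoull throws on non-hex or out-of-range input; an exception escaping a
    // command callback would unwind through the debugger's dispatcher, so a
    // malformed argument is reported and turned into a failed command instead.
    unsigned long long ullbase = 0;
    try {
        ullbase = std::stoull(base, nullptr, 16);
    } catch (const std::exception&) {
        dputs("[++++]invalid base address, expected a hex value");
        return false;
    }
    // %p expects a pointer argument; cast so the argument width matches the
    // format on both 32- and 64-bit builds.
    dprintf("[++++]import_api_address_table base : 0x%p\n",
            reinterpret_cast<void*>(static_cast<uintptr_t>(ullbase)));

    constexpr int kMaxEntries = 0x10000; // upper bound on table slots scanned
    PVOID func_pointer = nullptr;
    for (int i = 0; i < kMaxEntries; i++) {
        // Stop at the first unreadable slot: if the read fails, func_pointer
        // would otherwise keep its previous value and be resolved again.
        if (!DbgMemRead(ullbase + sizeof(void*) * static_cast<size_t>(i), &func_pointer, sizeof(void*)))
            break;
        if (func_pointer) {
            //dprintf("[++++]function : 0x%p\n", func_pointer);
            // Resolve the function address to its API name via x64dbg's importer.
            const char* func_name = (const char*)ImporterGetAPIName((ULONG_PTR)func_pointer);
            if (func_name)
                dputs(func_name);
        }
    }
    return true;
}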
//Initialize your plugin data here.
bool pluginInit(PLUG_INITSTRUCT* initStruct)
{
    // Load-time entry point called by x64dbg: prints a banner and accepts the
    // load. initStruct is not inspected by this plugin.
    (void)initStruct;
    static const char kBanner[] = "[++++]Emotet analyzing tool\n";
    dputs(kBanner);
    // Returning false here would make x64dbg refuse to load the plugin.
    const bool keep_loaded = true;
    return keep_loaded;
}
//Deinitialize your plugin data here.
void pluginStop()
{
    // Unload-time entry point: remove the command registered in pluginSetup so
    // the debugger stops dispatching to cbEmotetDumpIAT after the plugin is gone.
    const char* const command_name = EmotetCmd;
    _plugin_unregistercommand(pluginHandle, command_name);
}
//Do GUI/Menu related things here.
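void pluginSetup()
{
    // Register the "Emotet" command with x64dbg. The final argument is the
    // SDK's debug-only flag: the callback reads debuggee memory, so it only
    // makes sense while a target is being debugged.
    // The SDK reports registration failure through the return value; log it
    // so a silently missing command is diagnosable from the log window.
    if (!_plugin_registercommand(pluginHandle, EmotetCmd, cbEmotetDumpIAT, true))
        dprintf("[++++]failed to register command '%s'\n", EmotetCmd);
}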