看高手wowocock的文章,好仰慕他啊!
标 题:看看我的代码
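; Posted by wowocock, 2002/08/22 08:55pm -- "Look at my code"
; Target: Win9x/Me/NT/2000/XP, 32-bit PE, MASM32 (Intel syntax, stdcall)
;
; Locates kernel32.dll without importing anything by walking down from the
; loader's return address found on the stack at process entry, then resolves
; four exports by hand from kernel32's export directory and displays them.
; This is the position-independent API-resolution idiom used by shellcode.
;
; Review notes:
;  * The walk assumes [esp] at the entry point lies inside kernel32, which
;    holds for the loaders this was written for.  A loader that calls the
;    entry point from another module lands the walk in that module; the
;    lookups then return 0 rather than the previous endless scan.
;    TODO confirm on each target OS.
;  * Pages below the return address are read without SEH; an unmapped page in
;    that range faults.
.586p
.model flat, stdcall
option casemap :none                    ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

GetApiAddress PROTO :DWORD,:BYTE

PAGE_STEP           equ 1000h           ; granularity of the header search
MZ_SIGNATURE        equ 5A4Dh           ; "MZ" read as a little-endian word
PE_SIGNATURE        equ 00004550h       ; "PE\0\0" read as a little-endian dword
; IMAGE_NT_HEADERS: Signature (4) + FileHeader (14h) + offset of
; OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] (60h) = 78h
EXPORT_DIR_RVA_OFS  equ 78h

.data
Kernel32Addr        dd ?                ; kernel32 image base (== its hModule)
ExportKernel        dd ?                ; VA of kernel32's IMAGE_EXPORT_DIRECTORY
GetProcAddr         dd ?
GetModuleHandleAddr dd ?
LoadLibraryAddr     dd ?
ExitProcessAddr     dd ?

; Names are matched exactly (length AND terminator) by GetApiAddress, so the
; ANSI variants are spelled out: kernel32 exports no bare "GetModuleHandle"
; or "LoadLibrary" -- the old prefix match only found the "A" variants because
; they happen to sort first in the name table.
aGetProcAddr        db "GetProcAddress",0
GetProcAddLen       equ $-aGetProcAddr-1
aGetModuleHandle    db "GetModuleHandleA",0
GetModuleHandleLen  equ $-aGetModuleHandle-1
aLoadLibrary        db "LoadLibraryA",0
LoadLibraryLen      equ $-aLoadLibrary-1
aExitProcess        db "ExitProcess",0
ExitProcessLen      equ $-aExitProcess-1

szTitle             db "Test",0
temp1               db " Kernel32.dll Address is:%8x:",0dh,0ah
                    db " GetProcAddress Address is:%8x:",0dh,0ah
                    db "GetModuleHandle Address is:%8x",0dh,0ah
                    db " LoadLibrary Address is:%8x",0dh,0ah
                    db " ExitProcess Address is:%8x",0
temp2               db 1024 dup(?)      ; wsprintf never writes more than 1024 bytes

.code
Start:
        ; [esp] at the entry point is the loader's return address.  Round it
        ; down to a page and step down one page at a time until an "MZ"
        ; header whose e_lfanew points at a "PE\0\0" signature is found.
        mov     eax,[esp]
        and     eax,0FFFFF000h          ; page-align (same effect as "and ax,0F000h")
        mov     esi,eax
LoopFindKernel32:
        sub     esi,PAGE_STEP
        cmp     word ptr [esi],MZ_SIGNATURE
        jnz     short LoopFindKernel32
        ; e_lfanew is a dword.  Real headers keep it well inside the first
        ; page; a larger value is a stray "MZ" in data and is rejected before
        ; it is dereferenced (the probe then stays on a page already read).
        mov     edi,[esi+3Ch]           ; IMAGE_DOS_HEADER.e_lfanew
        cmp     edi,PAGE_STEP-4
        jae     short LoopFindKernel32
        add     edi,esi
        cmp     dword ptr [edi],PE_SIGNATURE
        jnz     short LoopFindKernel32
        ; esi -> kernel32 image base, edi -> IMAGE_NT_HEADERS
        mov     Kernel32Addr,esi

        ; Export directory VA = base + DataDirectory[EXPORT].VirtualAddress
        mov     ebp,[edi+EXPORT_DIR_RVA_OFS]
        add     ebp,esi
        mov     ExportKernel,ebp

        invoke  GetApiAddress,offset aGetProcAddr,GetProcAddLen
        mov     GetProcAddr,eax
        invoke  GetApiAddress,offset aGetModuleHandle,GetModuleHandleLen
        mov     GetModuleHandleAddr,eax
        invoke  GetApiAddress,offset aLoadLibrary,LoadLibraryLen
        mov     LoadLibraryAddr,eax
        invoke  GetApiAddress,offset aExitProcess,ExitProcessLen
        mov     ExitProcessAddr,eax

        invoke  wsprintf,addr temp2,addr temp1,Kernel32Addr,GetProcAddr,GetModuleHandleAddr,LoadLibraryAddr,ExitProcessAddr
        invoke  MessageBoxA,0,addr temp2,addr szTitle,0

        ; GetApiAddress returns 0 for a name that is not exported; never call
        ; through a null pointer -- fall back to the imported ExitProcess.
        mov     eax,ExitProcessAddr
        test    eax,eax
        jz      short @F
        push    0
        call    eax
@@:
        invoke  ExitProcess,0

;-----------------------------------------------------------------------
; DWORD GetApiAddress(LPCSTR AddressOfName, BYTE ApiLength)     (stdcall)
; Resolve a kernel32 export by name, without GetProcAddress.
;   AddressOfName : bytes of the name to look up (need not be terminated)
;   ApiLength     : length of that name in bytes
; Reads : ExportKernel (export directory VA), Kernel32Addr (image base)
; Out   : eax = VA of the export, or 0 when no export name of exactly
;         ApiLength bytes equals AddressOfName
; Clobbers: ecx, edx, flags; ebx/esi/edi are preserved (USES)
; The scan is bounded by NumberOfNames and starts at entry 0 (the original
; skipped the first name and had no bound).  Forwarded exports are not
; followed: the raw AddressOfFunctions[] value plus base is returned.
;-----------------------------------------------------------------------
GetApiAddress proc uses ebx esi edi AddressOfName:DWORD, ApiLength:BYTE
        mov     edx,Kernel32Addr        ; edx = image base, constant below
        mov     edi,ExportKernel
        assume  edi:ptr IMAGE_EXPORT_DIRECTORY
        mov     ebx,[edi].AddressOfNames
        add     ebx,edx                 ; ebx -> AddressOfNames[0] (array of RVAs)
        mov     ecx,[edi].NumberOfNames ; ecx = entries left to scan
        assume  edi:nothing
        xor     eax,eax                 ; eax = index of the entry under test
        cld
NextName:
        test    ecx,ecx
        jz      short NotFound
        push    ecx                     ; repe cmpsb needs ecx
        mov     edi,[ebx+eax*4]
        add     edi,edx                 ; edi -> NUL-terminated export name
        mov     esi,AddressOfName
        movzx   ecx,ApiLength
        jecxz   CheckTerminator         ; empty name: only the terminator decides
        repe    cmpsb
        jne     short Mismatch
CheckTerminator:
        cmp     byte ptr [edi],0        ; export name must end exactly here
        je      short Found
Mismatch:
        pop     ecx
        dec     ecx
        inc     eax
        jmp     short NextName
Found:
        pop     ecx                     ; discard saved count
        mov     edi,ExportKernel
        assume  edi:ptr IMAGE_EXPORT_DIRECTORY
        mov     esi,[edi].AddressOfNameOrdinals
        add     esi,edx
        movzx   ecx,word ptr [esi+eax*2]   ; unbiased index into AddressOfFunctions
        mov     esi,[edi].AddressOfFunctions
        add     esi,edx
        mov     eax,[esi+ecx*4]
        add     eax,edx                 ; eax = VA of the export
        assume  edi:nothing
        ret
NotFound:
        xor     eax,eax
        ret
GetApiAddress endp

end Start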