借个地方放下代码，研究的话也欢迎。不过没有注解，前提是要对PE比较了解。
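.386                                    ; 32-bit x86 code
.model flat, stdcall                    ; flat memory model; procs use stdcall (callee pops its args)
option casemap :none                    ; identifiers are case-sensitive
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
.data
szcaption db 'xbn',0                    ; caption string — not referenced anywhere in this listing
sztext db '找到KERNEL32的PE标志!',0      ; "found KERNEL32's PE signature!" — not referenced anywhere in this listing
_lpapi db 'GetProcAddress',0            ; export name that start passes to _getapi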
.code
;-----------------------------------------------------------------------
; DWORD _getkernelbase(DWORD _dwkernelretaddress)
; Scans memory downward from an address assumed to lie inside kernel32,
; one 64 KiB step at a time, until it finds a 64 KiB boundary whose first
; word is IMAGE_DOS_SIGNATURE ('MZ') and whose e_lfanew (offset 3Ch)
; points at IMAGE_NT_SIGNATURE.  That address is taken as the image base.
; ABI:   stdcall, flat model; all registers preserved via pushad/popad
; In:    _dwkernelretaddress = an address inside the target image
; Out:   eax = image base, or 0 if the scan drops below 70000000h first
; Note:  every probe dereferences [edi] with no SEH guard, so an unmapped
;        64 KiB boundary between the start address and the image base
;        raises an access violation instead of returning 0.
;        The 70000000h floor is a hard-coded assumption about where
;        kernel32 is loaded — NOTE(review): not guaranteed under ASLR;
;        confirm on the OS versions being tested.
;-----------------------------------------------------------------------
_getkernelbase proc _dwkernelretaddress
local @dwret                            ; result; 0 means "not found"
pushad
mov @dwret,0
mov edi,_dwkernelretaddress
and edi,0ffff0000h                      ; round down to a 64 KiB boundary (PE image bases are 64 KiB aligned)
.repeat
.if WORD ptr [edi]==IMAGE_DOS_SIGNATURE ; 'MZ' at the candidate base?
MOV ESI,EDI
ADD ESI,[ESI+003CH]                     ; esi = base + e_lfanew -> candidate IMAGE_NT_HEADERS
.if WORD ptr [esi]==IMAGE_NT_SIGNATURE  ; 'PE' — only the low word of the DWORD signature is compared
MOV @dwret,edi
.break                                  ; found: edi is the image base
.endif
.endif
sub edi,10000h                          ; next 64 KiB block downward
.break .if edi<70000000h                ; give up below the assumed kernel32 range
.until FALSE                            ; loop exits only via .break
popad
mov eax,@dwret
ret
_getkernelbase endp
;-----------------------------------------------------------------------
; DWORD _getapi(DWORD _dwkernelbase, LPSTR _lpap1)
; Intended to walk the export directory of the image at _dwkernelbase
; and return the address of the export named by _lpap1 (start passes
; the 'GetProcAddress' string).
; ABI:   stdcall, flat model; all registers preserved via pushad/popad
; In:    _dwkernelbase = image base; _lpap1 = pointer to an export name
; Out:   eax = resolved address on a match.  On the not-found path @ret
;        is never written, so eax is whatever happened to be in that
;        stack slot (uninitialised local) — unlike _getkernelbase, which
;        zeroes its result first.
; NOTE(review): the compare loop points edi at the AddressOfNames slot
;        itself (a 4-byte RVA), not at the string it refers to, and ecx
;        is `sizeof _lpap1`, the size of the DWORD parameter, not the
;        length of the name.  The post-match arithmetic adds the
;        ordinal-table RVA to a pointer into the names table.  The author
;        says the listing is unannotated; read it as a sketch of the
;        export-table layout rather than as a verified lookup.
;-----------------------------------------------------------------------
_getapi proc _dwkernelbase,_lpap1
local @ret                              ; result; not initialised before use
pushad
mov eax,_dwkernelbase
add eax,[eax+3ch]                       ; eax = base + e_lfanew -> IMAGE_NT_HEADERS
assume eax:ptr IMAGE_NT_HEADERS
MOV eax,[eax].OptionalHeader.DataDirectory.VirtualAddress ; DataDirectory[0] = export directory RVA
add eax,_dwkernelbase                   ; eax -> IMAGE_EXPORT_DIRECTORY
assume eax:ptr IMAGE_EXPORT_DIRECTORY
MOV ebx,[eax].AddressOfNames
add ebx,_dwkernelbase                   ; ebx -> AddressOfNames[0] (array of name RVAs)
xor edx,edx                             ; edx = current name index
.repeat
mov edi,ebx                             ; edi -> current AddressOfNames slot (the RVA, not the string)
mov esi,_lpap1                          ; esi -> wanted name
mov ecx,sizeof _lpap1                   ; 4 = size of the DWORD parameter, not the string length
repz cmpsb                              ; compare ecx bytes
.if ZERO?
jmp @F                                  ; all bytes equal: treated as a match
.endif
add ebx,4                               ; next slot
inc edx
.until edx>=[eax].NumberOfNames
jmp _ret                                ; table exhausted; @ret left unset
@@:
shl edx,2                               ; edx = index*4 — not used after this point
add ebx,[eax].AddressOfNameOrdinals     ; ebx = slot address + ordinals RVA (see review note above)
add ebx,_dwkernelbase
movzx ebx,WORD ptr [ebx]                ; read a 16-bit ordinal
shl ebx,2                               ; ordinal*4
add ebx,[eax].AddressOfFunctions
add ebx,_dwkernelbase                   ; ebx -> AddressOfFunctions[ordinal]
mov eax,[ebx]                           ; function RVA
add eax,_dwkernelbase                   ; eax = function VA
mov @ret,eax
_ret:
assume eax:nothing
popad
mov eax,@ret
ret
_getapi endp
;-----------------------------------------------------------------------
; Entry point.  At process start the top of the stack holds the address
; the loader will return to; the code assumes that address lies inside
; kernel32 — NOTE(review): a loader detail, confirm per Windows version.
; The base returned by _getkernelbase is passed to _getapi without a
; zero check, so a failed scan leads to a dereference near address 0.
; The address _getapi returns in eax is never used: nothing is called or
; displayed, and szcaption/sztext in .data are not referenced.
;-----------------------------------------------------------------------
start: mov eax,[esp]                    ; eax = loader return address (assumed inside kernel32)
invoke _getkernelbase,eax               ; eax = kernel32 image base, or 0 if the scan fails
invoke _getapi,eax,addr _lpapi          ; eax = address of the 'GetProcAddress' export (intended)
ret                                     ; return to the loader; eax is discarded
end start