大家帮忙看看吧--暴力搜索Kernel32.dll地址空间
NOV 2003-08-19 12:20:13
.386
; Syntax: MASM (Intel operand order), 32-bit flat model, Win32 stdcall.
.model flat,stdcall                     ; callee pops arguments; used for the indirect API calls below
option casemap:none                     ; case-sensitive symbols, required by windows.inc
include windows.inc                     ; IMAGE_DOS_HEADER / IMAGE_NT_HEADERS / IMAGE_EXPORT_DIRECTORY, MB_OK, NULL
include kernel32.inc                    ; NOTE(review): no kernel32 function is called by name in this file,
includelib kernel32.lib                 ; so these two lines should add no import entries — presumably template leftovers
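.data
; String constants. Every name handed to LoadLibraryA / GetProcAddress must be
; NUL-terminated: the callee reads until the terminator, so a missing NUL makes
; the next string in memory part of the name.
Mess             db 'Hello!',0          ; MessageBoxA text and caption
szGetProcAddress db 'GetProcAddress',0  ; compared byte-for-byte against kernel32's export names
szMessageBox     db 'MessageBoxA',0
szUser32         db 'user32.dll',0      ; fix: the NUL was missing, so LoadLibraryA saw "user32.dllLoadLibraryA"
szLoadLibrary    db 'LoadLibraryA',0
szExitProcess    db 'ExitProcess',0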
;---------------------------------------------------------
.data?
; Uninitialised globals, filled in at run time by _start.
BaseKrenel       dd ?                   ; kernel32.dll image base found by the stack-walk scan ("Krenel" sic — name is used throughout)
hUser32          dd ?                   ; HMODULE returned by LoadLibraryA("user32.dll")
adGetProcAddress dd ?                   ; address of kernel32!GetProcAddress, read from the export directory
adMessageBox     dd ?                   ; address of user32!MessageBoxA
adLoadLibrary    dd ?                   ; address of kernel32!LoadLibraryA
adExitProcess    dd ?                   ; address of kernel32!ExitProcess
;---------------------------------------------------------
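.code
;-----------------------------------------------------------------------
; _start — program entry point; takes no arguments, ends via ExitProcess.
; Purpose: find kernel32.dll without an import table, walk its export
;          directory to locate GetProcAddress, then resolve LoadLibraryA,
;          ExitProcess and user32!MessageBoxA through it.
; This is the classic position-independent API-resolution pattern; it is
; also what AV/EDR heuristics look for (export-directory walk plus a
; compare against "GetProcAddress"), so a binary built from this file
; should be expected to be flagged by such tooling.
; Register roles, scan phase: edi = candidate 64 KB-aligned base,
;   esi = scratch.  Export phase: edx -> IMAGE_EXPORT_DIRECTORY,
;   ebx -> current table, eax = name index / function RVA, ecx = ordinal.
; Assumptions the code does not verify:
;   - [esp] at entry is a return address inside kernel32.dll
;     (TODO confirm on the target Windows version);
;   - every 64 KB boundary between that address and the real base is
;     mapped — an unmapped page makes the `word ptr [edi]` read fault;
;   - kernel32 lives above 070000000h, the floor of the scan.
;-----------------------------------------------------------------------
GETPROC_NAME_LEN equ 15                 ; strlen("GetProcAddress") + NUL

_start:
        cld                             ; repz cmpsb below needs DF = 0
        mov     edi,[esp]               ; return address, assumed inside kernel32
        and     edi,0ffff0000h          ; round down to the 64 KB module alignment
.while TRUE
        .if word ptr [edi] == IMAGE_DOS_SIGNATURE       ; 'MZ'
                mov     esi,edi
                add     esi,[esi+003ch] ; esi = edi + e_lfanew
                ; compare the whole 'PE\0\0' dword, not just the 'PE' word
                .if dword ptr [esi] == IMAGE_NT_SIGNATURE
                        mov     BaseKrenel,edi
                        .break
                .endif
        .endif
        sub     edi,010000h             ; previous 64 KB boundary
        cmp     edi,070000000h
        jb      _fail                   ; unsigned: scan floor reached, no kernel32
.endw
        mov     edx,BaseKrenel
;===========================================
; BaseKrenel = kernel32.dll image base
;===========================================
        assume  edx:ptr IMAGE_DOS_HEADER
        add     edx,[edx].e_lfanew      ; edx -> IMAGE_NT_HEADERS
        assume  edx:ptr IMAGE_NT_HEADERS
        ; DataDirectory without an index is entry 0 = export directory
        mov     edx,[edx].OptionalHeader.DataDirectory.VirtualAddress
        add     edx,BaseKrenel          ; RVA -> VA
        assume  edx:ptr IMAGE_EXPORT_DIRECTORY
        mov     ebx,[edx].AddressOfNames
        add     ebx,BaseKrenel          ; ebx -> DWORD table of name RVAs
        xor     eax,eax                 ; eax = index into the name table
.repeat
        mov     esi,offset szGetProcAddress
        mov     edi,[ebx]
        add     edi,BaseKrenel          ; edi -> current export name
        mov     ecx,GETPROC_NAME_LEN    ; include the NUL so a longer name with
        repz    cmpsb                   ; the same prefix is not accepted
        .break .if ZERO?
        inc     eax
        add     ebx,4
.until eax == [edx].NumberOfNames
        cmp     eax,[edx].NumberOfNames
        je      _fail                   ; table exhausted without a match
        mov     ebx,[edx].AddressOfNameOrdinals
        add     ebx,BaseKrenel          ; ebx -> WORD ordinal table
        movzx   ecx,word ptr [ebx+eax*2] ; ordinal = index into AddressOfFunctions
        mov     ebx,[edx].AddressOfFunctions
        add     ebx,BaseKrenel          ; ebx -> DWORD table of function RVAs
        mov     eax,[ebx+ecx*4]
        add     eax,BaseKrenel          ; eax = &GetProcAddress (not forwarded, so plain RVA)
        mov     adGetProcAddress,eax
        assume  edx:nothing
;------------------------------------------------- GetProcAddress resolved
        push    offset szLoadLibrary
        push    BaseKrenel
        call    adGetProcAddress
        mov     adLoadLibrary,eax
;------------------------------------------------- LoadLibraryA resolved
        push    offset szExitProcess
        push    BaseKrenel
        call    adGetProcAddress
        mov     adExitProcess,eax
;------------------------------------------------- ExitProcess resolved
        push    offset szUser32
        call    adLoadLibrary
        mov     hUser32,eax
;------------------------------------------------- user32.dll handle obtained
        push    offset szMessageBox
        push    hUser32
        call    adGetProcAddress
        mov     adMessageBox,eax
;------------------------------------------------- MessageBoxA resolved
        push    MB_OK                   ; MessageBoxA(NULL, Mess, Mess, MB_OK)
        push    offset Mess             ; lpCaption
        push    offset Mess             ; lpText
        push    NULL                    ; hWnd
        call    adMessageBox
        push    NULL
        call    adExitProcess

_fail:
        ; Neither kernel32 nor GetProcAddress could be located, so no API is
        ; callable from here.  Return to whatever called the entry point;
        ; eax carries a non-zero code (presumably used as the thread exit
        ; code by the thread-start thunk — TODO confirm for the target OS).
        mov     eax,1
        ret
end _start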