大家帮忙看看吧--暴力搜索Kernel32.dll地址空间

NOV 2003-08-19 12:20:13
;-----------------------------------------------------------------------
; Demo: find kernel32.dll in memory without an import table, resolve
; GetProcAddress by hand from its export directory, then bootstrap
; LoadLibraryA / ExitProcess / MessageBoxA through it.
; Target:    Win32 (MASM32), flat model, stdcall.
; Entry:     _start; on entry [esp] holds the return address into the
;            code that called the entry point.
; Registers: edi/esi = scan and compare pointers, edx = export directory,
;            ebx = current table cursor, eax = name index / scratch.
; NOTE(review): the MZ/PE memory scan plus manual export-table walk is
; the import-free API resolution pattern of position-independent
; loaders; detection tooling commonly keys on exactly this shape.
;-----------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
Mess db 'Hello!',0                      ; message text, reused as the caption
szGetProcAddress db 'GetProcAddress',0  ; 14 chars + NUL; only the 14 chars are compared below
szMessageBox db 'MessageBoxA',0
szUser32 db 'user32.dll'                ; BUG (identified in the thread): no terminating 0,
                                        ; so LoadLibraryA reads on into szLoadLibrary
szLoadLibrary db 'LoadLibraryA',0
szExitProcess db 'ExitProcess',0

;---------------------------------------------------------
.data?
BaseKrenel dd ?          ; kernel32.dll image base found by the scan ("Krenel" sic)
hUser32 dd ?             ; HMODULE of user32.dll
adGetProcAddress dd ?    ; resolved entry points
adMessageBox dd ?
adLoadLibrary dd ?
adExitProcess dd ?
;---------------------------------------------------------
.code
_start:
mov edi,[esp]            ; return address of whoever called the entry point
                         ; (the thread's premise: it lies inside kernel32.dll)
and edi,0ffff0000h       ; round down to a 64K boundary
; Walk downward in 64K steps until a page starts with 'MZ' and its
; e_lfanew points at 'PE'; give up once edi drops below 070000000h.
.while TRUE
.if word ptr [edi] == IMAGE_DOS_SIGNATURE     ; 'MZ' at the page start?
mov esi,edi
add esi,[esi+003ch]                           ; esi = edi + e_lfanew (IMAGE_DOS_HEADER offset 3Ch)
.if word ptr [esi] == IMAGE_NT_SIGNATURE      ; word compare: only the 'PE' half of 'PE\0\0' is checked
mov BaseKrenel,edi
.break
.endif
.endif
sub edi,010000h                               ; previous 64K page
.break .if edi < 070000000h                   ; lower bound of the scan
.endw
; NOTE(review): if the scan reaches the lower bound without a match,
; BaseKrenel is never written and the header walk below dereferences
; whatever it holds (.data? is zero-filled at load). Touching an
; unmapped page inside the loop would also fault; neither case is guarded.
mov edx,BaseKrenel
;===========================================
; BaseKrenel = kernel32.dll base address
;===========================================
assume edx:ptr IMAGE_DOS_HEADER
add edx,[edx].e_lfanew                        ; edx -> IMAGE_NT_HEADERS
assume edx:ptr IMAGE_NT_HEADERS
mov edx,[edx].OptionalHeader.DataDirectory.VirtualAddress   ; DataDirectory[0] = export table RVA
add edx,BaseKrenel                            ; RVA -> VA
assume edx:ptr IMAGE_EXPORT_DIRECTORY
mov ebx,[edx].AddressOfNames                  ; ebx -> array of name RVAs
add ebx,BaseKrenel
xor eax,eax                                   ; eax = index into AddressOfNames
; Linear search of the export names for "GetProcAddress".
.repeat
mov esi,offset szGetProcAddress
mov edi,[ebx]
add edi,BaseKrenel                            ; edi -> current export name
push 14                                       ; ecx = strlen("GetProcAddress");
pop ecx                                       ; push/pop is the short encoding of mov ecx,14
repz cmpsb                                    ; ZF set only if all 14 bytes match; the NUL is not compared
.if ZERO?
.break
.endif
inc eax
add ebx,4                                     ; next name RVA
.until eax == [edx].NumberOfNames
; NOTE(review): on a miss the loop falls through with eax == NumberOfNames,
; and the ordinal lookup below reads one entry past the ordinal table.
mov ebx,[edx].AddressOfNameOrdinals
add ebx,BaseKrenel
shl eax,1                                     ; ordinals are WORDs: index * 2
movzx ecx,word ptr [ebx+eax]                  ; ecx = ordinal (already an index into AddressOfFunctions)
mov ebx,[edx].AddressOfFunctions
add ebx,BaseKrenel
shl ecx,2                                     ; function RVAs are DWORDs: ordinal * 4
mov eax,[ebx+ecx]
add eax,BaseKrenel                            ; RVA -> VA
mov adGetProcAddress,eax
;------------------------------------------------- GetProcAddress resolved (above)
; From here on everything goes through GetProcAddress; stdcall pushes
; arguments right to left, so the name is pushed before the module base.
push offset szLoadLibrary
push BaseKrenel
call adGetProcAddress                         ; GetProcAddress(BaseKrenel, "LoadLibraryA")
mov adLoadLibrary,eax
;------------------------------------------------- LoadLibrary resolved (above)
push offset szExitProcess
push BaseKrenel
call adGetProcAddress                         ; GetProcAddress(BaseKrenel, "ExitProcess")
mov adExitProcess,eax
;------------------------------------------------- ExitProcess resolved (above)
push offset szUser32
call adLoadLibrary                            ; LoadLibraryA(szUser32) -- see the missing NUL above
mov hUser32,eax
;------------------------------------------------- user32.dll handle obtained (above)
push offset szMessageBox
push hUser32
call adGetProcAddress                         ; GetProcAddress(hUser32, "MessageBoxA")
mov adMessageBox,eax
;------------------------------------------------- MessageBox resolved (above)
; None of the returned addresses is checked for 0 before being called.
push MB_OK
push offset Mess                              ; caption
push offset Mess                              ; text
push NULL                                     ; hWnd
call adMessageBox                             ; MessageBoxA(NULL, Mess, Mess, MB_OK)

push NULL
call adExitProcess                            ; ExitProcess(0); does not return
end _start
NOV 2003-08-20
这是改好的
;-----------------------------------------------------------------------
; Corrected repost of the listing above (reply of 2003-08-20). The only
; code difference is that szUser32 is now NUL-terminated.
; Purpose:   locate kernel32.dll by scanning memory, pull GetProcAddress
;            out of its export directory, then resolve LoadLibraryA,
;            ExitProcess and MessageBoxA through it and show a dialog.
; Target:    Win32 (MASM32), flat model, stdcall.
; Entry:     _start; [esp] on entry = return address into the caller.
; Registers: edi/esi scan and compare, edx = export directory,
;            ebx = table cursor, eax = index / result.
;-----------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
Mess db 'Hello!',0                      ; used both as text and as caption
szGetProcAddress db 'GetProcAddress',0  ; 14 characters; the search compares exactly 14 bytes
szMessageBox db 'MessageBoxA',0
szUser32 db 'user32.dll',0              ; FIXED: terminating 0 added (the bug in the original post)
szLoadLibrary db 'LoadLibraryA',0
szExitProcess db 'ExitProcess',0

;---------------------------------------------------------
.data?
BaseKrenel dd ?          ; image base of kernel32.dll (zero-filled until the scan writes it)
hUser32 dd ?             ; HMODULE of user32.dll
adGetProcAddress dd ?    ; resolved API addresses
adMessageBox dd ?
adLoadLibrary dd ?
adExitProcess dd ?
;---------------------------------------------------------
.code
_start:
mov edi,[esp]            ; return address into the caller of the entry point (thread: inside kernel32)
and edi,0ffff0000h       ; align down to 64K
; Scan downward one 64K page at a time for an 'MZ' header whose e_lfanew
; leads to 'PE'; abandon the scan once edi < 070000000h.
.while TRUE
.if word ptr [edi] == IMAGE_DOS_SIGNATURE     ; 'MZ'?
mov esi,edi
add esi,[esi+003ch]                           ; esi = edi + e_lfanew
.if word ptr [esi] == IMAGE_NT_SIGNATURE      ; 'PE' (word compare; the two zero bytes are not checked)
mov BaseKrenel,edi
.break
.endif
.endif
sub edi,010000h                               ; one 64K page down
.break .if edi < 070000000h                   ; scan floor
.endw
; NOTE(review): a scan that reaches the floor leaves BaseKrenel unwritten,
; and an unmapped page met during the scan faults; nothing handles either.
mov edx,BaseKrenel
;===========================================
; BaseKrenel = kernel32.dll base address
;===========================================
assume edx:ptr IMAGE_DOS_HEADER
add edx,[edx].e_lfanew                        ; edx -> IMAGE_NT_HEADERS
assume edx:ptr IMAGE_NT_HEADERS
mov edx,[edx].OptionalHeader.DataDirectory.VirtualAddress   ; DataDirectory[0] = export table RVA
add edx,BaseKrenel                            ; -> IMAGE_EXPORT_DIRECTORY
assume edx:ptr IMAGE_EXPORT_DIRECTORY
mov ebx,[edx].AddressOfNames                  ; ebx -> name RVA array
add ebx,BaseKrenel
xor eax,eax                                   ; eax = name index
; Search the export names for "GetProcAddress" (14-byte compare, NUL excluded).
.repeat
mov esi,offset szGetProcAddress
mov edi,[ebx]
add edi,BaseKrenel                            ; edi -> export name
push 14                                       ; ecx = 14 (short form of mov ecx,14)
pop ecx
repz cmpsb                                    ; ZF = all 14 bytes equal
.if ZERO?
.break
.endif
inc eax
add ebx,4                                     ; next RVA
.until eax == [edx].NumberOfNames
; NOTE(review): when no name matches, eax == NumberOfNames here and the
; ordinal read below indexes one past the table.
mov ebx,[edx].AddressOfNameOrdinals
add ebx,BaseKrenel
shl eax,1                                     ; WORD table: index * 2
movzx ecx,word ptr [ebx+eax]                  ; ordinal = index into AddressOfFunctions
mov ebx,[edx].AddressOfFunctions
add ebx,BaseKrenel
shl ecx,2                                     ; DWORD table: ordinal * 4
mov eax,[ebx+ecx]
add eax,BaseKrenel                            ; RVA -> VA
mov adGetProcAddress,eax
;------------------------------------------------- GetProcAddress resolved (above)
push offset szLoadLibrary                     ; stdcall: last argument first
push BaseKrenel
call adGetProcAddress                         ; GetProcAddress(BaseKrenel, "LoadLibraryA")
mov adLoadLibrary,eax
;------------------------------------------------- LoadLibrary resolved (above)
push offset szExitProcess
push BaseKrenel
call adGetProcAddress                         ; GetProcAddress(BaseKrenel, "ExitProcess")
mov adExitProcess,eax
;------------------------------------------------- ExitProcess resolved (above)
push offset szUser32
call adLoadLibrary                            ; LoadLibraryA("user32.dll")
mov hUser32,eax
;------------------------------------------------- user32.dll handle obtained (above)
push offset szMessageBox
push hUser32
call adGetProcAddress                         ; GetProcAddress(hUser32, "MessageBoxA")
mov adMessageBox,eax
;------------------------------------------------- MessageBox resolved (above)
; Return values are used without a 0 check.
push MB_OK
push offset Mess                              ; caption
push offset Mess                              ; text
push NULL                                     ; hWnd
call adMessageBox                             ; MessageBoxA(NULL, Mess, Mess, MB_OK)

push NULL
call adExitProcess                            ; ExitProcess(0)
end _start
紫郢剑侠 2003-08-19
钻研精神可嘉!
NOV 2003-08-19
通过暴力搜索Kernel32.dll地址空间得到GetProcAddress和LoadLibrary等函数地址,进而调用user32.dll中的MessageBox输出一个消息框。用MASM32V8在98下编译连接通过,但运行就报错。我已经一天一夜没睡啦,大家帮忙看看吧,我先偷个懒睡会儿。
C0MSPY 2003-08-19
看看我的:(原型来自hume,感谢hume!)

;-----------------------------------------------------------------------
; Position-independent demo (reply by C0MSPY, credited to hume). The body
; between vBegin and vEnd carries its own strings and API slots, computes
; its load delta into ebx, finds kernel32.dll by scanning memory, resolves
; a table of APIs through _GetApi, and finally shows a MessageBoxA.
; Target:    Win32 (MASM32), .586, flat, stdcall.
; Registers: ebx = relocation delta (run-time minus link-time address),
;            live for the whole body; eax/edx/esi/edi scratch.
; NOTE(review): every data item below lives in .CODE, and the a* slots are
; written at run time (the mov into aKernel32Base, stosd in _LoopGet);
; that only works if the code section is writable, which nothing in this
; listing arranges.
;-----------------------------------------------------------------------
.586
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.CODE

VirusLen = vEnd-vBegin                  ; size of the self-contained body
vBegin:
;---------------- definitions ----------------------------------
; API names, in the order of lpApiAddress below.
sGetModuleHandle db "GetModuleHandleA",0
sLoadLibrary db "LoadLibraryA",0
sGetProcAddress db "GetProcAddress",0
sCreateFile db "CreateFileA",0
sCreateFileMapping db "CreateFileMappingA",0
sMapViewOfFile db "MapViewOfFile",0
sUnmapViewOfFile db "UnmapViewOfFile",0
sExitProcess db "ExitProcess",0
sCloseHandle db "CloseHandle",0
sGetFileSize db "GetFileSize",0

sUser32Dll db "User32.dll",0            ; NUL-terminated, unlike the original post's szUser32

; Resolved entry points, filled by stosd in _LoopGet in table order.
aGetModuleHandle dd 0
aLoadLibrary dd 0
aGetProcAddress dd 0
aCreateFile dd 0
aCreateFileMapping dd 0
aMapViewOfFile dd 0
aUnmapViewOfFile dd 0
aExitProcess dd 0
aCloseHandle dd 0
aGetFileSize dd 0

aKernel32Base dd 0                      ; image base found by _GetK32Base
aUser32Dll dd 0                         ; declared but not used in this listing

; Link-time offsets of the name strings, 0-terminated; ebx is added at run time.
lpApiAddress label near
dd offset sGetModuleHandle
dd offset sLoadLibrary
dd offset sGetProcAddress
dd offset sCreateFile
dd offset sCreateFileMapping
dd offset sMapViewOfFile
dd offset sUnmapViewOfFile
dd offset sExitProcess
dd offset sCloseHandle
dd offset sGetFileSize
dd 0,0                                  ; terminator (the loop stops at the first 0)

hFile dd 0                              ; state for the part marked "omitted" below
hFileMapping dd 0
aFile dd 0
nFileSize dd 0

_Start:
;-------- compute the load delta into ebx
call _GetOffset                         ; pushes the run-time address of _GetOffset
_GetOffset:
pop ebx
sub ebx, offset _GetOffset              ; ebx = run-time - link-time address (0 when not relocated)
;-------- find the kernel32.dll base, result in eax
mov eax,[esp]                           ; return address into the caller of the entry point
and eax,0FFFFF000h                      ; round down to a 4K page
xor edx,edx
_GetK32Base:
sub eax,1000h                           ; step one page down (the first probe is the page below)
mov dx, word ptr[eax+IMAGE_DOS_HEADER.e_lfanew]   ; low word of e_lfanew at this page
test dx,0F000h                          ; skip pages whose e_lfanew is not below 1000h
jnz _GetK32Base
cmp eax, dword ptr[eax+edx+IMAGE_NT_HEADERS.OptionalHeader.ImageBase]
jnz _GetK32Base                         ; accept only when the header's ImageBase equals this page
mov [ebx+offset aKernel32Base],eax
; NOTE(review): there is no 'MZ'/'PE' signature check and no lower bound:
; an unmapped page on the way faults, and a miss keeps walking down.

;-------- resolve each API and store it in the matching a* slot
lea edi,[ebx+offset aGetModuleHandle]   ; edi -> first slot (stosd advances it)
lea esi,[ebx+offset lpApiAddress]       ; esi -> name-offset table (lodsd advances it)
_LoopGet:
lodsd
cmp eax,0                               ; table terminator reached?
jz _EndGet
add eax,ebx                             ; link-time offset -> run-time address of the name
push eax
push dword ptr[ebx+offset aKernel32Base]
call _GetApi                            ; eax = _GetApi(aKernel32Base, name); 0 when not found
stosd                                   ; store into the slot; the 0 case is not checked
jmp _LoopGet
_EndGet:
jmp _Test

;----------- omitted -------------

;-------- test: show a dialog box
sMessageBox db "MessageBoxA",0
sTitle db "PYWVirusTest",0
sDispMsg db "Hello,Haha,this is a virus of PYW!",0
_Test:
lea eax, [ebx+offset sUser32Dll]
push eax
call dword ptr [ebx+offset aLoadLibrary]   ; eax = LoadLibraryA("User32.dll"), unchecked

lea edx,[ebx+offset sMessageBox]
push edx
push eax
call dword ptr [ebx+offset aGetProcAddress] ; eax = GetProcAddress(hUser32, "MessageBoxA"), unchecked

push MB_OK
lea edx,[ebx+offset sTitle]
push edx                                ; caption
lea edx, [ebx+offset sDispMsg]
push edx                                ; text
push 0                                  ; hWnd
call eax                                ; MessageBoxA(0, sDispMsg, sTitle, MB_OK)
_Exit:
push 0
call [ebx+aExitProcess]                 ; written without 'offset', unlike the calls above;
                                        ; MASM should treat the bracketed label as a displacement -- confirm
;--------- never executed; only present so that Win2k loads the image (presumably: it keeps an import table)
invoke ExitProcess,0


;---------------GetApi()-------------------------------------------
;---------------GetApi()-------------------------------------------
; DWORD _GetApi(DWORD aBase, DWORD aApi)           -- stdcall
; In:    aBase = image base of the module whose exports are searched
;        aApi  = pointer to the NUL-terminated export name wanted
; Out:   eax   = run-time address of the export, or 0 if no name matched
; Clobb: flags only; all general registers are restored by pushad/popad
;        (the saved eax slot is patched so the result survives)
; Locals: five DWORDs; STRINDEX is declared but never used.
; Walks IMAGE_EXPORT_DIRECTORY by name using hard-coded field offsets.
_GetApi proc aBase:DWORD,aApi:DWORD
local ADDROFEXPORTDIR:DWORD
local ADDROFFUN:DWORD
local ADDROFNAME:DWORD
local ADDROFNAMEORD:DWORD
local STRINDEX:DWORD

pushad
mov ebx,aBase
add ebx,IMAGE_DOS_HEADER.e_lfanew         ; ebx -> e_lfanew (struct member used as an offset constant)
mov ebx,[ebx]
add ebx,aBase                             ; ebx -> IMAGE_NT_HEADERS
mov ebx,[ebx+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress]   ; DataDirectory[0] = export RVA
add ebx,aBase ; ebx now points at IMAGE_EXPORT_DIRECTORY
mov ADDROFEXPORTDIR,ebx

mov eax,[ebx+1ch]
add eax,aBase ; eax now points at AddressOfFunctions
mov ADDROFFUN,eax
mov eax,[ebx+24h]
add eax,aBase ; eax now points at AddressOfNameOrdinals
mov ADDROFNAMEORD,eax
mov eax,[ebx+20h]
add eax,aBase ; eax now points at AddressOfNames (eax stays the search cursor)
mov ADDROFNAME,eax

mov ecx,[ebx+18h] ; ecx = NumberOfNames
shl ecx,2         ; NOTE(review): ecx is the 'loop' counter, so this makes it
                  ; 4*NumberOfNames iterations; a name that is absent is searched
                  ; for well past the end of the name table
mov edx,0         ; edx = index of the current name

; For each name RVA at [eax]: byte-compare the export name (esi) with the
; requested name (edi) until the export name's NUL.
__FIND_NEXT:
mov edi, aApi
mov esi,[eax]
add esi,aBase ; esi -> export name string inside the module
__LOOP:
cmpsb                                     ; compare [esi] with [edi], advance both
jnz __DISMATCH
cmp byte ptr[esi],0                       ; export name exhausted -> match; aApi's own terminator
jnz __LOOP                                ; is never checked, so a longer request whose prefix
__MATCH:                                  ; equals an export name matches that export
;edx is the index
jmp __FINDOUT
__DISMATCH:
inc edx
add eax,4                                 ; next name RVA
loop __FIND_NEXT
__DISFINDOUT:
xor eax,eax ;not found, EAX=0
jmp __EXIT
__FINDOUT:
mov eax,ADDROFNAMEORD
shl edx,1                                 ; WORD table: index * 2
add eax,edx
xor edx,edx
mov dx,word ptr[eax]                      ; dx = ordinal, already an index into AddressOfFunctions

mov eax,ADDROFFUN
;dec dx                                   ; correctly left out: name-ordinal entries are zero-based
shl dx,2                                  ; DWORD table: ordinal * 4, computed in 16 bits (wraps for ordinals >= 4000h)
add eax,edx
mov eax,[eax]
add eax,aBase ; EAX = entry address of the API
__EXIT:
mov [esp+7*4],eax ; overwrite the eax slot saved by pushad so popad does not discard the result
popad
ret                                       ; MASM emits the frame teardown and 'ret 8' for this stdcall proc
_GetApi endp
;------------------------------------------------------------------
vEnd:                                   ; end of the self-contained body (VirusLen = vEnd-vBegin)
END _Start


老兄,你的这一行:szUser32 db 'user32.dll' <----- 呵呵!!加上就对了!
W32API 2003-08-19
你的意思是代码进驻其它程序的地址空间,然后搜索 .dll 的地址,以便调用功能?
系统 dll 是由 WIN 映射到进程空间的,在每个进程空间的位置都是一样的啊,你的程序既然是在进程空间里面创建,那么其线性地址跟寄主进程是一样的啊。
NOV 2003-08-19
因为系统是用CreateProcess来执行程序的,所以一开始的地方用mov edi,[esp]来得到CreateProcess的返回地址,从而进入kernel32.dll的地址空间.之后以64K为一页向下查找.
如果加上重定位可以用在病毒上面.如果是病毒上又怎么可以直接调用API呢.
noproblem_jyb 2003-08-19
我不明白一上手那段code在干什么?如果是想得到kernel32.dll的基地址,使用GetModuleHandle即可。
/* The returned HMODULE is the address at which kernel32.dll is mapped,
   i.e. the same image base the hand-written scan above is looking for. */
HANDLE hKernel32 = GetModuleHandle(TEXT("kernel32.dll"));
if (! hKernel32)
// get module handle failed.
else
// you can do what you want to do
一个module handle其实就是一个PE文件经过memory mapping file后在内存中的地址,通过PE文件的格式,可以很轻易地找到每个exported function的地址。或者,通过简单的对GetProcAddress函数调用.

我有一点不明白,除了在reverse engineer,汇编在win32 programming中已经快失去了他的价值,你为什么不用C呢?即使是想练习汇编,也可以找个课题,来做一下reverse engineer嘛。
NOV 2003-08-19
唉,我知道错在哪里了。 C0MSPY(寒江独钓) 兄说得对,
szUser32 db 'user32.dll'
这一行少了个0.
TO W32API(李诚):
系统DLL是会映射到每个进程地址空间,但病毒本身是不合法的。也就不能合法的调用宿主程序导入表的函数了。如果要自己修改导入表太难啦,还不如自己的搜索来得方便。
