#include "stdafx.h"
#include "stdio.h"
#include "windows.h"
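/* Scratch globals carried over from the original tutorial. Nothing in this
 * file reads or writes them -- GetApi() below keeps every resolved address in
 * its own stack scratch area -- so they are kept only for source
 * compatibility. They are initialized to 0 rather than NULL: NULL is the null
 * *pointer* constant and does not belong in an int (some toolchains warn or,
 * when NULL is nullptr, refuse to compile it). An int is also only wide enough
 * for a 32-bit address, which matches the x86-only inline asm in this file. */
int LoadAddr = 0;      // presumably meant for the LoadLibraryA address (never assigned here)
int GetAddr = 0;       // presumably meant for the GetProcAddress address (never assigned here)
int kernel32Addr = 0;  // presumably meant for the kernel32.dll base (never assigned here)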
/*
 * GetApi -- shellcode-style API resolution demo (MSVC inline asm, 32-bit x86 only).
 *
 * Walks the PEB loader list to find the kernel32.dll image base, parses its
 * export table by hand to locate GetProcAddress, resolves LoadLibraryA with
 * it, loads user32.dll, resolves MessageBoxA and shows a message box. No
 * import-table entries are needed, which is why this pattern shows up in
 * position-independent shellcode.
 *
 * Interface: no arguments. Declared as returning int, but the body never
 * produces a return value -- eax is restored by popad -- so callers must not
 * use it. __declspec(naked): the compiler emits no prologue/epilogue; all
 * general registers are preserved by pushad/popad. Stack usage while running:
 * 124 bytes below the return address, released by add esp,0x7c at the end.
 *
 * Robustness / security caveats (documented here, not fixed):
 *  - Every lookup is unchecked: neither next_module nor search has an exit if
 *    nothing matches (the module list is circular, the name-table index is
 *    never tested for zero), and no result of GetProcAddress/LoadLibraryA is
 *    tested for NULL before being called through.
 *  - kernel32 is identified only by "BaseDllName is exactly 12 WCHARs long";
 *    any other 12-character module earlier in the initialization-order list
 *    would be picked instead. Whether kernel32.dll is the first such entry
 *    depends on the Windows version -- TODO verify on every target OS.
 *  - GetProcAddress is matched on its first 8 name bytes ("GetProcA") only.
 *  - All PEB / LDR / PE offsets are hard-coded 32-bit values; this cannot run
 *    inside a 64-bit process.
 */
__declspec(naked) int GetApi()
{
_asm
{
Begin:
pushad                                  // save all general registers (restored by popad at the end)
push ebp                                // ebp is reused as a scratch pointer below; this extra 4 bytes is counted in the final add esp,0x7c
xor ecx,ecx                             // cl = 0: the terminator byte compared against in next_module
mov esi,fs:0x30                         // esi = PEB (TEB.ProcessEnvironmentBlock at fs:[0x30])
mov esi, [esi + 0x0C];                  // esi = PEB->Ldr
mov esi, [esi + 0x1C];                  // esi = Ldr->InInitializationOrderModuleList.Flink (first entry, via its InInitializationOrderLinks)
next_module:
mov ebp, [esi + 0x08];                  // ebp = entry->DllBase (offset from the InInitializationOrder links)
mov edi, [esi + 0x20];                  // edi = entry->BaseDllName.Buffer (UTF-16)
mov esi, [esi];                         // esi = next entry (Flink); the list is circular, so there is no "end of list" exit
cmp [edi + 12*2],cl                     // is WCHAR index 12 zero, i.e. is the name exactly 12 characters ("kernel32.dll")? Only the low byte of the WCHAR is compared
jne next_module
mov edi,ebp;                            // edi = kernel32 image base, kept for the whole export walk and passed to GetProcAddress below
// Locate GetProcAddress by walking kernel32's export table by hand.
// With the kernel32 base in hand, the export name table can be scanned for it directly.
sub esp,100                             // 100-byte scratch frame; slots used: +44 MessageBoxA, +72 (0x48) hUser32, +76 GetProcAddress, +80 LoadLibraryA
mov ebp,esp;                            // ebp = scratch base
mov eax,[edi+3ch];                      // eax = e_lfanew (offset of the PE signature)
mov edx,[edi+eax+78h]                   // edx = RVA of the export directory (DataDirectory[0].VirtualAddress, PE32 layout)
add edx,edi                             // edx = IMAGE_EXPORT_DIRECTORY*
mov ecx,[edx+18h];                      // ecx = NumberOfNames (offset 0x18; NumberOfFunctions is at 0x14)
mov ebx,[edx+20h]
add ebx,edi;                            // ebx = AddressOfNames (array of name RVAs)
search:                                 // scan the name table backwards from its last entry
dec ecx                                 // no test for ecx reaching 0: if nothing matches, the index wraps and reads outside the table
mov esi,[ebx+ecx*4]
add esi,edi;                            // esi = exported name string
mov eax,0x50746547;                     // little-endian "GetP"
cmp [esi],eax
jne search
mov eax,0x41636f72;                     // little-endian "rocA" -- only these 8 bytes are compared
cmp [esi+4],eax
jne search
mov ebx,[edx+24h]
add ebx,edi;                            // ebx = AddressOfNameOrdinals (WORD array parallel to AddressOfNames)
mov cx,[ebx+ecx*2]                      // cx = ordinal index; only the low word is written, so this relies on the high word of ecx (a name index < 65536) already being zero
mov ebx,[edx+1ch]
add ebx,edi                             // ebx = AddressOfFunctions
mov eax,[ebx+ecx*4]
add eax,edi                             // eax = VA of GetProcAddress (a forwarded export would not be handled)
mov [ebp+76],eax;                       // scratch[76] = GetProcAddress
/* Resolve LoadLibraryA via GetProcAddress. "LoadLibraryA\0" is built on the stack
   with four pushes, terminator first. These 16 bytes stay allocated and are reused
   as the string buffer for every later call. */
push 0;                                 // terminator dword; its zero bytes also terminate the "AAAA" caption built later
push DWORD PTR 0x41797261;              // "aryA"
push DWORD PTR 0x7262694c;              // "Libr"
push DWORD PTR 0x64616f4c;              // "Load"
push esp                                // arg2: lpProcName = start of the string (push esp stores the pre-push value)
push edi                                // arg1: hModule = kernel32 base
call [ebp+76]                           // GetProcAddress (stdcall: callee removes both args); result not checked
mov [ebp+80],eax;                       // scratch[80] = LoadLibraryA
//add esp,0x78                          // dead: the frame is released once, at the end
// Build "user32.dll\0" in the 16-byte string buffer at esp, then LoadLibraryA(esp).
mov byte ptr[esp+0x0],0x75              // 'u'
mov byte ptr[esp+0x1],0x73              // 's'
mov byte ptr[esp+0x2],0x65              // 'e'
mov byte ptr[esp+0x3],0x72              // 'r'
mov byte ptr[esp+0x4],0x33              // '3'
mov byte ptr[esp+0x5],0x32              // '2'
mov byte ptr[esp+0x6],0x2e              // '.'
mov byte ptr[esp+0x7],0x64              // 'd'
mov byte ptr[esp+0x8],0x6c              // 'l'
mov byte ptr[esp+0x9],0x6c              // 'l'
mov byte ptr[esp+0xA],0x00              // NUL
push ESP                                // arg1: lpLibFileName
call [ebp+80]                           // LoadLibraryA; result not checked for NULL
// Build "MessageBoxA\0" in the same buffer and resolve it with GetProcAddress(hUser32, esp).
mov [ebp+0x48],eax                      // scratch[72] = HMODULE of user32.dll
mov byte ptr[esp+0x0],0x4D              // 'M'
mov byte ptr[esp+0x1],0x65              // 'e'
mov byte ptr[esp+0x2],0x73              // 's'
mov byte ptr[esp+0x3],0x73              // 's'
mov byte ptr[esp+0x4],0x61              // 'a'
mov byte ptr[esp+0x5],0x67              // 'g'
mov byte ptr[esp+0x6],0x65              // 'e'
mov byte ptr[esp+0x7],0x42              // 'B'
mov byte ptr[esp+0x8],0x6F              // 'o'
mov byte ptr[esp+0x9],0x78              // 'x'
mov byte ptr[esp+0xA],0x41              // 'A'
mov byte ptr[esp+0xB],0x00              // NUL
push ESP                                // arg2: lpProcName
push [ebp+0x48]                         // arg1: hModule = user32
call [ebp+76]                           // GetProcAddress; result not checked
mov [ebp+44],eax                        // scratch[44] = MessageBoxA
// Build "hellolyf\0AAAA" in the same buffer, then MessageBoxA(NULL, "AAAA", "hellolyf", MB_OK).
mov byte ptr[esp+0x0],0x68              // 'h'
mov byte ptr[esp+0x1],0x65              // 'e'
mov byte ptr[esp+0x2],0x6c              // 'l'
mov byte ptr[esp+0x3],0x6c              // 'l'
mov byte ptr[esp+0x4],0x6f              // 'o'
mov byte ptr[esp+0x5],0x6c              // 'l'
mov byte ptr[esp+0x6],0x79              // 'y'
mov byte ptr[esp+0x7],0x66              // 'f'
mov byte ptr[esp+0x8],0x00              // NUL ends "hellolyf"
mov byte ptr[esp+0x9],0x41              // "AAAA" at bytes 9..12; byte 13 is still zero from the push 0 above and terminates it
mov byte ptr[esp+0xA],0x41
mov byte ptr[esp+0xB],0x41
mov byte ptr[esp+0xC],0x41
mov byte ptr[esp+0x8],0x00              // redundant: same byte already written above
push ESP                                // stores the buffer address (never read back); this extra dword is counted in the 0x7c below
lea ecx,[esp+4]                         // ecx -> "hellolyf" (buffer start, just above the dword pushed)
lea edx,[ecx+9]                         // edx -> "AAAA"
push MB_OK                              // arg4: uType
push ecx                                // arg3: lpCaption = "hellolyf"  (note: as pushed, the caption is "hellolyf" and the text is "AAAA")
push edx                                // arg2: lpText = "AAAA"
push 0x00                               // arg1: hWnd = NULL
call [ebp+44]                           // MessageBoxA (stdcall: removes its four args)
add esp,0x7c                            // release 124 bytes: 4 (push ebp) + 100 (scratch) + 16 (string buffer) + 4 (push ESP above); every stdcall callee already removed its own arguments
popad                                   // restore all registers, including eax: no return value is produced
retn
};
}
void main()
{
_asm pushad
_asm call GetApi
_asm popad
Source (original article, in Chinese): https://www.cnblogs.com/admrty/p/15257944.html