;made by correy
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
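; Assembler setup for the export-directory walker below.
; Syntax: MASM (Intel), 32-bit flat model, stdcall.  Build as in the
; header comment: ml /coff test.asm /link /subsystem:windows me.res
; (the pasted listing repeated every line of this block once; each
; directive and include is kept a single time so .model and the includes
; are not processed twice)
.386
.model flat,stdcall
option casemap:none                     ; symbol names are case-sensitive

include windows.inc                     ; OPENFILENAME, NULL, ...
include kernel32.inc                    ; ExitProcess
include user32.inc                      ; MessageBox, wsprintf

includelib user32.lib
includelib kernel32.lib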
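.data
; Initialised strings: MessageBox titles and the single wsprintf format.
; Every string is a runtime literal and is kept byte-for-byte; the
; comments give an English gloss of the Chinese titles.  (The pasted
; listing defined each symbol twice, which is a symbol redefinition for
; the assembler; each is defined once here.)
correy          db "made by correy",0                   ; default title
h               db "%8x",0                              ; wsprintf format: value as 8 hex digits

edata           db "导出节或导出目录表的首地址",0           ; "start address of the export section / export directory"
eat             db "导出地址表的地址:export address table rva:",0
enp             db "导出名称指针表地址:",0                 ; "address of the export name pointer table"
ordinalbaseaddr db "导出序数表的地址:ordinal base address:",0   ; used as title for the ordinal-table address
dllnameaddr     db "dll name address:",0
dllname         db "dll name :",0
ordinalbase     db "ordinal base:",0
np              db "name pointer rva:",0
ot              db "ordinal table rva:",0
ate             db "address table entries",0
nnp             db "number of name pointers",0
apiname         db "函数名字是:api name is:",0              ; "the function name is"
apiaddr         db "api address is:",0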
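.data?
; Uninitialised globals.  The walker keeps every intermediate value in
; memory rather than in registers because `invoke` clobbers eax/ecx/edx.
; (The pasted listing declared each symbol twice; each is declared once.)
ofn                  OPENFILENAME <>     ; not referenced by the code
buffer               db 256 DUP (?)      ; wsprintf output; the "%8x" format writes at most 9 bytes
pe                   dd ?                ; VA of the "PE\0\0" signature (IMAGE_NT_HEADERS)
OptionalHeader       dd ?                ; VA of the optional header (pe + 24)
header               dd ?                ; VA of the first section header (stored, not read)
magic                word ?              ; not referenced by the code
sizeOfOptionalHeader dd ?                ; FileHeader.SizeOfOptionalHeader, zero-extended
sections             dd ?                ; FileHeader.NumberOfSections (stored, not read)
v                    dd ?                ; not referenced by the code
nnps                 dd ?                ; export directory: NumberOfNames
e                    dd ?                ; VA of the export directory
k                    dd ?                ; image base found by the scan in start
apiaddress           dd ?                ; VA of AddressOfFunctions
apinameaddress       dd ?                ; VA of AddressOfNames
ordinaladdress       dd ?                ; VA of AddressOfNameOrdinals
apis                 dd ?                ; export directory: NumberOfFunctions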
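.code
;-----------------------------------------------------------------------
; start — program entry (bare label, no PROC frame; never returns,
;         ends in ExitProcess)
;
; Locates the image that contains the entry point's return address by
; scanning downward in 64K steps for an "MZ" header whose e_lfanew leads
; to a "PE" signature, then reads that image's export directory and
; shows each field with MessageBox.
;
; Assumptions the code makes without checking:
;   * [esp] on entry is a return address inside the module of interest
;     (kernel32 on the Windows versions the author used; which module
;     calls the entry point is not guaranteed across versions).
;     GetModuleHandle is the supported way to obtain a module base.
;   * Every 64K-aligned page between that address and the image base is
;     readable; an unmapped page raises an access violation (no guard,
;     no SEH).
;   * A page starting with "MZ" has an e_lfanew small enough to stay in
;     mapped memory before the "PE" check.
;   * PE32 (32-bit optional header): the export directory RVA is at
;     optional-header offset 96.
;
; Register roles:  edi = scan cursor / export-directory cursor
;                  esi = header or table cursor (callee-saved, survives invoke)
;                  ebx = loop counter (callee-saved; eax/ecx/edx are
;                        clobbered by every invoke, so ecx cannot be used)
;
; Changes from the pasted listing: duplicated label runs dropped (the
; paste repeated large spans, giving duplicate labels); unsigned WORD
; fields are read with movzx instead of movsx; the function-address loop
; converted the RVA in esi instead of edi; loop counters moved off ecx;
; zero-count tables no longer wrap the counter; pushad/popad around
; blocks that reload everything from memory removed.
;-----------------------------------------------------------------------

; PE header offsets used below (named here to avoid magic numbers)
PE_DOS_MAGIC    equ 5a4dh               ; "MZ"
PE_NT_MAGIC     equ 4550h               ; "PE" (low word of the signature)
PE_E_LFANEW     equ 3ch                 ; IMAGE_DOS_HEADER.e_lfanew
PE_NUM_SECTIONS equ 6                   ; NT headers: FileHeader.NumberOfSections
PE_OPT_HDR_SIZE equ 20                  ; NT headers: FileHeader.SizeOfOptionalHeader
PE_OPT_HDR      equ 24                  ; NT headers: start of the optional header
PE_EXPORT_DIR   equ 96                  ; PE32 optional header: DataDirectory[0].VirtualAddress
EXP_NAME        equ 12                  ; export directory: Name (RVA)
EXP_BASE        equ 16                  ; export directory: Base (ordinal base)
EXP_NUM_FUNCS   equ 20                  ; export directory: NumberOfFunctions
EXP_NUM_NAMES   equ 24                  ; export directory: NumberOfNames
EXP_FUNCS       equ 28                  ; export directory: AddressOfFunctions (RVA)
EXP_NAMES       equ 32                  ; export directory: AddressOfNames (RVA)
EXP_ORDINALS    equ 36                  ; export directory: AddressOfNameOrdinals (RVA)
ALLOC_GRAN      equ 10000h              ; 64K allocation granularity
ALLOC_GRAN_MASK equ 0ffff0000h          ; rounds an address down to that granularity

start:
        ; ---- locate the image base -----------------------------------
        mov     edi,[esp]                       ; return address into the caller's module
        and     edi,ALLOC_GRAN_MASK             ; first candidate: its 64K boundary
againk:
        cmp     word ptr [edi],PE_DOS_MAGIC
        jne     nextk
        mov     eax,[edi+PE_E_LFANEW]           ; e_lfanew, trusted as-is
        cmp     word ptr [edi+eax],PE_NT_MAGIC
        jne     nextk
        mov     eax,edi                         ; found: eax = image base
        jmp     showk
nextk:
        sub     edi,ALLOC_GRAN                  ; next 64K block down (wraps below 0; no floor)
        jmp     againk

showk:
        mov     k,eax
        invoke  wsprintf,addr buffer,addr h,eax
        invoke  MessageBox,0,addr buffer,addr correy,0

        ; ---- NT headers ---------------------------------------------
        mov     eax,k
        add     eax,[eax+PE_E_LFANEW]           ; pe = base + e_lfanew
        mov     pe,eax
        mov     esi,pe
        movzx   edx,word ptr [esi+PE_NUM_SECTIONS]      ; WORD field, zero-extend
        mov     sections,edx
        movzx   edx,word ptr [esi+PE_OPT_HDR_SIZE]      ; WORD field, zero-extend
        mov     sizeOfOptionalHeader,edx
        add     esi,PE_OPT_HDR
        mov     OptionalHeader,esi              ; VA of the optional header
        add     esi,sizeOfOptionalHeader
        mov     header,esi                      ; VA of the first section header (not used below)

        ; ---- export directory ---------------------------------------
        mov     esi,OptionalHeader
        mov     esi,[esi+PE_EXPORT_DIR]         ; export directory RVA
        add     esi,k                           ; -> VA
        mov     e,esi
        invoke  wsprintf,addr buffer,addr h,esi
        invoke  MessageBox,0,addr buffer,addr edata,0

        ; ---- DLL name (shown directly; the formatted address is not shown)
        mov     edi,e
        mov     edi,[edi+EXP_NAME]
        add     edi,k                           ; -> VA of the NUL-terminated name
        invoke  wsprintf,addr buffer,addr h,edi
        ;invoke MessageBox,0,addr buffer,addr dllnameaddr,0
        invoke  MessageBox,0,edi,addr dllname,0

        ; ---- ordinal base (formatted only; display disabled as in the original)
        mov     edi,e
        mov     edi,[edi+EXP_BASE]
        invoke  wsprintf,addr buffer,addr h,edi
        ;invoke MessageBox,0,addr buffer,addr ordinalbase,0

        ; ---- NumberOfFunctions
        mov     edi,e
        mov     edi,[edi+EXP_NUM_FUNCS]
        mov     apis,edi
        invoke  wsprintf,addr buffer,addr h,edi
        ;invoke MessageBox,0,addr buffer,addr ate,0

        ; ---- NumberOfNames
        mov     edi,e
        mov     edi,[edi+EXP_NUM_NAMES]
        mov     nnps,edi
        invoke  wsprintf,addr buffer,addr h,edi
        ;invoke MessageBox,0,addr buffer,addr nnp,0

        ; ---- the three export tables, each RVA converted to a VA -----
        mov     edi,e
        mov     edi,[edi+EXP_FUNCS]
        add     edi,k
        mov     apiaddress,edi                  ; VA of the export address table
        invoke  wsprintf,addr buffer,addr h,edi
        invoke  MessageBox,0,addr buffer,addr eat,0

        mov     edi,e
        mov     edi,[edi+EXP_NAMES]
        add     edi,k
        mov     apinameaddress,edi              ; VA of the export name pointer table
        invoke  wsprintf,addr buffer,addr h,edi
        invoke  MessageBox,0,addr buffer,addr enp,0

        mov     edi,e
        mov     edi,[edi+EXP_ORDINALS]
        add     edi,k
        mov     ordinaladdress,edi              ; VA of the ordinal table
        invoke  wsprintf,addr buffer,addr h,edi
        invoke  MessageBox,0,addr buffer,addr ordinalbaseaddr,0

        ; ---- function addresses: NumberOfFunctions DWORD RVAs ---------
        ; The loop-back jump is disabled, as in the original, so only the
        ; first entry is formatted; its MessageBox is disabled as well.
        mov     esi,apiaddress
        mov     ebx,apis
        test    ebx,ebx
        jz      showapi_setup                   ; empty table: skip
showapiaddr:
        mov     edi,[esi]                       ; function RVA
        add     edi,k                           ; -> VA (the original added to esi by mistake)
        invoke  wsprintf,addr buffer,addr h,edi
        ;invoke MessageBox,0,addr buffer,addr apiaddr,0
        add     esi,4
        dec     ebx
        ;jnz    showapiaddr                     ; enable to walk every entry

        ; ---- function names: NumberOfNames DWORD RVAs -----------------
        ; The body only computes each name's VA; the display is disabled.
showapi_setup:
        mov     esi,apinameaddress
        mov     ebx,nnps
        test    ebx,ebx
        jz      showo_setup                     ; empty table: skip
showapi:
        mov     edi,[esi]                       ; name RVA
        add     edi,k                           ; -> VA of the NUL-terminated name
        ;invoke MessageBox,0,edi,addr apiname,0
        add     esi,4
        dec     ebx
        jnz     showapi

        ; ---- name ordinals: NumberOfNames WORD entries -----------------
        ; Shown with the apiname title, as in the original.
showo_setup:
        mov     esi,ordinaladdress
        mov     ebx,nnps
        test    ebx,ebx
        jz      done                            ; empty table: skip
showo:
        movzx   eax,word ptr [esi]              ; unsigned 16-bit index into the address table
        invoke  wsprintf,addr buffer,addr h,eax
        invoke  MessageBox,0,addr buffer,addr apiname,0
        add     esi,2
        dec     ebx
        jnz     showo

done:
        invoke  ExitProcess,NULL
end start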
;made by correy
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
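; Assembler setup for the PEB module-base reader below.
; Syntax: MASM (Intel), 32-bit flat model, stdcall.  No includes: the
; program calls no API.  (The pasted listing repeated these directives;
; .model must appear only once.)
.386
.model flat, stdcall
option casemap :none                    ; symbol names are case-sensitive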
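.code
;-----------------------------------------------------------------------
; start — program entry (bare label, no PROC frame)
;
; Reads two module base addresses out of the process environment block
; and leaves them in registers.  32-bit Windows only (fs:[30h]); every
; offset below is an undocumented-layout assumption that is not checked.
;
; Reads:  fs:[30h]      -> PEB
;         [peb+0Ch]     -> presumably the loader data pointer (Ldr) — verify
;         [ldr+1Ch]     -> presumably the head of a module list — verify
;         [entry+8]     -> presumably DllBase of that entry — verify
;         [entry]       -> next list entry
; Out:    ebx = base of ntdll.dll, ecx = base of kernel32.dll (per the
;         original comments; which module sits at each position depends on
;         the Windows version — TODO confirm on the target), eax = the
;         second list entry.
; Note:   ebx is callee-saved under stdcall and is not preserved, and the
;         entry point returns with `ret` rather than calling ExitProcess,
;         so the values are only observable under a debugger.
;
; (The pasted listing repeated the body after `end start`; the assembler
; ignores text after END, so the duplicate is dropped.)
;-----------------------------------------------------------------------
start:
        assume  fs:nothing
        mov     eax, fs:[30h]                   ; PEB
        mov     eax, [eax+0ch]
        mov     eax, [eax+1ch]
        mov     ebx,[eax+8]                     ; ebx = ntdll.dll base (original comment)
        mov     eax,[eax]                       ; next entry in the list
        mov     ecx,[eax+08h]                   ; ecx = kernel32.dll base (original comment)
        ret
end start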