2012年7月4日星期三

NoImport.asm


; NoImport.asm — MASM, 32-bit flat model, stdcall calling convention.
; A program that resolves the APIs it calls at run time (see `start`)
; instead of through an import table.  Every variable in .data? below
; is written by `start`; the comments give the PE field each one holds.
.386
.model flat,stdcall
option casemap:none
.data
correy db "made by correy",0               ; text and caption of the final MessageBoxA call
szGetProcAddress db "GetProcAddress",0     ; export name searched for in the host module's name table
szLoadLibrary db 'LoadLibraryA',0          ; resolved with GetProcAddress from the host module
szUser32 db 'user32',0                     ; module name passed to LoadLibraryA
szmessagebox db 'MessageBoxA',0            ; resolved with GetProcAddress from user32
.data?
pe dd ?;                   ; VA of the PE signature of the host module (k + e_lfanew)
OptionalHeader dd ?;       ; VA of the optional header (pe + 24)
header dd ? ;              ; VA of the first section header (OptionalHeader + sizeOfOptionalHeader); stored, never read
sizeOfOptionalHeader dd ?; ; FileHeader.SizeOfOptionalHeader (word at pe + 20)
sections dd ?              ; FileHeader.NumberOfSections (word at pe + 6); stored, never read
nnps dd ?                  ; export directory NumberOfNames (e + 24); stored, never read
e dd ?;                    ; VA of the export directory (data directory entry 0 RVA + k)
k dd ?;                    ; image base of the host module located by the MZ/PE scan in start
apiaddress dd ?;           ; VA of the export address table (RVA at e + 28, plus k)
apinameaddress dd ?;       ; VA of the export name pointer table (RVA at e + 32, plus k)
ordinaladdress dd ?;       ; VA of the export ordinal table (RVA at e + 36, plus k)
apis dd ?                  ; export directory NumberOfFunctions (e + 20); stored, never read
n dd ?;                    ; strlen("GetProcAddress"), terminator excluded
i dd ?;                    ; index of the matching name in the name table, plus ob
o dd ?;                    ; word read from the ordinal table at index i
f dd ?;                    ; resolved address of GetProcAddress
ob dd ?                    ; export directory Base (e + 16)
ipapiloadlibrary dd ?      ; resolved address of LoadLibraryA
ipapiuser32 dd ?           ; module handle returned by LoadLibraryA("user32")
ipapimessagebox dd ?       ; resolved address of MessageBoxA
.code
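;-----------------------------------------------------------------------
; DWORD lenstr(const char *s)
; ABI:   stdcall; MASM emits the ebp frame and the `ret 4` epilogue
;        because the PROC declares a parameter
; In:    s   = pointer to a NUL-terminated string
; Out:   eax = number of bytes before the terminator
; Clobb: ecx, flags
; The original read `s` back through a `pop ecx` that happened to land
; on its own local slot; that depends on the exact frame layout MASM
; generates, so the parameter is read directly instead and the unused
; local is gone.
;-----------------------------------------------------------------------
lenstr proc s
mov ecx,s                      ; ecx = cursor into the string
xor eax,eax                    ; eax = bytes counted so far
lenstr_next:
cmp byte ptr [ecx],0           ; stop at the terminator
je lenstr_done
inc eax
inc ecx
jmp lenstr_next
lenstr_done:
ret
lenstr endp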
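;-----------------------------------------------------------------------
; void strcat(char *s1, const char *s2)
; ABI:   stdcall; MASM emits the ebp frame and the `ret 8` epilogue
; In:    s1 = destination holding a NUL-terminated string with room for
;             strlen(s2) + 1 more bytes
;        s2 = NUL-terminated source string
; Out:   s2 appended to s1, including the terminating NUL (the original
;        copied only strlen(s2) bytes and left s1 unterminated)
;        eax = strlen(s2), as before; ecx, flags clobbered
; Notes: esi/edi are callee-saved under the Win32 ABI, so they are
;        preserved here; DF is cleared explicitly before `rep movsb`
;        rather than assumed.
;-----------------------------------------------------------------------
strcat proc s1,s2
push esi
push edi
invoke lenstr,s1
mov edi,s1
add edi,eax                    ; edi = &s1[strlen(s1)], the terminator to overwrite
mov esi,s2
invoke lenstr,s2
mov ecx,eax
inc ecx                        ; copy strlen(s2) + 1 bytes so the NUL comes along
cld                            ; forward copy regardless of the caller's DF
rep movsb
pop edi
pop esi
ret
strcat endp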
;-----------------------------------------------------------------------
; start — program entry point (the image has no import table).
; 1. Scan backwards in 64 KB steps from the address found on top of the
;    stack at entry until an "MZ"/"PE" header is hit: that is k, the
;    image base of the module whose code called the entry point.
; 2. Read the PE header, optional header and export directory of k.
; 3. Walk the export name table for "GetProcAddress" and resolve it (f).
; 4. f(k, "LoadLibraryA"); LoadLibraryA("user32"); f(user32, "MessageBoxA").
; 5. MessageBoxA(0, correy, correy, 0) and return.
; Register roles: edi/esi = scratch pointers into the headers,
; ebx = cursor into the export name table, eax = running index and
; call results.  All .data? variables are written here.
; Review notes (NOTE(review)) mark spots that depend on the environment
; or deviate from the documented PE layout; nothing is changed.
;-----------------------------------------------------------------------
start:
push [esp]                     ; duplicate the dword on top of the stack (presumably the return
                               ; address left by the entry point's caller); see the note at `pop esp`
mov edi,[esp]                  ; edi = that address; the scan starts inside the caller's module
and edi,0ffff0000h             ; round down to 64 KB, the image-base granularity
againk:push edi                ; keep the candidate base across the header checks below
cmp word ptr [edi],5a4dh       ; IMAGE_DOS_HEADER.e_magic == "MZ"?
jne nextk
add edi,[edi+3ch]              ; edi += e_lfanew -> IMAGE_NT_HEADERS
cmp word ptr [edi],4550h       ; low word of the PE signature == "PE"?
jne nextk
pop edi                        ; found: restore the candidate base
mov eax,edi
jmp showk
nextk:pop edi
sub edi,10000h                 ; step back one 64 KB granule and retry
                               ; NOTE(review): no lower bound — if no header is ever found the scan
                               ; walks into unmapped memory and faults
jmp againk
showk:mov k,eax                ; k = image base of the host module
add eax,3ch
mov eax,[eax]                  ; e_lfanew
add eax,k
mov pe,eax                     ; pe = VA of the PE signature
mov esi,pe
add esi,6                      ; FileHeader.NumberOfSections (signature 4 + Machine 2)
mov dx,word ptr [esi]
movsx edx,dx                   ; the field is an unsigned word; movzx would match (harmless for real counts)
mov sections,edx               ; stored, not used afterwards
mov esi,pe
add esi,24                     ; signature (4) + IMAGE_FILE_HEADER (20)
mov OptionalHeader,esi ;save the address of the optional header.
mov esi,pe
add esi,20                     ; FileHeader.SizeOfOptionalHeader
mov dx,word ptr [esi]
movsx edx,dx                   ; same remark as above: an unsigned word read with movsx
mov sizeOfOptionalHeader,edx
mov esi,OptionalHeader
add esi,sizeOfOptionalHeader
mov header,esi ;save the address of the section headers (not used afterwards).
mov esi,OptionalHeader
add esi,96                     ; DataDirectory[0].VirtualAddress = export directory RVA (PE32 layout)
mov esi,[esi]
mov edi,esi
add esi,k                      ; esi is not read again after this line
add edi,k                      ; edi = export directory RVA + base
mov e,edi;start address of the export directory table
mov edi,e
add edi,12                     ; IMAGE_EXPORT_DIRECTORY.Name (RVA)
mov edi,[edi]
add edi,k                      ; dead: edi is overwritten on the next line
mov edi,e
add edi,16                     ; .Base
mov edi,[edi]
mov ob,edi                     ; ob = ordinal base
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov edi,e
add edi,20                     ; .NumberOfFunctions
mov edi,[edi]
mov apis,edi                   ; stored, not used afterwards
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov edi,e
add edi,24                     ; .NumberOfNames
mov edi,[edi]
mov nnps,edi                   ; NOTE(review): never used as the bound of the name search below
mov edi,e
add edi,28                     ; .AddressOfFunctions (RVA)
mov edi,[edi]
add edi,k
mov apiaddress,edi ;start address of the export address table
mov edi,e
add edi,32                     ; .AddressOfNames (RVA)
mov edi,[edi]
add edi,k
mov apinameaddress,edi ;start address of the export name pointer table
mov edi,e
add edi,36                     ; .AddressOfNameOrdinals (RVA)
mov edi,[edi]
add edi,k
mov ordinaladdress,edi ;start address of the export ordinal table
invoke lenstr,addr szGetProcAddress
mov n,eax                      ; n = strlen("GetProcAddress"), terminator excluded
;find the position of GetProcAddress in the export name table
mov ebx,apinameaddress         ; ebx = &names[0]
xor eax,eax                    ; eax = index of the name under test
againke:push ebx               ; NOTE(review): this push is not popped on the matching path (`je nextke`),
                               ; so one extra dword stays on the stack until the `pop esp` at the end
mov edi,[ebx]
add edi,k                      ; edi = names[eax] + base -> the exported name string
mov esi,offset szGetProcAddress
mov ecx,n
repe cmpsb                     ; compare n bytes; DF assumed clear.  NOTE(review): the terminator is
                               ; not compared, so a longer export name starting with these n bytes
                               ; also matches
je nextke
pop ebx
add ebx,4                      ; next name pointer
inc eax
jmp againke                    ; NOTE(review): no exit when the name is absent — nnps is the missing
                               ; bound.  That happens whenever the entry point's caller is not the
                               ; module exporting GetProcAddress; the loop then reads past the table
nextke:add eax,ob;add the ordinal base
                               ; NOTE(review): in the documented PE layout the ordinal table is indexed
                               ; by the name index alone and the address table by the word read from it;
                               ; the +ob here and the -ob below give functions[ordinals[idx+ob]-ob],
                               ; which equals the documented functions[ordinals[idx]] only when the
                               ; ordinal table is an identity map — confirm against the target module
mov i,eax
;find the ordinal of GetProcAddress
mov eax,i
mov ebx,ordinaladdress
shl eax,1                      ; word-sized entries
add eax,ebx
movzx eax,word ptr [eax]
mov o,eax                      ; o = ordinals[i]
;find the address of GetProcAddress
mov eax,o
sub eax,ob;subtract the ordinal base
mov ebx,apiaddress
shl eax,2                      ; dword-sized entries
add eax,ebx
mov eax,[eax]                  ; RVA of the function (a forwarded export would not be handled here)
add eax,k
mov f,eax                      ; f = GetProcAddress
;find the address of LoadLibraryA
push offset szLoadLibrary
push k
call eax                       ; GetProcAddress(k, "LoadLibraryA"); stdcall, callee pops the arguments
mov ipapiloadlibrary,eax
;find the module handle of user32.dll
push offset szUser32
call ipapiloadlibrary          ; LoadLibraryA("user32")
mov ipapiuser32,eax
;find the address of MessageBoxA
push offset szmessagebox
push ipapiuser32
call f                         ; GetProcAddress(user32, "MessageBoxA")
mov ipapimessagebox,eax
;show a message
push 0                         ; uType
push offset correy             ; lpCaption
push offset correy             ; lpText
push 0                         ; hWnd
call ipapimessagebox
pop esp                        ; NOTE(review): as traced above, the top of the stack here is the ebx left
                               ; by the name loop, not the copy of the return address pushed at entry;
                               ; esp is loaded with a pointer into the name table and the `ret` below does
                               ; not return to the caller.  Dropping both leftover dwords (`add esp,8`)
                               ; before `ret` would return through the original return address — confirm
                               ; under a debugger.
ret
end start
