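; --------------------------------------------------------------------------
; Demo: locate kernel32 from the return address on the stack, walk its export
; directory by hand to find GetProcAddress, then reach user32!MessageBoxA.
; Syntax: MASM (Intel operand order). Target: Win32 x86, PE32 images only,
; stdcall calling convention throughout.
; The file had its .model/option pair duplicated (MASM accepts only one
; .model directive); the single copy below is the intended header.
; --------------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none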
.data
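; Strings. API names are looked up at run time so the image needs no import
; table. Every string is NUL-terminated: lenstr and the export-name compare in
; start both rely on the terminator. (The original listing defined each of
; these twice, which MASM rejects as a symbol redefinition.)
correy           db "made by correy",0     ; MessageBoxA text and caption
szGetProcAddress db "GetProcAddress",0     ; found by walking kernel32's export table
szLoadLibrary    db 'LoadLibraryA',0       ; resolved through GetProcAddress
szUser32         db 'user32',0             ; module name passed to LoadLibraryA (no extension)
szmessagebox     db 'MessageBoxA',0        ; resolved from user32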
.data?
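; Uninitialised globals filled in by start. All are DWORDs holding either a
; virtual address (VA), a count, or a header field. (The original listing
; defined each of these twice, which MASM rejects as a symbol redefinition.)
pe                   dd ?    ; VA of kernel32's IMAGE_NT_HEADERS
OptionalHeader       dd ?    ; VA of IMAGE_OPTIONAL_HEADER32
header               dd ?    ; VA of the first IMAGE_SECTION_HEADER (informational only)
sizeOfOptionalHeader dd ?    ; FileHeader.SizeOfOptionalHeader
sections             dd ?    ; FileHeader.NumberOfSections (informational only)
nnps                 dd ?    ; IMAGE_EXPORT_DIRECTORY.NumberOfNames - bounds the name search
e                    dd ?    ; VA of IMAGE_EXPORT_DIRECTORY
k                    dd ?    ; kernel32 image base (HMODULE) found by the scan
apiaddress           dd ?    ; VA of the export address table (dword RVAs)
apinameaddress       dd ?    ; VA of the export name pointer table (dword RVAs of ASCIIZ names)
ordinaladdress       dd ?    ; VA of the export ordinal table (words, parallel to the name table)
apis                 dd ?    ; IMAGE_EXPORT_DIRECTORY.NumberOfFunctions
n                    dd ?    ; strlen of the export name being searched for
i                    dd ?    ; where the name matched in the name table (see start)
o                    dd ?    ; word read from the ordinal table for the match
f                    dd ?    ; resolved address of kernel32!GetProcAddress
ob                   dd ?    ; IMAGE_EXPORT_DIRECTORY.Base (ordinal base)
ipapiloadlibrary     dd ?    ; resolved address of kernel32!LoadLibraryA
ipapiuser32          dd ?    ; HMODULE of user32
ipapimessagebox      dd ?    ; resolved address of user32!MessageBoxA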
.code
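; --------------------------------------------------------------------------
; lenstr - length of a NUL-terminated string.
;   DWORD lenstr(const char *s)                                   (stdcall)
; In:    s   -> ASCIIZ string. Must be terminated; there is no length bound.
; Out:   eax = number of bytes before the NUL (terminator not counted).
; Clobb: ecx, flags. ebx/esi/edi are not touched.
; Fix:   the original declared a LOCAL, stored s into it and then read it
;        back with `pop ecx`, relying on the exact layout of MASM's generated
;        prologue; the parameter is now loaded directly.
;        (A duplicated, header-less copy of the body that followed the proc
;        has been dropped.)
; --------------------------------------------------------------------------
lenstr proc s:DWORD
        mov     ecx,s                       ; ecx -> current byte
        xor     eax,eax                     ; eax = bytes counted so far
count_next:
        cmp     byte ptr [ecx],0
        je      count_done
        inc     eax
        inc     ecx
        jmp     count_next
count_done:
        ret
lenstr endp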
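; --------------------------------------------------------------------------
; strcat - append the ASCIIZ string s2 to the ASCIIZ string at s1.
;   void strcat(char *s1, const char *s2)                         (stdcall)
; In:    s1 -> destination string with room for strlen(s2)+1 more bytes
;        s2 -> source string
; Out:   s1 holds s1+s2 and is NUL-terminated. eax is clobbered; there is no
;        meaningful return value.
; Clobb: eax, ecx, flags. esi/edi are callee-saved in the Win32 ABI and are
;        preserved via USES. DF is cleared explicitly before the copy.
; Fixes: the original copied strlen(s2) bytes, so the result was only
;        terminated if the destination already held a 0 there; it also
;        trashed esi/edi. Not called by start; kept as a utility.
; Note:  no bounds check - the caller owns the buffer size.
;        (A duplicated, header-less copy of the body that followed the proc
;        has been dropped.)
; --------------------------------------------------------------------------
strcat proc uses esi edi, s1:DWORD, s2:DWORD
        invoke  lenstr,s1
        mov     edi,s1
        add     edi,eax                     ; edi -> s1's terminator = write position
        invoke  lenstr,s2
        lea     ecx,[eax+1]                 ; copy s2 *and* its NUL
        mov     esi,s2
        cld                                 ; rep movsb must move forwards
        rep     movsb
        ret
strcat endp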
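; --------------------------------------------------------------------------
; start - process entry point (no arguments; returns to its caller).
;
; Finds kernel32 and resolves APIs without an import table:
;   1. the return address on the stack at entry is assumed to lie inside
;      kernel32 (its thread-start thunk called us); it is rounded down to the
;      64 KB allocation granularity and scanned downwards until an 'MZ' header
;      whose e_lfanew leads to a 'PE' signature is found - that is kernel32's
;      base (k);
;   2. kernel32's export directory is walked by hand to find GetProcAddress;
;   3. GetProcAddress/LoadLibraryA resolve user32!MessageBoxA, which shows
;      the message.
;
; Fixes relative to the original listing (which was also duplicated line by
; line by whatever produced this page):
;   * the export ordinal table holds *unbiased* EAT indexes and is parallel to
;     the name table, so the name index must not have Base added before
;     indexing it, nor Base subtracted from the word read; the old code only
;     worked where the EAT happens to be sorted by name;
;   * the name compare now includes the NUL, so a longer export that merely
;     starts with "GetProcAddress" cannot match;
;   * the search is bounded by NumberOfNames instead of running off the table;
;   * the `push ebx` inside the search loop was never popped on the match
;     path, and `push [esp]` / `pop esp` loaded esp with the return address
;     itself; the stack is now left untouched so the final `ret` is valid.
;
; Caveats the code does not defend against:
;   * the scan dereferences every 64 KB candidate blindly - an unmapped page
;     between the return address and the real base faults (classic shellcode
;     trade-off; PEB->Ldr is the robust alternative);
;   * PE32 field offsets only; not valid for PE32+;
;   * forwarded exports are not handled (the EAT entry would be the RVA of a
;     forwarder string, not code) - TODO confirm GetProcAddress is not a
;     forwarder on the target OS;
;   * ebx/esi/edi are clobbered and not restored.
; On any failure (no export directory, name not found, NULL from an API call)
; it returns with the stack balanced.
; --------------------------------------------------------------------------
DOS_MAGIC                   equ 5a4dh   ; IMAGE_DOS_HEADER.e_magic  'MZ'
PE_MAGIC                    equ 4550h   ; IMAGE_NT_HEADERS.Signature 'PE\0\0' (as a dword)
DOS_E_LFANEW                equ 3ch     ; IMAGE_DOS_HEADER.e_lfanew
ALLOC_GRANULARITY           equ 10000h  ; image bases are 64 KB aligned
FH_NUMBER_OF_SECTIONS       equ 6       ; from Signature: FileHeader.NumberOfSections (WORD)
FH_SIZE_OF_OPT_HEADER       equ 20      ; FileHeader.SizeOfOptionalHeader (WORD)
OPT_HEADER_OFFSET           equ 24      ; Signature(4) + IMAGE_FILE_HEADER(20)
OH_EXPORT_DIR_RVA           equ 96      ; PE32: DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
ED_BASE                     equ 16      ; IMAGE_EXPORT_DIRECTORY.Base
ED_NUMBER_OF_FUNCTIONS      equ 20      ; IMAGE_EXPORT_DIRECTORY.NumberOfFunctions
ED_NUMBER_OF_NAMES          equ 24      ; IMAGE_EXPORT_DIRECTORY.NumberOfNames
ED_ADDRESS_OF_FUNCTIONS     equ 28      ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
ED_ADDRESS_OF_NAMES         equ 32      ; IMAGE_EXPORT_DIRECTORY.AddressOfNames
ED_ADDRESS_OF_NAME_ORDINALS equ 36      ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals

start:
        ; ---- 1. kernel32 image base from the return address ----
        mov     edi,[esp]                   ; return address - assumed to be inside kernel32
        and     edi,0ffff0000h              ; round down to the allocation granularity
scan_down:
        cmp     word ptr [edi],DOS_MAGIC    ; 'MZ'? (faults if this page is unmapped)
        jne     next_candidate
        mov     eax,[edi+DOS_E_LFANEW]
        add     eax,edi                     ; eax -> candidate IMAGE_NT_HEADERS
        cmp     dword ptr [eax],PE_MAGIC    ; 'PE\0\0'?
        je      found_kernel32
next_candidate:
        sub     edi,ALLOC_GRANULARITY       ; try the next 64 KB boundary below
        jmp     scan_down
found_kernel32:
        mov     k,edi                       ; k  = kernel32 base (its HMODULE)
        mov     pe,eax                      ; pe = VA of IMAGE_NT_HEADERS

        ; ---- 2. file header / optional header / section table ----
        mov     esi,pe
        movzx   edx,word ptr [esi+FH_NUMBER_OF_SECTIONS]   ; WORD: zero-extend, not sign-extend
        mov     sections,edx                ; informational only
        movzx   edx,word ptr [esi+FH_SIZE_OF_OPT_HEADER]
        mov     sizeOfOptionalHeader,edx
        add     esi,OPT_HEADER_OFFSET
        mov     OptionalHeader,esi          ; VA of IMAGE_OPTIONAL_HEADER32
        add     esi,edx
        mov     header,esi                  ; VA of the first section header; informational only

        ; ---- 3. export directory and its three tables ----
        mov     esi,OptionalHeader
        mov     edi,[esi+OH_EXPORT_DIR_RVA] ; export directory RVA
        test    edi,edi
        jz      give_up                     ; no export directory: nothing to search
        add     edi,k
        mov     e,edi                       ; VA of IMAGE_EXPORT_DIRECTORY
        mov     eax,[edi+ED_BASE]
        mov     ob,eax                      ; ordinal base - recorded, but not needed by the lookup below
        mov     eax,[edi+ED_NUMBER_OF_FUNCTIONS]
        mov     apis,eax
        mov     eax,[edi+ED_NUMBER_OF_NAMES]
        mov     nnps,eax                    ; upper bound for the name search
        mov     eax,[edi+ED_ADDRESS_OF_FUNCTIONS]
        add     eax,k
        mov     apiaddress,eax              ; EAT: dword RVAs of the exported functions
        mov     eax,[edi+ED_ADDRESS_OF_NAMES]
        add     eax,k
        mov     apinameaddress,eax          ; name pointer table: dword RVAs of ASCIIZ names
        mov     eax,[edi+ED_ADDRESS_OF_NAME_ORDINALS]
        add     eax,k
        mov     ordinaladdress,eax          ; ordinal table: words, same index as the name table

        ; ---- 4. find GetProcAddress by name ----
        invoke  lenstr,addr szGetProcAddress
        mov     n,eax                       ; strlen("GetProcAddress"); terminator not counted
        mov     ebx,apinameaddress
        xor     eax,eax                     ; eax = index into the name pointer table
next_name:
        cmp     eax,nnps
        jae     give_up                     ; every exported name checked - not present
        mov     edi,[ebx+eax*4]
        add     edi,k                       ; edi -> exported name (VA)
        mov     esi,offset szGetProcAddress
        mov     ecx,n
        inc     ecx                         ; compare the NUL too: a longer name with this prefix must not match
        repe    cmpsb
        je      name_found
        inc     eax
        jmp     next_name
name_found:
        mov     i,eax                       ; i = index of the match in the name table
        ; The ordinal table is parallel to the name table and its entries are
        ; already unbiased EAT indexes: use ordinaltable[i] directly, with no
        ; Base adjustment in either direction.
        mov     ebx,ordinaladdress
        movzx   eax,word ptr [ebx+eax*2]
        mov     o,eax                       ; o = EAT index of GetProcAddress
        mov     ebx,apiaddress
        mov     eax,[ebx+eax*4]             ; RVA of GetProcAddress (forwarders not handled)
        add     eax,k
        mov     f,eax                       ; f = &GetProcAddress

        ; ---- 5. LoadLibraryA -> user32 -> MessageBoxA ----
        push    offset szLoadLibrary        ; lpProcName
        push    k                           ; hModule
        call    f                           ; GetProcAddress(kernel32, "LoadLibraryA")
        test    eax,eax
        jz      give_up
        mov     ipapiloadlibrary,eax
        push    offset szUser32
        call    ipapiloadlibrary            ; LoadLibraryA("user32")
        test    eax,eax
        jz      give_up
        mov     ipapiuser32,eax
        push    offset szmessagebox
        push    ipapiuser32
        call    f                           ; GetProcAddress(user32, "MessageBoxA")
        test    eax,eax
        jz      give_up
        mov     ipapimessagebox,eax
        push    0                           ; uType
        push    offset correy               ; lpCaption
        push    offset correy               ; lpText
        push    0                           ; hWnd
        call    ipapimessagebox             ; MessageBoxA(NULL, text, caption, MB_OK)
give_up:
        ; Every call above is stdcall (callee pops its arguments) and the scan
        ; and search loops do not touch the stack, so esp is exactly where it
        ; was at entry and [esp] is still the caller's return address.
        ret
end start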