C语言内嵌汇编API内存搜索引擎实例
本文实例讲述了C语言内嵌汇编API内存搜索引擎的方法,分享给大家供大家参考。具体实现方法如下:
//
#include \"stdafx.h\"
#include <Windows.h>
DWORD __stdcall GetStrLengthA(char* szName)
{
_asm
{
push edi
push ebx
mov eax, szName
mov edi, eax
mov ebx, eax
xor al, al
lstrscan:
scas byte ptr [edi] //字符扫描法检查字符串指针长度
jnz lstrscan
dec edi
sub edi, ebx
mov eax, edi
pop ebx
pop edi
}
}
DWORD __stdcall CalcBufferCRC(char* lpBuffer)
{
_asm
{
push ebx
push edi
push ecx
push ebp
mov ebx, lpBuffer
push ebx
call GetStrLengthA
mov edi, eax
shr edi, 2
xor ecx, ecx
loopBegin:
dec edi
jl loopOver
xor ecx, dword ptr [ebx]
add ebx, 4
jmp loopBegin
loopOver:
mov eax, ecx
pop ebp
pop ecx
pop edi
pop ebx
}
}
DWORD __stdcall GetProcAddressA(HANDLE hModule, DWORD dwExportCRC)
{
//DWORD lpProcNameCRC = ;
DWORD dwProcNumber;
LPVOID pProcAddress, pProcNameAddress, pProcIndexAddress;
_asm
{
push ebx
push esi
mov eax, hModule
mov edx,dwExportCRC // edx=函数名CRC32
mov ebx, eax // ebx=基址
mov eax, [ebx+0x3c] // eax=文件头偏移
mov esi, [ebx+eax+0x78] // esi=输出表偏移,文件头+可选头的长度=$78
lea esi, [ebx+esi+0x18] // esi=函数名数量 = 函数数量 [ebx+esi+$14]
lods dword ptr ds:[esi]
mov dwProcNumber, eax // eax=函数名数量
lods dword ptr ds:[esi]
mov pProcAddress, eax // eax=函数偏移量
lods dword ptr ds:[esi]
mov pProcNameAddress, eax // eax=函数名偏移量
lods dword ptr ds:[esi]
mov pProcIndexAddress, eax // eax=序列号偏移量
mov edx, dwProcNumber // edx=遍历次数
LoopBegin:
xor eax, eax // Result = 0
dec edx
jl LoopEnd
mov eax, pProcNameAddress
add eax, ebx // eax=函数名基地址
mov eax, dword ptr ds:[eax+edx*4]
add eax, ebx // eax=遍历函数名
push eax
call CalcBufferCRC
cmp eax, dwExportCRC // 对比CRC32
jnz LoopBegin
shl edx, 1
add edx, pProcIndexAddress // 函数基序列
movzx eax, word ptr ss:[edx+ebx]
shl eax, 2
add eax, pProcAddress // 函数基地址
mov eax, [eax+ebx]
add eax, ebx // Result = 函数地址
LoopEnd:
pop esi
pop ebx
}
}
DWORD __stdcall GetKernel32Module()
{
_asm
{
PUSH EBP
XOR ECX, ECX
//MOV ESI, [FS:ECX + 0x30] ; ESI = &(PEB) ([FS:0x30])
MOV ESI, FS:[0X30]
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module:
MOV EBP, [ESI + 0x08] ; EBP = InInitOrder[X].base_address
MOV EDI, [ESI + 0x20] ; EBP = InInitOrder[X].module_name (unicode)
MOV ESI, [ESI] ; ESI = InInitOrder[X].flink (next module)
CMP [EDI + 12*2], CL ; modulename[12] == 0 ?
JNE next_module ; No: try next module.
MOV EAX, EBP
POP EBP
}
}
int main(int argc, char* argv[])
{
printf(\"write by xiaoju !\\n\");
printf(\"*****************\\n\");
DWORD dwBaseKernel32 = GetKernel32Module();
printf(\"Kernel32的模块地址:%08x\\n\",dwBaseKernel32);
DWORD LoadLibraryCRC32= CalcBufferCRC(\"LoadLibraryA\") ;
printf(\"LoadLibraryA的CRC值(静态写到程序中):%08x\\n\\n\", LoadLibraryCRC32);
DWORD dwAddrLoadLibrary = GetProcAddressA((HANDLE)dwBaseKernel32, 0x577a7461);
printf(\"在程序中动态得到的LoadLibraryA的地址:%08x\\n\", dwAddrLoadLibrary);
getchar();
return 0;
}
本文地址:https://www.stayed.cn/item/16377
转载请注明出处。
本站部分内容来源于网络,如侵犯到您的权益,请 联系我
我的博客
人生若只如初见,何事秋风悲画扇。
我的标签
随笔档案
- 2024-02(2)
- 2023-06(1)
- 2023-05(1)
- 2023-04(14)
- 2023-03(3)
- 2023-01(6)
- 2022-12(5)
- 2022-11(5)
- 2022-07(2)
- 2022-06(4)
- 2022-05(3)
- 2022-03(1)
- 2021-12(6)
- 2021-11(1)
- 2021-10(3)
- 2021-09(5)
- 2021-07(5)
- 2021-02(2)
- 2021-01(7)
- 2020-12(18)
- 2020-11(14)
- 2020-10(12)
- 2020-09(10)
- 2020-08(22)
- 2020-07(2)
- 2020-06(1)
- 2020-04(5)
- 2020-03(9)
- 2020-02(7)
- 2020-01(9)
- 2019-12(8)
- 2019-11(10)
- 2019-10(11)
- 2019-09(17)
- 2019-08(16)
- 2019-07(6)
- 2019-06(3)
- 2019-04(1)
- 2019-03(8)
- 2019-02(5)
- 2019-01(1)
- 2018-11(2)
- 2018-10(3)
- 2018-09(1)
- 2018-08(3)
- 2018-07(3)
- 2018-06(7)
- 2018-04(4)
- 2018-03(5)
- 2018-02(4)
- 2018-01(22)
- 2017-12(3)
- 2017-11(5)
- 2017-10(15)
- 2017-09(26)
- 2017-08(1)
- 2017-07(3)