
不生成导入表调用API函数

//Resolve an exported function's address by name from a module that is already
//mapped in this process, by walking the module's PE export directory instead of
//calling GetProcAddress. hModuleBaseAddr is the module base, lpApi the
//NUL-terminated export name. Returns the function's virtual address, or 0 when
//no export with that name is found.
//
//NOTE(review): every pointer is built through a DWORD truncation, so this is
//32-bit only. Nothing validates the headers: a module with no export directory
//or a corrupt e_lfanew is dereferenced blindly, and forwarded exports are not
//special-cased. Hand-parsing an export table to avoid an import-table entry is
//a well-known loader-evasion shape; detection engineering treats a binary with
//few or no imports plus this code pattern as a strong indicator.
DWORD myGetApiAddr(HMODULE hModuleBaseAddr, PSTR lpApi)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeader = NULL;

    PIMAGE_EXPORT_DIRECTORY pExportDir = NULL;

    DWORD ret = 0;
    PDWORD AddrOfName = NULL;
    PDWORD AddrOfFunction = NULL;
    PWORD AddrOfOrder = NULL;
    DWORD count = 0;
    WORD order = 0;
    PSTR pName = NULL;

    //The DOS header sits at the module base; e_lfanew is the offset of the NT headers.
    pDosHeader = (PIMAGE_DOS_HEADER)(DWORD)hModuleBaseAddr;
    pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    //Export directory: DataDirectory[0] is the export entry; its RVA is rebased on the module.
    pExportDir = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBaseAddr + pNtHeader->OptionalHeader.DataDirectory[0].VirtualAddress);
    //Name table: RVAs of the export name strings.
    AddrOfName = (PDWORD)((DWORD)hModuleBaseAddr + pExportDir->AddressOfNames);
    //Function table: RVAs of the exported functions.
    AddrOfFunction = (PDWORD)((DWORD)hModuleBaseAddr + pExportDir->AddressOfFunctions);
    //Ordinal table: one WORD per name, indexing the function table.
    AddrOfOrder = (PWORD)((DWORD)hModuleBaseAddr + pExportDir->AddressOfNameOrdinals);

    //NOTE(review): i is int while NumberOfNames is a DWORD (signed/unsigned
    //comparison); count tracks the same value as i and AddrOfName is advanced
    //in step with it.
    for (int i = 0; i < pExportDir->NumberOfNames;i++)
    {
        //The name table holds RVAs: add the module base to get a real pointer.
        pName = (PSTR)(*AddrOfName + (DWORD)hModuleBaseAddr);
        //Debug trace: every export name scanned is printed.
        printf("%s\n", pName);
        //Exact name match.
        if (strcmp(pName, lpApi) == 0)
        {
            //NOTE(review): AddressOfNameOrdinals entries are already zero-based
            //indexes into AddressOfFunctions; the "+ Base - 1" only cancels out
            //when the export directory's Base is 1 (common for system DLLs, not
            //guaranteed in general). Confirm against the PE spec before reusing.
            order = *(AddrOfOrder + count)+pExportDir->Base-1;
            //The function RVA is rebased on the module (the doubled (DWORD) cast is redundant).
            ret = *(AddrOfFunction + order) + (DWORD)(DWORD)hModuleBaseAddr;
            return ret;
        }
        count++;
        AddrOfName++;
    }

    //Not found: ret is still 0.
    return ret;
}
//Locate kernel32.dll's base address without any import, by reading the
//Process Environment Block through the fs segment (x86 MSVC inline asm) and
//walking the loader's module list. Returns the base as an HMODULE.
//
//NOTE(review): all offsets are hard-coded for 32-bit Windows and the kernel32
//entry is chosen purely by position (third node of the list); the full name
//is only printed, never compared, so a different load order yields another
//module. A PEB walk in a binary with no import of GetModuleHandle/
//GetProcAddress is exactly the shape that static and behavioural
//EDR/AV rules key on for this class of code.
HMODULE getKernel32BaseAddrByPEB()
{
    PVOID pPeb = NULL;
    PVOID pLdr = NULL;
    PVOID pFlink = NULL;
    PVOID ptemp = NULL;
    PVOID BaseAddr = NULL;
    PVOID pFullName = NULL;

    //fs:[0x30] is the TEB's PEB pointer on x86.
    __asm
    {
        mov eax, fs:[0x30]
        mov pPeb, eax
    }
    //PEB+0x0c: Ldr (PEB_LDR_DATA) on x86.
    pLdr = (PVOID)*((PDWORD)((DWORD)pPeb + 0x0c));
    pFlink = (PVOID)*((PDWORD)((DWORD)pLdr + 0x14));//first list node (Ldr+0x14)
    ptemp = pFlink;
    //The third node is assumed to be kernel32 (load-order assumption, not verified).
    ptemp = (PVOID)*((PDWORD)ptemp);//second
    ptemp = (PVOID)*((PDWORD)ptemp);//third
    //+0x10 / +0x20 from the link field: DllBase and the FullDllName buffer,
    //per the x86 LDR_DATA_TABLE_ENTRY layout the author relies on — TODO confirm.
    BaseAddr = (PVOID)*((PDWORD)((DWORD)ptemp + 0x10));
    pFullName = (PVOID)*((PDWORD)((DWORD)ptemp + 0x20));

    //Debug output. Under MSVC wprintf's %s expects a wide string, which pFullName is assumed to be.
    wprintf(L"FullDllName is %s\n", pFullName);
    //NOTE(review): %x with a pointer argument is a format/type mismatch; %p is the matching specifier.
    printf("BaseAddress is %x\n", BaseAddr);
    return (HMODULE)BaseAddr;
}
//动态调用API函数
//Resolve GetProcAddress by hand from kernel32's export table, then use it to
//reach LoadLibraryA, load user32.dll and call MessageBoxA, so that none of
//these APIs appears in the import table. Nothing is returned.
void _dynamicCallApi()
{
    //Function-pointer types: the parameter lists must match the real prototypes.
    typedef FARPROC(WINAPI *GetProcAddressFn)(HMODULE, PSTR);
    typedef HINSTANCE(WINAPI *LoadLibraryFn)(PSTR);
    typedef int(WINAPI *MessageBoxFn)(HWND, PSTR, PSTR, UINT);

    //kernel32's base comes from the PEB walk, not from the loader's import table.
    HMODULE kernel32 = getKernel32BaseAddrByPEB();

    //Only GetProcAddress is resolved by export-table parsing; everything else
    //is then resolved through the genuine GetProcAddress.
    GetProcAddressFn pGetProcAddress =
        (GetProcAddressFn)myGetApiAddr(kernel32, "GetProcAddress");
    LoadLibraryFn pLoadLibrary =
        (LoadLibraryFn)pGetProcAddress(kernel32, "LoadLibraryA");

    //The module handle is carried as a DWORD and cast back when used.
    DWORD user32 = (DWORD)pLoadLibrary("user32.dll");
    MessageBoxFn pMessageBox =
        (MessageBoxFn)pGetProcAddress((HMODULE)user32, "MessageBoxA");

    //MessageBoxA is called through the resolved pointer.
    pMessageBox(NULL, "aaaa", "bbbb", MB_OK);
    //FreeLibrary should follow; omitted here.
    return;
}

//Program entry point (MSVC TCHAR-flavoured main). The command-line arguments
//are not used; the whole program is the single dynamic-call demonstration.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    _dynamicCallApi();
    return 0;
}