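/*
 * Resolve an exported function by name by parsing the module's export
 * directory directly, i.e. without calling GetProcAddress (which is the
 * whole point of this listing: nothing API-related in the import table).
 *
 * hModuleBaseAddr: base address of a module already mapped in this process.
 * lpApi:           NUL-terminated ASCII export name; the compare is
 *                  case-sensitive, like GetProcAddress.
 *
 * Returns the function's virtual address, or 0 when the arguments are NULL,
 * the image headers do not look like a PE file, the module has no export
 * directory, or the name is not exported.
 *
 * Fixes relative to the previous version:
 *  - The name-ordinal table holds *unbiased* indexes into the function
 *    table (PE/COFF spec). The old code added `Base - 1`, which only worked
 *    because kernel32's ordinal Base happens to be 1; for any module with a
 *    different Base it returned the wrong function.
 *  - Missing export directory / malformed headers are rejected instead of
 *    dereferenced.
 *  - The per-export debug printf (one line per exported name) is gone.
 *
 * Limitations: 32-bit only (the address is returned as a DWORD, consistent
 * with the rest of this listing). Forwarded exports -- an RVA that points
 * back inside the export directory and names "dll.func" -- are returned
 * as-is, not resolved; callers must not call through such a value.
 */
DWORD myGetApiAddr(HMODULE hModuleBaseAddr, PSTR lpApi)
{
    const unsigned char *base = (const unsigned char *)hModuleBaseAddr;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeader;
    PIMAGE_DATA_DIRECTORY pExportEntry;
    PIMAGE_EXPORT_DIRECTORY pExportDir;
    PDWORD nameRvas;
    PDWORD functionRvas;
    PWORD nameOrdinals;
    DWORD i;

    if (base == NULL || lpApi == NULL)
        return 0;

    pDosHeader = (PIMAGE_DOS_HEADER)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)   /* "MZ" */
        return 0;
    pNtHeader = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)   /* "PE\0\0" */
        return 0;

    /* Export directory is DataDirectory[0]; a module without exports has
     * RVA 0, and a stripped optional header may not even carry the slot. */
    if (pNtHeader->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
        return 0;
    pExportEntry = &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (pExportEntry->VirtualAddress == 0 || pExportEntry->Size == 0)
        return 0;
    pExportDir = (PIMAGE_EXPORT_DIRECTORY)(base + pExportEntry->VirtualAddress);

    /* All three tables contain RVAs (or indexes), never absolute pointers;
     * everything is rebased against the module base. */
    nameRvas     = (PDWORD)(base + pExportDir->AddressOfNames);
    functionRvas = (PDWORD)(base + pExportDir->AddressOfFunctions);
    nameOrdinals = (PWORD)(base + pExportDir->AddressOfNameOrdinals);

    for (i = 0; i < pExportDir->NumberOfNames; i++) {
        const char *pName = (const char *)(base + nameRvas[i]);
        if (strcmp(pName, lpApi) == 0) {
            /* nameOrdinals[i] is already the zero-based index into the
             * function table; no Base adjustment belongs here. */
            WORD index = nameOrdinals[i];
            if (index >= pExportDir->NumberOfFunctions)
                return 0;   /* corrupt table rather than an out-of-bounds read */
            return (DWORD)(base + functionRvas[index]);
        }
    }
    return 0;
}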
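/*
 * Locate kernel32.dll's base address through the PEB loader data, without
 * calling any API (so nothing lands in the import table).
 *
 * Walks PEB->Ldr->InMemoryOrderModuleList and matches each entry's
 * BaseDllName against "kernel32.dll" case-insensitively. The previous
 * version simply took the third list entry (exe, ntdll, kernel32); that
 * order is a loader implementation detail, not a contract, and on a process
 * where it does not hold the third entry's base would have been handed to
 * myGetApiAddr as if it were kernel32.
 *
 * The offsets below are the 32-bit (x86) layouts of PEB, PEB_LDR_DATA and
 * LDR_DATA_TABLE_ENTRY; the fs:[0x30] TEB->PEB read is MSVC x86 inline asm.
 * Neither works as-is for a 64-bit build.
 *
 * Returns kernel32's DllBase, or NULL if no module with that name is loaded.
 */
HMODULE getKernel32BaseAddrByPEB()
{
    /* x86 structure offsets (undocumented, but stable across NT releases). */
    enum {
        PEB_LDR                = 0x0c, /* PEB.Ldr                               */
        LDR_IN_MEMORY_ORDER    = 0x14, /* PEB_LDR_DATA.InMemoryOrderModuleList  */
        /* The following are relative to LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
         * (entry + 8), which is what the list links point at.               */
        ENTRY_DLL_BASE         = 0x10, /* DllBase                               */
        ENTRY_FULL_NAME_BUFFER = 0x20, /* FullDllName.Buffer                    */
        ENTRY_BASE_NAME_LENGTH = 0x24, /* BaseDllName.Length (bytes, no NUL)    */
        ENTRY_BASE_NAME_BUFFER = 0x28  /* BaseDllName.Buffer                    */
    };
    static const wchar_t target[] = L"kernel32.dll";
    const size_t targetLen = sizeof(target) / sizeof(target[0]) - 1;
    PVOID pPeb = NULL;
    DWORD pLdr;
    DWORD listHead;
    DWORD cur;

    __asm
    {
        mov eax, fs:[0x30]
        mov pPeb, eax
    }
    pLdr = *(PDWORD)((DWORD)pPeb + PEB_LDR);
    listHead = pLdr + LDR_IN_MEMORY_ORDER;

    /* Circular doubly-linked list: the head's Flink is the first entry and
     * the walk ends when a Flink points back at the head. */
    for (cur = *(PDWORD)listHead; cur != listHead; cur = *(PDWORD)cur) {
        unsigned short nameBytes = *(unsigned short *)(cur + ENTRY_BASE_NAME_LENGTH);
        const wchar_t *name = *(const wchar_t **)(cur + ENTRY_BASE_NAME_BUFFER);
        size_t k;

        /* Length is in bytes and excludes the terminator; reject early on
         * a size mismatch so the compare below never runs past the name. */
        if (name == NULL || nameBytes / sizeof(wchar_t) != targetLen)
            continue;

        /* ASCII-only case fold: BaseDllName is "KERNEL32.DLL" on current
         * Windows, "kernel32.dll" on older ones. */
        for (k = 0; k < targetLen; k++) {
            wchar_t c = name[k];
            if (c >= L'A' && c <= L'Z')
                c = (wchar_t)(c - L'A' + L'a');
            if (c != target[k])
                break;
        }
        if (k == targetLen) {
            PVOID baseAddr = *(PVOID *)(cur + ENTRY_DLL_BASE);
            const wchar_t *fullName = *(const wchar_t **)(cur + ENTRY_FULL_NAME_BUFFER);
            /* %ls is the wide-string conversion in both MSVC and ISO C;
             * %p is the only defined way to print a pointer (the old %x
             * passed a pointer for an unsigned int). */
            wprintf(L"FullDllName is %ls\n", fullName);
            printf("BaseAddress is %p\n", baseAddr);
            return (HMODULE)baseAddr;
        }
    }
    return NULL;
}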
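/*
 * Call MessageBoxA without LoadLibraryA / GetProcAddress / MessageBoxA
 * appearing in this image's import table: kernel32 is found through the
 * PEB, GetProcAddress through kernel32's export table, and everything else
 * through GetProcAddress.
 *
 * Every resolution step is checked before the resulting pointer is called.
 * In the previous version a NULL from getKernel32BaseAddrByPEB, myGetApiAddr
 * or GetProcAddress became a call through address 0. user32.dll is now
 * released with FreeLibrary (resolved the same way) once the message box
 * returns, which the old code left as a TODO.
 *
 * Note for defenders: PEB walking plus manual export-table parsing is the
 * API-resolution pattern shellcode and packers use, so this program is a
 * handy fixture for exercising detection logic; it is not a technique
 * ordinary application code should adopt.
 */
void _dynamicCallApi()
{
    /* Function-pointer types must match the real prototypes exactly (WINAPI
     * = __stdcall on x86), otherwise the stack is unbalanced on return. */
    typedef FARPROC(WINAPI *ApiGetProcAddress_t)(HMODULE, PSTR);
    typedef HMODULE(WINAPI *ApiLoadLibraryA_t)(PSTR);
    typedef int(WINAPI *ApiFreeLibrary_t)(HMODULE);          /* returns BOOL */
    typedef int(WINAPI *ApiMessageBoxA_t)(HWND, PSTR, PSTR, UINT);

    HMODULE hKernel32;
    HMODULE hUser32;
    ApiGetProcAddress_t pGetProcAddress;
    ApiLoadLibraryA_t pLoadLibraryA;
    ApiFreeLibrary_t pFreeLibrary;
    ApiMessageBoxA_t pMessageBoxA;

    hKernel32 = getKernel32BaseAddrByPEB();
    if (hKernel32 == NULL) {
        printf("kernel32.dll not found in the PEB module list\n");
        return;
    }

    /* Bootstrap step: the only export resolved by hand. From here on the
     * real GetProcAddress does the work (and handles forwarders for us). */
    pGetProcAddress = (ApiGetProcAddress_t)myGetApiAddr(hKernel32, "GetProcAddress");
    if (pGetProcAddress == NULL) {
        printf("GetProcAddress not found in kernel32 exports\n");
        return;
    }

    pLoadLibraryA = (ApiLoadLibraryA_t)pGetProcAddress(hKernel32, "LoadLibraryA");
    pFreeLibrary  = (ApiFreeLibrary_t)pGetProcAddress(hKernel32, "FreeLibrary");
    if (pLoadLibraryA == NULL || pFreeLibrary == NULL) {
        printf("LoadLibraryA / FreeLibrary not found in kernel32\n");
        return;
    }

    hUser32 = pLoadLibraryA("user32.dll");
    if (hUser32 == NULL) {
        printf("LoadLibraryA(\"user32.dll\") failed\n");
        return;
    }

    pMessageBoxA = (ApiMessageBoxA_t)pGetProcAddress(hUser32, "MessageBoxA");
    if (pMessageBoxA != NULL)
        pMessageBoxA(NULL, "aaaa", "bbbb", MB_OK);
    else
        printf("MessageBoxA not found in user32\n");

    /* Balance the LoadLibraryA reference taken above. */
    pFreeLibrary(hUser32);
}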
/* Program entry point (TCHAR flavour). Command-line arguments are not
 * used; the whole demo lives in _dynamicCallApi(). */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    _dynamicCallApi();
    return 0;
}
不生成导入表调用API函数