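;qexit.asm
; #########################################################################
; sunwang<sunwangme@hotmail.com>
;
; Minimal PE entry stub.  `start` is the image entry point; it hands control
; to the C function mainentry (the cquit source in this package).  Nothing is
; imported here on purpose: mainentry locates kernel32 through the PEB and
; resolves the APIs it needs from the export directory, then normally ends
; the process itself via ExitProcess, so the call below is not expected to
; return.
;
; ABI:   32-bit flat model, stdcall default.  mainentry is declared with the
;        C convention so the call assembles to _mainentry with an empty,
;        caller-owned argument area.
; Out:   eax = mainentry's return value (only if it returns).
; #########################################################################
.386
.model flat, stdcall
option casemap :none                    ; symbol names are case sensitive
mainentry PROTO C
; #########################################################################
.code
start:
        call    mainentry               ; normally does not return (ExitProcess)
        ret                             ; reached only when mainentry could not
                                        ; resolve or call ExitProcess: return to
                                        ; whatever invoked the entry point with
                                        ; eax as the status instead of executing
                                        ; whatever bytes follow this stub
; #########################################################################
end start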
//cquit.cpp
//beauty,where are you?
//sunwang<sunwangme@hotmail.com>
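/* PE32 field offsets used by the export-name resolver below.  Only the fields
 * actually read here are named; values follow the PE/COFF layout. */
#define PE_DOS_E_LFANEW              0x3c        /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_SIGNATURE                 0x00004550u /* "PE\0\0" */
#define PE32_EXPORT_DIR_RVA          0x78        /* NT headers -> DataDirectory[EXPORT].VirtualAddress */
#define EXP_NUMBER_OF_FUNCTIONS      0x14        /* IMAGE_EXPORT_DIRECTORY.NumberOfFunctions */
#define EXP_NUMBER_OF_NAMES          0x18        /* IMAGE_EXPORT_DIRECTORY.NumberOfNames */
#define EXP_ADDRESS_OF_FUNCTIONS     0x1c        /* RVA of DWORD[NumberOfFunctions] */
#define EXP_ADDRESS_OF_NAMES         0x20        /* RVA of DWORD[NumberOfNames] (RVAs of NUL-terminated names) */
#define EXP_ADDRESS_OF_NAME_ORDINALS 0x24        /* RVA of WORD[NumberOfNames] (index into AddressOfFunctions) */

/* Read a 32-bit / 16-bit value at (base + off).  `base` is a process virtual
 * address carried in an unsigned int, so this file is 32-bit only. */
static unsigned int Rd32(unsigned int base, unsigned int off)
{
    return *(const unsigned int *)(base + off);
}

static unsigned short Rd16(unsigned int base, unsigned int off)
{
    return *(const unsigned short *)(base + off);
}

/* Non-zero when the NUL-terminated export `name` is exactly the first `flen`
 * bytes of `wanted`.  A longer export that merely starts with `wanted`
 * (e.g. FreeLibraryAndExitThread when asking for FreeLibrary) is rejected,
 * which is the case the old `rep cmpsb`-only comparison got wrong. */
static int ExportNameEquals(const char *name, const char *wanted, int flen)
{
    int k;
    for (k = 0; k < flen; k++) {
        /* A NUL in `name` before flen mismatches `wanted` (non-NUL), so the
           loop never reads past the export name's terminator. */
        if (name[k] != wanted[k])
            return 0;
    }
    return name[flen] == '\0';
}

/*
 * GetFunctionByName - resolve an export of a module already mapped in this
 * process by walking its export directory (no GetProcAddress involved).
 *
 * ImageBase: base address of the mapped module (e.g. from the PEB loader list).
 * FuncName:  export name to look up; does not need to be NUL-terminated.
 * flen:      length of FuncName in bytes.
 * Returns:   absolute address of the export, or 0 when ImageBase is 0, the
 *            image does not carry a "PE\0\0" signature, it has no export
 *            directory, the name is not exported, or the export table is
 *            inconsistent (ordinal beyond NumberOfFunctions).
 *
 * Compared with the original inline-asm walk this fixes three defects:
 *  - the loop bound is NumberOfNames, not NumberOfFunctions (the name array
 *    is only NumberOfNames long; modules with ordinal-only exports have more
 *    functions than names, so the old bound over-read the array);
 *  - the name index is mapped through AddressOfNameOrdinals before indexing
 *    AddressOfFunctions, instead of being used as the function index directly;
 *  - the name match requires the export's terminating NUL (see above).
 * Forwarded exports (RVA pointing back into the export section) are not
 * detected, as before; the caller receives the forwarder string's address.
 */
unsigned int __cdecl GetFunctionByName(unsigned int ImageBase, const char *FuncName, int flen)
{
    unsigned int pe, exp_rva, exp;
    unsigned int func_count, name_count, funcs_rva, names_rva, ordinals_rva;
    unsigned int i;

    if (ImageBase == 0 || FuncName == 0 || flen < 0)
        return 0;

    pe = ImageBase + Rd32(ImageBase, PE_DOS_E_LFANEW);
    if (Rd32(pe, 0) != PE_SIGNATURE)
        return 0;                                   /* not a PE image at this base */

    exp_rva = Rd32(pe, PE32_EXPORT_DIR_RVA);
    if (exp_rva == 0)
        return 0;                                   /* module exports nothing */
    exp = ImageBase + exp_rva;

    func_count   = Rd32(exp, EXP_NUMBER_OF_FUNCTIONS);
    name_count   = Rd32(exp, EXP_NUMBER_OF_NAMES);
    funcs_rva    = Rd32(exp, EXP_ADDRESS_OF_FUNCTIONS);
    names_rva    = Rd32(exp, EXP_ADDRESS_OF_NAMES);
    ordinals_rva = Rd32(exp, EXP_ADDRESS_OF_NAME_ORDINALS);

    for (i = 0; i < name_count; i++) {
        const char *name = (const char *)(ImageBase + Rd32(ImageBase + names_rva, i * 4));
        unsigned int ord;

        if (!ExportNameEquals(name, FuncName, flen))
            continue;

        /* Names are sorted independently of the function table; the ordinal
           array is the bridge from name index to function-table index. */
        ord = Rd16(ImageBase + ordinals_rva, i * 2);
        if (ord >= func_count)
            return 0;                               /* corrupt/inconsistent export table */
        return ImageBase + Rd32(ImageBase + funcs_rva, ord * 4);
    }
    return 0;                                       /* not exported by name */
}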
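/* Stdcall signatures of the exports this program calls.  Calling through a
 * typed pointer lets the compiler emit the push/call sequence and rely on the
 * callee's stack cleanup, which the original inline-asm blocks spelled out by
 * hand.  windows.h is deliberately not used: the binary links no import
 * library and resolves everything at run time. */
typedef unsigned int (__stdcall *LoadLibraryA_fn)(const char *lpLibFileName);
typedef int          (__stdcall *FreeLibrary_fn)(unsigned int hLibModule);
typedef int          (__stdcall *MessageBoxA_fn)(unsigned int hWnd, const char *lpText,
                                                 const char *lpCaption, unsigned int uType);
typedef void         (__stdcall *ExitProcess_fn)(unsigned int uExitCode);

/*
 * mainentry - the real program, called from the asm entry stub (qexit.asm).
 *
 * Finds kernel32.dll through the PEB, resolves LoadLibraryA / FreeLibrary /
 * ExitProcess from its export directory, loads user32.dll, shows a message
 * box, unloads user32 and terminates the process.
 *
 * Returns 1 only when a required address could not be resolved; every call
 * site checks for 0 first so a failed lookup no longer becomes a call through
 * a null pointer.  32-bit Windows only (fs:[30h] PEB access, unsigned-int
 * pointers).  The loader-list order assumed below (exe, ntdll, kernel32) is a
 * loader convention rather than a documented contract.
 *
 * NOTE(review): import-free PEB walking plus export-directory parsing is the
 * same pattern security tooling uses as a heuristic for shellcode-style API
 * resolution; expect the resulting binary to be flagged, and a defender
 * reading this should recognise the shape rather than the strings.
 */
int __cdecl mainentry(void)
{
    unsigned int kernel32imagebase = 0;
    unsigned int user32imagebase = 0;
    LoadLibraryA_fn pLoadLibraryA;
    FreeLibrary_fn  pFreeLibrary;
    MessageBoxA_fn  pMessageBoxA;
    ExitProcess_fn  pExitProcess;
    char title[]   = "&&*U( sunwang need beauty %^%&*";
    char caption[] = "hack";
    char user32[]  = "user32";

    /* kernel32 base: PEB -> Ldr -> InLoadOrderModuleList, third entry.
       The compiler treats eax as scratch inside __asm, so no push/pop. */
    __asm
    {
        mov eax, fs:[30h]        ; PEB
        mov eax, [eax+0ch]       ; PEB.Ldr
        mov eax, [eax+0ch]       ; Ldr.InLoadOrderModuleList.Flink: the .exe entry
        mov eax, [eax]           ; next entry: ntdll.dll
        mov eax, [eax]           ; next entry: kernel32.dll (assumed order)
        mov eax, [eax+18h]       ; LDR_DATA_TABLE_ENTRY.DllBase
        mov kernel32imagebase, eax
    }
    if (kernel32imagebase == 0)
        return 1;

    pLoadLibraryA = (LoadLibraryA_fn)GetFunctionByName(kernel32imagebase, "LoadLibraryA", 12);
    /* FreeLibrary has no A/W variants; "FreeLibraryA" can never be the exact
       export name and only ever matched a longer export by prefix. */
    pFreeLibrary  = (FreeLibrary_fn)GetFunctionByName(kernel32imagebase, "FreeLibrary", 11);
    pExitProcess  = (ExitProcess_fn)GetFunctionByName(kernel32imagebase, "ExitProcess", 11);
    if (pLoadLibraryA == 0 || pExitProcess == 0)
        return 1;                                   /* cannot proceed without these */

    user32imagebase = pLoadLibraryA(user32);
    if (user32imagebase != 0) {
        pMessageBoxA = (MessageBoxA_fn)GetFunctionByName(user32imagebase, "MessageBoxA", 11);
        if (pMessageBoxA != 0)
            pMessageBoxA(0, title, caption, 0);     /* hWnd = 0, uType = 0 (MB_OK) */
        if (pFreeLibrary != 0)
            pFreeLibrary(user32imagebase);
    }

    pExitProcess(0);
    return 1;                                       /* not reached when ExitProcess succeeds */
}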
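:: makefile.bat
:: Builds qexit.exe from the asm entry stub and the C source.  Every tool
:: invocation is checked so a failed assemble/compile does not fall through
:: to a link against stale or missing objects.  The C source is compiled as
:: cquit.c; keep that name in sync with the listing's own header.
@echo off
if exist qexit.obj del qexit.obj
if exist cquit.obj del cquit.obj
if exist qexit.exe del qexit.exe

/masm32/bin/ml /c /coff /nologo qexit.asm
if errorlevel 1 goto fail

cl /c /nologo cquit.c
if errorlevel 1 goto fail

:: /MERGE:.rdata=.text folds the read-only data into the code section so the
:: image has a single section; no import library is linked on purpose.
/masm32/bin/Link /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text qexit.obj cquit.obj
if errorlevel 1 goto fail

echo Build succeeded: qexit.exe
pause
exit /b 0

:fail
echo Build failed (see the error above).
pause
exit /b 1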