1. kernel32.ExpandEnvironmentStringsA 可以把 "%USERPROFILE%\a.exe" 扩展成用户目录下的完整路径, 如 "C:\Documents and Settings\Administrator\a.exe"; 这在一些 shellcode 中可能会见到。
2. 获取当前指令地址 (EIP) 的技巧:
00122528 E8 00000000 call 0012252D
0012252D 58 pop eax
3. 一段精彩的修改 IAT (导入地址表) 的代码 (反编译器输出):
// Decompiler (Hex-Rays-style) output; local names, types and the "// eax@1"
// annotations are the decompiler's, not the author's.
//
// Walks the import directory of the current process's main module and, for the
// user32.dll descriptor only, overwrites two IAT slots -- RegisterClassExW and
// CreateWindowExW -- with the addresses of sub_4019EF / sub_402228 (both defined
// elsewhere in this binary). All offsets are for a 32-bit (PE32) image.
//
// Returns: the Name RVA of the import descriptor on which the loop stopped
// (0 when the null terminator descriptor was reached).
//
// Analyst notes: the INT walk does not test IMAGE_ORDINAL_FLAG, so an import by
// ordinal in user32.dll would be dereferenced as if it were a name RVA. The two
// VirtualProtect calls around each 4-byte write are the observable footprint of
// the hook: after it runs, those IAT slots point into the main image instead of
// into user32.dll, which is what an IAT-integrity check would flag.
int __cdecl sub_402369()
{
int result; // eax@1
int pIID; // ebx@1
HMODULE hmodule2; // esi@1
HMODULE hModule; // eax@1
int OrigianlFirstThunk; // edi@3
void *FirstThunk; // esi@3
HMODULE i; // [sp+8h] [bp-8h]@1
DWORD flOldProtect; // [sp+Ch] [bp-4h]@5
hModule = GetModuleHandleW(0); // NULL -> image base of the calling process's executable
hmodule2 = hModule;
// e_lfanew lives at byte offset 0x3C (= 15 DWORDs) of the DOS header; 0x80 into
// the NT headers is DataDirectory[1].VirtualAddress (the import table) for an
// IMAGE_OPTIONAL_HEADER32. Each RVA is rebased by adding the image base.
pIID = (int)((char *)hModule + *(_DWORD *)((char *)hModule + *((_DWORD *)hModule + 15) + 128));// pointer to the IMAGE_IMPORT_DESCRIPTOR array
result = *(_DWORD *)(pIID + 0xC); // IID.Name RVA; 0 marks the terminating descriptor
for ( i = hmodule2; result; pIID += 0x14u ) // sizeof(IMAGE_IMPORT_DESCRIPTOR) == 0x14; i is never reassigned after this
{
if ( !stricmp((const char *)hmodule2 + result, "user32.dll") ) // case-insensitive match on the DLL name
{
OrigianlFirstThunk = (int)((char *)hmodule2 + *(_DWORD *)pIID); // IID.OriginalFirstThunk (INT) at +0
FirstThunk = (char *)i + *(_DWORD *)(pIID + 16); // IID.FirstThunk (IAT) at +0x10
while ( *(_DWORD *)OrigianlFirstThunk ) // INT is zero-terminated; INT and IAT are walked in lockstep
{
// +2 skips IMAGE_IMPORT_BY_NAME.Hint (a WORD) to reach the ASCII function name.
// NOTE(review): no IMAGE_ORDINAL_FLAG (high bit) check before this dereference.
if ( !stricmp((const char *)i + *(_DWORD *)OrigianlFirstThunk + 2, "RegisterClassExW") )
{
VirtualProtect(FirstThunk, 4u, 0x40u, &flOldProtect);// 0x40 = PAGE_EXECUTE_READWRITE on the 4-byte IAT slot
*(_DWORD *)FirstThunk = sub_4019EF; // overwrite the IAT slot with the local replacement
VirtualProtect(FirstThunk, 4u, flOldProtect, &flOldProtect);// restore the original page protection
}
if ( !stricmp((const char *)i + *(_DWORD *)OrigianlFirstThunk + 2, "CreateWindowExW") )
{
VirtualProtect(FirstThunk, 4u, 0x40u, &flOldProtect); // same protect/write/restore sequence as above
*(_DWORD *)FirstThunk = sub_402228;
VirtualProtect(FirstThunk, 4u, flOldProtect, &flOldProtect);
}
OrigianlFirstThunk += 4; // next INT entry (4-byte thunks, 32-bit image)
FirstThunk = (char *)FirstThunk + 4; // next IAT slot
}
hmodule2 = i; // decompiler artifact: i == hmodule2 throughout, so this is a no-op
}
result = *(_DWORD *)(pIID + 0x20); // Name RVA of the *next* descriptor (0x14 + 0xC), read before pIID advances
}
return result;
}