从[esp]获取kernel32中call 指令push的返回地址, 即应用程序返回后的地址
RtlExitUserThread, 有些是 ExitThread.
拿到这个地址就拿到了kernel32空间的某个值, 模块地址64k对齐,去掉低2个字节来对齐.
然后依次减64k寻找
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include msvcrt.inc
includelib msvcrt.lib
.data
; 256-byte scratch buffer (the code that fills it lies outside this view).
buffer db 256 dup(0)
; Receives the kernel32 image base once the downward 64 KiB scan described
; in the header notes finds it (identifier spelling kept as-is; presumably
; referenced by code below).
kernerl32_module dd 0
.const
; printf-style format: "addr : %08x" followed by CRLF (msvcrt is linked above).
szText db 'addr : %08x',0dh,0ah,0
.code
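IFNDEF EXCEPTION_UNWINDING
EXCEPTION_UNWINDING equ 2
ENDIF
IFNDEF ExceptionContinueSearch
ExceptionContinueSearch equ 1
ENDIF
;-----------------------------------------------------------------------
; EXCEPTION_DISPOSITION seh_handler(EXCEPTION_RECORD *pExceptionRecord,
;                                   void *pSehStack, CONTEXT *pContext,
;                                   void *DispatcherContext)
; Frame-based SEH handler used while probing memory: on an exception it
; rewrites the faulting thread's CONTEXT so execution resumes at a
; pre-recorded safe point instead of re-executing the faulting access.
; In:    pSehStack = address of the EXCEPTION_REGISTRATION record installed
;        by the probing code (outside this view). This handler expects
;        [pSehStack+8]   = EIP to resume at
;        [pSehStack+0ch] = EBP to restore
;        and resets ESP to pSehStack itself.
; Out:   eax = ExceptionContinueExecution after patching the context, or
;        ExceptionContinueSearch when invoked for an unwind pass (the
;        context handed over during unwinding must not be modified).
; Clobb: eax, flags (pushad/popad preserve the other general registers).
; Note:  every exception code is resumed the same way; only the unwind
;        pass is filtered. A check of ExceptionCode would be needed to let
;        unrelated exceptions (e.g. breakpoints) propagate instead.
;-----------------------------------------------------------------------
seh_handler proc C pExceptionRecord, pSehStack, pContext, DispatcherContext
        ; Unwind pass: the dispatcher is tearing frames down; decline and
        ; leave the context untouched.
        mov     eax, pExceptionRecord
        assume  eax:ptr EXCEPTION_RECORD
        test    [eax].ExceptionFlags, EXCEPTION_UNWINDING
        assume  eax:nothing
        jnz     unwinding

        pushad
        assume  esi:ptr CONTEXT
        mov     esi, pContext
        mov     edx, pSehStack
        ; Resume point and frame pointer come from the registration frame.
        mov     eax, [edx+8]
        mov     [esi].regEip, eax
        mov     eax, [edx+0ch]
        mov     [esi].regEbp, eax
        mov     [esi].regEsp, edx       ; stack cut back to the SEH frame itself
        assume  esi:nothing
        popad
        mov     eax, ExceptionContinueExecution
        ret

unwinding:
        mov     eax, ExceptionContinueSearch
        ret
seh_handler endp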
isPe proc mem:dword
local ok:dword
pushad
mov ok,0
mov esi,mem
.if esi == 0
jmp done
.endif
assume esi:ptr