// Locate the kernel32.dll image base via the PEB, then walk its export table
// to find the entry for GetProcAddress.
// Target: 32-bit Windows, MSVC inline-asm style (`//` comments, `3ch` hex).
// Register roles at the end of this span (the computation continues past it):
//   edi, ebp = kernel32.dll image base      edx = IMAGE_EXPORT_DIRECTORY (VA)
//   cx       = ordinal of the matched name  ebx = AddressOfFunctions table (VA)
// Clobbers eax, ecx, esi; all registers are saved by the pushad below and are
// presumably restored by a matching popad later -- confirm in the caller.
pushad
// --- Step 1: kernel32.dll base address from the loader module list ---
mov eax, fs:0x30 // fs:[0x30] in the TEB holds the PEB pointer
mov eax, [eax + 0x0c] // PEB->Ldr (PEB_LDR_DATA)
mov esi, [eax + 0x1c] // Ldr->InInitializationOrderModuleList.Flink (first entry)
lodsd // eax = first entry's Flink, i.e. the SECOND entry (esi += 4, unused)
mov eax, [eax + 0x08] // DllBase of that entry (8 bytes past its InInitOrder link)
// NOTE(review): this assumes the second module in InInitializationOrderModuleList
// is kernel32.dll. That holds on Windows XP/2003; on Windows 7 and later that slot
// is typically KernelBase.dll, so eax may not be kernel32 there -- verify on target.
mov edi, eax // keep the base in edi as well (not touched by the loop below)
mov ebp, eax // ebp = image base, used for every RVA -> VA conversion
// --- Step 2: export directory of kernel32.dll ---
mov eax, [ebp + 3ch] // e_lfanew: RVA of the PE header
mov edx, [ebp + eax + 78h] // DataDirectory[0].VirtualAddress (export table RVA)
add edx, ebp // edx = IMAGE_EXPORT_DIRECTORY (VA)
mov ecx, [edx + 18h] // NumberOfNames
mov ebx, [edx + 20h] // AddressOfNames (RVA)
add ebx, ebp // ebx = AddressOfNames (VA): array of name RVAs
// --- Step 3: scan the name table backwards for "GetProcAddress" ---
// Loop invariant: ecx is the index of the next name to test, counting down
// from NumberOfNames-1. Only the first 8 bytes ("GetProcA") are compared.
search:
dec ecx // ecx--; the first iteration tests the last name
mov esi, [ebx + ecx * 4] // RVA of name[ecx]
add esi, ebp // esi = name[ecx] (VA)
mov eax, 0x50746547 // "GetP" as a little-endian dword ('G','e','t','P')
cmp [esi], eax // bytes 0..3 == "GetP" ?
jne search
mov eax, 0x41636f72 // "rocA" as a little-endian dword ('r','o','c','A')
cmp [esi + 4], eax // bytes 4..7 == "rocA" ?
jne search // loop until a name starting with "GetProcA" is found
// NOTE(review): there is no lower bound on ecx. If no export matches, dec ecx
// wraps past zero and the loop reads out of bounds / faults instead of failing
// cleanly. The 8-byte compare would also accept any other export whose name
// begins with "GetProcA" -- check the export list of the target kernel32.
// --- Step 4: name index -> ordinal -> function address ---
mov ebx, [edx + 24h] // AddressOfNameOrdinals (RVA)
add ebx, ebp // ebx = AddressOfNameOrdinals (VA): array of WORDs
mov cx, [ebx + ecx * 2] // cx = ordinal for name[ecx]; only the low 16 bits of ecx are
                        // written, the upper 16 keep the index's upper bits (zero while
                        // NumberOfNames < 65536) -- partial-register write, intentional
mov ebx, [edx + 1ch] // AddressOfFunctions (RVA)
add ebx, ebp // ebx = AddressOfFunctions (VA); indexing by the ordinal continues past this span