通过 PEB 获得 kernel32 基址
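/*
 * Locate kernel32.dll's base address by walking the PEB loader data instead
 * of calling GetModuleHandle(). 32-bit x86 only: fs:[0x30] is the PEB slot
 * of the 32-bit TEB, and every constant below is the 32-bit layout of
 * undocumented loader structures (stable in practice, not a public contract):
 *   pPeb  + 0x0c  -> PEB.Ldr
 *   pLdr  + 0x14  -> PEB_LDR_DATA.InMemoryOrderModuleList.Flink
 *   link  + 0x10  -> LDR_DATA_TABLE_ENTRY.DllBase (offset measured from the
 *                    InMemoryOrderLinks field the list links point at)
 *   link  + 0x20  -> LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
 * The third entry of InMemoryOrderModuleList is assumed to be kernel32
 * (executable, ntdll, kernel32). That ordering is loader convention, so the
 * caller should check the module it gets back; FullDllName is printed for
 * exactly that purpose.
 *
 * Returns the base address as a DWORD, or 0 if any pointer on the path is
 * NULL (the original dereferenced unconditionally).
 */
DWORD getKernel32BaseAddrByPEB()
{
    PVOID pPeb = NULL;
    PVOID pLdr = NULL;
    PVOID pEntry = NULL;
    PVOID BaseAddr = NULL;
    PVOID pFullName = NULL;
    int step = 0;

    __asm
    {
        mov eax, fs:[0x30]
        mov pPeb, eax
    }
    if (pPeb == NULL) {
        return 0;
    }

    pLdr = (PVOID)*((PDWORD)((DWORD)pPeb + 0x0c));
    if (pLdr == NULL) {
        return 0;
    }

    /* Head of InMemoryOrderModuleList; each Flink points at the
     * InMemoryOrderLinks field of the next LDR_DATA_TABLE_ENTRY. */
    pEntry = (PVOID)*((PDWORD)((DWORD)pLdr + 0x14));

    /* Advance two links: 1st entry = the executable, 2nd = ntdll, 3rd = kernel32. */
    for (step = 0; step < 2; step++) {
        if (pEntry == NULL) {
            return 0;
        }
        pEntry = (PVOID)*((PDWORD)pEntry);
    }
    if (pEntry == NULL) {
        return 0;
    }

    BaseAddr = (PVOID)*((PDWORD)((DWORD)pEntry + 0x10));
    pFullName = (PVOID)*((PDWORD)((DWORD)pEntry + 0x20));

    /* %ls is the wide-string conversion in both C99 and MSVC wprintf (the
     * original's %s is wide only under MSVC). %p for the pointer: passing a
     * pointer to %x is a format/argument type mismatch. */
    wprintf(L"FullDllName is %ls\n",
            pFullName ? (const wchar_t *)pFullName : L"(null)");
    printf("BaseAddress is %p\n", BaseAddr);
    return (DWORD)BaseAddr;
}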
获得函数地址
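/*
 * Minimal GetProcAddress replacement: look lpApi up by name in the export
 * directory of an image that is already mapped at hModuleBaseAddr.
 * 32-bit x86 only (all RVA arithmetic is done in DWORD).
 *
 * hModuleBaseAddr: base address of a mapped PE image, e.g. the value returned
 *                  by getKernel32BaseAddrByPEB().
 * lpApi:           NUL-terminated ASCII export name.
 * Returns the virtual address of the export, or 0 when the base or name is
 * NULL, the image has no valid DOS/NT signature, the image has no export
 * directory, or the name is not exported.
 *
 * Not handled: forwarded exports (an RVA that falls inside the export
 * directory points at a "DLL.Func" string, not code) and lookup by ordinal.
 * Callers must not use the result without checking it is non-zero.
 *
 * Fix over the original: AddressOfNameOrdinals holds zero-based indices into
 * AddressOfFunctions, already unbiased by Base. The original added Base-1,
 * which only happens to work for images whose ordinal base is 1. The
 * per-name printf that dumped the whole export table was also dropped.
 */
DWORD myGetProcessAddr(DWORD hModuleBaseAddr, PCSTR lpApi)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeader = NULL;
    PIMAGE_EXPORT_DIRECTORY pExportDir = NULL;
    PDWORD AddrOfName = NULL;
    PDWORD AddrOfFunction = NULL;
    PWORD AddrOfOrder = NULL;
    DWORD exportRva = 0;
    DWORD i = 0;

    if (hModuleBaseAddr == 0 || lpApi == NULL) {
        return 0;
    }

    pDosHeader = (PIMAGE_DOS_HEADER)hModuleBaseAddr;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    pNtHeader = (PIMAGE_NT_HEADERS)(hModuleBaseAddr + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }

    /* DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT. An image with no
     * exports has RVA 0 there; without this check the DOS header would be
     * read as an export directory. */
    exportRva = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (exportRva == 0) {
        return 0;
    }
    pExportDir = (PIMAGE_EXPORT_DIRECTORY)(hModuleBaseAddr + exportRva);

    AddrOfName = (PDWORD)(hModuleBaseAddr + pExportDir->AddressOfNames);
    AddrOfFunction = (PDWORD)(hModuleBaseAddr + pExportDir->AddressOfFunctions);
    AddrOfOrder = (PWORD)(hModuleBaseAddr + pExportDir->AddressOfNameOrdinals);

    /* The name table and the name-ordinal table are parallel arrays, so the
     * same index i addresses both. */
    for (i = 0; i < pExportDir->NumberOfNames; i++) {
        PCSTR pName = (PCSTR)(hModuleBaseAddr + AddrOfName[i]);
        if (strcmp(pName, lpApi) == 0) {
            WORD index = AddrOfOrder[i];
            /* Guard against a corrupt table indexing past AddressOfFunctions. */
            if (index >= pExportDir->NumberOfFunctions) {
                return 0;
            }
            return hModuleBaseAddr + AddrOfFunction[index];
        }
    }
    return 0;
}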