Delphi 中内嵌汇编

program GetKernel32;

{$APPTYPE CONSOLE}

//uses
//  SysUtils, Windows;


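{ Locate the image base of the module that owns the *last* handler in the
  thread's SEH chain (kernel32 on the Windows versions this was written
  for). Returns the base address, or 0 when no MZ/PE header is found before
  the scan reaches $70000000 or when the scan faults.

  Register contract (Delphi register convention): result in EAX; EBX and
  ESI are saved and restored. The routine installs its own SEH frame so
  that touching an unmapped page while scanning downward lands on
  @_not_found instead of terminating the process.

  NOTE(review): on newer Windows releases the final SEH handler may belong
  to ntdll rather than kernel32, so the base returned may be ntdll's --
  confirm on the target OS before trusting the name. The $70000000 floor is
  only a heuristic for a non-ASLR 32-bit address space. }
function _GetKernel32: Cardinal;
asm
              push    esi
              push    ebx
              // Build an EXCEPTION_REGISTRATION record on the stack:
              // [esp] = previous record, [esp+4] = our handler.
              push    offset @_e_handler
              push    dword ptr [fs:0]
              mov     [fs:0],esp
              mov     esi,esp
@_search_seh:
              // Follow the 'next' links until one is -1 (end of chain).
              lodsd
              inc     eax
              jz      @_in_krnl
              dec     eax
              xchg    eax,esi
              jmp     @_search_seh
@_in_krnl:
              // ESI now points at the handler field of the last record;
              // that address lies inside the module we are looking for.
              lodsd
              mov     ebx,eax
@_search_krnl:
              // Round down to a 64K boundary (image bases are assumed to
              // be 64K-aligned) and look for a DOS header + PE header.
              xor     bx,bx
              cmp     word ptr [ebx],'ZM'
              jnz     @_not_pe
              mov     eax,[ebx+$3c]
              test    eax,$fffff000     // e_lfanew must stay inside the first page
              jnz     @_not_pe
              // FIX: was 'PE'. Under the same constant packing that makes
              // 'ZM' match the "MZ" bytes above, the PE signature has to be
              // spelled 'EP' (the sibling routine below already does so);
              // the old spelling could not match and every lookup failed.
              cmp     [ebx+eax],'EP'
              jz      @_found_krnl
@_not_pe:
              // Step down one byte; the xor bx,bx at the loop head then
              // snaps to the previous 64K block.
              dec     ebx
              cmp     ebx,$70000000
              jae     @_search_krnl
@_not_found:
              xor     ebx,ebx
@_found_krnl:
              mov     eax,ebx
              // Unlink our SEH record and discard the handler slot.
              pop     dword ptr [fs:0]
              pop     ebx
              pop     ebx
              pop     esi

              ret
@_e_handler:
              // Invoked by the dispatcher on a fault inside the scan.
              // [esp+$0c] is the CONTEXT argument; set its Eip (offset $b8)
              // to @_not_found and return ExceptionContinueExecution (0).
              // ESP at the fault is still our SEH frame, so the epilogue
              // above unwinds it cleanly on resume.
              mov     eax,[esp+$0c]
              mov     [eax+$b8],offset @_not_found
              xor     eax,eax
              ret
end;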

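{ Resolve an export of the module located by _GetKernel32 by name, without
  going through GetProcAddress. Walks IMAGE_EXPORT_DIRECTORY.AddressOfNames,
  then maps the matching index through AddressOfNameOrdinals into
  AddressOfFunctions.

  szProcName -> EAX (Delphi register convention): NUL-terminated ANSI
  export name. Returns the export's address, or nil when the name is
  empty, the module cannot be located, it has no export table, or the
  name is not exported.

  Only names are searched (no ordinal lookup) and forwarded exports are
  not detected -- for a forwarder the value returned points at the
  forwarder string inside the export table, not at code. PE32 layout is
  assumed (32-bit only). EBX/ESI/EDI are preserved. }
function _GetProcByName(szProcName: PChar): Pointer;
asm
              push    ebp
              mov     ebp,esp
              sub     esp,$8            // [ebp-$8] = name, [ebp-$4] = length incl. NUL
              push    ebx
              push    edi
              push    esi

              cld
              mov     [ebp-$8],eax
              mov     edi,eax
              xor     eax,eax
              mov     ecx,$ffffffff
              repnz   scasb             // find the terminating NUL
              not     ecx               // ECX = strlen + 1
              // FIX: keep the terminator in the compared length so that the
              // cmpsb below is an exact match. The old code stored strlen and
              // so matched by prefix ("LoadLibrary" resolved to "LoadLibraryA").
              mov     [ebp-$4],ecx
              dec     ecx
              jz      @_not_found       // empty name: EAX is already 0 -> nil

              call    _GetKernel32
              test    eax,eax           // EAX = image base
              jz      @_not_found

              mov     ebx,[eax+$3c]
              add     ebx,eax           // EBX = IMAGE_NT_HEADERS
              xchg    ebx,eax           // EBX = image base, EAX = IMAGE_NT_HEADERS

              mov     edx,[eax+$78]     // DataDirectory[EXPORT].VirtualAddress
              test    edx,edx
              jz      @_none            // module has no export table
              add     edx,ebx           // EDX = IMAGE_EXPORT_DIRECTORY

              mov     ecx,[edx+$18]     // NumberOfNames
              test    ecx,ecx
              jz      @_none            // nothing to iterate (loop would wrap to -1)
              mov     esi,[edx+$20]
              add     esi,ebx           // ESI = AddressOfNames
@_next:
              lodsd                     // EAX = RVA of the next export name
              push    esi
              lea     esi,[ebx+eax]     // candidate name
              push    ecx
              mov     edi,[ebp-$8]
              mov     ecx,[ebp-$4]
              repz    cmpsb             // strlen+1 bytes, NUL included
              pop     ecx
              pop     esi
              jz      @_found
              loop    @_next
@_none:
              xor     eax,eax
              jmp     @_not_found
@_found:
              // index of the matched name = NumberOfNames - remaining count
              mov     eax,[edx+$18]
              sub     eax,ecx
              shl     eax,1             // word index into AddressOfNameOrdinals
              mov     esi,[edx+$24]
              add     esi,ebx
              movzx   eax,word ptr [esi+eax]
              shl     eax,2             // dword index into AddressOfFunctions
              mov     ecx,[edx+$1c]
              add     ecx,ebx
              mov     eax,[ecx+eax]
              add     eax,ebx           // RVA -> VA
@_not_found:
              pop     esi
              pop     edi
              pop     ebx
              add     esp,$8
              pop     ebp
end;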

 


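{ Self-contained variant of _GetProcByName: the module locator is embedded
  as the local subroutine @__get_krnl32 (reached with CALL, result in EAX),
  so the whole lookup is one position-independent blob. This is the
  version the main program actually uses.

  szProcName -> EAX (Delphi register convention): NUL-terminated ANSI
  export name. Returns the export's address, or nil when the name is
  empty, the module cannot be located, it has no export table, or the
  name is not exported. Ordinals are not supported, forwarded exports are
  not detected, PE32 layout is assumed. EBX/ESI/EDI are preserved.

  NOTE(review): @__get_krnl32 returns the base of whichever module owns the
  final SEH handler; on newer Windows that may be ntdll rather than
  kernel32 -- confirm on the target OS. }
function __get_proc_by_name(szProcName: PChar): pointer;
asm
              { -> EAX function name }
@__get_winapi:
              push    ebp
              mov     ebp,esp
              push    eax               // [ebp-$4] = name
              push    ecx               // [ebp-$8] = length incl. NUL (filled below)
              push    esi
              push    edi
              push    ebx

              xchg    eax,edi           // EDI = name
              // FIX: was 'xor ax,ax', which left the upper half of EAX holding
              // the caller's EDI, so an empty name returned a garbage pointer
              // via the jz below instead of nil.
              xor     eax,eax
              mov     ecx,$ffffffff
              repnz   scasb
              not     ecx               // ECX = strlen + 1
              // FIX: store the length including the NUL so the compare below
              // is exact rather than a prefix match ("LoadLibrary" used to
              // resolve to "LoadLibraryA").
              mov     [ebp-$8],ecx
              dec     ecx
              jz      @_not_found_api   // empty name -> nil
              call    @__get_krnl32
              test    eax,eax
              jz      @_not_found_api

              mov     ebx,[eax+$3c]
              add     ebx,eax           // EBX = IMAGE_NT_HEADERS

              mov     edx,[ebx+$78]     // export directory RVA
              test    edx,edx
              jz      @_no_export       // module has no export table
              add     edx,eax           // EDX = IMAGE_EXPORT_DIRECTORY

              xchg    ebx,eax           // EBX = image base

              mov     ecx,[edx+$18]     // NumberOfNames
              test    ecx,ecx
              jz      @_no_export       // nothing to iterate (loop would wrap)
              mov     esi,[edx+$20]
              add     esi,ebx           // ESI = AddressOfNames
  @_next:
              lodsd                     // EAX = RVA of the next export name
              push    esi
              lea     esi,[ebx+eax]     // candidate name
              push    ecx
              mov     ecx,[ebp-$8]
              mov     edi,[ebp-$4]
              repz    cmpsb             // NUL included: exact match only
              pop     ecx
              pop     esi
              je      @_found_api
              loop    @_next
  @_no_export:
              xor     eax,eax
              jmp     @_not_found_api
  @_found_api:
              mov     eax,[edx+$18]
              sub     eax,ecx           // index of the matched name
              shl     eax,1
              mov     esi,[edx+$24]
              add     esi,ebx           // AddressOfNameOrdinals
              movzx   eax,word ptr [esi+eax]
              shl     eax,2
              mov     ecx,[edx+$1c]
              add     ecx,ebx           // AddressOfFunctions
              mov     eax,[ecx+eax]
              add     eax,ebx           // RVA -> VA

  @_not_found_api:
              pop     ebx
              pop     edi
              pop     esi
              add     esp,$8
              pop     ebp
              jmp     @_exit            // skip over the local subroutine below

@__get_krnl32:
              // Local subroutine: returns in EAX the base of the module that
              // owns the last SEH handler, or 0. Clobbers ESI and EDX (both
              // saved by the caller above). A temporary SEH frame makes a
              // fault during the downward scan resume at @_not_found.
              push    offset @_e_handler
              push    dword ptr [fs:0]
              mov     [fs:0],esp
              mov     esi,esp
  @_visit_seh:
              lodsd                     // 'next' link; -1 marks the chain end
              inc     eax
              jz      @_in_krnl
              dec     eax
              xchg    eax,esi
              jmp     @_visit_seh
  @_in_krnl:
              lodsd                     // handler address of the last record
  @_search_krnl:
              xor     ax,ax             // snap to a 64K boundary
              cmp     word ptr [eax],'ZM'
              jne     @_not_pe
              mov     edx,[eax+$3c]
              test    edx,$fffff000     // e_lfanew must stay inside the first page
              jnz     @_not_pe
              cmp     [eax+edx],'EP'
              je      @_found_krnl
  @_not_pe:
              dec     eax
              cmp     eax,$70000000     // heuristic floor; see NOTE(review) above
              jnb     @_search_krnl
  @_not_found:
              xor     eax,eax
  @_found_krnl:
              pop     dword ptr [fs:0]  // unlink our SEH record
              pop     edx               // discard the handler slot

              ret
  @_e_handler:
              // [esp+$0c] is the CONTEXT argument: redirect its Eip ($b8) to
              // @_not_found and return ExceptionContinueExecution (0).
              mov     eax,[esp+$0c]
              mov     [eax+$b8],offset @_not_found
              xor     eax,eax
              ret
@_exit:
end;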


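var
  _LoadLibrary: function(lpFileName: PChar): Cardinal; stdcall;
  _FreeLibrary: function(hModule: Cardinal): Integer; stdcall;
  _GetProcAddress: function(hModule: Cardinal; lpProcName: PChar): pointer; stdcall;
  _MessageBox: function(hWnd: Cardinal; const lpText, lpCaption: PChar; uType: Cardinal): integer; stdcall;
  hUser32: Cardinal;
begin
  { Demo: bootstrap LoadLibraryA / GetProcAddress / FreeLibrary straight
    out of the export table, then use them to show a MessageBoxA from
    user32. Every resolved pointer is checked before it is called; the
    original code called them unconditionally and would have crashed on a
    nil result (e.g. when the SEH walk lands in ntdll instead of kernel32). }
  @_LoadLibrary := __get_proc_by_name('LoadLibraryA');
  @_FreeLibrary := __get_proc_by_name('FreeLibrary');
  @_GetProcAddress := __get_proc_by_name('GetProcAddress');

  if not (Assigned(_LoadLibrary) and Assigned(_FreeLibrary) and Assigned(_GetProcAddress)) then
    writeln('could not resolve kernel32 exports!')
  else
  begin
    // NOTE(review): a bare DLL name goes through the loader's search order;
    // user32 is normally a KnownDLL, but pass a full path for anything
    // less standard to avoid search-order hijacking.
    hUser32 := _LoadLibrary('user32.dll');
    if hUser32 = 0 then
      writeln('load library is failed!')
    else
    begin
      @_MessageBox := _GetProcAddress(hUser32, 'MessageBoxA');
      if not Assigned(_MessageBox) then
        writeln('MessageBoxA not found!')
      else
        _MessageBox(0, 'Hi everybody! My name is Northwind!', 'Say Hi~~', 0);
      // Release the reference taken by _LoadLibrary even if the lookup failed.
      _FreeLibrary(hUser32);
    end;
  end;
  Readln;
end.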
