贴一份最近写的代码－无引用dll的exe

最新推荐文章于 2024-08-29 15:41:33 发布

sunwang123456

最新推荐文章于 2024-08-29 15:41:33 发布

阅读量3.4k

点赞数

文章标签： exe dll user header windows image

本文链接：https://blog.csdn.net/sunwang123456/article/details/508706

版权

;qexit.asm
; #########################################################################
; sunwang<sunwangme@hotmail.com>
      .386
      .model flat, stdcall
      option casemap :none   ; case sensitive

mainentry PROTO C

; #########################################################################

.code

start:

call mainentry

; #########################################################################

end start

//cquit.cpp
//beauty,where are you?
//sunwang<sunwangme@hotmail.com>

unsigned int __cdecl GetFunctionByName(unsigned int ImageBase,const char*FuncName,int flen)
{
unsigned int FunNameArray,PE,Count=0,*IED;

__asm
{
mov eax,ImageBase
add eax,0x3c  //指向PE头部偏移值e_lfanew
mov eax,[eax]  //取得e_lfanew值
add eax,ImageBase //指向PE header
cmp [eax],0x00004550
jne NotFound  //如果ImageBase句柄有错
mov PE,eax
mov eax,[eax+0x78]
add eax,ImageBase
mov [IED],eax  //指向IMAGE_EXPORT_DIRECTORY
mov eax,[eax+0x20]
add eax,ImageBase
mov FunNameArray,eax//保存函数名称指针数组的指针值
mov ecx,[IED]
mov ecx,[ecx+0x14] //根据引出函数个数NumberOfFunctions设置最大查找次数

FindLoop:
push ecx   //使用一个小技巧,使用程序循环更简单
mov eax,[eax]
add eax,ImageBase
mov esi,FuncName
mov edi,eax
mov ecx,flen  //逐个字符比较,如果相同则为找到函数,注意这里的ecx值
cld
rep cmpsb
jne FindNext  //如果当前函数不是指定的函数则查找下一个
add esp,4   //如果查找成功,则清除用于控制外层循环而压入的Ecx,准备返回
mov eax,[IED]
mov eax,[eax+0x1c]
add eax,ImageBase //获得函数地址表
shl Count,2   //根据函数索引计算函数地址指针=函数地址表基址+(函数索引*4)
add eax,Count
mov eax,[eax]  //获得函数地址相对偏移量
add eax,ImageBase //计算函数真实地址,并通过Eax返回给调用者
jmp Found

FindNext:
inc Count   //记录函数索引
add [FunNameArray],4//下一个函数名指针
mov eax,FunNameArray
pop ecx    //恢复压入的ecx(NumberOfFunctions),进行计数循环
loop FindLoop  //如果ecx不为0则递减并回到FindLoop,往后查找

NotFound:
  xor eax,eax  //如果没有找到,则返回0

Found:
}

}

int __cdecl mainentry(void)
{
unsigned int loadlibaryfunc,freelibaryfunc,mssageboxfunc,exitprocessfunc;
unsigned int kernel32imagebase,user32imagebase;
char title[]="&&*U( sunwang need beauty %^%&*";
char caption[]="hack";
char user32[]="user32";

__asm
{
push eax
mov eax,fs:[30h] ;peb
mov eax,[eax+0ch] ;ldr
mov eax,[eax+0ch] ;InLoadOrderModuleList,*.exe entry
mov eax,[eax] ;ntdll.dll entry
mov eax,[eax] ;kernel32.dll entry
mov eax,[eax+18h]
mov kernel32imagebase,eax ;kernel32.dll baseaddress
pop eax
}

loadlibaryfunc=GetFunctionByName(kernel32imagebase,"LoadLibraryA",12);
freelibaryfunc=GetFunctionByName(kernel32imagebase,"FreeLibraryA",12);
exitprocessfunc=GetFunctionByName(kernel32imagebase,"ExitProcess",11);

__asm
{
lea eax,user32
push eax
call dword ptr loadlibaryfunc
mov user32imagebase,eax
}

mssageboxfunc=GetFunctionByName(user32imagebase,"MessageBoxA",11);

__asm
{
push 0
lea eax,title
lea ebx,caption
push ebx
push eax
push 0
call dword ptr mssageboxfunc
}

__asm
{
push user32imagebase
call dword ptr freelibaryfunc
}

__asm
{
push 0x0
call dword ptr exitprocessfunc
}

return 1;
}
#makefile.bat
@echo off

if exist qexit.obj del qexit.obj
if exist qexit.exe del qexit.exe

/masm32/bin/ml /c /coff /nologo qexit.asm
cl /c /nologo cquit.c

/masm32/bin/Link /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text qexit.obj cquit.obj

pause

sunwang123456

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
1
评论
贴一份最近写的代码－无引用dll的exe

;qexit.asm; #########################################################################; sunwangsunwangme@hotmail.com> .386 .model flat, stdcall option casemap :none ; case sensitive
复制链接

扫一扫