一个获取已加载模块基址的函数

     前面发布的那个函数的改进版本。

//-----------------------------------------------------------------------
// HANDLE __stdcall GetLoadedDllHandle(DWORD hash)
//   Walks PEB->Ldr->InMemoryOrderModuleList and returns the DllBase of the
//   first loaded module whose BaseDllName hashes to `hash`, or NULL if no
//   entry matches. `hash` must be produced the same way CalcStringHash
//   does it: hash = ror32(hash, 13) + unit over every UTF-16 code unit of
//   the name, NUL terminator included, with units >= 0x61 reduced by 0x20.
// ABI:   x86 stdcall, naked -- prologue/epilogue are hand-written and
//        `retn 4` pops the single DWORD argument. 32-bit PEB offsets only.
// In:    [ebp+8] = hash
// Out:   eax = module base (returned as HANDLE) or 0 when not found
// Clobb: eax, edx, flags, DF (cleared); esi/edi/ebx are saved and restored
// Note:  modules are resolved through the loader's own lists rather than
//        GetModuleHandle, so the lookup leaves no import-table trace; the
//        fs:[0x30] walk plus the ror-13 hash loop is the pattern a reviewer
//        or detection rule has to recognise in code like this.
//-----------------------------------------------------------------------
HANDLE  __declspec(naked) __stdcall GetLoadedDllHandle(DWORD hash)
{
	__asm
	{
		push ebp
		mov ebp,esp

		push edi               //callee-saved in stdcall: save before use
		push esi
		push ebx               //ebx is never written below; saved anyway

		cld                    //DF=0 so lodsw walks the name forwards
		mov edx, fs:[0x30]     //TEB->ProcessEnvironmentBlock: edx = PEB
		mov edx, [edx + 0x0C]  //PEB->Ldr (PEB_LDR_DATA*)
		mov edx, [edx + 0x14]  //Ldr->InMemoryOrderModuleList.Flink: edx now points at the
		                       //InMemoryOrderLinks field of the first LDR_DATA_TABLE_ENTRY, so
		                       //the 0x28/0x10 offsets below are relative to that link, not to the entry start

next_mod:
		mov esi, [edx + 0x28]  //esi = BaseDllName.Buffer (UTF-16, NUL-terminated)
		xor eax,eax            //eax = 0: the NULL result if we run off the end of the list
		test esi,esi           //original comment: "once past the last module esi is NULL here"
		                       //NOTE(review): when edx comes back round to the list head inside
		                       //PEB_LDR_DATA this reads 0x28 past a field that is not a module entry,
		                       //so termination relies on that memory happening to be zero; comparing
		                       //edx with the list head (Ldr+0x14) would be the well-defined stop -- confirm
		jz _out

		xor edi, edi           //edi = running hash of the module name
loop_modname:
		xor eax, eax           //clear eax so the 16-bit load below zero-extends into eax
		lodsw                  //ax = next UTF-16 code unit of the name, esi += 2
		cmp ax, 0x0061         //signed compare against 'a'
		jl not_lowercase
		sub ax, 0x20           //fold a-z to A-Z; this also shifts every other unit >= 0x61
		                       //(e.g. '{' or non-ASCII), so matching is case-insensitive for ASCII letters only
not_lowercase:
		ror edi, 13            //rotate the running hash
		add edi, eax           //fold in this code unit (the NUL terminator is folded in as well)
		test ax,ax
		jnz  loop_modname
/*
  Sample values this hash produces for one process's module list
  (as listed by the original author):

  zzz.exe 8D93016D
  ntdll.dll DF956BA6
  kernel32.dll 50BB715E
  KERNELBASE.dll B0CE8C74
  user32.dll 1031956F
  GDI32.dll CF313439
  LPK.dll BA2FCA6
  USP10.dll DE29A518
  msvcrt.dll 21AD939E
  IMM32.DLL D83144B9
  MSCTF.dll DEB56383

		*/
		cmp edi, hash          //compare with the requested hash ([ebp+8]), not with a fixed module
		mov eax, [edx + 0x10]  //eax = DllBase of this entry (mov preserves the flags from cmp)
		mov edx, [edx]         //edx = Flink: advance to the next entry (flags still intact)
		jne next_mod           //no match: keep walking; on a match fall through with eax = base
_out:
		pop ebx
		pop esi
		pop edi
		pop ebp
		retn 4
	}
}

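//-----------------------------------------------------------------------
// DWORD __stdcall CalcStringHash(WCHAR *str)
//   Hashes a NUL-terminated UTF-16 string exactly the way
//   GetLoadedDllHandle hashes module names, so its result can be passed
//   to that routine: for every code unit (NUL terminator included)
//   hash = ror32(hash, 13) + unit, where units >= 0x61 ('a') are first
//   reduced by 0x20. That folds a-z to A-Z but also shifts any other
//   unit >= 0x61, so case-insensitivity only holds for ASCII letters.
// ABI:   x86 stdcall, naked -- prologue/epilogue are hand-written and
//        `retn 4` pops the single argument.
// In:    [ebp+8] = str (non-null, NUL-terminated WCHAR string)
// Out:   eax = 32-bit hash (e.g. L"LPK.dll" -> 0x0BA2FCA6 per the table above)
// Clobb: eax, flags, DF (cleared); esi/edi are saved and restored.
//        ebx is not touched, so it is no longer saved.
// Fix:   `cld` added -- lodsw depends on DF, and GetLoadedDllHandle already
//        clears it rather than trusting the caller's flag state.
//-----------------------------------------------------------------------
DWORD __declspec(naked) __stdcall CalcStringHash(WCHAR *str)
{
	__asm
	{
		push ebp
		mov ebp,esp
		push edi               //callee-saved in stdcall: save before use
		push esi

		cld                    //DF=0 so lodsw walks the string forwards (matches GetLoadedDllHandle)
		mov esi,str            //esi = str ([ebp+8])
		xor edi, edi           //edi = running hash
loop_modname:
		xor eax, eax           //clear eax so the 16-bit load below zero-extends into eax
		lodsw                  //ax = next UTF-16 code unit, esi += 2
		cmp ax, 0x0061         //signed compare against 'a'
		jl not_lowercase
		sub ax, 0x20           //fold to uppercase (also shifts any other unit >= 0x61)
not_lowercase:
		ror edi, 13            //rotate the running hash
		add edi, eax           //fold in this code unit (the NUL terminator is folded in as well)
		test ax,ax
		jnz  loop_modname
		mov eax,edi            //return value: the finished hash

		pop esi
		pop edi
		pop ebp
		retn 4
	}
}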

转载于:https://my.oschina.net/sincoder/blog/118299
