// Inline x86-32 assembly (MSVC __asm, MASM syntax) - PE import-resolver stub.
// Runs inside a mapped PE image: walks that image's import directory, resolves
// every imported name through LoadLibraryA/GetProcAddress (themselves located by
// walking the PEB loader list and kernel32's export directory), writes the IAT,
// then transfers control to a second patched RVA with push/ret.
// Register roles in the main loop: edx = image base (PEB.ImageBaseAddress),
// eax = current IMAGE_IMPORT_DESCRIPTOR (VA), edi = DLL name (VA),
// ebx = current IAT slot (VA), esi = IMAGE_IMPORT_BY_NAME.Name (VA).
// Analyst notes: the fs:[30h] PEB walk, the byte-compare against kernel32's
// export name table and the push/ret transfer are the classic position-
// independent API-resolution patterns that shellcode detectors and emulators
// key on. Correctness depends on exact stack layout and instruction order;
// the comments below describe only what is written here.
_asm
{
push ebp;// save caller's frame pointer
mov ebp,esp;
mov edx,fs:[030h];// TEB+0x30 -> PEB (32-bit process only)
mov edx,[edx+08h];// PEB.ImageBaseAddress -> edx = image base used for every RVA->VA conversion
mov eax,0x11111111;// placeholder: replaced at use time with the import table RVA (IMAGE_IMPORT_DESCRIPTOR array)
add eax,edx;// eax = VA of the first import descriptor
IMPORT:
cmp [eax],0;// descriptor.OriginalFirstThunk == 0 ends the array (assumes real descriptors have a non-zero first field; operand size left implicit)
jz OVER;
mov edi,[eax+0ch];// descriptor.Name = RVA of the DLL name string
add edi,edx;// edi = DLL name VA
mov ebx,[eax+10h];// descriptor.FirstThunk = RVA of this DLL's IAT
add ebx,edx;//IAT: ebx = VA of the first IAT slot
IAT:
mov esi,[ebx];// unbound IAT entry = RVA of IMAGE_IMPORT_BY_NAME (an ordinal import with the high bit set would be treated as an RVA here - not handled)
cmp esi,0;// zero entry ends this DLL's thunk list
jz IMPORT2;
add esi,02h;// skip the 2-byte Hint to reach the NUL-terminated function name
add esi,edx;// esi = function name VA
pushad;// GetProc/FindLocalAddr clobber eax,ebx,ecx,edx,esi,edi; edx (image base) must survive the call
push esi;//ProcName
push edi;//DllName
push ebx;//IAT Addr (slot that receives the resolved address)
call GetProc;
add esp,0ch;// cdecl cleanup of the three arguments
popad;
add ebx,4;// next 4-byte IAT slot
jmp IAT;
IMPORT2:
add eax,014h;// sizeof(IMAGE_IMPORT_DESCRIPTOR) == 0x14 -> next descriptor
jmp IMPORT;
OVER:
mov esp,ebp;// pushes above are already balanced; this just re-establishes esp
pop ebp;
mov eax,0x2222222;// placeholder: replaced at use time with the RVA to continue at (presumably the original entry point; literal has 7 hex digits but the encoded imm32 is still 4 bytes)
add eax,edx;// edx still holds the image base (preserved across GetProc by pushad/popad)
push eax;
ret;// push/ret transfer to the patched VA; registers other than ebp are not restored for the target
// void __cdecl GetProc(DWORD* iatSlot /*[ebp+8]*/, const char* dllName /*[ebp+0c]*/, const char* procName /*[ebp+10]*/)
// *iatSlot = GetProcAddress(LoadLibraryA(dllName), procName), both kernel32
// exports found via FindLocalAddr. API names are built on the stack from dword
// literals (stored little-endian, so 'daoL' reads "Load" in memory) so no string
// constant has to live in a data section. Neither API return value is checked
// for NULL. Clobbers eax,ebx,ecx,edx,esi,edi.
GetProc:
push ebp;
mov ebp,esp;
sub esp,0ch;// 12-byte buffer for "LoadLibraryA"
mov dword ptr [esp],'daoL';// "Load"
mov dword ptr [esp+04h],'rbiL';// "Libr"
mov dword ptr [esp+08h],'Ayra';// "aryA"
mov byte ptr [esp+0ch],0;// NUL lands one byte past the 12-byte buffer, in the low byte of the saved ebp at [ebp]; harmless here only because the caller restores ebp via popad
push esp;// arg1: pointer to the "LoadLibraryA" buffer (esp value before this push)
push 0x0000000d;// arg0: compare length 13 (includes the NUL)
call FindLocalAddr;// eax = kernel32!LoadLibraryA; the 8 bytes of arguments are not popped (reclaimed by mov esp,ebp below)
mov ebx,dword ptr [ebp+0ch];// dllName
push ebx;
call eax;//DllNameHandle: eax = LoadLibraryA(dllName); stdcall, callee pops its argument
push eax;// keep the HMODULE on the stack
sub esp,010h;// 16-byte buffer for "GetProcAddress"
mov dword ptr [esp],'PteG';// "GetP"
mov dword ptr [esp+04h],'Acor';// "rocA"
mov dword ptr [esp+08h],'erdd';// "ddre"
mov dword ptr [esp+0ch],'ss';// "ss" plus two zero bytes (2-char literal widened to a dword)
mov byte ptr [esp+0eh],0;// NUL terminator (already zero from the previous store)
push esp;// arg1: pointer to the "GetProcAddress" buffer
push 0x0000000f;// arg0: compare length 15 (includes the NUL)
call FindLocalAddr;// eax = kernel32!GetProcAddress; arguments again left on the stack
mov ebx,dword ptr [ebp+010h];// procName
push ebx;// GetProcAddress arg 2 (lpProcName)
mov ebx,dword ptr [esp+01ch];// esp+0x1c = the HMODULE pushed above (12 bytes of pushes + 16-byte buffer)
push ebx;// GetProcAddress arg 1 (hModule)
call eax;// eax = GetProcAddress(hModule, procName); stdcall
mov ebx,dword ptr[ebp+08h];// iatSlot
mov [ebx],eax;// write the resolved address into the IAT
mov esp,ebp;// discards both buffers and the un-popped FindLocalAddr arguments
pop ebp;
ret;
// DWORD __cdecl FindLocalAddr(DWORD nameLen /*[ebp+8]*/, const char* name /*[ebp+0c]*/)
// Returns in eax the VA of the export, in the third module of the PEB
// InLoadOrderModuleList, whose name matches `name` for nameLen bytes.
// Assumes that third module is kernel32.dll (load order exe, ntdll, kernel32)
// - not guaranteed on every Windows version. Does not pop its arguments;
// callers rely on their own mov esp,ebp. Clobbers ebx,ecx,edx,esi,edi.
FindLocalAddr:
push ebp;
mov ebp,esp;
mov eax,fs:[30h];// PEB
mov eax,[eax+0ch];// PEB.Ldr (PEB_LDR_DATA*)
mov eax,[eax+0ch];// Ldr->InLoadOrderModuleList.Flink -> 1st entry (the executable)
mov eax,[eax];// 2nd entry (ntdll.dll)
mov eax,[eax];// 3rd entry (assumed kernel32.dll)
mov ebx,[eax+18h];// LDR_DATA_TABLE_ENTRY.DllBase -> ebx = module base for the rest of the routine
mov eax,dword ptr [ebx+3ch];// IMAGE_DOS_HEADER.e_lfanew
mov eax,dword ptr [eax+ebx+78h];// NT headers + 0x78 = DataDirectory[EXPORT].VirtualAddress (RVA of IMAGE_EXPORT_DIRECTORY)
push eax;// save the export directory RVA; read back by `pop edx` below
mov eax,dword ptr [eax+ebx+20h];// IMAGE_EXPORT_DIRECTORY.AddressOfNames (RVA of the name-RVA array)
xor edx,edx;// edx = index into AddressOfNames
L1:mov edi,[eax+ebx];// RVA of the idx-th export name
add edi,ebx;// edi = name VA
mov esi,dword ptr[ebp+0ch];// esi = wanted name
mov ecx,dword ptr [ebp+08h];// ecx = compare length
repe cmpsb;// byte compare, assumes DF=0; NumberOfNames is never checked, so an absent name walks past the table
jz L2;
add eax,4h;// next name RVA
inc edx;
jmp L1;
L2: pop eax;// eax = export directory RVA
sub esp,04h;// re-reserve the slot: the value just popped is still in memory at [esp] and is reused by `pop edx` below (nothing may touch the stack in between)
mov eax,[eax+ebx+24h];// IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals (RVA of the WORD array)
mov ecx,edx;
L3:add eax,02h;// eax += 2*idx (WORD index); with idx == 0 (match on the first name) `loop` wraps ecx and runs 2^32 times
loop L3;
add eax,ebx;// VA of ordinals[idx]
mov ax,WORD PTR [eax];// 16-bit load into ax; the upper half of eax still holds address bits
pop edx;// edx = export directory RVA (the slot preserved by sub esp,04h)
mov edx,[edx+ebx+01ch];// IMAGE_EXPORT_DIRECTORY.AddressOfFunctions (RVA of the DWORD array)
imul ax,4;// ordinal * sizeof(DWORD), 16-bit arithmetic
and eax,0ffffh;// discard the stale upper half left by the partial-register write
add edx,eax;// RVA of functions[ordinal]
mov eax,[edx+ebx];// function RVA
add eax,ebx;// eax = function VA (export forwarders are not handled)
mov esp,ebp;
pop ebp;
ret;
}
转载于:https://blog.51cto.com/nster/1194441