上联合翻宝贝,一个不小心,翻到一个给力的函数 = = 虽然不知道作者是谁,深深膜拜作者一下先
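const
  { Upper bound (bytes, terminator included) on the export name that is
    searched for. A name with no terminator inside this window is treated as
    not found instead of being compared as an unterminated prefix. }
  MAX_API_STRING_LENGTH = 150;

type
  PSEHStruct = ^TSEHStruct;
  { State handed to the SEH handler so a faulting lookup can be unwound back
    into MyGetProcAddress: the stack/frame pointers to restore and the code
    address (@@NotFound) to continue at. }
  TSEHStruct = record
    saveEsp: Cardinal;
    saveEbp: Cardinal;
    gotoEip: Cardinal;
  end;

{ Resolve a named export of an already-mapped module by walking its PE export
  directory (a hand-rolled GetProcAddress).

  DllBase  - base address of the mapped module; an HMODULE from LoadLibrary is
             exactly that value.
  ApiName  - NUL-terminated, case-sensitive export name.
  Returns  - the function address, or nil when the headers are not a valid PE
             image, the module has no export directory, the name is not
             exported, the name has no terminator within
             MAX_API_STRING_LENGTH bytes, or a read faults (the fault is
             caught by the SEH frame installed below and routed to @@NotFound).

  Two names used here are NOT part of this listing and must come from the
  surrounding unit: a variable `SEH: TSEHStruct` and a procedure `SEHHandler`.
  Judging by the fields written below, SEHHandler is expected to restore
  ESP/EBP from SEH.saveEsp/saveEbp and resume at SEH.gotoEip - confirm against
  the real handler. If SEH is a plain global, concurrent calls from several
  threads race on it; a threadvar would avoid that.

  Limitations (unchanged from the original):
  - Lookup by ordinal is not supported; only the name table is searched.
  - Forwarded exports are not followed: for a forwarder the value returned
    points at the forwarder string inside the export directory, not at code.
    Windows system DLLs forward some of their exports this way.
  - The name table is scanned linearly. It is sorted, so a binary search is
    possible, but the linear scan is kept for simplicity.

  Note for reviewers: because the address is obtained from the export table
  rather than through the import table, a binary using this has no IAT entry
  for the resolved function, so static inspection of its imports will not show
  it; analysis and detection tooling generally looks for this resolution
  pattern for that reason.

  `pascal` convention: arguments are pushed left to right and the callee cleans
  them up; the compiler provides the EBP frame through which DllBase and
  ApiName are addressed. }
function MyGetProcAddress(DllBase: LongWord; ApiName: PChar): Pointer; pascal;
asm
  { Save the registers the convention requires preserved (EBX, ESI, EDI) and
    the scratch registers the original also kept. }
  PUSH ESI
  PUSH EDI
  PUSH ECX
  PUSH EBX
  PUSH EDX

  { Install an SEH frame at ESP (Next = previous FS:[0], Handler = SEHHandler)
    and record where to unwind to if a read below faults. }
  XOR  EDX, EDX
  PUSH OFFSET SEHHandler
  PUSH DWORD PTR FS:[EDX]
  MOV  SEH.saveEsp, ESP
  MOV  SEH.saveEbp, EBP
  MOV  SEH.gotoEip, OFFSET @@NotFound
  MOV  FS:[EDX], ESP

  { Measure ApiName. SCASB compares AL against each byte, so AL must be 0 -
    the original did not clear it here and scanned for whatever AL held. }
  XOR  EAX, EAX
  MOV  EDI, ApiName
  MOV  ECX, MAX_API_STRING_LENGTH
  REPNZ SCASB
  JNE  @@NotFound              { no terminator inside the window: reject }
  MOV  ECX, EDI
  SUB  ECX, ApiName            { ECX = strlen(ApiName) + 1, terminator included }

  { Validate the DOS and NT headers before trusting any RVA. }
  MOV  EDX, DllBase
  CMP  [EDX].TImageDosHeader.e_magic, IMAGE_DOS_SIGNATURE
  JNZ  @@NotFound
  ADD  EDX, [EDX].TImageDosHeader._lfanew
  CMP  [EDX].TImageNtHeaders.Signature, IMAGE_NT_SIGNATURE
  JNZ  @@NotFound

  { Locate the export directory; an RVA of 0 means nothing is exported. }
  MOV  EDX, [EDX].TImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].TImageDataDirectory.VirtualAddress
  OR   EDX, EDX
  JZ   @@NotFound
  ADD  EDX, DllBase            { EDX -> IMAGE_EXPORT_DIRECTORY }

  MOV  EBX, [EDX].TImageExportDirectory.AddressOfNames
  ADD  EBX, DllBase            { EBX -> first entry of the name RVA table }
  XOR  EAX, EAX                { EAX = index into the name table }

@@Loop:
  { Check the bound before dereferencing so a directory with NumberOfNames = 0
    (ordinal-only exports) never reads a bogus entry - the original compared
    the first entry before checking the count. }
  CMP  EAX, [EDX].TImageExportDirectory.NumberOfNames
  JAE  @@NotFound
  MOV  EDI, [EBX]
  ADD  EDI, DllBase            { EDI -> candidate export name }
  MOV  ESI, ApiName
  PUSH ECX
  REPZ CMPSB                   { terminator included: "Open" <> "OpenProcess" }
  POP  ECX
  JE   @@Found
  ADD  EBX, 4
  INC  EAX
  JMP  @@Loop

@@Found:
  { name index -> ordinal (16-bit entries) }
  SHL  EAX, 1
  ADD  EAX, [EDX].TImageExportDirectory.AddressOfNameOrdinals
  ADD  EAX, DllBase
  MOVZX EAX, WORD PTR [EAX]
  { ordinal -> function RVA -> virtual address }
  SHL  EAX, 2
  ADD  EAX, [EDX].TImageExportDirectory.AddressOfFunctions
  ADD  EAX, DllBase
  MOV  EAX, [EAX]
  ADD  EAX, DllBase
  JMP  @@Exit

@@NotFound:
  { return nil on any failure; SEHHandler also lands here after a fault }
  XOR  EAX, EAX

@@Exit:
  { Unlink the SEH frame (restore the previous FS:[0], drop the handler slot)
    and restore the saved registers. The result is already in EAX. }
  XOR  EDX, EDX
  POP  DWORD PTR FS:[EDX]
  ADD  ESP, 4
  POP  EDX
  POP  EBX
  POP  ECX
  POP  EDI
  POP  ESI
end;

{ Usage, as given in the original post:
    var zhu: Pointer;
    zhu := MyGetProcAddress(LoadLibrary('Kernel32.dll'), 'OpenProcess'); }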