[MASM32] KernelBase Address + GetProcAddress

Iniciado por The Swash, 9 Mayo 2011, 02:23 AM



.386
.model flat, stdcall
option casemap:none
assume fs:nothing                       ; lets MASM assemble the fs:[...] override used below

;-----------------------------------------------------------------------
; Resolve kernel32!GetProcAddress without an import table.
; Target: 32-bit Windows, x86, MASM syntax, run as the program entry point.
; Walks TEB -> PEB -> Ldr -> InLoadOrderModuleList to obtain the kernel32
; image base, then parses the PE export directory by hand until it finds
; the export named "GetProcAddress".
; Out:   ecx = absolute address of GetProcAddress
;        edi = kernel32 image base
; Clobb: eax, ebx, edx, esi, flags, Cont (memory)
; Review notes:
;  - The fs:[30h] -> Ldr -> DllBase walk followed by e_lfanew / export
;    directory arithmetic is the canonical import-free API-resolution
;    idiom; it is also exactly the sequence detection rules, emulators and
;    sandboxes look for, which makes this a useful teaching sample for the
;    defensive side as well.
;  - Every structure offset is a hard-coded magic number (named per line
;    below); none is declared as an equ/STRUCT.
;  - Nothing follows the last instruction: there is no ret and no
;    ExitProcess, so after ecx is computed execution falls off the end of
;    the code (presumably meant to be stepped in a debugger).
;-----------------------------------------------------------------------

.data
GPA db "GetProcAddress",0               ; export name searched for: 14 characters plus NUL
Cont dd 0                               ; index into AddressOfNames; pre-incremented, so the first compared index is 1

.code
start:
mov eax, fs:[030h]    ; eax = TEB->ProcessEnvironmentBlock (PEB)
mov eax, [eax + 0ch]  ; eax = PEB->Ldr (PEB_LDR_DATA*)
mov eax, [eax + 0ch]  ; eax = Ldr->InLoadOrderModuleList.Flink: first entry, the executable itself
mov eax, [eax]        ; eax = next entry: ntdll.dll
mov eax, [eax]        ; eax = next entry: kernel32.dll
                      ; NOTE(review): relies on the load order exe -> ntdll -> kernel32 with no name
                      ; check; that order held on the Windows versions this was written for but is
                      ; not a documented contract.
mov eax, [eax + 018h] ; eax = LDR_DATA_TABLE_ENTRY.DllBase = kernel32 image base

mov ecx, dword ptr[eax + 03ch]   ; ecx = IMAGE_DOS_HEADER.e_lfanew (offset of IMAGE_NT_HEADERS)
add ecx, 078h                    ; + 0x78 = OptionalHeader.DataDirectory[0] (export) .VirtualAddress
mov edx, dword ptr [eax + ecx]   ; edx = export directory RVA
add edx, eax                     ; edx = IMAGE_EXPORT_DIRECTORY* (RVA -> VA)
xor ebx, ebx                     ; dead store: ebx is overwritten two lines below
add edx, 020h                    ; edx -> ExportDir.AddressOfNames (+0x20)
mov ebx, dword ptr [edx]         ; ebx = AddressOfNames RVA
add ebx, eax                     ; ebx = AddressOfNames table (VA); entry i is the RVA of name i

; Name-search loop: compare each exported name with "GetProcAddress", counting the index in Cont.
; Invariants at COMP: eax = kernel32 base, ebx -> AddressOfNames[Cont], edx -> ExportDir+0x20.
; Review notes:
;  - Entry 0 is never compared: ebx and Cont are advanced before the first cmpsb, so the
;    search starts at index 1. Harmless only because GetProcAddress is not the first name.
;  - There is no upper bound: NumberOfNames (ExportDir+0x18) is never read, so if the name
;    were absent the loop would walk past the end of the table until it faults.
;  - Only 0Eh = 14 bytes are compared, i.e. without the NUL terminator, so a longer export
;    beginning with "GetProcAddress" would also match; the table is sorted, so the exact
;    name is reached first.
;  - repe cmpsb walks forward, i.e. it assumes DF = 0 (the state at process entry); the
;    code does not restate that with cld.
COMP:                   ; loop head
add ebx, 4              ; ebx -> next AddressOfNames slot
inc [Cont]              ; Cont = index of the slot now at ebx
mov esi, dword ptr [ebx]         ; esi = RVA of name[Cont]
add esi, eax                     ; esi = name[Cont] (VA)
lea edi, [GPA]                   ; edi = "GetProcAddress"
mov ecx, 0Eh                     ; compare 14 bytes (strlen, terminator excluded)
repe cmpsb                       ; ZF = 1 only if all 14 bytes matched
jnz COMP                         ; mismatch -> next name

; Name found: Cont = i. Address = AddressOfFunctions[AddressOfNameOrdinals[i]].
xor ebx, ebx            ; dead store: ebx is overwritten two lines below
add edx, 04h            ; edx -> ExportDir.AddressOfNameOrdinals (+0x24)
mov ebx, dword ptr[edx] ; ebx = AddressOfNameOrdinals RVA
add ebx, eax            ; ebx = AddressOfNameOrdinals table (VA), WORD entries
mov edi, eax            ; edi = kernel32 base, kept here because eax is reused for mul
xor eax, eax            ; eax = 0
mov al, 02h             ; eax = sizeof(WORD)
mov esi, edx            ; esi -> ExportDir+0x24, saved before mul below writes dx
mul word ptr[Cont]      ; dx:ax = 2 * Cont (16-bit multiply; clobbers dx, edx is dead from here on)
mov [Cont], eax         ; Cont = byte offset into the ordinal table (upper 16 bits of eax are still 0)
xor eax, eax            ; eax = 0 so the 16-bit load below yields a zero-extended value
add ebx, [Cont]         ; ebx -> AddressOfNameOrdinals[i]
mov ax,word ptr[ebx]    ; ax = index into AddressOfFunctions (NameOrdinals are zero-based, not Base-biased)
sub esi, 08h            ; esi -> ExportDir.AddressOfFunctions (+0x1C)
mov ecx, [esi]          ; ecx = AddressOfFunctions RVA
add ecx, edi            ; ecx = AddressOfFunctions table (VA), DWORD entries
xor ebx, ebx            ; dead store: ebx is overwritten on the next line
mov ebx, eax            ; ebx = function index
mov eax, 04h            ; eax = sizeof(DWORD)
mul ebx                 ; edx:eax = 4 * index (clobbers edx; dead)
add ecx, eax            ; ecx -> AddressOfFunctions[index]
mov ecx, [ecx]          ; ecx = RVA of GetProcAddress
add ecx, edi            ; ecx = GetProcAddress (VA) -- final result; no ret/exit follows
end start


Agradecimientos a Shaddy, [Zero], Lelo, Thor, Psymera & todos los que me han ayudado.