// Win32 (x86, 32-bit) demo: locates kernel32.dll without an import-table entry
// by scanning memory for an "MZ" header, then resolves LoadLibraryA and
// GetProcAddress by walking the PE export directory by hand (NEW_GPA).
// This is the classic position-independent API-resolution pattern; the same
// code shape is worth recognising when reviewing unknown binaries, because
// it leaves no IAT entries for the APIs it actually calls.
pragma (lib, "gdi32.lib");
pragma (lib, "d3d9.lib");
pragma (lib, "winmm.lib");
pragma (lib, "ole32.lib");

import core.runtime;
import win32.windows;
import core.stdc.stdio;
import std.string;
import std.conv;
import std.math;

/// Walks downward from `UpperCallStack` in 64 KiB steps until the 16-bit
/// "MZ" signature (0x5A4D) is read, and returns that address.
/// Params:
///   UpperCallStack = an address assumed to lie inside the image being looked
///                    for (here: an address inside kernel32.dll).
/// Returns: the 64 KiB-aligned address whose first word is "MZ".
/// Limits visible in the code: the scan has no lower bound and no check that
/// a page is mapped, so if no "MZ" word is found first the read faults; only
/// the two-byte signature is compared, so any other mapping that starts with
/// "MZ" on a 64 KiB boundary is accepted as well. 32-bit x86 only.
extern(C) UINT GetKernelBase(UINT UpperCallStack){ // from luo yun bing's Win32 ASM source
    asm {
        naked ;                 // use naked asm mode: no prologue, argument is at [ESP+4]
        mov EAX, [ESP+4] ;      // EAX = UpperCallStack
        nop ;
        and EAX, 0xFFFF0000 ;   // round down to a 64 KiB boundary
        nop ;
    main_loop:
        mov DX, [EAX] ;         // D00 - D15 is 0x5A4D MZ
        sub EAX, 0x10000 ;      // step to the next lower 64 KiB boundary (before the compare)
        xor DX, 0x5A4D ;        // ZF set iff the word just read was "MZ"
        jne main_loop ;
        add EAX, 0x10000 ;      // undo the last step: EAX is the address that matched
        ret ;
    }
}

/// Resolves an export by name by walking the module's export directory
/// directly instead of calling GetProcAddress.
/// Params:
///   hModule  = base address of a loaded PE32 image.
///   FuncName = NUL-terminated export name to look up.
/// Returns: hModule + the export's RVA, i.e. the function's address.
/// Caveats visible in the code:
///   - EBP, ESP, XMM0 and XMM1 are used as scratch registers; ESP holds the
///     name length for the whole compare loop, so any exception raised while
///     ESP is not a valid stack pointer is unrecoverable.
///   - If no name matches, the loop falls through to final_nake and an
///     address derived from the last slot is returned rather than null;
///     callers get no failure signal.
///   - The RVA read from AddressOfFunctions is returned as-is; no check for a
///     forwarded export is visible.
///   - PE32 offsets are hard-coded (e_lfanew at +60, export DataDirectory at
///     +120 of IMAGE_NT_HEADERS); they do not apply to PE32+ images.
extern(C) UINT NEW_GPA(UINT hModule, char* FuncName){
    asm {
        naked ;
        push EDI ;              // save old frame
        push ESI ;              // save old frame
        mov EDI, [ESP+16] ;     // Load FuncName (ret + 2 pushes = 12, so arg 2 is at +16)
        push EBP ;              //
        xor AL, AL ;            // cle bit: AL = 0, the byte scasb looks for (NUL terminator)
        push EBX ;
        mov ECX, -1 ;           // ECX = -1: unbounded count for repne scasb
        mov EBX, EDI ;          // keep the FuncName pointer in EBX for the compare loop
        cld ;                   // clr d bit
        repne ;
        scasb ;                 // scan ... forward until the NUL byte
        not ECX ;               // get result (with zero): ECX = strlen(FuncName) + 1
        mov ESI, [ESP+20] ;     // load module addr ; (ret + 4 pushes = 20, so arg 1 is at +20)
        mov EAX, ESI ;          // EAX = hModule, kept as the image base for the rest
        add ESI, [ESI+60] ;     // move to PE File's IMAGE_NT_HEADERS (e_lfanew)
        mov ESI, [ESI+120];     // load OptionalHeader.DataDirectory[0].VirtualAddress (export dir RVA, PE32 layout)
        add ESI, EAX ;          // ESI = IMAGE_EXPORT_DIRECTORY*
        movd XMM1, ESI ;        // XMM1 parks the export-directory pointer
        mov EDX, [ESI+32] ;     // get AddressOfNames
        add EDX, EAX ;
        mov EBP, [ESI+24] ;     // get cnt (NumberOfNames)
        movd XMM0, ESP ;        // XMM0 parks the real stack pointer ...
        mov ESP, ECX ;          // ... because ESP is used to hold the name length
    main_loop:
        mov EDI, [EDX] ;        // Func Name Array ... current name RVA
        mov ESI, EBX ;
        add EDI, EAX ;
        mov ECX, ESP ;          // compare length including the NUL
        repz ;
        cmpsb ;
        je final_nake ;         // whole string equal: found
        add EDX, 4 ;            // next name RVA
        dec EBP ;
        jne main_loop ;         // NOTE: exhausting the table also reaches final_nake
    final_nake:
        movd ESI, XMM1 ;        // restore export-directory pointer
        movd ESP, XMM0 ;        // restore the real stack pointer
        sub EDX, [ESI+32] ;
        pop EBX ;
        pop EBP ;
        sub EDX, EAX ;          // EDX = byte offset into AddressOfNames = index * 4
        shr EDX, 1 ;            // index * 2 = byte offset into the 16-bit ordinal table
        add EDX, [ESI+36] ;     // AddressOfNameOrdinals
        add EDX, EAX ;
        movzx EDX, word ptr [EDX];  // ordinal
        lea EDX, [EDX*4] ;
        add EDX, [ESI+28] ;     // AddressOfFunctions
        pop ESI ;
        add EDX, EAX ;
        mov ECX, [EDX] ;        // function RVA
        pop EDI ;
        add EAX, ECX ;          // return base + RVA
        ret ;
    }
}

// Function-pointer slots filled in at run time by the manual resolver above;
// none of these APIs appears in the executable's import table.
extern(Windows) int function ( HWND hWnd, PCHAR lpText, PCHAR lpCaption, UINT uType ) _MessageBoxA;
extern(Windows) int function ( HMODULE hModule, LPCSTR lpProcName ) _GetProcAddress;
extern(Windows) HMODULE function ( PCHAR lpFileName ) _LoadLibrary;

void main(){
    uint Kernel32BaseAddr;
    // Reads a stack slot at a fixed offset from EBP and treats it as an
    // address inside kernel32 (presumably a return address left there by the
    // startup code — not verifiable here). The offset depends on this exact
    // compiler/runtime build and stack layout; with any other build the value
    // is unrelated and GetKernelBase starts scanning from a wrong address.
    // Despite the name this is a pointer into kernel32, not its base.
    asm {
        mov EAX, [EBP+0x1D4];
        mov Kernel32BaseAddr, EAX;
    }
    // NEW_GPA never reports failure, so a miss would be called as code here.
    _LoadLibrary = cast(typeof(_LoadLibrary)) NEW_GPA(GetKernelBase(Kernel32BaseAddr), cast(char*)"LoadLibraryA"); ;
    _GetProcAddress = cast(typeof(_GetProcAddress)) NEW_GPA(GetKernelBase(Kernel32BaseAddr), cast(char*)"GetProcAddress");
    _MessageBoxA = cast(typeof(_MessageBoxA)) _GetProcAddress(_LoadLibrary(cast(char*)"user32.dll"), cast(char*)"MessageBoxA");
    _MessageBoxA (null, cast(char*) "Hello World", cast(char*)"Test", 0);
}
云彬锅的GetKernelBase
转载自xuling1993728.iteye.com/blog/2209528