搜索WinExec地址参考
* 在 kernel32.dll 的导出表中按名称哈希搜索指定 API 的地址
* 哈希算法: h = (h << 2) + c,逐字节累加(包含结尾的 NUL 字节),只取低 16 位
* Hash(WinExec) = 0x72dc Hash(LoadLibraryA) = 0xae14
*/
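/* EPROCESS field offsets used by SearchApi.  These are the Windows 2000
 * (NT 5.0) layout only -- see the BASE_PROCESS_NAME_OFFSET_* table further
 * down: every later build moves ImageFileName, and ActiveProcessLinks and
 * Peb move as well.
 * NOTE(review): these must be resolved per build before this runs on
 * anything other than Windows 2000. */
#define SEARCHAPI_EPROCESS_ACTIVE_LINKS_2K   0x0A0   /* LIST_ENTRY ActiveProcessLinks */
#define SEARCHAPI_EPROCESS_PEB_2K            0x1B0   /* PPEB Peb */
#define SEARCHAPI_EPROCESS_IMAGE_NAME_2K     0x1FC   /* UCHAR ImageFileName[16] */

/*
 * SearchApi - resolve a kernel32.dll export by 16-bit name hash.
 *
 * Walks EPROCESS.ActiveProcessLinks starting at the current process until
 * it finds a process with a PEB whose ImageFileName starts with "winlogon",
 * attaches to it, and parses the export directory of the SECOND module in
 * PEB->Ldr->InInitializationOrderModuleList (ntdll.dll is first; the
 * second is kernel32.dll on Windows 2000/XP/2003 -- on Windows 7 and later
 * that slot is KernelBase.dll, so this lookup needs revisiting there).
 *
 * Hash: h = (h << 2) + c over every byte of the export name INCLUDING the
 * terminating NUL, truncated to 16 bits.  Hash(WinExec) = 0x72dc,
 * Hash(LoadLibraryA) = 0xae14.
 *
 * Fixes versus the earlier version of this routine:
 *   - the name scan is bounded by NumberOfNames; an unknown hash used to
 *     loop past the end of the name table until it faulted,
 *   - the function address is looked up through AddressOfNameOrdinals;
 *     AddressOfFunctions is indexed by ordinal, not by name index,
 *   - the user-mode walk is wrapped in SEH so a bad PEB/loader pointer
 *     returns 0 instead of bugchecking, and the process is always detached.
 *
 * api_hash  16-bit hash of the export name to look up.
 * Returns   the export's address in winlogon's address space, or 0 if no
 *           winlogon process was found, the name is not exported, or the
 *           user-mode walk faulted.
 *
 * Must be called at IRQL == PASSIVE_LEVEL (KeAttachProcess, pageable
 * user memory).  Only the 32-bit PE layout (PE32, x86) is handled.
 */
ULONG
SearchApi(WORD api_hash)
{
    PEPROCESS   pStartProcess = PsGetCurrentProcess();
    PLIST_ENTRY pHead  = (PLIST_ENTRY)((PUCHAR)pStartProcess + SEARCHAPI_EPROCESS_ACTIVE_LINKS_2K);
    PLIST_ENTRY pEntry = pHead;

    do {
        PEPROCESS pEProcess = (PEPROCESS)((PUCHAR)pEntry - SEARCHAPI_EPROCESS_ACTIVE_LINKS_2K);
        PPEB      peb       = *(PPEB *)((PUCHAR)pEProcess + SEARCHAPI_EPROCESS_PEB_2K);
        PUCHAR    lpname    = (PUCHAR)pEProcess + SEARCHAPI_EPROCESS_IMAGE_NAME_2K;

        KdPrint(("%s\n", lpname));

        if (peb != NULL && strncmp((PCHAR)lpname, "winlogon", 8) == 0)
        {
            ULONG api_addr = 0;

            /* The PEB and loader lists live in the target's user address
             * space: attach so they are mapped, and catch the fault an
             * unmapped or paged-out address would otherwise raise. */
            KeAttachProcess((PKPROCESS)pEProcess);
            __try
            {
                KdPrint(("ImageBaseAddress:%08x\n", peb->ImageBaseAddress));
                _asm
                {
                    mov   eax, peb
                    mov   eax, [eax+0x0c]               // eax = PEB->Ldr
                    mov   esi, [eax+0x1c]               // esi = Ldr->InInitializationOrderModuleList.Flink (1st entry: ntdll)
                    lodsd                               // eax = 1st entry's Flink -> 2nd entry (kernel32 on 2000/XP/2003)
                    mov   ebx, [eax+0x08]               // ebx = DllBase (8 bytes past InInitializationOrderLinks)
                    movzx edx, word ptr api_hash        // edx = hash we are looking for
                    mov   eax, [ebx+0x3c]               // e_lfanew
                    mov   eax, [eax+ebx+0x78]           // OptionalHeader.DataDirectory[0].VirtualAddress (export RVA)
                    add   eax, ebx                      // eax -> IMAGE_EXPORT_DIRECTORY
                    mov   esi, [eax+0x20]               // AddressOfNames RVA
                    add   esi, ebx                      // esi -> array of name RVAs
                    xor   ecx, ecx                      // ecx = name index
                next_api:
                    cmp   ecx, dword ptr [eax+0x18]     // index >= NumberOfNames: not exported, stop
                    jae   not_found
                    mov   edi, [esi+ecx*4]
                    add   edi, ebx                      // edi -> export name string
                    pushad
                    xor   eax, eax
                hash_next:
                    shl   eax, 2                        // h = (h << 2) + c; only the low 16 bits matter
                    movzx ecx, byte ptr [edi]
                    add   ax, cx
                    inc   edi
                    test  ecx, ecx                      // the NUL byte is hashed too, then we stop
                    jnz   hash_next
                    cmp   ax, dx                        // flags survive popad below
                    popad
                    jz    found
                    inc   ecx
                    jmp   next_api
                found:
                    mov   edx, [eax+0x24]               // AddressOfNameOrdinals RVA
                    add   edx, ebx
                    movzx ecx, word ptr [edx+ecx*2]     // name index -> ordinal index
                    mov   eax, [eax+0x1c]               // AddressOfFunctions RVA
                    add   eax, ebx
                    mov   eax, [eax+ecx*4]              // function RVA
                    add   eax, ebx
                    mov   api_addr, eax
                not_found:
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                api_addr = 0;
            }
            KeDetachProcess();

            KdPrint(("%08x\n", api_addr));
            return api_addr;
        }

        pEntry = pEntry->Flink;
    } while (pEntry != pHead);

    return 0;
}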
注意!上面的代码仍然存在硬编码偏移(ActiveProcessLinks 0xA0、Peb 0x1b0、ImageFileName 0x1fc 只对 Windows 2000 有效,EPROCESS 结构在各个操作系统版本之间都有变化)。
下面是探测操作系统版本的代码,该办法比 PsGetVersion 管用 :-) PsGetVersion 只返回主/次版本号和 build 号,因此无法区分 Windows 2003 (5.2.3790.0) 和 Windows 2003 SP1 (5.2.3790.1830),二者 build 号相同。
它基于一个假定:EPROCESS 结构一旦变化,其中 ImageFileName 的偏移也必然变化。这个假定并不严格成立(不同 build 可能恰好共用同一个偏移;未列入表中的 build 会返回 WINDOWS_VERSION_NONE),希望大家帮我完善下。
/* Offset of EPROCESS.ImageFileName per kernel build, found by scanning the
 * System process's EPROCESS for the string "System" (GetWindowsVersion
 * below).  Used as a build fingerprint because PsGetVersion reports the
 * same build number for Windows 2003 RTM and SP1.
 * NOTE(review): the Vista entry has no build number recorded -- confirm
 * which Vista build it was measured on before relying on it. */
#define BASE_PROCESS_NAME_OFFSET_2K 0x01FC// Windows 2000, NT 5.0.2195.7133
#define BASE_PROCESS_NAME_OFFSET_XP 0x0174// Windows XP, NT 5.1.2600.3093
#define BASE_PROCESS_NAME_OFFSET_2K3 0x0154// Windows 2003 RTM, NT 5.2.3790.0
#define BASE_PROCESS_NAME_OFFSET_2K3_SP1 0x0164// Windows 2003 SP1, NT 5.2.3790.1830
#define BASE_PROCESS_NAME_OFFSET_VISTA 0x014c// Windows Vista (build not recorded)
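/*
 * GetWindowsVersion - fingerprint the running kernel by the offset of
 * EPROCESS.ImageFileName.
 *
 * Scans the first PAGE_SIZE bytes of the System process's EPROCESS for the
 * string "System" and maps the offset at which it is found to a
 * WINDOWS_VERSION_* value through the BASE_PROCESS_NAME_OFFSET_* table.
 * Unlike PsGetVersion this tells Windows 2003 RTM from 2003 SP1 apart:
 * both report build 3790, but the structure layout differs.
 *
 * Side effect: g_EProcessOffset.wOffsetName is set to the offset found,
 * even when it maps to no known version, so callers can still use it.
 *
 * Returns the matching WINDOWS_VERSION_* constant, or WINDOWS_VERSION_NONE
 * when "System" is not found within the page or the offset is not in the
 * table.
 */
WORD GetWindowsVersion()
{
    /* Use the exported System process pointer rather than
     * PsGetCurrentProcess(): the two only coincide when we run in a system
     * thread (e.g. DriverEntry).  From an IOCTL the current process is the
     * caller, whose name is not "System", and the scan would fail. */
    PEPROCESS pSystemProcess = PsInitialSystemProcess;
    WORD      offset;

    /* Stop early enough that the 6-byte compare never crosses the page
     * boundary; the page after the EPROCESS is not guaranteed to be mapped. */
    for (offset = 0; offset + 6 <= PAGE_SIZE; offset++)
    {
        if (strncmp("System", (PCHAR)pSystemProcess + offset, 6) != 0)
            continue;

        g_EProcessOffset.wOffsetName = offset;
        KdPrint(("%08x\n", offset));

        switch (offset)
        {
        case BASE_PROCESS_NAME_OFFSET_2K:
            KdPrint(("WINDOWS_VERSION_2K\n"));
            return WINDOWS_VERSION_2K;
        case BASE_PROCESS_NAME_OFFSET_XP:
            KdPrint(("WINDOWS_VERSION_XP\n"));
            return WINDOWS_VERSION_XP;
        case BASE_PROCESS_NAME_OFFSET_2K3:
            KdPrint(("WINDOWS_VERSION_2K3\n"));
            return WINDOWS_VERSION_2K3;
        case BASE_PROCESS_NAME_OFFSET_2K3_SP1:
            KdPrint(("WINDOWS_VERSION_2K3_SP1\n"));
            return WINDOWS_VERSION_2K3_SP1;
        case BASE_PROCESS_NAME_OFFSET_VISTA:
            KdPrint(("WINDOWS_VERSION_VISTA\n"));
            return WINDOWS_VERSION_VISTA;
        default:
            /* Offset recorded above, but no build in the table uses it. */
            return WINDOWS_VERSION_NONE;
        }
    }

    return WINDOWS_VERSION_NONE;
}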