在 X86 下，反汇编出来的 JMP 指令（机器码 FF 25）后面跟的立即数是导入表项（IAT 槽）的地址。
测试代码如下:
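/*
 * Test driver: locate the IAT slot of MessageBoxA in our own image, write that
 * slot's address into the 4-byte operand of the hand-encoded "FF 25" jmp stub
 * inside Sub_1InX86, then run the stub so the indirect jump lands in MessageBoxA.
 *
 * Depends on file-scope names: lpAddress (set by GetFunctionByImport_X86),
 * Sub_1() and Sub_1InX86() (assembly). Nothing is returned; progress and
 * failures are printed.
 */
void JmpFunctionAddressOfImportTableInWinXP_X86(void)
{
    /* Offset of the FF 25 operand relative to the address Sub_1() returns.
     * Taken from the original code; assumed to match the assembled listing
     * of Sub_1InX86 -- TODO confirm against the disassembly. */
    enum { STUB_OPERAND_OFFSET = 16 };

    DWORD dwOld = 0;
    DWORD dwRestored = 0;       /* VirtualProtect requires a non-NULL out pointer */
    ULONG_PTR v2 = 0;
    void *v1 = NULL;

    GetFunctionByImport_X86(GetModuleHandle(NULL), "MessageBoxA");
    v1 = lpAddress;
    if (v1 == NULL) {
        /* The lookup only succeeds when MessageBoxA is actually in the import
         * table, i.e. it was referenced (called) somewhere in this image. */
        printf("MessageBoxA not found in the import table\r\n");
        return;
    }
    printf("%p\r\n", v1);

    v2 = Sub_1();
    printf("%p\r\n", (void *)v2);   /* %p wants a pointer, not ULONG_PTR */

    if (!VirtualProtect((PVOID)v2, 0x100, PAGE_EXECUTE_READWRITE, &dwOld)) {
        printf("VirtualProtect(RWX) failed: %lu\r\n", GetLastError());
        return;
    }
    memcpy((PVOID)(v2 + STUB_OPERAND_OFFSET), &v1, sizeof v1);
    /* The original passed NULL as lpflOldProtect, which makes this call fail
     * and leaves the page RWX. Restoring the protection is both hygiene and
     * what memory-integrity scanners expect of a code page. */
    if (!VirtualProtect((PVOID)v2, 0x100, dwOld, &dwRestored)) {
        printf("VirtualProtect(restore) failed: %lu\r\n", GetLastError());
    }

    Sub_1InX86();
}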
其中的 Sub_1 和 Sub_1InX86 是手写的汇编测试代码：
; Sub_1: returns in EAX the value  Sub_1InX86 + dword at [Sub_1InX86+1] + 5.
; NOTE(review): that arithmetic is the shape of decoding an E8 rel32 call
; target, but Sub_1InX86 below starts with "push 0", so what address the C
; caller receives -- and why it then writes at +16 -- should be confirmed
; against the assembled listing. Also, if the ";" after the first lea was
; followed by "inc eax" on the same source line, MASM treated that as a
; comment and the dword is read at [Sub_1InX86] instead.
; EBX is modified and not restored; it is callee-saved in the Win32 ABI, so
; a caller compiled with optimisation may be corrupted (push/pop ebx would fix).
Sub_1 PROC
    lea eax,Sub_1InX86;
    inc eax
    mov ebx,[eax]
    lea eax,Sub_1InX86
    add eax,ebx
    add eax,5
    ret
Sub_1 ENDP

; Sub_1InX86: pushes four zero arguments, calls through Flag1 into the
; hand-encoded stub at Flag0, and returns.
Sub_1InX86 PROC
    push 0
    push 0
    push 0
    push 0
    call Flag1
    ret
Flag0:
    ; Hand-encoded "jmp dword ptr [imm32]" (FF 25 <imm32>). The 4-byte operand
    ; is left as zeros here and filled in at run time by the C test driver
    ; with the address of the IAT slot, mirroring the compiler-generated form
    ; shown in the comment below.
    db 0FFH
    db 25H
    db 00H
    db 00H
    db 00H
    db 00H
    ;0118158E FF 25 78 83 18 01 jmp dword ptr [__imp__MessageBoxW@16 (1188378h)]
Flag1:
    jmp Flag0
Sub_1InX86 ENDP
附带一个从导入表中查找函数地址（IAT 槽地址）的小函数：
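/*
 * Walk the import directory of a loaded 32-bit module and look for an import
 * named lpProcName. For every match the address of the corresponding IAT slot
 * is stored in the file-scope global lpAddress and printed; as in the original,
 * scanning continues, so the last match wins.
 *
 * hModule     handle (base address) of the module whose import table is walked
 * lpProcName  name of the imported function; imports by ordinal have no name
 *             and are skipped
 *
 * Returns 1 when at least one match was found, 0 otherwise (the original
 * always returned 0; the visible caller ignores the value).
 *
 * RVAs are trusted without bounds checks against the mapped image size, so
 * this is only safe on a module the loader has already mapped -- not on an
 * arbitrary file image.
 */
DWORD GetFunctionByImport_X86(
    HMODULE hModule,    // handle to the module whose import table is walked
    LPCSTR lpProcName   // function name to look for
    )
{
    BYTE *pBase = (BYTE *)hModule;
    PIMAGE_DOS_HEADER pDos = NULL;
    PIMAGE_NT_HEADERS pNt = NULL;
    PIMAGE_DATA_DIRECTORY pDir = NULL;
    PIMAGE_IMPORT_DESCRIPTOR pDesc = NULL;
    DWORD found = 0;

    if (pBase == NULL || lpProcName == NULL) {
        return 0;
    }

    pDos = (PIMAGE_DOS_HEADER)pBase;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    pNt = (PIMAGE_NT_HEADERS)(pBase + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }

    /* A module without an import directory has nothing to walk; the original
     * would have dereferenced the image base as a descriptor here. */
    pDir = &pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pDir->VirtualAddress == 0 || pDir->Size == 0) {
        return 0;
    }
    pDesc = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + pDir->VirtualAddress);

    for (; pDesc->FirstThunk != 0; pDesc++) {
        /* OriginalFirstThunk (INT) keeps the name entries. Some linkers leave
         * it 0; then FirstThunk (IAT) is the only copy of the names. */
        DWORD namesRva = pDesc->OriginalFirstThunk ? pDesc->OriginalFirstThunk
                                                   : pDesc->FirstThunk;
        PIMAGE_THUNK_DATA pName = (PIMAGE_THUNK_DATA)(pBase + namesRva);
        PIMAGE_THUNK_DATA pIat  = (PIMAGE_THUNK_DATA)(pBase + pDesc->FirstThunk);

        /* INT and IAT are parallel arrays, so one index serves both. */
        for (; pName->u1.AddressOfData != 0; pName++, pIat++) {
            PIMAGE_IMPORT_BY_NAME pByName = NULL;

            /* Ordinal imports carry no IMAGE_IMPORT_BY_NAME; the original
             * treated the ordinal bits as an RVA and read garbage (or faulted). */
            if (IMAGE_SNAP_BY_ORDINAL(pName->u1.Ordinal)) {
                continue;
            }
            pByName = (PIMAGE_IMPORT_BY_NAME)(pBase + pName->u1.AddressOfData);
            if (strcmp((const char *)pByName->Name, lpProcName) == 0) {
                lpAddress = (PDWORD)pIat;
                printf("%p\r\n", (void *)lpAddress);
                found = 1;
            }
        }
    }
    return found;
}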
注：运行之前要先调用一次 MessageBoxA 函数，否则该函数不会出现在本程序的导入表中，上面的查找会失败。
原文地址:http://www.cnblogs.com/a997002636/p/6441309.html