码迷,mamicode.com
首页 > 其他好文 > 详细

X86下,FF 25+ 导入表函数地址小测试

时间:2017-02-25 12:17:17      阅读:183      评论:0      收藏:0      [点我收藏+]

标签:agent   color   char   print   sizeof   direct   push   return   dll   

在X86下,JMP反汇编出来的FF 25加的是导入表的地址

测试代码如下:

void  JmpFunctionAddressOfImportTableInWinXP_X86()
{
DWORD dwOld = 0;
ULONG_PTR v2 = 0;



void* v1 = NULL;
GetFunctionByImport_X86(GetModuleHandle(NULL), "MessageBoxA");
v1 = lpAddress;
printf("%p\r\n", v1);
printf("%p\r\n", v2 = Sub_1());



VirtualProtect((PVOID)v2,0x100,PAGE_EXECUTE_READWRITE,&dwOld);
memcpy((PVOID)((ULONG_PTR)v2+16),(PVOID)&v1,sizeof(ULONG_PTR));
VirtualProtect((PVOID)v2,0x100,dwOld,NULL);

Sub_1InX86();
}
里面的Sub_1和Sub_1InX86是写的汇编测试代码
Sub_1 PROC

lea eax,Sub_1InX86;
inc eax
mov ebx,[eax]
lea eax,Sub_1InX86
add eax,ebx
add eax,5
ret
Sub_1 ENDP


Sub_1InX86 PROC
push 0
push 0
push 0
push 0
call Flag1
ret
Flag0:
db 0FFH
db 25H
db 00H
db 00H
db 00H
db 00H
;0118158E FF 25 78 83 18 01    jmp         dword ptr [__imp__MessageBoxW@16 (1188378h)]
Flag1:
jmp Flag0
Sub_1InX86 ENDP
附带一个获得导入表函数地址的小函数
DWORD GetFunctionByImport_X86(
    HMODULE hModule,    // handle to DLL module  
    LPCSTR lpProcName   // function name 

)
{
    int i = 0;
    char *pRet = NULL;
    PIMAGE_DOS_HEADER pImageDosHeader = NULL;
    PIMAGE_NT_HEADERS pImageNtHeader = NULL;
    PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = NULL;

    pImageDosHeader = (PIMAGE_DOS_HEADER)hModule;
    pImageNtHeader = (PIMAGE_NT_HEADERS)((ULONG32)hModule + pImageDosHeader->e_lfanew);
    pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG32)hModule + pImageNtHeader->OptionalHeader.DataDirectory
        [IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    while (pImageImportDescriptor->FirstThunk)
    {
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA*)(pImageImportDescriptor->OriginalFirstThunk + (ULONG32)hModule);
        int a = 0;
        int n = 0;
        char *pszFunName = NULL;
        while (pThunk->u1.Function)
        {
            pszFunName = (char *)((BYTE *)hModule + (DWORD)pThunk->u1.AddressOfData + 2);
            PDWORD lpAddr = (DWORD *)((BYTE *)hModule + pImageImportDescriptor->FirstThunk) + n;

            if (strcmp(pszFunName, (char*)lpProcName) == 0)
            {
                lpAddress = lpAddr;
                printf("%p\r\n", lpAddress);
            }

            n++;
            pThunk++;


        }
        pImageImportDescriptor++;
    }

    return 0;
}

注:在这之前要先调用下MessageBoxA函数。

 

 

 

 

X86下,FF 25+ 导入表函数地址小测试

标签:agent   color   char   print   sizeof   direct   push   return   dll   

原文地址:http://www.cnblogs.com/a997002636/p/6441309.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!