云彬锅的GetKernelBase

pragma (lib, "gdi32.lib");
pragma (lib, "d3d9.lib");
pragma (lib, "winmm.lib");
pragma (lib, "ole32.lib");
import core.runtime;
import win32.windows;
import core.stdc.stdio;
import std.string;
import std.conv;
import std.math;

/// Walks downward from `UpperCallStack` in 64 KiB steps until it reaches a
/// location whose first 16-bit word is 0x5A4D ("MZ", the DOS header
/// signature) and returns that address as the module base.
///
/// Params:
///   UpperCallStack = an address expected to lie inside the target module's
///                    image (main() passes what it believes is a kernel32
///                    return address).
/// Returns: the first 64 KiB-aligned address at or below the input whose
///          first word is 0x5A4D.
///
/// NOTE(review): the scan has no lower bound and no error result. If no "MZ"
/// word is found before the walk reaches an unmapped page, the
/// `mov DX, [EAX]` read faults instead of returning 0; the caller must pass
/// an address that really lies inside a mapped PE image.
extern(C)
UINT GetKernelBase(UINT UpperCallStack){ // from luo yun bing's Win32 ASM source 
    asm {
      naked               ; // naked: no prologue/epilogue, the argument is read straight off the stack
      mov EAX, [ESP+4]    ; // EAX = UpperCallStack (first cdecl argument, just above the return address)
      nop                 ; // no effect, kept from the original listing
      and EAX, 0xFFFF0000 ; // round down to a 64 KiB boundary (assumes module bases are 64 KiB aligned)
      nop                 ; 
    main_loop:
      mov DX, [EAX]       ; // 16-bit load of the candidate's first two bytes; 0x5A4D is "MZ"
      sub EAX, 0x10000    ; // step down one 64 KiB granule before the test (undone below on a hit)
      xor DX,  0x5A4D     ; // ZF is set iff the word read was exactly 0x5A4D
      jne main_loop       ;
      add EAX, 0x10000    ; // undo the extra step so EAX is the address that held "MZ"
      ret                 ;
    }
}

/// Resolves an exported function by name directly from a module's export
/// directory, without calling GetProcAddress.
///
/// Params:
///   hModule  = base address of a loaded 32-bit (PE32) image
///   FuncName = NUL-terminated export name to look up (exact, case-sensitive match)
/// Returns: hModule + the export's function RVA.
///
/// Walk performed below: DOS header e_lfanew -> IMAGE_NT_HEADERS ->
/// OptionalHeader.DataDirectory[0] (export table) -> linear scan of
/// AddressOfNames; the matching index is mapped through
/// AddressOfNameOrdinals into AddressOfFunctions.
///
/// NOTE(review): limitations visible in the code:
///  - no not-found path: when `dec EBP` reaches zero without a match the
///    code falls through to final_nake with EDX one entry past the name
///    table and returns a meaningless address rather than 0;
///  - forwarded exports (an RVA pointing back into the export directory)
///    are returned as-is, not followed;
///  - the name length and the export-directory pointer are parked in ESP
///    and XMM0/XMM1 during the scan, so the stack is unusable inside
///    main_loop and XMM0/XMM1 are clobbered (presumably caller-saved under
///    the 32-bit Windows ABI used here — confirm for the toolchain).
extern(C)
UINT NEW_GPA(UINT hModule, char* FuncName){
      asm {
        naked             ; // no prologue; arguments are addressed relative to ESP by hand
        push EDI          ; // callee-saved, restored before ret
        push ESI          ; // callee-saved, restored before ret
        mov EDI, [ESP+16] ; // EDI = FuncName (stack: ESI, EDI, retaddr, hModule, FuncName)
        push EBP          ; // callee-saved, restored before ret (reused as the name counter)
        xor AL, AL        ; // AL = 0: scasb searches for the terminating NUL
        push EBX          ; // callee-saved, restored before ret
        mov ECX, -1       ; // unbounded scan count for repne
        mov EBX, EDI      ; // EBX keeps the start of FuncName for the compare loop
        cld               ; // forward direction for the string instructions
        repne             ;
        scasb             ; // advance EDI until [EDI] == AL (the NUL)
        not ECX           ; // ECX = strlen(FuncName) + 1, i.e. length including the NUL

        mov ESI, [ESP+20] ; // ESI = hModule (stack: EBX, EBP, ESI, EDI, retaddr, hModule)
        mov EAX, ESI      ; // EAX = image base, kept for every RVA -> VA conversion
        add ESI, [ESI+60] ; // ESI = base + e_lfanew: IMAGE_NT_HEADERS
        mov ESI, [ESI+120]; // OptionalHeader.DataDirectory[0].VirtualAddress (export dir RVA, PE32 layout)
        add ESI, EAX      ; // ESI = IMAGE_EXPORT_DIRECTORY*
        movd XMM1, ESI    ; // park the export-directory pointer; ESI is needed by cmpsb
        mov EDX, [ESI+32] ; // AddressOfNames RVA
        add EDX, EAX      ; // EDX = AddressOfNames (array of name RVAs)
        mov EBP, [ESI+24] ; // EBP = NumberOfNames, loop counter
        movd XMM0, ESP    ; // park the real stack pointer ...
        mov ESP, ECX      ; // ... and use ESP as a scratch register holding the name length
      main_loop:
        mov EDI, [EDX]    ; // RVA of the current export name
        mov ESI, EBX      ; // ESI = FuncName
        add EDI, EAX      ; // EDI = export name VA
        mov ECX, ESP      ; // ECX = length including NUL, so only an exact match succeeds
        repz              ;  
        cmpsb             ; // compare while equal
        je final_nake     ; // ZF still set after the last byte: full match
        add EDX, 4        ; // next name RVA
        dec EBP           ; 
        jne main_loop     ; // NOTE(review): falls through on exhaustion with no error result
final_nake:
        movd ESI, XMM1    ; // restore the export-directory pointer
        movd ESP, XMM0    ; // restore the stack pointer before any pop
        sub EDX, [ESI+32] ; // EDX = base + 4*index (remove the AddressOfNames RVA)
        pop EBX           ; 
        pop EBP           ; 
        sub EDX, EAX      ; // EDX = 4*index
        shr EDX, 1        ; // EDX = 2*index (ordinal table entries are 16-bit)
        add EDX, [ESI+36] ; // + AddressOfNameOrdinals RVA
        add EDX, EAX      ; // EDX = &AddressOfNameOrdinals[index]
        movzx EDX, word ptr [EDX]; // EDX = ordinal (index into AddressOfFunctions)
        lea EDX, [EDX*4]  ; // 4*ordinal (function table entries are 32-bit RVAs)
        add EDX, [ESI+28] ; // + AddressOfFunctions RVA
        pop ESI           ; 
        add EDX, EAX      ; // EDX = &AddressOfFunctions[ordinal]
        mov ECX, [EDX]    ; // ECX = function RVA
        pop EDI           ; 
        add EAX, ECX      ; // EAX = base + RVA = function address (return value)
        ret               ; 

      }
}

// Late-bound Win32 entry points. Each pointer starts out null and is filled
// in by main() once the loader functions have been located by hand. All
// three use the stdcall (extern(Windows)) calling convention; note that
// _GetProcAddress is declared as returning int and its result is cast to
// the concrete function-pointer type by the caller.
extern(Windows) int     function(HWND hWnd, PCHAR lpText, PCHAR lpCaption, UINT uType) _MessageBoxA;   // user32!MessageBoxA
extern(Windows) int     function(HMODULE hModule, LPCSTR lpProcName)                   _GetProcAddress; // kernel32!GetProcAddress
extern(Windows) HMODULE function(PCHAR lpFileName)                                      _LoadLibrary;    // kernel32!LoadLibraryA

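/// Entry point: locates LoadLibraryA and GetProcAddress by walking
/// kernel32's export table (see NEW_GPA), then uses those two to reach
/// user32!MessageBoxA and show a message box.
///
/// NOTE(review): the kernel32 address is read from a hard-coded stack slot
/// (`[EBP+0x1D4]`), i.e. it relies on a specific D runtime start-up call
/// chain and frame layout that happens to leave a kernel32 return address
/// there. That offset is not stable across compilers, runtime versions or
/// build flags; if the slot holds anything else, GetKernelBase scans
/// unmapped memory and faults (it has no lower bound).
void main(){
    uint Kernel32BaseAddr; // seed address for GetKernelBase, filled in by the asm block
    asm {
      mov EAX, [EBP+0x1D4];      // presumably a return address into kernel32 left by the runtime's start-up frames — TODO confirm
      mov Kernel32BaseAddr, EAX;
    }
    // GetKernelBase is a pure scan of the same input; resolve it once.
    UINT kernel32 = GetKernelBase(Kernel32BaseAddr);
    // Bootstrap the two loader exports straight from kernel32's export table.
    // (The stray trailing ';' after the first assignment in the original is an
    // empty statement, which DMD rejects.)
    _LoadLibrary    = cast(typeof(_LoadLibrary))    NEW_GPA(kernel32, cast(char*)"LoadLibraryA");
    _GetProcAddress = cast(typeof(_GetProcAddress)) NEW_GPA(kernel32, cast(char*)"GetProcAddress");
    // From here on use the real loader API. Guard the null cases so a failed
    // LoadLibrary/GetProcAddress does not turn into a call through a null
    // function pointer.
    HMODULE user32 = _LoadLibrary(cast(char*)"user32.dll");
    if (user32 is null)
        return;
    _MessageBoxA = cast(typeof(_MessageBoxA)) _GetProcAddress(user32, cast(char*)"MessageBoxA");
    if (_MessageBoxA is null)
        return;
    _MessageBoxA (null, cast(char*) "Hello World", cast(char*)"Test", 0);
}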


转载自xuling1993728.iteye.com/blog/2209528