  • Win32 遍历导入表

      1 .386
    2 .model flat,stdcall
    3 option casemap:none
    4
    5 include Windows.inc
    6 include User32.inc
    7 include Kernel32.inc
    8 includelib User32.lib
    9 includelib Kernel32.lib
    10
    ; Globals shared by the entry point (MASM, 32-bit flat model).
    .data
    hMainHandle     DWORD   ?               ; declared but not referenced in this listing
    hFile           DWORD   ?               ; handle returned by CreateFile
    nSize           DWORD   ?               ; low 32 bits of the file size (GetFileSize)
    hMap            DWORD   ?               ; handle returned by CreateFileMapping
    hMapBase        DWORD   ?               ; base address returned by MapViewOfFile
    hReturnAddress  DWORD   ?               ; declared but not referenced in this listing
    szBuf           BYTE    'd:\Asm\FindDataDirectory.exe',0   ; hard-coded path of the PE file to inspect
    19 .code
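    ;-----------------------------------------------------------------------
    ; _RVAToOffset - translate an RVA into a raw file offset
    ; ABI:   stdcall, 32-bit flat model (MASM)
    ; In:    _lpFileHead = base of the PE file as it is laid out on disk
    ;        _dwRVA      = relative virtual address to translate
    ; Out:   eax = file offset, or -1 when no section's raw data covers
    ;              the RVA (this includes a file with zero sections)
    ; Clobb: flags; all general registers except eax are preserved
    ; Note:  e_lfanew, the section count and the section headers are read
    ;        straight from the file. This routine does not know how large
    ;        the buffer is, so the caller has to bounds-check the headers
    ;        before calling and the returned offset before using it.
    ;-----------------------------------------------------------------------
    _RVAToOffset proc _lpFileHead,_dwRVA
            local   @dwReturn

            pushad
            mov     @dwReturn,-1                    ; default result: RVA has no file backing

            mov     esi,_lpFileHead
            assume  esi:ptr IMAGE_DOS_HEADER
            add     esi,[esi].e_lfanew              ; esi -> IMAGE_NT_HEADERS
            assume  esi:ptr IMAGE_NT_HEADERS

            mov     edi,_dwRVA
            movzx   ecx,[esi].FileHeader.NumberOfSections

            ; .untilcxz assembles to LOOP, which decrements ecx before testing it.
            ; Entering the loop with ecx = 0 would therefore wrap and walk ~2^32
            ; bogus section headers, so a section count of zero skips the loop.
            .if ecx != 0
                ; The section table starts right after the optional header, whose
                ; actual length is stored in the file header.
                movzx   edx,[esi].FileHeader.SizeOfOptionalHeader
                add     edx,sizeof DWORD + sizeof IMAGE_FILE_HEADER   ; PE signature + file header
                add     edx,esi
                assume  edx:ptr IMAGE_SECTION_HEADER

                .repeat
                    mov     eax,[edx].VirtualAddress
                    add     eax,[edx].SizeOfRawData ; eax = first RVA past the raw data
                    .if (edi >= [edx].VirtualAddress) && (edi < eax)
                        mov     eax,edi
                        sub     eax,[edx].VirtualAddress    ; eax = offset inside the section
                        add     eax,[edx].PointerToRawData  ; eax = offset inside the file
                        mov     @dwReturn,eax
                        .break
                    .endif
                    add     edx,sizeof IMAGE_SECTION_HEADER
                .untilcxz
            .endif

            assume  esi:nothing
            assume  edx:nothing

            popad
            mov     eax,@dwReturn
            ret
    _RVAToOffset endp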
    58
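    ;-----------------------------------------------------------------------
    ; _FindRvaSectionName - find the section header whose raw data covers an RVA
    ; ABI:   stdcall, 32-bit flat model (MASM)
    ; In:    _dwBase = base of the PE file as it is laid out on disk
    ;        _dwRva  = relative virtual address to look up
    ; Out:   eax = address of the matching IMAGE_SECTION_HEADER, or 0 when
    ;              no section matches (this includes a file with zero sections)
    ; Clobb: flags; all general registers except eax are preserved
    ; Note:  header fields come from the file and are not checked against
    ;        the buffer size here; the caller must validate the headers first.
    ;-----------------------------------------------------------------------
    _FindRvaSectionName proc _dwBase,_dwRva
            local   @Ret

            pushad
            mov     @Ret,0                          ; default result: no section found

            mov     esi,_dwBase
            mov     edi,_dwRva
            assume  esi:ptr IMAGE_DOS_HEADER
            add     esi,[esi].e_lfanew              ; esi -> IMAGE_NT_HEADERS
            assume  esi:ptr IMAGE_NT_HEADERS

            movzx   ecx,[esi].FileHeader.NumberOfSections

            ; .untilcxz assembles to LOOP, which decrements ecx before testing it;
            ; a section count of zero must not enter the loop or ecx wraps.
            .if ecx != 0
                ; Section table = NT headers + signature + file header + optional
                ; header, using the optional-header length stored in the file.
                movzx   eax,[esi].FileHeader.SizeOfOptionalHeader
                add     eax,sizeof DWORD + sizeof IMAGE_FILE_HEADER
                add     esi,eax
                assume  esi:ptr IMAGE_SECTION_HEADER

                .repeat
                    mov     eax,[esi].VirtualAddress
                    add     eax,[esi].SizeOfRawData ; eax = first RVA past the raw data
                    .if (edi >= [esi].VirtualAddress) && (edi < eax)
                        mov     @Ret,esi            ; section header address is the result
                        .break
                    .endif
                    add     esi,sizeof IMAGE_SECTION_HEADER
                .untilcxz
            .endif

            assume  esi:nothing

            popad
            mov     eax,@Ret
            ret
    _FindRvaSectionName endp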
    91
    92
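    ;-----------------------------------------------------------------------
    ; _GetImportInfo - walk the import directory of a PE32 file mapped as data
    ; ABI:   stdcall, 32-bit flat model (MASM)
    ; In:    _dwBase = base of the mapped file (on-disk layout, not a loaded image)
    ;        _nSize  = number of bytes available at _dwBase
    ; Out:   none; the walk visits every import descriptor and every entry of
    ;        its FirstThunk array without recording anything yet
    ; Clobb: flags; all general registers are preserved (pushad/popad)
    ; Note:  the file is treated as untrusted. Every header, descriptor and
    ;        thunk is checked against _nSize before it is read, and the walk
    ;        stops quietly at the first structure that does not fit. Only
    ;        PE32 is handled: the data-directory offset used below is the
    ;        32-bit optional-header layout.
    ;-----------------------------------------------------------------------
    _GetImportInfo proc _dwBase,_nSize
            pushad
            mov     esi,_dwBase
            mov     ebx,_nSize                      ; ebx = mapped byte count, live for the whole walk

            ; --- DOS header ---
            cmp     ebx,sizeof IMAGE_DOS_HEADER
            jb      @Ret
            assume  esi:ptr IMAGE_DOS_HEADER
            cmp     [esi].e_magic,IMAGE_DOS_SIGNATURE
            jne     @Ret

            ; --- NT headers: e_lfanew is file-controlled, compare it unsigned ---
            mov     eax,[esi].e_lfanew
            cmp     eax,ebx
            jae     @Ret
            mov     ecx,ebx
            sub     ecx,eax                         ; ecx = bytes available from the NT headers on
            cmp     ecx,sizeof IMAGE_NT_HEADERS
            jb      @Ret
            add     esi,eax
            assume  esi:ptr IMAGE_NT_HEADERS
            cmp     [esi].Signature,IMAGE_NT_SIGNATURE
            jne     @Ret
            cmp     [esi].OptionalHeader.Magic,010Bh    ; 010Bh = PE32 optional-header magic
            jne     @Ret

            ; --- section table ---
            ; Require the optional header to be at least the standard PE32 size so
            ; the data-directory read below stays inside it; the section table
            ; (which _RVAToOffset walks) must also end inside the mapping.
            movzx   eax,[esi].FileHeader.SizeOfOptionalHeader
            add     eax,sizeof DWORD + sizeof IMAGE_FILE_HEADER   ; PE signature + file header
            cmp     eax,sizeof IMAGE_NT_HEADERS
            jb      @Ret
            movzx   edx,[esi].FileHeader.NumberOfSections
            imul    edx,edx,sizeof IMAGE_SECTION_HEADER
            add     eax,edx                         ; eax = end of section table, relative to NT headers
            cmp     eax,ecx
            ja      @Ret

            ; --- import directory: second data-directory entry ---
            mov     eax,[esi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
            test    eax,eax
            jz      @Ret                            ; file has no import directory
            invoke  _RVAToOffset,_dwBase,eax        ; eax = file offset, or -1
            cmp     eax,ebx                         ; unsigned: also rejects the -1 failure value
            jae     @Ret
            mov     edi,eax
            add     edi,_dwBase                     ; edi -> first import descriptor
            assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR

    @NextDesc:
            ; The whole descriptor must lie inside the mapping before it is read.
            mov     eax,edi
            sub     eax,_dwBase                     ; eax = descriptor's file offset
            cmp     eax,ebx
            jae     @Ret
            mov     ecx,ebx
            sub     ecx,eax
            cmp     ecx,sizeof IMAGE_IMPORT_DESCRIPTOR
            jb      @Ret

            ; An all-zero descriptor terminates the table.
            mov     eax,[edi].OriginalFirstThunk
            or      eax,[edi].TimeDateStamp
            or      eax,[edi].ForwarderChain
            or      eax,[edi].Name1
            or      eax,[edi].FirstThunk
            jz      @Ret

            ; [edi].Name1 is the RVA of the DLL name; translate and bounds-check it
            ; the same way before reading the string.
            invoke  _RVAToOffset,_dwBase,[edi].FirstThunk   ; eax = offset of thunk array, or -1

    @NextThunk:
            ; A thunk array that is not backed by file data, or that runs off the
            ; end of the mapping, ends this descriptor's walk.
            cmp     eax,ebx
            jae     @DescDone
            mov     ecx,ebx
            sub     ecx,eax
            cmp     ecx,sizeof DWORD
            jb      @DescDone
            mov     edx,_dwBase
            cmp     dword ptr [edx+eax],0           ; zero thunk terminates the array
            je      @DescDone
            ; Per-import processing goes here; the thunk value is at [edx+eax].
            add     eax,sizeof DWORD
            jmp     @NextThunk

    @DescDone:
            add     edi,sizeof IMAGE_IMPORT_DESCRIPTOR      ; advance to the next descriptor
            jmp     @NextDesc

    @Ret:
            assume  esi:nothing
            assume  edi:nothing
            popad
            ret
    _GetImportInfo endp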
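    ;-----------------------------------------------------------------------
    ; start - program entry point
    ; Opens the file named by szBuf read-only, maps it as plain data and
    ; hands the mapping to _GetImportInfo. Each API result is checked before
    ; it is used, and the view and handles are released on every path.
    ; Exit code: 0 after the import walk ran, 1 when the file could not be
    ; opened, sized or mapped.
    ; Note: only the low 32 bits of the file size are kept in nSize.
    ;-----------------------------------------------------------------------
    start:
            mov     ebx,1                           ; exit code, assume failure (ebx survives API calls)

            invoke  CreateFile,offset szBuf,GENERIC_READ,FILE_SHARE_READ,\
                    NULL,OPEN_EXISTING,\
                    FILE_ATTRIBUTE_NORMAL,NULL
            cmp     eax,INVALID_HANDLE_VALUE
            je      @Exit
            mov     hFile,eax

            invoke  GetFileSize,hFile,NULL
            cmp     eax,-1                          ; -1 is the GetFileSize failure value
            je      @CloseFile
            mov     nSize,eax

            invoke  CreateFileMapping,hFile,NULL,PAGE_READONLY,0,0,NULL
            test    eax,eax                         ; NULL on failure (also for an empty file)
            jz      @CloseFile
            mov     hMap,eax

            invoke  MapViewOfFile,hMap,FILE_MAP_READ,0,0,0
            test    eax,eax
            jz      @CloseMap
            mov     hMapBase,eax

            invoke  _GetImportInfo,hMapBase,nSize
            xor     ebx,ebx                         ; the walk ran: exit code 0

            invoke  UnmapViewOfFile,hMapBase
    @CloseMap:
            invoke  CloseHandle,hMap
    @CloseFile:
            invoke  CloseHandle,hFile
    @Exit:
            invoke  ExitProcess,ebx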
  • 原文地址:https://www.cnblogs.com/dependence/p/2400543.html