Windows黑客技术之自己实现GetProcAddressAndGetModuleHandle
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <winternl.h>
#include <malloc.h>
#include <stdlib.h>
#include <string.h>
#ifdef _M_AMD64
#include <intrin.h>
#elif defined(_M_ARM)
#include <armintr.h>
#endif
#ifdef _M_IX86
/*
 * GetPEBx86 - return the current process's PEB pointer on 32-bit x86.
 *
 * Naked function (no prologue/epilogue): the body is exactly the two
 * instructions below. On x86 the fs segment register addresses the TEB, and
 * the PEB pointer lives at TEB offset 0x30, so the load puts the PEB address
 * into eax, which is the return register for this calling convention.
 * The declaration mixes __inline and __forceinline; MSVC accepts both, but
 * the __asm block means this is MSVC-only (not buildable with cl /clr, GCC
 * or Clang in MSVC mode).
 *
 * Returns: PEB * for the calling process (never NULL on a running process).
 */
static __inline PEB __declspec(naked) __forceinline *GetPEBx86()
{
__asm
{
mov eax, dword ptr fs : [0x30];   /* eax = TEB->ProcessEnvironmentBlock */
retn;
}
}
#endif
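/*
 * GetModuleBaseAddress - find the base address of an already-loaded module
 * by walking the loader's InMemoryOrderModuleList in the PEB, without calling
 * GetModuleHandle.
 *
 * @moduleName  File name of the module, without path (e.g. L"KERNEL32.DLL").
 *              Compared case-insensitively (ordinal compare) against the base
 *              name of each entry's FullDllName, i.e. the text after the last
 *              backslash.
 * Returns: the module's DllBase as an HMODULE, or NULL if the PEB cannot be
 *          read on this architecture, moduleName is NULL, or nothing matches.
 *
 * Layout note: each list node is the InMemoryOrderLinks member of an
 * LDR_DATA_TABLE_ENTRY, not the start of the struct, so the node pointer must
 * go through CONTAINING_RECORD. Casting the node directly to
 * PLDR_DATA_TABLE_ENTRY shifts every field by two pointers (that is why code
 * written that way reads DllBase through Reserved2[0] and the base name
 * through FullDllName) - the shift works by coincidence of the public
 * winternl.h layout and is easy to break.
 *
 * Caveat: nothing here validates that the loader structures are intact; the
 * function trusts whatever the PEB points at, like the loader itself does.
 */
HMODULE WINAPI GetModuleBaseAddress(LPCWSTR moduleName)
{
    PEB *pPeb = NULL;
    LIST_ENTRY *pHead = NULL;
    LIST_ENTRY *pNode = NULL;
#ifdef _M_IX86
    pPeb = GetPEBx86();
#elif defined(_M_AMD64)
    /* On x64 the gs segment addresses the TEB; the PEB pointer is at 0x60. */
    pPeb = (PPEB)__readgsqword(0x60);
#elif defined(_M_ARM)
    PTEB pTeb = (PTEB)_MoveFromCoprocessor(15, 0, 13, 0, 2); /* CP15_TPIDRURW */
    if (pTeb)
        pPeb = (PPEB)pTeb->ProcessEnvironmentBlock;
#endif
    if (pPeb == NULL || pPeb->Ldr == NULL || moduleName == NULL)
        return NULL;
    /* The list is circular and anchored at the PEB_LDR_DATA member itself,
     * so the anchor is the terminator - it must never be treated as an entry. */
    pHead = &pPeb->Ldr->InMemoryOrderModuleList;
    for (pNode = pHead->Flink; pNode != NULL && pNode != pHead; pNode = pNode->Flink)
    {
        LDR_DATA_TABLE_ENTRY *pEntry = CONTAINING_RECORD(pNode, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        const WCHAR *pFull = pEntry->FullDllName.Buffer;
        USHORT cch = (USHORT)(pEntry->FullDllName.Length / sizeof(WCHAR)); /* Length is in bytes */
        const WCHAR *pBase = pFull;
        USHORT k;
        if (pFull == NULL || cch == 0)
            continue;
        /* Base name = everything after the last backslash of the full path. */
        for (k = 0; k < cch; k++)
            if (pFull[k] == L'\\')
                pBase = &pFull[k + 1];
        /* Explicit length: a UNICODE_STRING is not guaranteed NUL-terminated. */
        if (CompareStringOrdinal(pBase, (int)(cch - (pBase - pFull)), moduleName, -1, TRUE) == CSTR_EQUAL)
            return (HMODULE)pEntry->DllBase;
    }
    return NULL;
}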
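FARPROC WINAPI GetExportAddress(HMODULE hMod, const char *lpProcName);

/*
 * ResolveForwardedExport - follow an export forwarder string of the form
 * "TARGETDLL.FunctionName" or "TARGETDLL.#Ordinal" (as written in the
 * forwarding module's export directory) to the real function address.
 *
 * @forwarder  NUL-terminated forwarder string inside the export directory.
 * Returns: the resolved address, or NULL if the string is malformed,
 *          LoadLibraryA cannot be located, or the target cannot be loaded
 *          or does not export the symbol.
 * Ownership: the temporary copy of the string is freed on every path.
 */
static FARPROC ResolveForwardedExport(const char *forwarder)
{
    typedef HMODULE(WINAPI *LoadLibraryAF)(LPCSTR lpFileName);
    FARPROC result = NULL;
    LoadLibraryAF pLoadLibraryA = NULL;
    HMODULE hForward = NULL;
    char *szDllName = NULL;
    char *szFunctionName = NULL;

    /* Copy so the DLL part can be NUL-terminated in place; the export
     * directory itself is read-only mapped image data. */
    szDllName = _strdup(forwarder);
    if (szDllName == NULL)
        return NULL;
    szFunctionName = strchr(szDllName, '.');
    if (szFunctionName == NULL)
        goto out; /* no "DLL.Name" separator: malformed forwarder */
    *szFunctionName++ = '\0';

    pLoadLibraryA = (LoadLibraryAF)GetExportAddress(GetModuleBaseAddress(L"KERNEL32.DLL"), "LoadLibraryA");
    if (pLoadLibraryA == NULL)
        goto out;
    /* The DLL part has no extension; LoadLibraryA appends ".dll" itself. */
    hForward = pLoadLibraryA(szDllName);
    if (hForward == NULL)
        goto out;

    if (szFunctionName[0] == '#')
    {
        /* "DLL.#123" forwards by ordinal; pass it the same way a caller would. */
        char *end = NULL;
        unsigned long ord = strtoul(szFunctionName + 1, &end, 10);
        if (end == szFunctionName + 1 || *end != '\0' || ord > 0xFFFF)
            goto out;
        result = GetExportAddress(hForward, MAKEINTRESOURCEA((WORD)ord));
    }
    else
    {
        result = GetExportAddress(hForward, szFunctionName);
    }
out:
    free(szDllName);
    return result;
}

/*
 * GetExportAddress - look up an exported function directly in a mapped
 * module's export directory, without calling GetProcAddress.
 *
 * @hMod        Base address of a module mapped by the loader (image layout,
 *              not a raw file). NULL returns NULL.
 * @lpProcName  Either a NUL-terminated export name, or an ordinal passed
 *              MAKEINTRESOURCE-style (high 16 bits zero), matching the
 *              GetProcAddress convention.
 * Returns: the function's address, or NULL when the image headers do not
 *          look like a PE image, the module has no export directory, the
 *          name/ordinal is not exported, the slot is empty (RVA 0), or a
 *          forwarder cannot be resolved.
 *
 * Export-table layout (all RVAs relative to hMod):
 *   AddressOfFunctions   - DWORD[NumberOfFunctions], indexed by (ordinal - Base)
 *   AddressOfNames       - DWORD[NumberOfNames], RVAs of the name strings
 *   AddressOfNameOrdinals- WORD[NumberOfNames], index into AddressOfFunctions
 * An entry whose address falls inside the export directory itself is a
 * forwarder string rather than code.
 *
 * Caveat: RVAs are trusted as-is; there is no check that they fall within
 * SizeOfImage, so a corrupted or hostile image can make this read out of
 * bounds. Callers must only pass modules the loader has mapped.
 */
FARPROC WINAPI GetExportAddress(HMODULE hMod, const char *lpProcName)
{
    const char *pBaseAddress = (const char *)hMod;
    const IMAGE_DOS_HEADER *pDosHeader = NULL;
    const IMAGE_NT_HEADERS *pNtHeaders = NULL;
    const IMAGE_DATA_DIRECTORY *pDataDirectory = NULL;
    const IMAGE_EXPORT_DIRECTORY *pExportDirectory = NULL;
    const DWORD *pFunctions = NULL;   /* DWORD RVAs, not pointers: same width on x86 and x64 */
    const WORD *pOrdinals = NULL;
    const DWORD *pNames = NULL;
    DWORD functionRva = 0;
    DWORD i;

    if (hMod == NULL || lpProcName == NULL)
        return NULL;

    pDosHeader = (const IMAGE_DOS_HEADER *)pBaseAddress;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;
    pNtHeaders = (const IMAGE_NT_HEADERS *)(pBaseAddress + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return NULL;
    pDataDirectory = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (pDataDirectory->VirtualAddress == 0 || pDataDirectory->Size == 0)
        return NULL; /* module exports nothing */
    pExportDirectory = (const IMAGE_EXPORT_DIRECTORY *)(pBaseAddress + pDataDirectory->VirtualAddress);
    pFunctions = (const DWORD *)(pBaseAddress + pExportDirectory->AddressOfFunctions);
    pOrdinals = (const WORD *)(pBaseAddress + pExportDirectory->AddressOfNameOrdinals);
    pNames = (const DWORD *)(pBaseAddress + pExportDirectory->AddressOfNames);

    if (((DWORD_PTR)lpProcName >> 16) == 0)
    {
        /* Lookup by ordinal: the table is indexed from Base, not from zero. */
        DWORD ordinal = LOWORD(lpProcName);
        DWORD dwOrdinalBase = pExportDirectory->Base;
        if (ordinal < dwOrdinalBase || ordinal - dwOrdinalBase >= pExportDirectory->NumberOfFunctions)
            return NULL;
        functionRva = pFunctions[ordinal - dwOrdinalBase];
    }
    else
    {
        /* Lookup by name: names are sorted in the image, but a linear scan is
         * simplest and the tables are small. */
        for (i = 0; i < pExportDirectory->NumberOfNames; i++)
        {
            const char *szName = pBaseAddress + pNames[i];
            if (strcmp(lpProcName, szName) == 0)
            {
                WORD index = pOrdinals[i];
                if (index >= pExportDirectory->NumberOfFunctions)
                    return NULL; /* inconsistent tables */
                functionRva = pFunctions[index];
                break;
            }
        }
    }

    /* RVA 0 means "not found" here, and also an unused slot in a sparse
     * ordinal range; the old code returned the module base in that case. */
    if (functionRva == 0)
        return NULL;

    /* An address inside the export directory is a forwarder string. */
    if (functionRva >= pDataDirectory->VirtualAddress &&
        functionRva < pDataDirectory->VirtualAddress + pDataDirectory->Size)
        return ResolveForwardedExport(pBaseAddress + functionRva);

    return (FARPROC)(pBaseAddress + functionRva);
}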
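/*
 * main - demonstrate the two helpers: resolve LoadLibraryA and GetProcAddress
 * from the already-loaded kernel32 via the PEB and export table, then use
 * them to load user32 and show a message box.
 *
 * Returns: 0 on success, 1 if any lookup fails (the original code called
 * through NULL pointers in that case).
 */
int main(void)
{
    typedef HMODULE(WINAPI *LoadLibraryAF)(LPCSTR lpFileName);
    typedef FARPROC(WINAPI *GetProcAddressF)(HMODULE hModule, LPCSTR lpProcName);
    /* Call MessageBoxW through its real prototype instead of a bare FARPROC,
     * so the argument types and calling convention are checked. */
    typedef int(WINAPI *MessageBoxWF)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
    HMODULE hKernel32 = NULL;
    HMODULE hUser32 = NULL;
    LoadLibraryAF pLoadLibraryA = NULL;
    GetProcAddressF pGetProcAddress = NULL;
    MessageBoxWF pMessageBoxW = NULL;

    hKernel32 = GetModuleBaseAddress(L"KERNEL32.DLL");
    if (hKernel32 == NULL)
        return 1;
    pLoadLibraryA = (LoadLibraryAF)GetExportAddress(hKernel32, "LoadLibraryA");
    pGetProcAddress = (GetProcAddressF)GetExportAddress(hKernel32, "GetProcAddress");
    if (pLoadLibraryA == NULL || pGetProcAddress == NULL)
        return 1;

    hUser32 = pLoadLibraryA("user32.dll");
    if (hUser32 == NULL)
        return 1;
    pMessageBoxW = (MessageBoxWF)pGetProcAddress(hUser32, "MessageBoxW");
    if (pMessageBoxW == NULL)
        return 1;

    pMessageBoxW(NULL, L"It works!", L"Hello World!", MB_OK);
    return 0;
}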
作者:IBinary