Testirao sam ga na WinXP SP2 i radi savrseno.
Ovim kodom dinamicki loadiram API-je, a nasao sam ga u nekom vx-zinu.
Hvala
Code:
; MASM, Intel syntax. Target: 32-bit PE (PE32), flat memory model, stdcall
; default. Demonstrates resolving kernel32/user32 exports by name at run time
; without an import table (see Main and GetFunctionAddress below).
.386p
.model flat, stdcall
.DATA
; MessageBoxA caption and body text (NUL-terminated ANSI strings)
szTitle db 'Dynamic API Resolving',0
szText db 'I Succeeded',0
; DLL name we are going to import (passed to LoadLibraryA by Main)
__DLL_User32 db 'User32', 0
; API's we are going to use (looked up by name in the modules' export tables)
__API_LoadLibraryA db 'LoadLibraryA', 0
__API_MessageBoxA db 'MessageBoxA', 0
__API_ExitProcess db 'ExitProcess', 0
; Resolved addresses, filled in by Main at run time
__ADDR_MessageBoxA dd 0 ; Address of MessageBoxA
__ADDR_ExitProcess dd 0 ; Address of ExitProcess
_User32 dd 0 ; Handle to user32 (declared but never written by this code;
; Main keeps the LoadLibraryA result only in eax)
_Kernel32 dd 0 ; Handle to kernel32 (= image base found by Main's 'MZ' scan)
.CODE
;---------------------------------------------------------------------------
; Main - program entry point (no C runtime, no import table)
;---------------------------------------------------------------------------
; 1. computes the relocation delta (call/pop trick) into ebp,
; 2. locates the kernel32 image base by scanning backwards, one page at a
;    time, from the entry-point return address until an 'MZ' header is hit,
; 3. resolves LoadLibraryA from kernel32, loads user32, resolves MessageBoxA,
;    shows a message box, then resolves and calls ExitProcess.
; Register roles: ebp = delta (link-time address + ebp = run-time address),
;                 eax = image base of the module being searched / API result.
; GetFunctionAddress clobbers ebx, ecx, edx, esi, edi and flags; ebp survives.
; Does not return.
;---------------------------------------------------------------------------
Main:
call GetDelta ; pushes the run-time address of GetDelta
GetDelta:
pop ebp ; ebp = run-time address of GetDelta
sub ebp, offset GetDelta ; ebp = run-time - link-time = relocation delta
mov eax, [esp] ; at the very beginning the first dword on the stack
; contains a pointer inside kernel32
; NOTE(review): this is the return address into whatever called the entry
; point. The post reports it tested on XP SP2, where that caller lives in
; kernel32; on other Windows versions the caller may be another module, in
; which case the scan below finds a different module's header.
or eax, 00000FFFh ; the image base has to be a multiple of the memory alignment
xor eax,00000FFFh ; or+xor with the same mask clears the low 12 bits: round down to a 4 KiB page
compare:
; Walk down a page at a time until the 'MZ' DOS signature is found.
; No lower bound is checked: if no 'MZ' page is found the scan continues
; into unmapped addresses and faults.
cmp word ptr [eax], 'ZM' ; the word 'ZM' == bytes "MZ" in memory (little-endian)
je kernel32_found
sub eax, 1000h ; previous page
jmp compare
kernel32_found:
mov dword ptr [ebp + _Kernel32], eax ; cache the kernel32 base (delta-adjusted store)
; eax = kernel32 base is the image-base input of GetFunctionAddress
lea esi, [ebp + __API_LoadLibraryA] ; esi = "LoadLibraryA"
call GetFunctionAddress ; eax = &LoadLibraryA
lea ebx, [ebp + offset __DLL_User32] ; ebx = "User32"
push ebx ; lpLibFileName
call eax ; Load user32.dll
; in return, eax = image base of user32 (the HMODULE); stdcall, so the
; callee already popped its one argument
lea esi, [ebp + __API_MessageBoxA] ; esi = "MessageBoxA"
call GetFunctionAddress ; eax = &MessageBoxA (looked up in user32, the module in eax)
mov [ebp + __ADDR_MessageBoxA], eax
; MessageBoxA(hWnd=0, lpText=szText, lpCaption=szTitle, uType=0); stdcall,
; so arguments are pushed right-to-left
push 0 ; uType
push offset szTitle ; lpCaption
push offset szText ; lpText
push 0 ; hWnd
; NOTE(review): the two 'offset' pushes above are link-time addresses and are
; not delta-adjusted like every other data reference here (no '[ebp + ...]');
; they are only correct when the image is loaded at its preferred base, i.e.
; when the delta in ebp is 0.
call [ebp + __ADDR_MessageBoxA] ; call MessageBoxA
mov eax, [ebp + _Kernel32] ; back to kernel32 as the module to search
lea esi, [ebp + __API_ExitProcess] ; esi = "ExitProcess"
call GetFunctionAddress ; eax = &ExitProcess
mov [ebp + __ADDR_ExitProcess], eax
push 0 ; uExitCode
call [ebp + __ADDR_ExitProcess] ; call ExitProcess (does not return)
;---------------------------------------------------------------------------
; GetFunctionAddress
;---------------------------------------------------------------------------
; Looks an export up by name in a loaded PE32 module (a manual equivalent of
; GetProcAddress): export directory -> AddressOfNames -> index of the matching
; name -> AddressOfNameOrdinals -> AddressOfFunctions.
; Input parameters:
; esi = offset of a zero-terminated string with the name of the API.
; eax = image base of the dll where the API resides
; Returns:
; eax = address of desired API
; Clobbers: ebx, ecx, edx, esi, edi, flags (ebp is untouched). Stack is
; balanced on return (two slots are pushed per iteration and popped again
; either at CompareNext or at GetAddress).
; Limitations (see the notes in the body): the name match accepts any export
; whose name merely starts with the requested string; the loop is not bounded
; by NumberOfNames, so an unresolvable name walks past the end of the table;
; forwarded exports are not recognised; PE32 only (the offset of 120 below
; assumes a 32-bit optional header).
;---------------------------------------------------------------------------
GetFunctionAddress PROC
mov ebx, [eax + 3Ch] ; pointer to pe header (e_lfanew: RVA of the 'PE\0\0' header)
add ebx, eax ; ebx = VA of the PE header
add ebx, 120 ; +78h: DataDirectory[0] (export table) in the PE32 optional header
mov ebx, [ebx] ; ebx = RVA of the export directory
add ebx, eax ; EBX = Export Address (VA of the IMAGE_EXPORT_DIRECTORY)
xor edx, edx ; edx = name index; incremented before each comparison, so 1-based
mov ecx, [ebx + 32] ; export dir + 32 = AddressOfNames (RVA of the name-RVA array)
add ecx, eax ; ecx = VA of the next name-RVA entry
; Loop state (requested-name pointer, index) lives on the stack because the
; byte compare below overwrites dl/dh and esi is advanced while matching.
push esi
push edx
CompareNext:
pop edx ; restore index and the start of the requested name
pop esi
inc edx ; index of the export name examined in this iteration
mov edi, [ecx] ; RVA of this export's name string
add edi, eax ; edi = VA of the export name
add ecx, 4 ; advance to the next name-RVA entry
push esi
push edx
CompareName:
; Byte-by-byte compare of the export name (edi) against the requested name (esi).
mov dl, [edi]
mov dh, [esi]
cmp dl, dh
jne CompareNext ; mismatch: try the next export (CompareNext restores esi/edx)
inc edi
inc esi
cmp byte ptr [esi], 0 ; requested name exhausted -> treated as a match
; NOTE(review): the export name is not checked for its own terminator, so a
; longer export whose prefix equals the requested name also matches.
; NOTE(review): there is no "not found" exit -- NumberOfNames (export dir + 24)
; is never read, so the walk continues past the end of AddressOfNames.
je GetAddress
jmp CompareName
GetAddress:
pop edx ; edx = 1-based index of the matching name
pop esi
dec edx ; 0-based index
shl edx, 1 ; * sizeof(WORD)
mov ecx, [ebx + 36] ; export dir + 36 = AddressOfNameOrdinals (RVA of a WORD array)
add ecx, eax
add ecx, edx ; ecx = &NameOrdinals[index]
xor edx, edx
mov dx, [ecx] ; edx = ordinal = zero-based index into AddressOfFunctions
shl edx, 2 ; * sizeof(DWORD)
mov ecx, [ebx + 28] ; export dir + 28 = AddressOfFunctions (RVA of an RVA array)
add ecx, eax
add ecx, edx ; ecx = &Functions[ordinal]
add eax, [ecx] ; eax = base + function RVA
; (an RVA pointing back into the export directory would be a forwarder
; string rather than code; that case is not detected here)
ret
GetFunctionAddress ENDP
End Main
; MASM, Intel syntax. Target: 32-bit PE (PE32), flat memory model, stdcall
; default. Demonstrates resolving kernel32/user32 exports by name at run time
; without an import table (see Main and GetFunctionAddress below).
.386p
.model flat, stdcall
.DATA
; MessageBoxA caption and body text (NUL-terminated ANSI strings)
szTitle db 'Dynamic API Resolving',0
szText db 'I Succeeded',0
; DLL name we are going to import (passed to LoadLibraryA by Main)
__DLL_User32 db 'User32', 0
; API's we are going to use (looked up by name in the modules' export tables)
__API_LoadLibraryA db 'LoadLibraryA', 0
__API_MessageBoxA db 'MessageBoxA', 0
__API_ExitProcess db 'ExitProcess', 0
; Resolved addresses, filled in by Main at run time
__ADDR_MessageBoxA dd 0 ; Address of MessageBoxA
__ADDR_ExitProcess dd 0 ; Address of ExitProcess
_User32 dd 0 ; Handle to user32 (declared but never written by this code;
; Main keeps the LoadLibraryA result only in eax)
_Kernel32 dd 0 ; Handle to kernel32 (= image base found by Main's 'MZ' scan)
.CODE
;---------------------------------------------------------------------------
; Main - program entry point (no C runtime, no import table)
;---------------------------------------------------------------------------
; 1. computes the relocation delta (call/pop trick) into ebp,
; 2. locates the kernel32 image base by scanning backwards, one page at a
;    time, from the entry-point return address until an 'MZ' header is hit,
; 3. resolves LoadLibraryA from kernel32, loads user32, resolves MessageBoxA,
;    shows a message box, then resolves and calls ExitProcess.
; Register roles: ebp = delta (link-time address + ebp = run-time address),
;                 eax = image base of the module being searched / API result.
; GetFunctionAddress clobbers ebx, ecx, edx, esi, edi and flags; ebp survives.
; Does not return.
;---------------------------------------------------------------------------
Main:
call GetDelta ; pushes the run-time address of GetDelta
GetDelta:
pop ebp ; ebp = run-time address of GetDelta
sub ebp, offset GetDelta ; ebp = run-time - link-time = relocation delta
mov eax, [esp] ; at the very beginning the first dword on the stack
; contains a pointer inside kernel32
; NOTE(review): this is the return address into whatever called the entry
; point. The post reports it tested on XP SP2, where that caller lives in
; kernel32; on other Windows versions the caller may be another module, in
; which case the scan below finds a different module's header.
or eax, 00000FFFh ; the image base has to be a multiple of the memory alignment
xor eax,00000FFFh ; or+xor with the same mask clears the low 12 bits: round down to a 4 KiB page
compare:
; Walk down a page at a time until the 'MZ' DOS signature is found.
; No lower bound is checked: if no 'MZ' page is found the scan continues
; into unmapped addresses and faults.
cmp word ptr [eax], 'ZM' ; the word 'ZM' == bytes "MZ" in memory (little-endian)
je kernel32_found
sub eax, 1000h ; previous page
jmp compare
kernel32_found:
mov dword ptr [ebp + _Kernel32], eax ; cache the kernel32 base (delta-adjusted store)
; eax = kernel32 base is the image-base input of GetFunctionAddress
lea esi, [ebp + __API_LoadLibraryA] ; esi = "LoadLibraryA"
call GetFunctionAddress ; eax = &LoadLibraryA
lea ebx, [ebp + offset __DLL_User32] ; ebx = "User32"
push ebx ; lpLibFileName
call eax ; Load user32.dll
; in return, eax = image base of user32 (the HMODULE); stdcall, so the
; callee already popped its one argument
lea esi, [ebp + __API_MessageBoxA] ; esi = "MessageBoxA"
call GetFunctionAddress ; eax = &MessageBoxA (looked up in user32, the module in eax)
mov [ebp + __ADDR_MessageBoxA], eax
; MessageBoxA(hWnd=0, lpText=szText, lpCaption=szTitle, uType=0); stdcall,
; so arguments are pushed right-to-left
push 0 ; uType
push offset szTitle ; lpCaption
push offset szText ; lpText
push 0 ; hWnd
; NOTE(review): the two 'offset' pushes above are link-time addresses and are
; not delta-adjusted like every other data reference here (no '[ebp + ...]');
; they are only correct when the image is loaded at its preferred base, i.e.
; when the delta in ebp is 0.
call [ebp + __ADDR_MessageBoxA] ; call MessageBoxA
mov eax, [ebp + _Kernel32] ; back to kernel32 as the module to search
lea esi, [ebp + __API_ExitProcess] ; esi = "ExitProcess"
call GetFunctionAddress ; eax = &ExitProcess
mov [ebp + __ADDR_ExitProcess], eax
push 0 ; uExitCode
call [ebp + __ADDR_ExitProcess] ; call ExitProcess (does not return)
;---------------------------------------------------------------------------
; GetFunctionAddress
;---------------------------------------------------------------------------
; Looks an export up by name in a loaded PE32 module (a manual equivalent of
; GetProcAddress): export directory -> AddressOfNames -> index of the matching
; name -> AddressOfNameOrdinals -> AddressOfFunctions.
; Input parameters:
; esi = offset of a zero-terminated string with the name of the API.
; eax = image base of the dll where the API resides
; Returns:
; eax = address of desired API
; Clobbers: ebx, ecx, edx, esi, edi, flags (ebp is untouched). Stack is
; balanced on return (two slots are pushed per iteration and popped again
; either at CompareNext or at GetAddress).
; Limitations (see the notes in the body): the name match accepts any export
; whose name merely starts with the requested string; the loop is not bounded
; by NumberOfNames, so an unresolvable name walks past the end of the table;
; forwarded exports are not recognised; PE32 only (the offset of 120 below
; assumes a 32-bit optional header).
;---------------------------------------------------------------------------
GetFunctionAddress PROC
mov ebx, [eax + 3Ch] ; pointer to pe header (e_lfanew: RVA of the 'PE\0\0' header)
add ebx, eax ; ebx = VA of the PE header
add ebx, 120 ; +78h: DataDirectory[0] (export table) in the PE32 optional header
mov ebx, [ebx] ; ebx = RVA of the export directory
add ebx, eax ; EBX = Export Address (VA of the IMAGE_EXPORT_DIRECTORY)
xor edx, edx ; edx = name index; incremented before each comparison, so 1-based
mov ecx, [ebx + 32] ; export dir + 32 = AddressOfNames (RVA of the name-RVA array)
add ecx, eax ; ecx = VA of the next name-RVA entry
; Loop state (requested-name pointer, index) lives on the stack because the
; byte compare below overwrites dl/dh and esi is advanced while matching.
push esi
push edx
CompareNext:
pop edx ; restore index and the start of the requested name
pop esi
inc edx ; index of the export name examined in this iteration
mov edi, [ecx] ; RVA of this export's name string
add edi, eax ; edi = VA of the export name
add ecx, 4 ; advance to the next name-RVA entry
push esi
push edx
CompareName:
; Byte-by-byte compare of the export name (edi) against the requested name (esi).
mov dl, [edi]
mov dh, [esi]
cmp dl, dh
jne CompareNext ; mismatch: try the next export (CompareNext restores esi/edx)
inc edi
inc esi
cmp byte ptr [esi], 0 ; requested name exhausted -> treated as a match
; NOTE(review): the export name is not checked for its own terminator, so a
; longer export whose prefix equals the requested name also matches.
; NOTE(review): there is no "not found" exit -- NumberOfNames (export dir + 24)
; is never read, so the walk continues past the end of AddressOfNames.
je GetAddress
jmp CompareName
GetAddress:
pop edx ; edx = 1-based index of the matching name
pop esi
dec edx ; 0-based index
shl edx, 1 ; * sizeof(WORD)
mov ecx, [ebx + 36] ; export dir + 36 = AddressOfNameOrdinals (RVA of a WORD array)
add ecx, eax
add ecx, edx ; ecx = &NameOrdinals[index]
xor edx, edx
mov dx, [ecx] ; edx = ordinal = zero-based index into AddressOfFunctions
shl edx, 2 ; * sizeof(DWORD)
mov ecx, [ebx + 28] ; export dir + 28 = AddressOfFunctions (RVA of an RVA array)
add ecx, eax
add ecx, edx ; ecx = &Functions[ordinal]
add eax, [ecx] ; eax = base + function RVA
; (an RVA pointing back into the export directory would be a forwarder
; string rather than code; that case is not detected here)
ret
GetFunctionAddress ENDP
End Main