/*
 * Minimal strcmp() replacement — presumably kept local so the resolver below
 * has no dependency on the C runtime (nothing in this listing imports it).
 *
 * Compares two NUL-terminated strings byte by byte as unsigned chars.
 * Returns -1 when src sorts before dst, 1 when it sorts after, 0 when equal.
 * Neither argument may be NULL.
 */
int mystrcmp (
const char * src,
const char * dst
)
{
    const unsigned char *a = (const unsigned char *)src;
    const unsigned char *b = (const unsigned char *)dst;

    for (;;) {
        int diff = (int)*a - (int)*b;
        if (diff != 0) {
            /* collapse the byte difference to a sign only */
            return diff < 0 ? -1 : 1;
        }
        if (*b == 0) {
            /* equal so far and both strings ended together */
            return 0;
        }
        ++a;
        ++b;
    }
}
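/*
 * Resolve an exported function from an already-mapped module by walking its
 * PE export directory directly, without calling GetProcAddress().
 *
 * hModule    : base address of a mapped PE image (from LoadLibrary, or from the
 *              PEB walk in GetKernel32Base()).
 * lpProcName : either a NUL-terminated export name, or an ordinal passed the
 *              GetProcAddress() way (high word zero, low word = ordinal).
 *
 * Returns the function's virtual address, or 0 when hModule is NULL, the DOS/NT
 * signatures do not match, the image has no export directory, the name is not
 * exported, or the ordinal lies outside [Base, Base + NumberOfFunctions).
 *
 * Limitations (unchanged from the original code):
 *  - All address arithmetic is done in DWORD, so this is 32-bit only; on a
 *    64-bit build the (DWORD) casts truncate the base address. The rest of the
 *    listing (the FS:[0x30] PEB walk) is x86-only anyway.
 *  - Forwarded exports (an RVA pointing at a "DLL.Func" string inside the
 *    export section rather than at code) are not detected; such an entry is
 *    returned as RVA + base, which is not callable.
 *  - Beyond the two signatures nothing about the image is validated; hModule
 *    must be a genuine mapped image.
 */
DWORD MyGetProcAddress(
HMODULE hModule, // handle to DLL module
LPCSTR lpProcName // function name
)
{
    DWORD dwBaseAddr = (DWORD)hModule;
    PIMAGE_DOS_HEADER pImageDosHeader = NULL;
    PIMAGE_NT_HEADERS pImageNtHeader = NULL;
    PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
    DWORD dwExportRva = 0;
    DWORD *pAddressOfFunction = NULL;
    DWORD *pAddressOfNames = NULL;
    WORD *pAddressOfNameOrdinals = NULL;
    DWORD dwNumberOfFunctions = 0;
    DWORD dwNumberOfNames = 0;
    DWORD dwBase = 0;
    DWORD dwName = 0;
    DWORD i = 0;

    if (hModule == NULL)
    {
        return 0;
    }

    pImageDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return 0;
    }

    pImageNtHeader = (PIMAGE_NT_HEADERS)(dwBaseAddr + pImageDosHeader->e_lfanew);
    if (pImageNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return 0;
    }

    /* An image without an export table has VirtualAddress == 0; previously that
       made the DOS header itself be read as an IMAGE_EXPORT_DIRECTORY. */
    dwExportRva = pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (dwExportRva == 0)
    {
        return 0;
    }
    pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(dwBaseAddr + dwExportRva);

    pAddressOfFunction = (DWORD *)(dwBaseAddr + pImageExportDirectory->AddressOfFunctions);
    dwNumberOfFunctions = pImageExportDirectory->NumberOfFunctions;
    dwBase = pImageExportDirectory->Base;

    /* Same convention as GetProcAddress(): a value whose high word is zero is an
       ordinal, not a pointer to a name. */
    dwName = (DWORD)lpProcName;
    if ((dwName & 0xFFFF0000) == 0)
    {
        /* Lookup by ordinal. Ordinals are biased by Base, so the table index is
           dwName - Base. Written as a subtraction so that NumberOfFunctions == 0
           does not wrap the way "Base + NumberOfFunctions - 1" did. */
        if (dwName < dwBase || dwName - dwBase >= dwNumberOfFunctions)
        {
            return 0;
        }
        return pAddressOfFunction[dwName - dwBase] + dwBaseAddr;
    }

    /* Lookup by name: AddressOfNames[i] pairs with AddressOfNameOrdinals[i]. */
    pAddressOfNames = (DWORD *)(dwBaseAddr + pImageExportDirectory->AddressOfNames);
    pAddressOfNameOrdinals = (WORD *)(dwBaseAddr + pImageExportDirectory->AddressOfNameOrdinals);
    dwNumberOfNames = pImageExportDirectory->NumberOfNames;

    for (i = 0; i < dwNumberOfNames; i++)
    {
        const char *strFunction = (const char *)(dwBaseAddr + pAddressOfNames[i]);
        if (mystrcmp(lpProcName, strFunction) == 0)
        {
            /* Name ordinals are already unbiased indices into AddressOfFunctions.
               Refuse a corrupt table instead of reading past its end. */
            WORD wOrdinal = pAddressOfNameOrdinals[i];
            if (wOrdinal >= dwNumberOfFunctions)
            {
                return 0;
            }
            return pAddressOfFunction[wOrdinal] + dwBaseAddr;
        }
    }
    return 0;
}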
// Locate the kernel32 base address
//
// Walks PEB->Ldr->InInitializationOrderModuleList and returns the DllBase of
// the first entry whose BaseDllName is exactly 12 UTF-16 characters long, i.e.
// the length of "kernel32.dll" (the 13th wide char, at byte offset 12*2, is
// NUL). The routine uses no imports and no relocations; a PEB walk followed by
// manual export-table parsing is the classic position-independent API
// resolution prologue and, for that reason, a common detection heuristic.
//
// NOTE(review): x86-only — FS:[0x30] and the 0x0C / 0x1C / 0x08 / 0x20
// offsets are the 32-bit structure layouts and do not hold on x64.
// NOTE(review): ESI and EDI are callee-saved under the x86 calling
// conventions but are clobbered here without being preserved; confirm the
// caller has nothing live in them at the call site.
// NOTE(review): the length-12 test is a heuristic — any earlier module with a
// 12-character base name would match first — and there is no bound on the
// walk: if nothing matches, the loop runs on through the circular list head.
__declspec(naked) int GetKernel32Base()
{
__asm
{
XOR ECX, ECX ; ECX = 0 (also the NUL compared against below)
MOV ESI, FS:[ECX + 0x30] ; ESI = PEB (TEB->ProcessEnvironmentBlock is at FS:[0x30])
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = Ldr->InInitializationOrderModuleList.Flink (first entry)
next_module:
MOV EAX, [ESI + 0x08] ; EAX = entry->DllBase (this is the return value)
MOV EDI, [ESI + 0x20] ; EDI = entry->BaseDllName.Buffer (UTF-16, NUL-terminated)
MOV ESI, [ESI] ; ESI = entry->Flink (next module)
CMP [EDI + 12*2], CL ; is the 13th wide char NUL, i.e. name length == 12 ("kernel32.dll")?
JNE next_module ; No: try next module.
ret ; Yes: EAX already holds the base address
}
}
// Function-pointer types for the two APIs that main() resolves at run time.
// Neither appears in the executable's import table; that is the point of the
// exercise.
//
// NOTE(review): the targets are the ANSI entry points ("LoadLibraryA" and
// "MessageBoxA" in main), whose string parameters are LPCSTR. LPCTSTR is the
// same type only when UNICODE is not defined; in a UNICODE build these
// prototypes would disagree with the narrow string literals passed in main().
typedef int (WINAPI *MESSAGEBOXA)(HWND hWnd,
LPCTSTR lpText,
LPCTSTR lpCaption,
UINT uType
);
// Set by main() from user32.dll's export table; NULL until then.
MESSAGEBOXA MyMessageBoxA;
typedef HMODULE (WINAPI *LOADLIBRARYA)(
LPCTSTR lpFileName
);
// Set by main() from kernel32.dll's export table; NULL until then.
LOADLIBRARYA MyLoadLibrary;
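/*
 * Demo driver: find kernel32 without any import, pull LoadLibraryA out of its
 * export table by hand, load user32.dll the same way and show a message box.
 *
 * Returns 0 on success and 1 when any resolution step fails (kernel32 base not
 * found, an export missing, or user32.dll not loadable). The original called
 * through each result unchecked, so a failed lookup would have faulted on a
 * NULL function pointer.
 */
int main(void)
{
    ULONG hKernelBase = GetKernel32Base();
    if (hKernelBase == 0)
    {
        return 1;
    }

    /* HMODULE is HINSTANCE__ *, so this is the same cast the original wrote. */
    MyLoadLibrary = (LOADLIBRARYA)MyGetProcAddress((HMODULE)hKernelBase, "LoadLibraryA");
    if (MyLoadLibrary == NULL)
    {
        return 1;
    }

    HMODULE hMode = MyLoadLibrary("user32.dll");
    if (hMode == NULL)
    {
        return 1;
    }

    MyMessageBoxA = (MESSAGEBOXA)MyGetProcAddress(hMode, "MessageBoxA");
    if (MyMessageBoxA == NULL)
    {
        return 1;
    }

    MyMessageBoxA(NULL, "搜索内存API函数!", "测试", 0);
    return 0;
}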