[Old post] [Share] A method for finding a DLL base address
2012-4-6 10:19 1141

I saw this inside a packer: it searches for the DLL base address through the PE structure and needs only one mov and one cmp. Very simple; its accuracy and generality are unverified :)

.nspack:00422000 public start
.nspack:00422000 start proc far
.nspack:00422000
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:00422041 SIZE 00000005 BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:004220CC SIZE 00000116 BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:004221E8 SIZE 0000001E BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:00422208 SIZE 00000030 BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:004222CC SIZE 0000001E BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:004222ED SIZE 00000003 BYTES
.nspack:00422000 ; FUNCTION CHUNK AT .nspack:004222F4 SIZE 00000023 BYTES
.nspack:00422000
.nspack:00422000 pusha
.nspack:00422001 call    $+5
.nspack:00422006 pop     ebp
.nspack:00422007 sub     ebp, 401248h
.nspack:0042200D pusha
.nspack:0042200E call    sub_42233E ; decrypts the data block that follows, which yields strings such as "LoadLibraryA"
.nspack:00422013 popa
.nspack:00422014 call    sub_422238

.nspack:00422238 sub_422238 proc near                    ; CODE XREF: start+14p
.nspack:00422238
.nspack:00422238 arg_20= dword ptr  24h
.nspack:00422238
.nspack:00422238 mov     ecx, [esp+arg_20] ; because of the pusha above, this reads exactly the stack slot that was at esp when the program started, i.e. kernel32.dll:kernel32_BaseThreadInitThunk+12
.nspack:0042223C ; from here on, search for the kernel32.dll base address by walking the PE structure
.nspack:0042223C loc_42223C:                             ; CODE XREF: sub_422238+Dj
.nspack:0042223C dec     ecx
.nspack:0042223D
.nspack:0042223D loc_42223D:
.nspack:0042223D movzx   edx, word ptr [ecx+3Ch] ; e_lfanew: offset from the MZ header to the PE header
.nspack:00422241 cmp     ecx, [edx+ecx+34h] ; OptionalHeader.ImageBase sits at PE+34h; if ImageBase equals the address of the candidate MZ header, this really is the MZ header
.nspack:00422245 jnz     short loc_42223C ; otherwise step back one byte and try again (nothing checks that ecx stays inside mapped memory)
.nspack:00422247 mov     ss:dword_401568[ebp], ecx
.nspack:0042224D
.nspack:0042224D loc_42224D:
.nspack:0042224D mov     ss:dword_40156C[ebp], ecx
.nspack:00422253 retn
.nspack:00422253 sub_422238 endp
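The search in sub_422238, as an added example that is not code from the post or the packer: a Python model of the loop run over a constructed minimal PE32 image, beside a version with the safeguards the raw loop lacks (page-aligned steps, a bounds check before every read, MZ/PE signature checks). Memory, build_image and the addresses used are assumptions made for the demonstration.

```python
import struct

PAGE = 0x1000

def build_image(image_base, size=0x10000):
    """Constructed minimal PE32 image (not a real DLL): only the fields the
    search consults are filled in; everything else is zero."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)               # IMAGE_DOS_HEADER.e_lfanew
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 0x18, 0x10B)       # OptionalHeader.Magic (PE32)
    struct.pack_into("<I", img, e_lfanew + 0x34, image_base)  # OptionalHeader.ImageBase
    return bytes(img)

class Memory:
    """Fake address space with one mapped region; reads outside it fault."""
    def __init__(self, region_base, data):
        self.base, self.data = region_base, data
    def mapped(self, addr, n):
        return self.base <= addr and addr + n <= self.base + len(self.data)
    def read(self, addr, fmt):
        if not self.mapped(addr, struct.calcsize(fmt)):
            raise MemoryError(f"access violation at {addr:#x}")
        return struct.unpack_from(fmt, self.data, addr - self.base)[0]

def find_base_packer_style(mem, ptr):
    """The loop from the post: dec ecx one byte at a time until the candidate
    header's ImageBase field points back at the candidate itself."""
    ecx = ptr
    while True:
        edx = mem.read(ecx + 0x3C, "<H")             # movzx edx, word ptr [ecx+3Ch]
        if mem.read(ecx + edx + 0x34, "<I") == ecx:  # cmp ecx, [edx+ecx+34h]
            return ecx
        ecx -= 1                                     # jnz -> dec ecx

def find_base_checked(mem, ptr):
    """Same idea with the safeguards a robust version needs: page-aligned steps,
    a bounds check before every read, and the MZ / PE signatures verified."""
    ecx = ptr & ~(PAGE - 1)
    while mem.mapped(ecx, 0x40):
        if mem.read(ecx, "<2s") == b"MZ":
            pe = ecx + mem.read(ecx + 0x3C, "<I")
            if (mem.mapped(pe, 0x38) and mem.read(pe, "<4s") == b"PE\0\0"
                    and mem.read(pe + 0x34, "<I") == ecx):
                return ecx
        ecx -= PAGE
    return None
```

On a region that holds no image the raw loop walks off the mapping and faults, while the checked version returns None.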

