[旧帖] [原创]win7 vs2010 汇编代码获取模块的加载地址 0.00雪花
先贴源码。
// wdg_hello.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
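// Print one module's base as found by the hand-rolled PEB walk next to the
// value the documented API returns, so a wrong hop count shows up as
// "MISMATCH" in the console instead of requiring a debugger breakpoint.
// 32-bit only: HMODULE is narrowed to DWORD, which matches the x86 layout
// the inline assembly below assumes.
static void report(const char* name, DWORD walked, HMODULE fromApi)
{
    DWORD api = (DWORD)(ULONG_PTR)fromApi;
    printf("%-14s PEB walk: %08X   GetModuleHandleA: %08X   %s\n",
           name, (unsigned)walked, (unsigned)api,
           walked == api ? "ok" : "MISMATCH");
}

// Entry point: locate module bases by walking
// PEB->Ldr->InInitializationOrderModuleList directly (the technique
// import-less shellcode uses to find kernel32) and check each result
// against GetModuleHandleA.  Always returns 0; the comparison is printed.
int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE h = GetCurrentProcess();
    DWORD pid = GetProcessId(h);

    // Reference values from the documented API; the walk below must
    // reproduce them if the assumed list order is right.
    HMODULE hntd = GetModuleHandleA("ntdll.dll");
    HMODULE hkba = GetModuleHandleA("kernelbase.dll");
    HMODULE hker = GetModuleHandleA("kernel32.dll");
    HMODULE hmsv = GetModuleHandleA("msvcr100d.dll");

    // DllBase of the first four list entries, in list order.
    DWORD base0 = 0, base1 = 0, base2 = 0, base3 = 0;

    // x86-32 only: fs: addresses the TEB and every offset below comes from
    // the 32-bit struct layouts (MSVC rejects __asm in x64 builds anyway).
    __asm {
        mov eax, dword ptr fs:[0x18]     // TEB.NtTib.Self -> TEB
        mov ebx, dword ptr [eax + 0x30]  // TEB.ProcessEnvironmentBlock -> PEB
        mov ecx, dword ptr [ebx + 0x0c]  // PEB.Ldr -> PEB_LDR_DATA
        mov edx, dword ptr [ecx + 0x1c]  // Ldr.InInitializationOrderModuleList.Flink
        // edx now points at the InInitializationOrderLinks field (+0x10) of
        // the first LDR_DATA_TABLE_ENTRY, so DllBase (+0x18) sits at
        // edx+0x08 and [edx] (Flink) advances to the next entry.
        mov eax, dword ptr [edx + 0x08]
        mov base0, eax                   // entry 1: ntdll.dll (observed on Win7)
        mov edx, dword ptr [edx]         // edx = edx->Flink
        mov eax, dword ptr [edx + 0x08]
        mov base1, eax                   // entry 2: kernelbase.dll (observed on Win7)
        mov edx, dword ptr [edx]
        mov eax, dword ptr [edx + 0x08]
        mov base2, eax                   // entry 3: kernel32.dll (observed on Win7)
        mov edx, dword ptr [edx]
        mov eax, dword ptr [edx + 0x08]
        mov base3, eax                   // entry 4: msvcr100d.dll (observed on Win7, debug CRT)
    }

    // The names above are the order observed on Windows 7 in this post;
    // other versions order the list differently (the book cites ntdll then
    // kernel32), so a fixed hop count is fragile.  Version-independent
    // loaders typically walk the whole list and match BaseDllName instead.
    printf("pid %lu\n", pid);
    report("ntdll.dll", base0, hntd);
    report("kernelbase.dll", base1, hkba);
    report("kernel32.dll", base2, hker);
    report("msvcr100d.dll", base3, hmsv);
    return 0;
}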
《0day安全：软件漏洞分析技术》这本书5.4.1节会讲，InInitializationOrderModuleList这个链表的表头是ntdll.dll，接下来是kernel32.dll。笔者在Windows 7上试验发现不对，于是有了上述代码：逐个把链表各节点的DllBase放到eax里，在eax处下断点，和本程序加载的模块一个一个做比较，发现这个链表在Windows 7下的顺序为 ntdll.dll、kernelbase.dll、kernel32.dll、msvcr100d.dll。如果你要问我怎么知道嵌入汇编上面列举的那些dll：用VC6.0 tool/bin/目录下的depends工具，可以查看exe加载的所有dll文件。注意：这个顺序随Windows版本不同而不同，按固定跳数取第N个节点并不可靠；要跨版本可靠，应遍历链表并比较模块名。over!
// wdg_hello.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
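// Print one module's base as found by the hand-rolled PEB walk next to the
// value the documented API returns, so a wrong hop count shows up as
// "MISMATCH" in the console instead of requiring a debugger breakpoint.
// 32-bit only: HMODULE is narrowed to DWORD, which matches the x86 layout
// the inline assembly below assumes.
static void report(const char* name, DWORD walked, HMODULE fromApi)
{
    DWORD api = (DWORD)(ULONG_PTR)fromApi;
    printf("%-14s PEB walk: %08X   GetModuleHandleA: %08X   %s\n",
           name, (unsigned)walked, (unsigned)api,
           walked == api ? "ok" : "MISMATCH");
}

// Entry point: locate module bases by walking
// PEB->Ldr->InInitializationOrderModuleList directly (the technique
// import-less shellcode uses to find kernel32) and check each result
// against GetModuleHandleA.  Always returns 0; the comparison is printed.
int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE h = GetCurrentProcess();
    DWORD pid = GetProcessId(h);

    // Reference values from the documented API; the walk below must
    // reproduce them if the assumed list order is right.
    HMODULE hntd = GetModuleHandleA("ntdll.dll");
    HMODULE hkba = GetModuleHandleA("kernelbase.dll");
    HMODULE hker = GetModuleHandleA("kernel32.dll");
    HMODULE hmsv = GetModuleHandleA("msvcr100d.dll");

    // DllBase of the first four list entries, in list order.
    DWORD base0 = 0, base1 = 0, base2 = 0, base3 = 0;

    // x86-32 only: fs: addresses the TEB and every offset below comes from
    // the 32-bit struct layouts (MSVC rejects __asm in x64 builds anyway).
    __asm {
        mov eax, dword ptr fs:[0x18]     // TEB.NtTib.Self -> TEB
        mov ebx, dword ptr [eax + 0x30]  // TEB.ProcessEnvironmentBlock -> PEB
        mov ecx, dword ptr [ebx + 0x0c]  // PEB.Ldr -> PEB_LDR_DATA
        mov edx, dword ptr [ecx + 0x1c]  // Ldr.InInitializationOrderModuleList.Flink
        // edx now points at the InInitializationOrderLinks field (+0x10) of
        // the first LDR_DATA_TABLE_ENTRY, so DllBase (+0x18) sits at
        // edx+0x08 and [edx] (Flink) advances to the next entry.
        mov eax, dword ptr [edx + 0x08]
        mov base0, eax                   // entry 1: ntdll.dll (observed on Win7)
        mov edx, dword ptr [edx]         // edx = edx->Flink
        mov eax, dword ptr [edx + 0x08]
        mov base1, eax                   // entry 2: kernelbase.dll (observed on Win7)
        mov edx, dword ptr [edx]
        mov eax, dword ptr [edx + 0x08]
        mov base2, eax                   // entry 3: kernel32.dll (observed on Win7)
        mov edx, dword ptr [edx]
        mov eax, dword ptr [edx + 0x08]
        mov base3, eax                   // entry 4: msvcr100d.dll (observed on Win7, debug CRT)
    }

    // The names above are the order observed on Windows 7 in this post;
    // other versions order the list differently (the book cites ntdll then
    // kernel32), so a fixed hop count is fragile.  Version-independent
    // loaders typically walk the whole list and match BaseDllName instead.
    printf("pid %lu\n", pid);
    report("ntdll.dll", base0, hntd);
    report("kernelbase.dll", base1, hkba);
    report("kernel32.dll", base2, hker);
    report("msvcr100d.dll", base3, hmsv);
    return 0;
}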
《0day安全：软件漏洞分析技术》这本书5.4.1节会讲，InInitializationOrderModuleList这个链表的表头是ntdll.dll，接下来是kernel32.dll。笔者在Windows 7上试验发现不对，于是有了上述代码：逐个把链表各节点的DllBase放到eax里，在eax处下断点，和本程序加载的模块一个一个做比较，发现这个链表在Windows 7下的顺序为 ntdll.dll、kernelbase.dll、kernel32.dll、msvcr100d.dll。如果你要问我怎么知道嵌入汇编上面列举的那些dll：用VC6.0 tool/bin/目录下的depends工具，可以查看exe加载的所有dll文件。注意：这个顺序随Windows版本不同而不同，按固定跳数取第N个节点并不可靠；要跨版本可靠，应遍历链表并比较模块名。over!