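; *******************************************
; Check that ebx points to a valid PE image: the 'MZ' DOS signature,
; then the 'PE\0\0' signature at e_lfanew (offset 3Ch).
; Note: e_lfanew is not range-checked before it is dereferenced.
; *******************************************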
cmp word ptr [ebx], 'ZM'
jne __@@1_GetAPIAddress ;是不是有效的 PE 文件
mov eax, [ebx + 3CH]
add eax, ebx ;eax = PE Header
cmp dword ptr [eax], 00004550H ;PE\0\0
jne __@@1_GetAPIAddress
; *******************************************
; Search for the address of the requested API
; *******************************************
;typedef struct _IMAGE_EXPORT_DIRECTORY
;{
; DWORD Characteristics; // +0x00
; DWORD TimeDateStamp; // +0x04
; WORD MajorVersion; // +0x08
; WORD MinorVersion; // +0x0a
; DWORD Name; // +0x0c Name of the DLL
; DWORD Base; // +0x10 Starting ordinal number for exports
; DWORD NumberOfFunctions; // +0x14 Number of entries in the EAT
; DWORD NumberOfNames; // +0x18 Number of entries in the ENPT/EOT
; DWORD AddressOfFunctions; // +0x1c RVA from base of image
; DWORD AddressOfNames; // +0x20 RVA from base of image
; DWORD AddressOfNameOrdinals; // +0x24 RVA from base of image
; // +0x28
;} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
push esi ;[esp] = esi
;[esp + 4] = strlen(lpszProcName)
__@@FindNextExportFunction_GetAPIAddress:
mov edi, [eax + ecx * 4]
add edi, ebx ;edi = API NAME
push ecx
mov ecx, [esp + 4 + 4]
repz cmpsb
jnz __@@3_GetAPIAddress
test ecx, ecx
jnz __@@3_GetAPIAddress
;Found a matching string
pop ecx
movzx ecx, word ptr [edx + ecx * 2]
mov eax, [ebp + ecx * 4]
add eax, ebx ;eax = API ADDRESS
mov [esp + 32 - 4 + 8], eax ;返回值
jmp __@@4_GetAPIAddress
__@@3_GetAPIAddress:
pop ecx
mov esi, [esp]
dec ecx
jns __@@FindNextExportFunction_GetAPIAddress
__@@4_GetAPIAddress:
pop ebx
pop ebx
__@@1_GetAPIAddress:
popad
ret
GetAPIAddress endp