2 楼
windows写shellcode的方法
3 楼
我只知道遍历导出表
4 楼
暴力特征码搜索,或者自己实现
5 楼
用偏移地址
6 楼
貌似通过PE结构寻找的
7 楼
FS寄存器找kernel32地址获取LoadLibrary,然后遍历对应dll的导出表
8 楼
http://bbs.pediy.com/showthread.php?t=204446
这个里面的代码有实现,从PEB中获取kernel32的基地址,然后解析导出表获取函数地址,相当于自己写个GetProcAddress函数
9 楼
感谢
10 楼
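/*
 * Resolve an export of an already-loaded module by walking its export
 * table directly rather than calling GetProcAddress.
 *
 * lib     - base address of a loaded PE image (an HMODULE is the image base).
 * pszName - export name, or "#<ordinal>" to look up by ordinal.
 *
 * Returns the export's address, or NULL when: the arguments are NULL, the
 * DOS/NT signatures do not match, the image has no export directory, the
 * name/ordinal is not present, the export-address-table slot is empty, or
 * the export is a forwarder (resolving a forwarder would mean loading
 * another module, which this routine deliberately does not do; the original
 * returned a pointer to the forwarder *string* as if it were code).
 *
 * Fixes relative to the original:
 *  - RVA arithmetic goes through ULONG_PTR, so 64-bit images are not
 *    truncated by a 32-bit ULONG cast.
 *  - Ordinals are biased by IMAGE_EXPORT_DIRECTORY::Base, not by 1.
 *  - Every index is bounds-checked against NumberOfNames / NumberOfFunctions
 *    so a malformed or truncated image cannot drive a read outside the table.
 */
FARPROC WINAPI AntiHookGetProcAddress(HMODULE lib, char* pszName)
{
    if (lib == NULL || pszName == NULL)
        return NULL;

    const ULONG_PTR base = (ULONG_PTR)lib;

    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    PIMAGE_NT_HEADERS nth = (PIMAGE_NT_HEADERS)(base + dos->e_lfanew);
    if (nth->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    /* A zero directory means "no exports"; base + 0 would otherwise be
     * misread as an export directory sitting on the DOS header. */
    const IMAGE_DATA_DIRECTORY expDir =
        nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (expDir.VirtualAddress == 0 || expDir.Size == 0)
        return NULL;

    PIMAGE_EXPORT_DIRECTORY ides = (PIMAGE_EXPORT_DIRECTORY)(base + expDir.VirtualAddress);
    const DWORD* funcs    = (const DWORD*)(base + ides->AddressOfFunctions);    /* RVAs of exports */
    const DWORD* names    = (const DWORD*)(base + ides->AddressOfNames);        /* RVAs of name strings */
    const WORD*  ordinals = (const WORD*)(base + ides->AddressOfNameOrdinals);  /* name -> EAT index */

    DWORD index = 0;
    int ordinal = 0;
    if (sscanf(pszName, "#%d", &ordinal) == 1) {
        /* Exported ordinals are relative to Base (usually, but not always, 1). */
        if (ordinal < 0 || (DWORD)ordinal < ides->Base)
            return NULL;
        index = (DWORD)ordinal - ides->Base;
    } else {
        DWORD i;
        for (i = 0; i < ides->NumberOfNames; i++) {
            const char* name = (const char*)(base + names[i]);
            /* _strcmpi preserves the original's case-insensitive match; note
             * that GetProcAddress itself compares names case-sensitively. */
            if (_strcmpi(name, pszName) == 0)
                break;
        }
        if (i == ides->NumberOfNames)
            return NULL;
        /* AddressOfNameOrdinals entries are already Base-relative EAT indices. */
        index = ordinals[i];
    }

    if (index >= ides->NumberOfFunctions)
        return NULL;

    const DWORD rva = funcs[index];
    if (rva == 0)
        return NULL; /* gap in the export address table */

    /* An RVA that lands inside the export directory is a forwarder string
     * ("OtherDll.Func"), not executable code. */
    if (rva >= expDir.VirtualAddress && rva < expDir.VirtualAddress + expDir.Size)
        return NULL;

    return (FARPROC)(base + rva);
}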