[求助]在内核如何读取3环user32.dll进程模块的导出函数的地址-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
游乐娃子雪币： 7541 活跃值： (5382) 能力值： ( LV4，RANK：50 ) 在线值：发帖 36 回帖 252 粉丝 51 关注私信	游乐娃子 2 楼 PVOID GetProcAddress(PVOID pBase, PCHAR name_ord) { PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)pBase; PIMAGE_NT_HEADERS32 pNtHdr32 = NULL; PIMAGE_NT_HEADERS64 pNtHdr64 = NULL; PIMAGE_EXPORT_DIRECTORY pExport = NULL; ULONG expSize = 0; ULONG_PTR pAddress = 0; if (pBase == NULL) return NULL; /// Not a PE file if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE) return NULL; pNtHdr32 = (PIMAGE_NT_HEADERS32)((PUCHAR)pBase + pDosHdr->e_lfanew); pNtHdr64 = (PIMAGE_NT_HEADERS64)((PUCHAR)pBase + pDosHdr->e_lfanew); // Not a PE file if (pNtHdr32->Signature != IMAGE_NT_SIGNATURE) return NULL; // 64 bit image if (pNtHdr32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { pExport = (PIMAGE_EXPORT_DIRECTORY)(pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)pBase); expSize = pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; } // 32 bit image else { pExport = (PIMAGE_EXPORT_DIRECTORY)(pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)pBase); expSize = pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; } PUSHORT pAddressOfOrds = (PUSHORT)(pExport->AddressOfNameOrdinals + (ULONG_PTR)pBase); PULONG pAddressOfNames = (PULONG)(pExport->AddressOfNames + (ULONG_PTR)pBase); PULONG pAddressOfFuncs = (PULONG)(pExport->AddressOfFunctions + (ULONG_PTR)pBase); for (ULONG i = 0; i < pExport->NumberOfFunctions; ++i) { USHORT OrdIndex = 0xFFFF; PCHAR pName = NULL; // Find by index if ((ULONG_PTR)name_ord <= 0xFFFF) { OrdIndex = (USHORT)i; } // Find by name else if ((ULONG_PTR)name_ord > 0xFFFF && i < pExport->NumberOfNames) { pName = (PCHAR)(pAddressOfNames[i] + (ULONG_PTR)pBase); OrdIndex = pAddressOfOrds[i]; } // Weird params else return NULL; if (((ULONG_PTR)name_ord <= 0xFFFF && (USHORT)((ULONG_PTR)name_ord) == OrdIndex + pExport->Base) \|\| ((ULONG_PTR)name_ord > 0xFFFF && _stricmp(pName, name_ord) == 0)) { pAddress = pAddressOfFuncs[OrdIndex] + (ULONG_PTR)pBase; break; } } return (PVOID)pAddress; } 2024-5-13 00:36 0
wx_逆逆逆逆雪币： 20 能力值： ( LV1，RANK：0 ) 在线值：发帖 3 回帖 10 粉丝 0 关注私信	wx_逆逆逆逆 3 楼谢谢大佬。。 2024-5-13 20:31 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)

游乐娃子

雪币： 7541

活跃值： (5382)

能力值：

( LV4，RANK：50 )

在线值：

发帖

回帖

252

粉丝

关注

私信

游乐娃子: 2 楼

PVOID GetProcAddress(PVOID pBase, PCHAR name_ord)
{
	PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)pBase;
	PIMAGE_NT_HEADERS32 pNtHdr32 = NULL;
	PIMAGE_NT_HEADERS64 pNtHdr64 = NULL;
	PIMAGE_EXPORT_DIRECTORY pExport = NULL;
	ULONG expSize = 0;
	ULONG_PTR pAddress = 0;
	if (pBase == NULL) return NULL;

	/// Not a PE file
	if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
		return NULL;
	pNtHdr32 = (PIMAGE_NT_HEADERS32)((PUCHAR)pBase + pDosHdr->e_lfanew);
	pNtHdr64 = (PIMAGE_NT_HEADERS64)((PUCHAR)pBase + pDosHdr->e_lfanew);

	// Not a PE file
	if (pNtHdr32->Signature != IMAGE_NT_SIGNATURE)
		return NULL;

	// 64 bit image
	if (pNtHdr32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
	{
		pExport = (PIMAGE_EXPORT_DIRECTORY)(pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)pBase);
		expSize = pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
	}
	// 32 bit image
	else
	{
		pExport = (PIMAGE_EXPORT_DIRECTORY)(pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)pBase);
		expSize = pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
	}
	PUSHORT pAddressOfOrds = (PUSHORT)(pExport->AddressOfNameOrdinals + (ULONG_PTR)pBase);
	PULONG  pAddressOfNames = (PULONG)(pExport->AddressOfNames + (ULONG_PTR)pBase);
	PULONG  pAddressOfFuncs = (PULONG)(pExport->AddressOfFunctions + (ULONG_PTR)pBase);

	for (ULONG i = 0; i < pExport->NumberOfFunctions; ++i)
	{
		USHORT OrdIndex = 0xFFFF;
		PCHAR  pName = NULL;

		// Find by index
		if ((ULONG_PTR)name_ord <= 0xFFFF)
		{
			OrdIndex = (USHORT)i;
		}
		// Find by name
		else if ((ULONG_PTR)name_ord > 0xFFFF && i < pExport->NumberOfNames)
		{
			pName = (PCHAR)(pAddressOfNames[i] + (ULONG_PTR)pBase);
			OrdIndex = pAddressOfOrds[i];
		}
		// Weird params
		else
			return NULL;
		
		if (((ULONG_PTR)name_ord <= 0xFFFF && (USHORT)((ULONG_PTR)name_ord) == OrdIndex + pExport->Base) ||
			((ULONG_PTR)name_ord > 0xFFFF && _stricmp(pName, name_ord) == 0))
		{
			pAddress = pAddressOfFuncs[OrdIndex] + (ULONG_PTR)pBase;
			break;
		}

	}
	return (PVOID)pAddress;
}

2024-5-13 00:36

wx_逆逆逆逆

雪币： 20

能力值：

( LV1，RANK：0 )

在线值：

发帖

回帖

粉丝

关注

私信

wx_逆逆逆逆: 3 楼

谢谢大佬。。

2024-5-13 20:31