首先,我们需要一段计算 CRC32 的代码。我在 Billy Belceb 的《病毒编写教程——Win32 篇》里看到了一个(下面摘录的只是它的结尾部分,过程头和逐位循环未列出):
;----------------------------------------------
; input:
; ESI = Offset where code to calculate begins........volatile
; EDI = Size of that code............................volatile
;
; output:
; EAX = CRC32 of given code
;
; used reg
; EAX,EBX,ECX,EDX,ESI,EDI
;----------------------------------------------
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi ;---------------- 1 byte less
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
CRC32 endp
有了 kernel32 的基址之后,从它的导出表中取得名字表、地址表和序号表并不困难。需要注意的是,下面的代码只按 PE 头的固定偏移读取,既不检查 MZ/PE 签名,也不检查导出目录是否存在,所以调用前必须保证 kernel 确实是一个已加载的 kernel32 映像基址。
;--------------------------------------
; input:
; kernel = ImageBase of kernel32.dll
;
; output:
; ESI = OrdinalTableVA----VA
; EBX = NameTableVA-------VA
; EDI = AddressTableVA----VA
;
; used reg:
; EAX,EBX,ESI,EDI
;--------------------------------------
GetAPI_Init proc
    ; Locate the three export-table arrays of kernel32.dll.
    ; in:  kernel = ImageBase of kernel32.dll (memory variable)
    ; out: ESI = AddressOfNameOrdinals (VA)
    ;      EBX = AddressOfNames        (VA)
    ;      EDI = AddressOfFunctions    (VA)
    ; clobbers: EAX (left equal to ESI), EBX, ESI, EDI, flags
    ; Walks fixed PE offsets only: there is no MZ/PE signature check and
    ; no test that the export directory exists, so the caller must
    ; guarantee that kernel really points at a loaded PE image.
    mov     eax,kernel              ; eax = ImageBase, reused for RVA -> VA
    mov     esi,[eax+3ch]           ; e_lfanew: RVA of the PE header
    add     esi,eax                 ; esi = PE header VA
    mov     esi,[esi+78h]           ; DataDirectory[EXPORT].VirtualAddress
    add     esi,eax                 ; esi = IMAGE_EXPORT_DIRECTORY VA
    mov     edi,[esi+1ch]           ; AddressOfFunctions RVA
    add     edi,eax
    mov     ebx,[esi+20h]           ; AddressOfNames RVA
    add     ebx,eax
    add     eax,[esi+24h]           ; eax = AddressOfNameOrdinals VA
    mov     esi,eax
    ret
GetAPI_Init endp
;--------------------------------------
; input:
; EDX = CRC32 of the API ASCIIz name, computed over the same EBP
;       bytes (i.e. including the terminating NUL)........volatile
; EBP = Length of API name INCLUDING the terminating NUL (strlen+1);
;       candidates are filtered on length first, then on CRC32
; ESI = OrdinalTableVA----VA
; EBX = NameTableVA-------VA
; EDI = AddressTableVA----VA
; kernel = ImageBase of kernel32.dll
;
; output:
; EAX = API address (VA, ImageBase already added)
;
; used reg
; EAX,ECX,EDX clobbered; EBX,ESI,EDI,EBP preserved (saved/restored)
;--------------------------------------
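GetAPI_ET_CRC32 proc
    ; Resolve an exported kernel32 API by the CRC32 of its name.
    ; in:  EDX    = CRC32 of the ASCIIz name, computed over EBP bytes
    ;      EBP    = strlen(name)+1 (length INCLUDING the terminating NUL)
    ;      ESI    = AddressOfNameOrdinals VA
    ;      EBX    = AddressOfNames VA
    ;      EDI    = AddressOfFunctions VA
    ;      kernel = ImageBase of kernel32.dll (memory variable)
    ; out: EAX    = VA of the API, or 0 when no name matched
    ; preserved: EBX, ESI, EDI, EBP   clobbered: EAX, ECX, EDX, flags
    ; Fix vs. the original: the scan is bounded by NumberOfNames (read from
    ; the export directory), so an unknown hash no longer walks off the end
    ; of the name table into unmapped memory.
    ; Caveats: a CRC32 collision between two exports of equal length yields
    ; the wrong function; a forwarded export (RVA that lands inside the
    ; export section) is returned as-is, pointing at the forwarder string,
    ; not at code.
    push    edi                     ; keep caller's address-table VA
    push    esi                     ; keep caller's ordinal-table VA
    mov     eax,kernel
    mov     esi,[eax+3ch]           ; e_lfanew
    mov     esi,[eax+esi+78h]       ; export directory RVA
    mov     esi,[eax+esi+18h]       ; IMAGE_EXPORT_DIRECTORY.NumberOfNames
    push    esi                     ; [esp] = loop bound
    xor     ecx,ecx                 ; ecx = index into AddressOfNames
p1: cmp     ecx,dword ptr [esp]
    jae     not_found               ; every name tried -> give up
    mov     edi,[ebx+ecx*4]         ; name RVA
    add     edi,kernel              ; name VA
    mov     esi,edi                 ; esi = name start, for length and CRC32
    xor     al,al
lp: scasb                           ; advance edi past the terminating NUL
    jnz     lp
    sub     edi,esi                 ; edi = strlen+1
    inc     ecx                     ; next index (undone below on a hit)
    cmp     ebp,edi                 ; cheap length filter before hashing
    jnz     p1
    push    ecx                     ; CRC32 clobbers EAX,EBX,ECX,EDX,ESI,EDI
    push    edx
    push    ebx
    call    CRC32                   ; esi = name, edi = length -> eax = crc
    pop     ebx
    pop     edx
    pop     ecx
    cmp     edx,eax
    jnz     p1
    dec     ecx                     ; back to the matching name index
    pop     eax                     ; drop loop bound
    pop     esi                     ; ordinal table
    pop     edi                     ; address table
    movzx   edx,word ptr [esi+ecx*2] ; name index -> index into AddressOfFunctions
    mov     eax,[edi+edx*4]         ; function RVA
    add     eax,kernel              ; -> VA
    ret
not_found:
    pop     eax                     ; drop loop bound
    pop     esi
    pop     edi
    xor     eax,eax                 ; EAX = 0: no export with this length+CRC
    ret
GetAPI_ET_CRC32 endp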