[求助]请教为什么LoadLibraryA返回为0-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]请教为什么LoadLibraryA返回为0 0.00雪花

发表于: 2007-11-4 11:34 3927

[旧帖] [求助]请教为什么LoadLibraryA返回为0 0.00雪花

anykey

2007-11-4 11:34

3927

// Test.cpp : Defines the entry point for the application.
//

#include "stdafx.h"

#pragma comment(linker, "/entry:main")
typedef void (WINAPI *APITEST)(unsigned int, unsigned int, unsigned int, unsigned int);

//get kernel base image address
unsigned int GetBaseImage()
{
__asm {
mov eax,fs:[30h]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov eax,[eax+08h] //return
}
}

unsigned int GetAPIFuncAdress(unsigned int nImageBase,const char *pFuncName, int iLen)
{
__asm {
mov eax,nImageBase
mov eax,[eax+0x3c]
add eax,nImageBase //PE header
mov eax,[eax+0x78]
add eax,nImageBase //Data_Directory
mov esi,eax //IMAGE_EXPORT_DIRECTORY
mov ecx,[eax+0x18] //NumberOfName
mov eax,[eax+0x20] //AddressOfName
add eax,nImageBase
mov ebx,eax
xor edx,edx
FindLoop:
push ecx
push esi
mov eax,[eax]
add eax,nImageBase
mov esi,pFuncName
mov edi,eax
mov ecx,iLen
cld
rep cmpsb //compare function
pop esi //pop esi => IMAGE_EXPORT_DIRECTORY
je Found
inc edx
add ebx,4
mov eax,ebx
pop ecx
loop FindLoop
Found:
add esp,4
mov eax,esi
mov eax,[eax+0x1c] //AddressOfFunction
add eax,nImageBase
shl edx,2
add eax,edx
mov eax,[eax]
add eax,nImageBase //eax return
}
}

int main()
{
#if 1
char *szTitle = "title";
char *szMsg = "message";

char *szUserDLL = "User32.dll";
char *szMessagebox = "MessageBoxA";

unsigned int nBaseImage = 0;
unsigned int nLoadLibraryAdress = 0;
unsigned int nGetProcAddress = 0;

nBaseImage = GetBaseImage();
nLoadLibraryAdress = GetAPIFuncAdress(nBaseImage, "LoadLibraryA", 12);
nGetProcAddress = GetAPIFuncAdress(nBaseImage, "GetProcAddress", 14);

__asm {
lea eax,szUserDLL
push eax
call dword ptr nLoadLibraryAdress//eax 0??//每次到这里执行完就为0
lea ebx,szMessagebox
push ebx
push eax
call dword ptr nGetProcAddress
push MB_OK
push szTitle
push szMsg
push NULL
call eax
}
#else//test
char *szUserDLL = "User32.dll";
char *szMessagebox = "MessageBoxA";
char *szTitle = "title";
char *szMsg = "message";
APITEST apitest;

apitest = (APITEST)GetProcAddress(LoadLibraryA(szUserDLL), szMessagebox);
apitest((unsigned int)NULL, (unsigned int)szMsg, (unsigned int)szTitle, (unsigned int)MB_OK);
#endif
ExitProcess(0);
return 0;
}

麻烦高手来看一下执行完call dword ptr nLoadLibraryAdress//eax 0??//每次到这里执行完就为0

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
anykey 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 29 粉丝 0 关注私信	anykey 2 楼自已搞定了 __asm { //lea eax, [szUserDLL] //push eax push szUserDLL call dword ptr nLoadLibraryAdress//eax 0?? //lea ebx,szMessagebox //push ebx push szMessagebox push eax call dword ptr nGetProcAddress push MB_OK push szTitle push szMsg push NULL call eax } ......... 2007-11-4 13:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

anykey

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (1)
anykey 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 29 粉丝 0 关注私信	anykey 2 楼自已搞定了 __asm { //lea eax, [szUserDLL] //push eax push szUserDLL call dword ptr nLoadLibraryAdress//eax 0?? //lea ebx,szMessagebox //push ebx push szMessagebox push eax call dword ptr nGetProcAddress push MB_OK push szTitle push szMsg push NULL call eax } ......... 2007-11-4 13:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复