.386
.model flat, stdcall
option casemap:none
include windows.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
; Initialized data for the loader below (32-bit, flat/stdcall).
; Every API the file uses is named here as a NUL-terminated string and
; resolved at run time through GetApiAddress (hModule, szApiName), so none
; of these names appears in the PE import table.  From an analyst's view
; they are still plain text in .data: a string scan of the binary will
; surface 'RtlAdjustPrivilege', 'ZwShutdownSystem' and 'ntdll.dll'.
ShutDown dd ?                       ; DWORD slot, uninitialized; purpose not visible in this
                                    ; chunk — presumably a resolved address or status, confirm below
RtlAdjustPrivilege db 'RtlAdjustPrivilege',0   ; ntdll export name, NUL-terminated (resolved by string);
                                    ; presumably used to enable a privilege before the shutdown
                                    ; call — the privilege id is not in this chunk
BaseNtdll dd ?                      ; presumably the ntdll.dll module base once found — confirm
ZwShutdownSystem db 'ZwShutdownSystem',0       ; ntdll export name, NUL-terminated (resolved by string)
lby db 'LoadLibraryA',0             ; kernel32 export name, NUL-terminated
gpa db 'GetProcAddress',0           ; kernel32 export name, NUL-terminated
apiaddr dd ?                        ; four DWORD slots; presumably one resolved address per API
apiaddr1 dd ?                       ; name string above (which name maps to which slot is
apiaddr2 dd ?                       ; decided by code outside this chunk — verify before use)
apiaddr3 dd ?
baseKernel dd ?                     ; presumably the kernel32.dll module base — confirm
szntdll db 'ntdll.dll',0            ; module name string, NUL-terminated; presumably passed to
                                    ; LoadLibraryA to obtain BaseNtdll — confirm against caller
.code
GetApiAddress proc uses ecx ebx edx esi edi hModule:DWORD, szApiName:DWORD
LOCAL dwReturn: DWORD
LOCAL dwApiLength: DWORD
mov dwReturn, 0
;计算 API 字符串的长度(带尾部的0)
mov esi, szApiName
mov edx, esi
Continue_Searching_Null:
cmp byte ptr [esi], 0 ; 是否为 Null-terminated char ?
jz We_Got_The_Length ; Yeah, we got it. :)
inc esi ; No, continue searching.
jmp Continue_Searching_Null ; searching.......
We_Got_The_Length:
inc esi ; 呵呵, 别忘了还有最后一个“0”的长度。
sub esi, edx ; esi = API Name size
mov dwApiLength, esi ; dwApiLength = API Name size