IMAGE_IMPORT_BY_NAME STRUCT
Hint dw ?
Name1 db ?
IMAGE_IMPORT_BY_NAME ENDS
Hint 指示本函数在其所驻留DLL的引出表中的索引号。该域被PE装载器用来在DLL的引出表里快速查询函数。该值不是必须的,一些连接器将此值设为0。
Name1 含有引入函数的函数名。函数名是一个ASCIIZ字符串。注意这里虽然将Name1的大小定义成字节,其实它是可变尺寸域,只不过我们没有更好方法来表示结构中的可变尺寸域。The structure is provided so that you can refer to the data structure with descriptive names.
TimeDateStamp 和 ForwarderChain 一般不用,可全填00.
Name1 含有指向DLL名字的RVA,即指向DLL名字的指针,也是一个ASCIIZ字符串。
FirstThunk 与 OriginalFirstThunk 非常相似,它也包含指向一个 IMAGE_THUNK_DATA 结构数组的RVA(当然这是另外一个IMAGE_THUNK_DATA 结构数组)。
.386
.model flat, stdcall
option casemap:none
include windows.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
ShutDown dd ?
RtlAdjustPrivilege db 'RtlAdjustPrivilege',0
BaseNtdll dd ?
ZwShutdownSystem db 'ZwShutdownSystem',0
lby db 'LoadLibraryA',0
gpa db 'GetProcAddress',0
apiaddr dd ?
apiaddr1 dd ?
apiaddr2 dd ?
apiaddr3 dd ?
baseKernel dd ?
szntdll db 'ntdll.dll',0
.code
GetApiAddress proc uses ecx ebx edx esi edi hModule:DWORD, szApiName:DWORD
LOCAL dwReturn: DWORD
LOCAL dwApiLength: DWORD
mov dwReturn, 0
;计算 API 字符串的长度(带尾部的0)
mov esi, szApiName
mov edx, esi
Continue_Searching_Null:
cmp byte ptr [esi], 0 ; 是否为 Null-terminated char ?
jz We_Got_The_Length ; Yeah, we got it. :)
inc esi ; No, continue searching.
jmp Continue_Searching_Null ; searching.......
We_Got_The_Length:
inc esi ; 呵呵, 别忘了还有最后一个“0”的长度。
sub esi, edx ; esi = API Name size
mov dwApiLength, esi ; dwApiLength = API Name size
