`
黑色杰克史密斯
  • 浏览: 16372 次
社区版块
存档分类
最新评论

云彬锅的GetKernelBase

 
阅读更多 
pragma (lib, "gdi32.lib");
pragma (lib, "d3d9.lib");
pragma (lib, "winmm.lib");
pragma (lib, "ole32.lib");
import core.runtime;
import win32.windows;
import core.stdc.stdio;
import std.string;
import std.conv;
import std.math;

extern(C)
UINT GetKernelBase(UINT UpperCallStack){ // from luo yun bing's Win32 ASM source 
    asm {
      naked               ; // use naked asm mode 
      mov EAX, [ESP+4]    ;
      nop                 ;
      and EAX, 0xFFFF0000 ;
      nop                 ; 
    main_loop:
      mov DX, [EAX]       ; // D00 - D15 is 0x5A4D MZ     
      sub EAX, 0x10000    ; //  
      xor DX,  0x5A4D     ;
      jne main_loop       ;
      add EAX, 0x10000    ;
      ret                 ;
    }
}

extern(C)
UINT NEW_GPA(UINT hModule, char* FuncName){
      asm {
        naked             ;         
        push EDI          ; // save old frame 
        push ESI          ; // save old frame 
        mov EDI, [ESP+16] ; // Load FuncName 
        push EBP          ; // 
        xor AL, AL        ; // cle bit 
        push EBX          ; 
        mov ECX, -1       ; // reset EAX 
        mov EBX, EDI      ; // save old frame 
        cld               ; // clr d bit 
        repne             ;
        scasb             ; // scan ... 
        not ECX           ; // get result (with zero)

        mov ESI, [ESP+20] ; // load module addr          ;
        mov EAX, ESI      ; // save old frame 
        add ESI, [ESI+60] ; // move to PE File's IMAGE_NT_HEADERS 
        mov ESI, [ESI+120]; // load OptionalHeader.DataDirectory.VirtualAddress
        add ESI, EAX      ;
        movd XMM1, ESI    ; 
        mov EDX, [ESI+32] ; // get AddressOfNames
        add EDX, EAX      ; 
        mov EBP, [ESI+24] ; // get cnt 
        movd XMM0, ESP    ; 
        mov ESP, ECX      ; 
      main_loop:
        mov EDI, [EDX]    ; // Func Name Array ... 
        mov ESI, EBX      ; 
        add EDI, EAX      ;
        mov ECX, ESP      ; 
        repz              ;  
        cmpsb             ; 
        je final_nake     ; 
        add EDX, 4        ; 
        dec EBP           ; 
        jne main_loop     ;
final_nake:
        movd ESI, XMM1    ; 
        movd ESP, XMM0    ;
        sub EDX, [ESI+32] ;
        pop EBX           ; 
        pop EBP           ; 
        sub EDX, EAX      ; 
        shr EDX, 1        ; 
        add EDX, [ESI+36] ;
        add EDX, EAX      ; 
        movzx EDX, word ptr [EDX];
        lea EDX, [EDX*4]  ;
        add EDX, [ESI+28] ;
        pop ESI           ; 
        add EDX, EAX      ; 
        mov ECX, [EDX]    ; 
        pop EDI           ; 
        add EAX, ECX      ; 
        ret               ; 

      }
}

extern(Windows) int function
(
   HWND hWnd, PCHAR lpText, PCHAR lpCaption, UINT uType
) _MessageBoxA;

extern(Windows) int function
(
   HMODULE hModule, LPCSTR lpProcName
) _GetProcAddress;

extern(Windows) HMODULE function
(
   PCHAR lpFileName
) _LoadLibrary;

void main(){
    uint Kernel32BaseAddr;
    asm {
      mov EAX, [EBP+0x1D4];
      mov Kernel32BaseAddr, EAX;
    }
    _LoadLibrary    = cast(typeof(_LoadLibrary))    NEW_GPA(GetKernelBase(Kernel32BaseAddr), cast(char*)"LoadLibraryA"); ;
    _GetProcAddress = cast(typeof(_GetProcAddress)) NEW_GPA(GetKernelBase(Kernel32BaseAddr), cast(char*)"GetProcAddress");
    _MessageBoxA = cast(typeof(_MessageBoxA)) _GetProcAddress(_LoadLibrary(cast(char*)"user32.dll"), cast(char*)"MessageBoxA");
    _MessageBoxA (null, cast(char*) "Hello World", cast(char*)"Test", 0);
}
分享到:
| D语言 bindings库 XAudio2 无法发音 ...
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics