C language embedded assembly API memory search engine instances
- 2020-04-02 02:54:38
- OfStack
This article illustrates the C language embedded assembly API memory search engine method, to share with you for your reference. The specific implementation method is as follows:
// apisearchEngine.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
DWORD __stdcall GetStrLengthA(char* szName)
{
_asm
{
push edi
push ebx
mov eax, szName
mov edi, eax
mov ebx, eax
xor al, al
lstrscan:
scas byte ptr [edi] //Character scan checks string pointer length & PI; & have spent < br / >
jnz lstrscan
dec edi
sub edi, ebx
mov eax, edi
pop ebx
pop edi
}
}
DWORD __stdcall CalcBufferCRC(char* lpBuffer)
{
_asm
{
push ebx
push edi
push ecx
push ebp
mov ebx, lpBuffer
push ebx
call GetStrLengthA
mov edi, eax
shr edi, 2
xor ecx, ecx
loopBegin:
dec edi
jl loopOver
xor ecx, dword ptr [ebx]
add ebx, 4
jmp loopBegin
loopOver:
mov eax, ecx
pop ebp
pop ecx
pop edi
pop ebx
}
}
DWORD __stdcall GetProcAddressA(HANDLE hModule, DWORD dwExportCRC)
{
//DWORD lpProcNameCRC = ;
DWORD dwProcNumber;
LPVOID pProcAddress, pProcNameAddress, pProcIndexAddress;
_asm
{
push ebx
push esi
mov eax, hModule
mov edx,dwExportCRC //Edx = function name CRC32& PI; < br / >
mov ebx, eax //Ebx = b & have spent < br / >
mov eax, [ebx+0x3c] //Eax = file header offset & NBSP; < br / >
mov esi, [ebx+eax+0x78] //Esi = output table offset, file header + length of optional header =$78& PI; < br / >
lea esi, [ebx+esi+0x18] //Esi = number of function names = number of functions [ebx+esi+$14]& PI; < br / >
lods dword ptr ds:[esi]
mov dwProcNumber, eax //Eax = number of function names & NBSP; < br / >
lods dword ptr ds:[esi]
mov pProcAddress, eax //Eax = function offset & PI; < br / >
lods dword ptr ds:[esi]
mov pProcNameAddress, eax //Eax = function name offset & PI; < br / >
lods dword ptr ds:[esi]
mov pProcIndexAddress, eax //Eax = sequence number offset & PI; < br / >
mov edx, dwProcNumber //Edx = number of times & NBSP; < br / >
LoopBegin:
xor eax, eax // Result = 0
dec edx
jl LoopEnd
mov eax, pProcNameAddress
add eax, ebx //Eax = function name base address & PI; < br / >
mov eax, dword ptr ds:[eax+edx*4]
add eax, ebx //Eax = traversal function name & PI; < br / >
push eax
call CalcBufferCRC
cmp eax, dwExportCRC //Contrast CRC32 & have spent < br / >
jnz LoopBegin
shl edx, 1
add edx, pProcIndexAddress //Function base sequence & NBSP; < br / >
movzx eax, word ptr ss:[edx+ebx]
shl eax, 2
add eax, pProcAddress //Function base address & NBSP; < br / >
mov eax, [eax+ebx]
add eax, ebx //Result = function address & PI; < br / >
LoopEnd:
pop esi
pop ebx
}
}
DWORD __stdcall GetKernel32Module()
{
_asm
{
PUSH EBP
XOR ECX, ECX
//MOV ESI, [FS:ECX + 0x30] ; ESI = &(PEB) ([FS:0x30])
MOV ESI, FS:[0X30]
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module:
MOV EBP, [ESI + 0x08] ; EBP = InInitOrder[X].base_address
MOV EDI, [ESI + 0x20] ; EBP = InInitOrder[X].module_name (unicode)
MOV ESI, [ESI] ; ESI = InInitOrder[X].flink (next module)
CMP [EDI + 12*2], CL ; modulename[12] == 0 ?
JNE next_module ; No: try next module.
MOV EAX, EBP
POP EBP
}
}
int main(int argc, char* argv[])
{
printf("write by xiaoju !n");
printf("*****************n");
DWORD dwBaseKernel32 = GetKernel32Module();
printf("Kernel32 Module address :%08xn",dwBaseKernel32);
DWORD LoadLibraryCRC32= CalcBufferCRC("LoadLibraryA") ;
printf("LoadLibraryA the CRC value ( Statically write to the program ):%08xnn", LoadLibraryCRC32);
DWORD dwAddrLoadLibrary = GetProcAddressA((HANDLE)dwBaseKernel32, 0x577a7461);
printf(" Dynamically obtained in the program LoadLibraryA The address of the :%08xn", dwAddrLoadLibrary);
getchar();
return 0;
}
Hope that the article described in the C programming for you to help.