标题:[分享][开源]pe文件学习笔记2-----动态获取api
无理取闹
[分享][开源]pe文件学习笔记2-----动态获取api


pe文件学习笔记1-----为PE文件添加节


在 kernel32 中搜索 API 地址,并不使用引入表

.386                                   ; 32-bit x86 target
.model flat,stdcall                    ; flat memory model; PROCs default to stdcall (callee pops its arguments)
option casemap:none                    ; symbol names are case-sensitive
include windows.inc                    ; source of the IMAGE_DOS_SIGNATURE / IMAGE_NT_SIGNATURE constants used in start:
GetApiA proto :DWORD,:DWORD            ; DWORD GetApiA(DWORD Base, DWORD sApi): look an export name up in the module loaded at Base
;;--------------

.code
; All data below is placed in the code section. Two locations (k32Base and the a* slots)
; are written at run time, so the section must be writable for this to work —
; TODO confirm the linker/section flags used for the build.
k32Base dd ? ;base address of the module located by the search in start: (written there, read ebp-relative by the resolver loop)
;#############################################
; NUL-terminated export names resolved from the located module. Keep this order in
; sync with the a* slots below: the stosd loop in start: fills the slots sequentially.
sGetModuleHandle db "GetModuleHandleA",0
sGetProcAddress db "GetProcAddress",0
sExitProcess db "ExitProcess",0
sLoadLibrary db "LoadLibraryA",0
sMessageBoxA db "MessageBoxA",0

; Resolved addresses, one per name above, filled in start: in this exact order.
; Only aGetProcAddress, aExitProcess and aLoadLibrary are read afterwards.
aGetModuleHandle dd 0
aGetProcAddress dd 0
aExitProcess dd 0
aLoadLibrary dd 0
aMessageBoxA dd 0

u32 db "User32.dll",0 ;argument to LoadLibraryA
k32 db "Kernel32.dll",0 ;not referenced in this listing

sztit db "by 无理取闹",0 ;MessageBoxA caption
szMsg db "没有导入表哦!",0 ;MessageBoxA text

; Zero-terminated table of link-time pointers to the name strings; walked with lodsd in start:.
; The entries are absolute link-time offsets, so they are only valid while the relocation delta is 0.
lpApiAddrs label near
dd offset sGetModuleHandle
dd offset sGetProcAddress
dd offset sExitProcess
dd offset sLoadLibrary
dd offset sMessageBoxA
dd 0 ;terminator
;#############################################
start:
; Entry point. Steps: compute a relocation delta into ebp, locate the PE header of the
; module whose return address is on the stack (assumed to be kernel32), resolve the
; names in lpApiAddrs from its export table, LoadLibraryA("User32.dll"), resolve
; MessageBoxA with the real GetProcAddress, show the box, then ExitProcess(0).
; NOTE(review): the image intentionally carries no import table. From a defender's
; view an executable with an empty or near-empty import directory is itself a common
; static heuristic used by scanners and unpacking tools, so this style is easy to
; flag rather than hidden (this answers the question asked in the reply below).
call @F
@@:
pop ebp
sub ebp,offset @B ;ebp = run-time address of @@ minus its link-time offset = relocation delta (0 when the image runs at its linked base)
mov ecx,[esp] ;[esp] is the return address pushed by the loader's call into the entry point; assumed to lie inside kernel32 — TODO confirm, on newer Windows the caller is in ntdll and the search below finds that module instead
xor edx,edx
and ecx,0FFFF0000h ;round down to a 64K allocation-granularity boundary
getK32: ;walk downward 64K at a time until a page starts with "MZ" and its e_lfanew points at "PE\0\0"
sub ecx,010000h
cmp word ptr [ecx],IMAGE_DOS_SIGNATURE ;NOTE(review): no lower bound and no check that [ecx] is mapped; touching an unmapped page here raises an access violation
jnz getK32
mov esi,ecx
add esi,[esi+3ch] ;esi = base + e_lfanew = IMAGE_NT_HEADERS
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz getK32
mov k32Base,ecx ;absolute store (ebp delta not applied), unlike the ebp-relative read below — only consistent while ebp == 0; also requires the section holding k32Base to be writable
;#######################################
lea edi,[ebp+offset aGetModuleHandle] ;edi -> first result slot; the slots follow the same order as lpApiAddrs
lea esi,[ebp+offset lpApiAddrs] ;esi -> zero-terminated table of name-string pointers
loop_get:
lodsd ;eax = next name pointer (link-time offset; the ebp delta is not applied to it)
cmp eax,0
jz End_Get
push eax
push dword ptr [ebp+offset k32Base]
call GetApiA ;eax = GetApiA(k32Base, name); note GetApiA has no not-found path, so an unexported name yields an unrelated value here
stosd ;store into the matching a* slot and advance edi
jmp loop_get
End_Get:
push offset u32 ;link-time offset, not relocated with ebp (same for the three offset pushes below)
call [ebp+aLoadLibrary] ;eax = LoadLibraryA("User32.dll")
push offset sMessageBoxA
push eax
mov eax,dword ptr [ebp+aGetProcAddress] ;resolve MessageBoxA through the real GetProcAddress rather than GetApiA
call eax ;eax = GetProcAddress(hUser32, "MessageBoxA")
push 40h+1000h ;uType: 40h = MB_ICONINFORMATION, 1000h = MB_SYSTEMMODAL (both named in windows.inc)
push offset sztit ;lpCaption
push offset szMsg ;lpText
push 0 ;hWnd = NULL
call eax ;MessageBoxA(NULL, szMsg, sztit, uType)
push 0
call [ebp+aExitProcess] ;ExitProcess(0); does not return
;-----------------------------------------
GetApiA proc Base:DWORD,sApi:DWORD
; DWORD GetApiA(DWORD Base, DWORD sApi)
; Walk the export directory of the PE32 image loaded at Base and return the
; address of the export whose name equals the NUL-terminated string at sApi.
; In:    Base = module base (VA of its IMAGE_DOS_HEADER); sApi = pointer to the name
; Out:   eax  = VA of the export
; Clobb: EFLAGS (pushad/popad restores the general registers, not the flags); DF is left cleared
; Stack: two DWORD locals plus the pushad frame
; NOTE(review): there is no not-found result. If the name is absent the loop
; exits with edx == NumberOfNames and falls into found: with ebx one past the
; AddressOfNames array, so an unrelated value is returned instead of 0.
; Forwarded exports are not detected either: a forwarder entry is returned as
; if it were code.
local @dwStringLength
local @return
pushad
;#############compute the length of the name#########################
mov edi,sApi
mov ecx,-1
xor al,al
cld
repnz scasb ;scan for the terminating NUL; edi ends one byte past it
mov ecx,edi
sub ecx,sApi ;ecx = strlen(sApi)+1; including the NUL makes the compare below also check end-of-name
mov @dwStringLength,ecx
;####################################
mov esi,Base
add esi,[esi+3ch] ;esi = IMAGE_NT_HEADERS (base + e_lfanew)
mov esi,[esi+78h];[esi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[0].VirtualAddress] = export directory RVA (PE32 layout)
add esi,Base;esi = IMAGE_EXPORT_DIRECTORY (VA)
mov ebx,[esi+20h];AddressOfNames RVA
add ebx,Base ;ebx -> AddressOfNames[0]
xor edx,edx ;edx = current name index
next: ;compare sApi against the name AddressOfNames[edx] points to
push esi ;esi is reused as the compare source; preserve the export directory pointer
mov esi,sApi
mov edi,[ebx]
add edi,Base ;edi = VA of the exported name string
mov ecx,@dwStringLength
repz cmpsb ;ZF=1 only when all @dwStringLength bytes (terminator included) match
jnz goon
pop esi
jmp found
goon: pop esi
add ebx,4 ;next AddressOfNames entry
inc edx
cmp edx,[esi+18h] ;NumberOfNames
jb next
found:
sub ebx,[esi+20h];AddressOfNames
sub ebx,Base ;ebx = name index * 4
shr ebx,1 ;AddressOfNameOrdinals is a WORD array, so index*4 becomes index*2
add ebx,[esi+24h];AddressOfNameOrdinals
add ebx,Base
movzx eax,word ptr [ebx];eax = unbiased ordinal = index into AddressOfFunctions
;mov eax,edx ;disabled alternative: uses the name index directly, which is only correct when the ordinal table happens to be an identity mapping
shl eax,2 ;AddressOfFunctions is a DWORD array, so ordinal*4
add eax,[esi+1ch];AddressOfFunctions
add eax,Base
mov eax,[eax] ;function RVA
add eax,Base ;function VA
mov @return,eax
popad
mov eax,@return
ret
GetApiA endp
;##############################

end start


[此贴子已经被作者于2007-8-22 20:20:12编辑过]

2007-08-22 20:17
hwbnet
请问楼主:动态获取API是否能被破解软件识别出来?

2007-09-01 10:37






