微客导航 » 文章资讯 » C语言内嵌汇编API内存搜索引擎实例

C语言内嵌汇编API内存搜索引擎实例

2024-04-07 07:45:03 252

本文实例讲述了C语言内嵌汇编API内存搜索引擎的方法，分享给大家供大家参考。具体实现方法如下：

//apisearchEngine.cpp:Definestheentrypointfortheconsoleapplication. 

// 

 

#include"stdafx.h" 

#include<Windows.h> 

 

 DWORD__stdcallGetStrLengthA(char*szName) 

{ 

   _asm 

   { 

       pushedi 

       pushebx 

       moveax, szName 

       movedi,eax 

       movebx,eax 

       xoral,al 

 

lstrscan: 

       scasbyteptr[edi]         //字符扫描法检查字符串指针长度  

       jnzlstrscan 

       decedi 

       subedi,ebx 

       moveax,edi 

       popebx 

       popedi 

         

   } 

} 

 

 DWORD__stdcallCalcBufferCRC(char*lpBuffer) 

{ 

   _asm 

   { 

       pushebx 

       pushedi 

       pushecx 

       pushebp 

       movebx,lpBuffer 

       pushebx 

       callGetStrLengthA 

       movedi,eax 

       shredi,2 

       xorecx,ecx 

loopBegin: 

       decedi 

       jlloopOver 

       xorecx,dwordptr[ebx] 

       addebx,4 

       jmploopBegin 

loopOver: 

       moveax,ecx 

       popebp 

       popecx 

       popedi 

       popebx 

   } 

} 

 

DWORD__stdcallGetProcAddressA(HANDLEhModule,DWORDdwExportCRC) 

{ 

   //DWORDlpProcNameCRC=; 

   DWORDdwProcNumber; 

   LPVOIDpProcAddress,pProcNameAddress,pProcIndexAddress; 

   _asm 

   { 

       pushebx 

       pushesi 

         

       moveax,hModule 

       movedx,dwExportCRC     //edx=函数名CRC32 

       movebx,eax               //ebx=基址 

       moveax,[ebx+0x3c]         //eax=文件头偏移 

       movesi,[ebx+eax+0x78]     //esi=输出表偏移,文件头+可选头的长度=$78 

       leaesi,[ebx+esi+0x18]     //esi=函数名数量=函数数量[ebx+esi+$14] 

       lodsdwordptrds:[esi] 

       movdwProcNumber,eax      //eax=函数名数量 

       lodsdwordptrds:[esi] 

       movpProcAddress,eax      //eax=函数偏移量 

       lodsdwordptrds:[esi] 

       movpProcNameAddress,eax  //eax=函数名偏移量 

       lodsdwordptrds:[esi] 

       movpProcIndexAddress,eax //eax=序列号偏移量 

       movedx,dwProcNumber      //edx=遍历次数 

LoopBegin: 

       xoreax,eax               //Result=0 

       decedx 

       jlLoopEnd 

       moveax,pProcNameAddress 

       addeax,ebx               //eax=函数名基地址 

       moveax,dwordptrds:[eax+edx*4] 

       addeax,ebx               //eax=遍历函数名 

       pusheax 

       callCalcBufferCRC 

       cmpeax,dwExportCRC     //对比CRC32 

       jnzLoopBegin 

       shledx,1 

       addedx,pProcIndexAddress //函数基序列 

       movzxeax,wordptrss:[edx+ebx] 

       shleax,2 

       addeax,pProcAddress      //函数基地址 

       moveax,[eax+ebx] 

       addeax,ebx               //Result=函数地址 

LoopEnd: 

       popesi 

       popebx 

         

   } 

}

DWORD__stdcallGetKernel32Module() { _asm { PUSH EBP XOR ECX,ECX //MOV ESI,[FS:ECX+0x30] ;ESI=&(PEB)([FS:0x30]) MOV ESI,FS:[0X30] MOV ESI,[ESI+0x0C] ;ESI=PEB->Ldr MOV ESI,[ESI+0x1C] ;ESI=PEB->Ldr.InInitOrder next_module: MOV EBP,[ESI+0x08] ;EBP=InInitOrder[X].base_address MOV EDI,[ESI+0x20] ;EBP=InInitOrder[X].module_name(unicode) MOV ESI,[ESI] ;ESI=InInitOrder[X].flink(nextmodule) CMP [EDI+12*2],CL ;modulename[12]==0? JNE next_module ;No:trynextmodule. MOV EAX,EBP POP EBP } } intmain(intargc,char*argv[]) { printf("writebyxiaoju!\n"); printf("*****************\n"); DWORDdwBaseKernel32=GetKernel32Module(); printf("Kernel32的模块地址:%08x\n",dwBaseKernel32); DWORDLoadLibraryCRC32=CalcBufferCRC("LoadLibraryA"); printf("LoadLibraryA的CRC值(静态写到程序中):%08x\n\n",LoadLibraryCRC32); DWORDdwAddrLoadLibrary=GetProcAddressA((HANDLE)dwBaseKernel32,0x577a7461); printf("在程序中动态得到的LoadLibraryA的地址:%08x\n",dwAddrLoadLibrary); getchar(); return0; }

返回顶部
3162201930
czq8825@qq.com

C语言内嵌汇编API内存搜索引擎实例

热门推荐

随机推荐