如何直接从 x86 汇编中动态调用 LoadLibraryA?目前 LoadLibraryA 在我的内存中位于 0x76fc57c0。我可以用下面的方式静态调用 LoadLibraryA:
mov eax, 76fc57c0h
call eax
但是一旦重启,或者在 ASLR 生效的情况下,这当然就不稳定了。有没有动态确定 LoadLibraryA 内存地址的方法?
我对 Windows 汇编编程还有点陌生,但下面是我查找 LoadLibraryA 时所遵循的步骤:
1 - 使用 PEB 查找 kernel32.dll 的基地址
2 - 通过查看导出表找到 GetProcAddress
3 - 最后调用 GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"LoadLibraryA")。
; FindKernel32Base -- walk the PEB loader list until an entry whose UTF-16
; base name has '3' at character index 6 ("kernel32.dll") is found.
; Syntax: NASM, 32-bit user mode.
; In:    EBX must be 0 (used as the zero base of the FS-relative load)
; Out:   EAX = DllBase of the matching module
; Clobb: EDI, ESI, flags
; Note for defenders: the FS:[0x30] -> Ldr -> module-list walk with a
; partial name compare is a well-known position-independent API-resolution
; pattern; the fixed offsets below are useful static detection signatures.
%macro FindKernel32Base 0
mov edi, [fs:ebx+0x30] ; EDI = PEB (TEB+0x30 via FS); relies on EBX == 0
mov edi, [edi+0x0c] ; EDI = PEB.Ldr (PEB_LDR_DATA)
mov edi, [edi+0x1c] ; EDI = InInitializationOrderModuleList.Flink (first entry)
%%module_loop:
mov eax, [edi+0x08] ; EAX = entry's DllBase (offset is relative to the init-order link)
mov esi, [edi+0x20] ; ESI = entry's BaseDllName.Buffer (UTF-16)
mov edi, [edi] ; advance to the next entry before the current name is tested
cmp byte [esi+12], '3' ; byte 12 of a UTF-16 name is character 6: '3' in "kernel32.dll"
jne %%module_loop ; NOTE(review): the list is circular, so this never terminates if no name matches; any module with '3' at that position also matches
%endmacro
; --- Locate GetProcAddress in kernel32's export table, then resolve LoadLibraryA ---
; Syntax: NASM, 32-bit; GetProcAddress is stdcall.
; Register roles: EAX = kernel32 base, EDX = export directory (VA),
; EDI = current table pointer, EBP = name index / ordinal, ESI = scratch.
; Note for defenders: the fixed "GetP"/"ddre" dword compares below are a
; recognisable signature of hand-rolled export-table lookups.
xor ebx, ebx ; EBX = 0: required by FindKernel32Base, reused as the loop-counter seed
FindKernel32Base ; EAX = kernel32.dll base
mov edi, eax ; EDI = kernel32 base
add edi, [eax+0x3c] ; EDI = PE header (base + e_lfanew)
mov edx, [edi+0x78] ; RVA of the export data directory (PE32 layout; PE32+ places it elsewhere)
add edx, eax ; EDX = IMAGE_EXPORT_DIRECTORY (VA)
mov edi, [edx+0x20] ; RVA of AddressOfNames
add edi, eax ; EDI = AddressOfNames (VA)
mov ebp, ebx ; EBP = 0, index into AddressOfNames
name_loop:
mov esi, [edi+ebp*4] ; RVA of the name at index EBP
add esi, eax ; ESI = name (VA)
inc ebp ; EBP is now index+1 -- see the ordinal lookup below
cmp dword [esi], 0x50746547 ; bytes 0..3 == "GetP"
jne name_loop
cmp dword [esi+8], 0x65726464 ; bytes 8..11 == "ddre" (GetProc[ddre]ss); no length check, so a longer name with the same prefix also matches
jne name_loop
mov edi, [edx+0x24] ; RVA of AddressOfNameOrdinals
add edi, eax ; EDI = AddressOfNameOrdinals (VA)
mov bp, [edi+ebp*2] ; NOTE(review): EBP holds index+1 here, so this reads the ordinal of the *next* name entry; the 16-bit write leaves EBP's upper half unchanged
mov edi, [edx+0x1C] ; RVA of AddressOfFunctions
add edi, eax ; EDI = AddressOfFunctions (VA)
mov edi, [edi+(ebp-1)*4] ; NOTE(review): name-ordinal entries are already zero-based indexes into AddressOfFunctions, so no base subtraction is needed; the -1 only undoes the index+1 above when exports are numbered consecutively in name order -- TODO confirm on each target build
add edi, eax ; EDI = GetProcAddress (VA)
; EDI = GetProcAddress, EAX = kernel32.dll base
push 0x00000000 ; NUL terminator
push 0x41797261 ; "aryA" in memory order
push 0x7262694C ; "Libr" in memory order
push 0x64616F4C ; "Load" in memory order -> ESP now points at "LoadLibraryA\0"
push esp ; arg 2: lpProcName = pointer to "LoadLibraryA" on the stack
push eax ; arg 1: hModule = kernel32 base
xchg eax, esi ; keep the kernel32 base in ESI (EAX is overwritten by the return value); the old ESI is discarded
call edi ; GetProcAddress(hModule, "LoadLibraryA"); stdcall callee pops the 8 bytes of arguments
; EAX = LoadLibraryA, or 0 if the lookup failed (check before calling through it).
; The 16-byte string is still on the stack and must be popped by the caller.
执行结束后,EAX 中应当就是 LoadLibraryA 的地址。
希望它对你有用!