charme - 2009-6-25 20:42:00
.386
.model flat,stdcall
option casemap:none
include D:\MASMPlus\Include\windows.inc
include D:\MASMPlus\Include\kernel32.inc
include D:\MASMPlus\Include\user32.inc
includelib D:\MASMPlus\Lib\kernel32.lib
includelib D:\MASMPlus\Lib\user32.lib
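.data
szCaption db 'charme',0 ; MessageBox caption; explicit NUL terminator (the original had none and silently relied on section padding to end the string)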
.code
GetKrnlBase proc
    ; DWORD GetKrnlBase(void)  -- 32-bit x86 only (reads the fs: segment; all
    ;                             offsets below are the x86 structure layouts)
    ; Out:   eax = BaseAddress of the SECOND entry of the loader's
    ;        InInitializationOrderModuleList, taken to be kernel32.dll.
    ; Clobb: only eax is written; flags are untouched (mov only).
    ;
    ; Walk: TEB (fs:) -> PEB -> PEB_LDR_DATA -> InInitializationOrderModuleList.
    ; Each link on that list is the InInitializationOrderModuleList member
    ; (+0x10) of an LDR_MODULE, so BaseAddress (+0x18) sits 8 bytes after the link.
    ;   LDR_MODULE (x86):
    ;     +0x00 LIST_ENTRY     InLoadOrderModuleList
    ;     +0x08 LIST_ENTRY     InMemoryOrderModuleList
    ;     +0x10 LIST_ENTRY     InInitializationOrderModuleList
    ;     +0x18 PVOID          BaseAddress
    ;     +0x1c PVOID          EntryPoint
    ;     +0x20 ULONG          SizeOfImage
    ;     +0x24 UNICODE_STRING FullDllName
    ;     +0x2c UNICODE_STRING BaseDllName
    ;     +0x34 ULONG          Flags
    ;     +0x38 SHORT          LoadCount
    ;     +0x3a SHORT          TlsIndex
    ;     +0x3c LIST_ENTRY     HashTableEntry
    ;     +0x44 ULONG          TimeDateStamp
    ;
    ; NOTE(review): "second entry == kernel32.dll" is an assumption about load
    ; order taken from the Windows XP system this was posted from; it is not
    ; guaranteed on later Windows versions, where a different DLL may occupy that
    ; slot. Robust code walks the list and compares BaseDllName instead of
    ; trusting the position -- confirm before reusing.
    PEB_OFS        equ 30h              ; TEB.ProcessEnvironmentBlock
    LDR_OFS        equ 0ch              ; PEB.Ldr
    INIT_LIST_OFS  equ 1ch              ; PEB_LDR_DATA.InInitializationOrderModuleList.Flink
    BASE_FROM_LINK equ 8                ; LDR_MODULE.BaseAddress - LDR_MODULE.InInitializationOrderModuleList
    assume fs:nothing
    mov eax,fs:[PEB_OFS]                ; eax = PEB
    mov eax,[eax+LDR_OFS]               ; eax = PEB_LDR_DATA
    mov eax,[eax+INIT_LIST_OFS]         ; eax = first init-order link (ntdll.dll's, per the original note)
    mov eax,[eax]                       ; eax = Flink -> second link
    mov eax,[eax+BASE_FROM_LINK]        ; eax = that module's BaseAddress
    ret
GetKrnlBase endp
main proc
    ; Entry point: locate kernel32.dll via the PEB and show what lives at its base.
    call GetKrnlBase                    ; eax = kernel32 image base (see GetKrnlBase for its assumptions)
    ; eax is passed as lpText, so the box prints the bytes found at the image
    ; base (starting with "MZ") up to the first NUL -- not the address value.
    push MB_OK                          ; uType
    push offset szCaption               ; lpCaption
    push eax                            ; lpText = kernel32 base
    push 0                              ; hWnd = NULL
    call MessageBox
    push 0                              ; uExitCode
    call ExitProcess
main endp
end main
charme - 2009-6-25 20:43:00
.386
.model flat,stdcall
option casemap:none
include D:\MASMPlus\Include\windows.inc
include D:\MASMPlus\Include\kernel32.inc
include D:\MASMPlus\Include\user32.inc
includelib D:\MASMPlus\Lib\kernel32.lib
includelib D:\MASMPlus\Lib\user32.lib
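.data
szCaption db 'charme',0 ; MessageBox caption; explicit NUL terminator (the original had none and silently relied on section padding to end the string)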
.code
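GetKrnlBase proc
    ; DWORD GetKrnlBase(void)  -- 32-bit x86 only (reads the fs: segment)
    ; Out:   eax = image base of the module that owns the OUTERMOST SEH handler,
    ;        assumed to be kernel32.dll.
    ; Clobb: edx, flags.
    ;
    ; Method: walk the SEH chain from fs:[0] to the last record (Next == -1).
    ; Its handler address lies inside the module that started the thread; from
    ; there step backwards in 64 KB units (image bases are 64 KB aligned) until
    ; a DOS header whose e_lfanew points at a valid PE signature is found.
    ;
    ; Fixes vs. the original:
    ;  - the end-of-chain test toggled [edx] in place (inc/dec) and so wrote to
    ;    every SEH record on the stack; a compare reads only.
    ;  - a false 'MZ' hit jumped back to _next with edx no longer pointing at an
    ;    SEH record (it pointed at the candidate header), which would deref
    ;    garbage; it now simply continues the scan.
    ;
    ; NOTE(review): "outermost handler is inside kernel32" held for the Windows
    ; XP-era thread start code this was written against; it is not guaranteed on
    ; later versions -- confirm before reusing. The scan has no lower bound: if no
    ; header is found before the walk leaves mapped memory it will fault.
    SEH_END   equ -1                    ; ExceptionList.Next of the last record
    DOS_MAGIC equ 5A4Dh                 ; 'MZ'
    PE_MAGIC  equ 00004550h             ; 'PE\0\0'
    assume fs:nothing
    mov edx,fs:[0]                      ; edx = head of this thread's SEH chain
_next:
    cmp dword ptr [edx],SEH_END         ; last record?
    je _krnl
    mov edx,[edx]                       ; edx = record->Next
    jmp _next
_krnl:
    mov edx,[edx+4]                     ; edx = record->Handler, an address inside the target module
    and edx,0FFFF0000h                  ; start at the enclosing 64 KB boundary
_scan:
    cmp word ptr [edx],DOS_MAGIC        ; DOS header here?
    jne _prev
    mov eax,[edx+3ch]                   ; eax = e_lfanew
    cmp dword ptr [edx+eax],PE_MAGIC    ; real PE header, not a stray 'MZ'?
    je _found
_prev:
    sub edx,10000h                      ; previous 64 KB boundary
    jmp _scan
_found:
    mov eax,edx                         ; return the image base
    ret
GetKrnlBase endp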
main proc
    ; Entry point: locate kernel32.dll via the SEH chain and show what lives at its base.
    call GetKrnlBase                    ; eax = kernel32 image base (see GetKrnlBase for its assumptions)
    ; eax is passed as lpText, so the box prints the bytes found at the image
    ; base (starting with "MZ") up to the first NUL -- not the address value.
    push MB_OK                          ; uType
    push offset szCaption               ; lpCaption
    push eax                            ; lpText = kernel32 base
    push 0                              ; hWnd = NULL
    call MessageBox
    push 0                              ; uExitCode
    call ExitProcess
main endp
end main
charme - 2009-6-25 20:45:00
.386
.model flat,stdcall
option casemap:none
include D:\MASMPlus\Include\windows.inc
include D:\MASMPlus\Include\kernel32.inc
include D:\MASMPlus\Include\user32.inc
includelib D:\MASMPlus\Lib\kernel32.lib
includelib D:\MASMPlus\Lib\user32.lib
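.data
szCaption db 'charme',0 ; MessageBox caption; explicit NUL terminator (the original had none and silently relied on section padding to end the string)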
.code
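FindBase proc
    ; DWORD FindBase(void)  -- 32-bit x86 only
    ; Out:   eax = image base of the module containing the caller's return
    ;        address (i.e. the executable that called us), found by walking
    ;        backwards from that address to a DOS header with a valid PE signature.
    ; Clobb: edx, flags.
    ;
    ; Fixes vs. the original:
    ;  - it drove the scan with `loop`, but never initialised ecx, so the number
    ;    of iterations was whatever ecx happened to hold; when the count ran out
    ;    it fell through into the PE check on a page with no 'MZ' at all.
    ;  - it used esi as scratch without saving it, although stdcall callers
    ;    expect esi preserved; a volatile register is used instead.
    ;  - the mask 0FFFF0000h is 64 KB alignment, not "page" alignment as the
    ;    original comment said; since image bases are 64 KB aligned the scan can
    ;    step in 64 KB units and skip the 15 pages in between.
    ; Assumes the return address really is inside a mapped PE image, so every
    ; 64 KB boundary between it and the base is readable; otherwise the scan
    ; faults (there is no lower bound).
    DOS_MAGIC equ 5A4Dh                 ; 'MZ'
    PE_MAGIC  equ 00004550h             ; 'PE\0\0'
    mov eax,[esp]                       ; eax = return address (no prologue, so [esp] is it)
    and eax,0FFFF0000h                  ; start at the enclosing 64 KB boundary
_scan:
    cmp word ptr [eax],DOS_MAGIC        ; DOS header here?
    jne _prev
    mov edx,[eax+3ch]                   ; edx = e_lfanew
    cmp dword ptr [eax+edx],PE_MAGIC    ; real PE header, not a stray 'MZ'?
    je _found
_prev:
    sub eax,10000h                      ; previous 64 KB boundary
    jmp _scan
_found:
    retn                                ; eax = image base
FindBase endp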
main proc
    ; Entry point: find this executable's own image base from the return
    ; address and show what lives there.
    call FindBase                       ; eax = base of the module containing this call site (see FindBase)
    ; eax is passed as lpText, so the box prints the bytes found at the image
    ; base (starting with "MZ") up to the first NUL -- not the address value.
    push MB_OK                          ; uType
    push offset szCaption               ; lpCaption
    push eax                            ; lpText = image base
    push 0                              ; hWnd = NULL
    call MessageBox
    push 0                              ; uExitCode
    call ExitProcess
main endp
end main