我正在尝试重建windows pe的导入表,现在我已经通过所有模块成功枚举了但是只要我使用loadlibrary api应用程序崩溃,任何人都可以指出我在哪里错了吗?
DWORD OEP, IAT, ImageBase, LoadLib;
char *module;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC // Orignal Entry Point
mov[IAT], 0xCCCCCCCC // Import Table Address
mov[ImageBase], 0xCCCCCCCC // Image Base
mov[LoadLib], 0xCCCCCCCC // kernel32.LoadLibraryA
}
// Fix IAT
__asm {
_it_fixup:
mov ebx, [IAT]
mov esi, [ImageBase]
add ebx, esi // image_import_descriptor
_it_loadlibrary_loop :
mov eax, [ebx + 0x0C] // eax = image_import_descriptor.Name
test eax, eax
jz _it_fixup_end
add eax, esi // ecx = module = image_import_descriptor.Name + dwImageBase
push eax
call [LoadLib] // Here when i check with ollydbg eax has advapi32.dll and says error_insufficient_buffer
inc ebx // image_import_descriptor++
test eax, eax
jnz _it_loadlibrary_loop
_it_fixup_end :
}
// Jump back
__asm {
jmp[OEP]
}
但是当我使用
时 push eax
mov ecx, [LoadLib]
call ecx
而不是
push eax
call[LoadLib]
调试器说ecx hold dvapi32.dll我有点困惑请告诉我这里有什么问题
并且是的,0xCCCCCCCC首先替换为kernel32.LoadLibraryA和所有
-------------------- EDIT -------------------
将代码更新为c / c ++
DWORD OEP, IAT, ImageBase, GetProc;
DWORD dwThunk, dwHintName;
typedef HMODULE(WINAPI *_LoadLibrary)(LPCSTR lpFileName);
_LoadLibrary __LoadLibrary;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC
mov[IAT], 0xCCCCCCCC
mov[ImageBase], 0xCCCCCCCC
mov[__LoadLibrary], 0xCCCCCCCC
mov[GetProc], 0xCCCCCCCC
}
// Fix IAT
PIMAGE_DOS_HEADER pDos;
PIMAGE_IMPORT_DESCRIPTOR pDesc;
pDos = (PIMAGE_DOS_HEADER)ImageBase;
pDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageBase + IAT);
char *module;
while (pDesc->Name) {
module = (char *)((DWORD)ImageBase + pDesc->Name);
__LoadLibrary(module);
pDesc++;
}
// Jump back
__asm {
jmp[OEP]
}