Copyright, 2004-2010 Blast Software, all rights reserved.
皖ICP备09016542号
Blast's Security Lab
6 Nov 2009
曾经是vb的LoadLibrary+GetProcAddress折腾了我半大天,后来不得不曲线救国,使用Delphi的DLL才算完事,不过今天试验了下PB,发现完全不需要动用Delphi的,PB就可以搞定这东西,比较方便的内嵌汇编(关键字!或ASM)就能完成这等破事,代码大致如下:
#COMPILE EXE
#DIM ALL
DECLARE FUNCTION LoadLibrary LIB "kernel32" ALIAS "LoadLibraryA" (BYVAL lpLibFileName AS STRING) AS LONG
DECLARE FUNCTION GetProcAddress LIB "kernel32" ALIAS "GetProcAddress" (BYVAL hModule AS LONG, BYVAL lpProcName AS STRING) AS LONG
DECLARE FUNCTION CloseHandle LIB "kernel32" ALIAS "CloseHandle" (BYVAL hObject AS LONG) AS LONG
DECLARE FUNCTION GetTickCount LIB "kernel32" ALIAS "GetTickCount" () AS LONG
DECLARE SUB ExitProcess LIB "kernel32" ALIAS "ExitProcess" (BYVAL uExitCode AS LONG)
FUNCTION PBMAIN () AS LONG
DIM HndDl AS LONG, HndFn AS LONG
'Test for function Sleep
HndDl=LoadLibrary("kernel32.dll")
HndFn=GetProcAddress(HndDl,"Sleep")
MSGBOX STR$(GetTickCount())
! push 100
! call HndFn
MSGBOX STR$(GetTickCount())
'Test for function WinExec
DIM sTest AS ASCIIZ * 256, sLoc AS LONG
sTest= ENVIRON$("windir") & "\system32\calc.exe"
sLoc=VARPTR(sTest)
HndFn=GetProcAddress(HndDl,"WinExec")
! push 5
! push sLoc
! call HndFn
CloseHandle(HndDl)
'http://www.sacour.cn
ExitProcess(0)
END FUNCTION
程序PBMAIN的代码,在代码中都是能找到的~
.text:00401158 push ebp
.text:00401159 mov ebp, esp
.text:0040115B push ebx
.text:0040115C push esi
.text:0040115D push edi
.text:0040115E push 133Fh
.text:00401163 sub esp, 70h
.text:00401166 push offset sub_401158
.text:0040116B xor esi, esi
.text:0040116D xor edi, edi
.text:0040116F mov ecx, 48h
.text:00401174
.text:00401174 loc_401174: ; CODE XREF: sub_401158+1Ej
.text:00401174 push esi
.text:00401175 dec ecx
.text:00401176 jnz short loc_401174
.text:00401178 mov edx, offset unk_403738
.text:0040117D call sub_401F31
.text:00401182 push 0 ; lpLibFileName
.text:00401184 mov ebx, esp
.text:00401186 call sub_401C7E
.text:0040118B call ds:LoadLibraryA
.text:00401191 fldcw [ebp+var_10]
.text:00401194 mov esi, eax
.text:00401196 mov edx, offset unk_40374C
.text:0040119B call sub_401F31
.text:004011A0 push 0 ; lpProcName
.text:004011A2 mov ebx, esp
.text:004011A4 call sub_401C7E
.text:004011A9 mov eax, esi
.text:004011AB push eax ; hModule
.text:004011AC call ds:GetProcAddress
.text:004011B2 fldcw [ebp+var_10]
.text:004011B5 mov edi, eax
.text:004011B7 call ds:GetTickCount
.text:004011BD fldcw [ebp+var_10]
.text:004011C0 call sub_401C49
.text:004011C5 call sub_401B1D
.text:004011CA mov eax, 12000h
.text:004011CF call sub_401F48
.text:004011D4 call sub_40198A
.text:004011D9 push 64h ; push 100
.text:004011DB call edi ; call HndFn
.text:004011DD call ds:GetTickCount
.text:004011E3 fldcw [ebp+var_10]
.text:004011E6 call sub_401C49
.text:004011EB call sub_401B1D
.text:004011F0 mov eax, 12000h
.text:004011F5 call sub_401F48
.text:004011FA call sub_40198A
.text:004011FF mov edx, offset unk_403758
.text:00401204 call sub_401F31
.text:00401209 call sub_401924
.text:0040120E mov edx, offset unk_403764
.text:00401213 call sub_401F31
.text:00401218 call sub_401D3D
.text:0040121D lea ebx, [ebp+var_1A0]
.text:00401223 mov ecx, 100h
.text:00401228 call sub_401EDB
.text:0040122D lea ebx, [ebp+var_1A0]
.text:00401233 mov eax, ebx
.text:00401235 mov [ebp+var_1A4], eax
.text:0040123B mov edx, offset unk_40377C
.text:00401240 call sub_401F31
.text:00401245 push 0 ; lpProcName
.text:00401247 mov ebx, esp
.text:00401249 call sub_401C7E
.text:0040124E mov eax, esi
.text:00401250 push eax ; hModule
.text:00401251 call ds:GetProcAddress
.text:00401257 fldcw [ebp+var_10]
.text:0040125A mov edi, eax
.text:0040125C push 5 ; push 5
.text:0040125E push [ebp+var_1A4] ; push sLoc
.text:00401264 call edi ; call HndFn
.text:00401266 mov eax, esi
.text:00401268 push eax ; hObject
.text:00401269 call ds:CloseHandle
.text:0040126F fldcw [ebp+var_10]
.text:00401272 push 0 ; uExitCode
.text:00401274 call ds:ExitProcess
.text:00401274 sub_401158 endp ; sp-analysis failed
完结了
◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。