0x01 打印出ntdll.dll中所有函数名字和地址
0x02 在任何 32 位 Windows 进程中都可以不经任何 API 调用找到 ntdll.dll 和 kernel32.dll 的基地址:fs:[30h] 指向 PEB,PEB+0Ch 指向 PEB_LDR_DATA,其中的 InInitializationOrderModuleList 是一个双向链表,每个节点(LDR_DATA_TABLE_ENTRY)都记录着一个已加载模块的基地址。顺着这个链表就能拿到所需模块的基地址,再解析其导出表就可以调用任意导出函数——这正是 shellcode 不依赖导入表、可以放在任意位置执行的基础。需要注意两点:(1) 上述偏移只适用于 32 位进程,x64 下 PEB 位于 gs:[60h],各字段偏移也不同;(2) 链表中模块的先后顺序与系统版本有关(XP 上前两项是 ntdll.dll、kernel32.dll,Windows 7 起第二项一般是 kernelbase.dll),所以可靠的做法是比较节点中的 BaseDllName(或其哈希)来定位模块,而不是依赖固定位置。
0x03 代码如下:
// GetKernel32FuncAddr.cpp :
#include
#include
unsigned long GetKernel32FuncAddr()
{
// pBaseOfKernel32: image base of the module taken from the loader list.
//   NOTE(review): despite the name, the __asm block below never advances to the
//   second list entry, so this is the FIRST init-order module (ntdll.dll, judging
//   by the exports printed in the result section).
// pNameOfModule: VA of that module's IMAGE_EXPORT_DIRECTORY.Name string.
unsigned long pBaseOfKernel32, pNameOfModule;
// pAddressOfFunctions: VA of the export AddressOfFunctions table.
// pAddress0fNames: spelled with a digit zero; declared but never written by the
//   __asm block below (it stores the name pointers in aryNameAddr instead).
unsigned long pAddressOfFunctions, pAddress0fNames;
// aryFunAddr / aryNameAddr: esp-based arrays filled by the __asm block
//   (export VAs and name-string pointers); num = NumberOfFunctions.
unsigned long aryFunAddr,aryNameAddr,num;
__asm{
// NOTE(review): 32-bit (x86) layout only. fs:[30h] is the PEB pointer in the TEB;
// on x64 the PEB lives at gs:[60h] and every offset used below is different.
mov edx, fs:30h ; edx = PEB
mov edx, [edx+0ch] ; edx = PEB->Ldr (PEB_LDR_DATA)
// base of ntdll.dll=====================
mov edx, [edx+1ch] ; edx = Ldr->InInitializationOrderModuleList.Flink = first entry's InInitializationOrderLinks
// base of kernel32.dll=====================
//mov edx,[edx] ; Next element -- left commented out, so the FIRST list entry is used, not the second
mov eax, [edx+8] ; eax = entry->DllBase (8 bytes past InInitializationOrderLinks in LDR_DATA_TABLE_ENTRY)
mov pBaseOfKernel32,eax ; NOTE(review): misnamed -- this is the first init-order module (ntdll.dll on XP, which is what the output lists). List order is OS-version dependent; match BaseDllName instead of trusting position.
mov ebx, eax ; ebx = image base, kept for every RVA->VA conversion below
// get the addrs of first function =========
mov edx,[ebx+3ch] ; edx = IMAGE_DOS_HEADER.e_lfanew
mov edx,[edx+ebx+78h] ; edx = OptionalHeader.DataDirectory[EXPORT].VirtualAddress (PE32: NT hdr 18h + DataDirectory 60h)
add edx,ebx ; RVA + base
mov esi,edx ; esi = IMAGE_EXPORT_DIRECTORY*
// get fields of IMAGE_EXPORT_DIRECTORY pNameOfModule
mov edx,[esi+0ch] ; Name (RVA of the module's own name string)
add edx,ebx ; RVA + base
mov pNameOfModule,edx ; Save it to local variable
mov edx,[esi+1ch] ; AddressOfFunctions RVA
add edx,ebx ; RVA + base
mov pAddressOfFunctions,edx ; Save it to local variable
mov ecx,[esi+14h]; NumberOfFunctions
mov num,ecx; num = NumberOfFunctions (presumably the print loop's bound -- that loop is cut off in this listing)
// allocate stack space for the function-address array
// NOTE(review): esp is moved behind the compiler's back and never restored in this
// block; this only works while the function keeps an EBP frame (locals addressed
// via ebp, epilogue restores esp). There is no size check on NumberOfFunctions.
mov edx,[esi+14h] ; NumberOfFunctions
mov ecx,4 ; alloc 4 x NumberOfFunctions bytes
stack_zero:
sub esp,edx ; esp -= NumberOfFunctions, repeated four times
loop stack_zero ;
mov edx,esp ; edx store the start addr of Functions[]
mov aryFunAddr,edx
mov ecx,[esi+14h] ; NumberOfFunctions
// copy every export address, highest index first
store_functions:
mov eax, [esi+1Ch] ; AddressOfFunctions RVA
add eax, ebx ; rva2va -> eax = AddressOfFunctions[]
mov eax, [eax+ecx*4-4] ; AddressOfFunctions[ecx-1] (function RVA, indexed by ordinal - Base)
add eax, ebx ; rva2va. NOTE(review): an unused ordinal slot (RVA 0) becomes the image base here, and a forwarded export (RVA inside the export section) points at a "DLL.Func" string, not code.
mov [edx+ecx*4-4],eax ; aryFunAddr[ecx-1] = VA
loop store_functions;
// allocate stack space for the name-pointer array
mov edx,[esi+18h] ; NumberOfNames
mov ecx,4 ; alloc 4 x NumberOfNames bytes
stack_zero1:
sub esp,[esi+18h] ; esp -= NumberOfNames, repeated four times
loop stack_zero1 ;
mov edx,esp ; edx store the start addr of Names[]
mov aryNameAddr,edx ;
mov ecx,[esi+18h] ; NumberOfNames (NOT NumberOfFunctions -- the two counts can differ)
// copy every name-string pointer
// NOTE(review): AddressOfNames[i] pairs with AddressOfNameOrdinals[i] (export dir +24h),
// which in turn indexes AddressOfFunctions. That ordinal table is never read here, so
// aryNameAddr[i] and aryFunAddr[i] do not in general describe the same export.
store_names:
mov eax, [esi+20h] ; AddressOfNames RVA
add eax, ebx ; rva2va -> eax = AddressOfNames[]
mov eax, [eax+ecx*4-4] ; AddressOfNames[ecx-1] (RVA of the name string, not a function)
add eax, ebx ; rva2va
mov [edx+ecx*4-4],eax ; aryNameAddr[ecx-1] = char*
loop store_names;
}
FILE *fp;
fp=fopen("bbb.txt","w+");
for(int i=0; i
0x04 运行结果(地址均位于 0x7C9xxxxx,是作者当时系统上的值;在启用 ASLR 的系统上每次启动都会不同)。注意:上面的代码把 AddressOfNames[i] 和 AddressOfFunctions[i] 按同一下标配对,没有经过 AddressOfNameOrdinals(导出表偏移 24h),因此下表中 Addr 一列未必是对应名字的真实地址,使用前应拿已知函数(例如 GetProcAddress 的结果)核对:
0000: Addr=0x7C99416B name=CsrAllocateCaptureBuffer
0001: Addr=0x7C9940D3 name=CsrAllocateMessagePointer
0002: Addr=0x7C994031 name=CsrCaptureMessageBuffer
0003: Addr=0x7C958B9C name=CsrCaptureMessageMultiUnicodeStringsInPlace
0004: Addr=0x7C958C08 name=CsrCaptureMessageString
0005: Addr=0x7C94BD36 name=CsrCaptureTimeout
0006: Addr=0x7C94BDB6 name=CsrClientCallServer
0007: Addr=0x7C94BDC6 name=CsrClientConnectToServer
0008: Addr=0x7C94BDA6 name=CsrFreeCaptureBuffer
0009: Addr=0x7C94BD04 name=CsrGetProcessId
0010: Addr=0x7C94BD02 name=CsrIdentifyAlertableThread
0011: Addr=0x7C94BCF5 name=CsrNewThread
0012: Addr=0x7C9651B1 name=CsrProbeForRead
0013: Addr=0x7C965242 name=CsrProbeForWrite
0014: Addr=0x7C9658B7 name=CsrSetPriorityClass
0015: Addr=0x7C945257 name=DbgBreakPoint
0016: Addr=0x7C945044 name=DbgPrint
0017: Addr=0x7C98CF91 name=DbgPrintEx
0018: Addr=0x7C95EBD3 name=DbgPrintReturnControlC
0019: Addr=0x7C9653CD name=DbgPrompt
0020: Addr=0x7C965288 name=DbgQueryDebugFilterState
0021: Addr=0x7C98CF86 name=DbgSetDebugFilterState
0022: Addr=0x7C96FC9A name=DbgUiConnectToDbg
0023: Addr=0x7C95FB19 name=DbgUiContinue
0024: Addr=0x7C98CFFD name=DbgUiConvertStateChangeStructure
0025: Addr=0x7C98CFC4 name=DbgUiDebugActiveProcess
0026: Addr=0x7C98CF79 name=DbgUiGetThreadDebugObject
0027: Addr=0x7C94A3E1 name=DbgUiIssueRemoteBreakin
0028: Addr=0x7C938061 name=DbgUiRemoteBreakin
0029: Addr=0x7C943152 name=DbgUiSetThreadDebugObject
0030: Addr=0x7C99434B name=DbgUiStopDebugging
0031: Addr=0x7C9942E5 name=DbgUiWaitStateChange
0032: Addr=0x7C99432B name=DbgUserBreakPoint
0033: Addr=0x7C99433B name=EtwControlTraceA
0034: Addr=0x7C98D032 name=EtwControlTraceW
0035: Addr=0x7C98D0DA name=EtwCreateTraceInstanceId
0036: Addr=0x7C96FE3E name=EtwEnableTrace
0037: Addr=0x7C98D121 name=EtwEnumerateTraceGuids
0038: Addr=0x7C98D084 name=EtwFlushTraceA
0039: Addr=0x7C96FD6F name=EtwFlushTraceW
0040: Addr=0x7C96FDB4 name=EtwGetTraceEnableFlags
0041: Addr=0x7C98D096 name=EtwGetTraceEnableLevel
0042: Addr=0x7C98D0FF name=EtwGetTraceLoggerHandle
0043: Addr=0x7C98D0B3 name=EtwNotificationRegistrationA
0044: Addr=0x7C94A3E6 name=EtwNotificationRegistrationW
0045: Addr=0x7C9AFC39 name=EtwQueryAllTracesA
0046: Addr=0x7C932C02 name=EtwQueryAllTracesW
0047: Addr=0x7C9B06E4 name=EtwQueryTraceA
0048: Addr=0x7C932F13 name=EtwQueryTraceW
0049: Addr=0x7C9B07A1 name=EtwReceiveNotificationsA
0050: Addr=0x7C9B0970 name=EtwReceiveNotificationsW
0051: Addr=0x7C9B114F name=EtwRegisterTraceGuidsA
0052: Addr=0x7C9325DB name=EtwRegisterTraceGuidsW
0053: Addr=0x7C9325A1 name=EtwStartTraceA
0054: Addr=0x7C93252A name=EtwStartTraceW
0055: Addr=0x7C9B1170 name=EtwStopTraceA
0056: Addr=0x7C9374E2 name=EtwStopTraceW
0057: Addr=0x7C9B10EF name=EtwTraceEvent
0058: Addr=0x7C9B10D1 name=EtwTraceEventInstance
0059: Addr=0x7C9B090D name=EtwTraceMessage
0060: Addr=0x7C932BE1 name=EtwTraceMessageVa
0061: Addr=0x7C9B1198 name=EtwUnregisterTraceGuids
0062: Addr=0x7C936253 name=EtwUpdateTraceA
0063: Addr=0x7C93BFB6 name=EtwUpdateTraceW
0064: Addr=0x7C93CF5D name=EtwpGetTraceBuffer
0065: Addr=0x7C9B09E0 name=EtwpSetHWConfigFunction
0066: Addr=0x7C933011 name=ExpInterlockedPopEntrySListEnd
0067: Addr=0x7C9B092E name=ExpInterlockedPopEntrySListFault
0068: Addr=0x7C9B110D name=ExpInterlockedPopEntrySListResume
0069: Addr=0x7C936DAC name=KiFastSystemCall
0070: Addr=0x7C9B02D1 name=KiFastSystemCallRet
0071: Addr=0x7C96EE51 name=KiIntSystemCall
0072: Addr=0x7C96EDF0 name=KiRaiseUserExceptionDispatcher
0073: Addr=0x7C93A9C7 name=KiUserApcDispatcher
0074: Addr=0x7C9B094F name=KiUserCallbackDispatcher
0075: Addr=0x7C9B112E name=KiUserExceptionDispatcher
0076: Addr=0x7C93377C name=LdrAccessOutOfProcessResource
0077: Addr=0x7C960C81 name=LdrAccessResource
0078: Addr=0x7C9585E8 name=LdrAddRefDll
0079: Addr=0x7C9585EC name=LdrAlternateResourcesEnabled
0080: Addr=0x7C9585F8 name=LdrCreateOutOfProcessImage
0081: Addr=0x7C95859C name=LdrDestroyOutOfProcessImage
0082: Addr=0x7C9584A0 name=LdrDisableThreadCalloutsForDll
0083: Addr=0x7C958508 name=LdrEnumResources
0084: Addr=0x7C958550 name=LdrEnumerateLoadedModules
0085: Addr=0x7C9451C5 name=LdrFindCreateProcessManifest
0086: Addr=0x7C968BFC name=LdrFindEntryForAddress
0087: Addr=0x7C93D525 name=LdrFindResourceDirectory_U
0088: Addr=0x7C964B11 name=LdrFindResourceEx_U
0089: Addr=0x7C96A155 name=LdrFindResource_U
0090: Addr=0x7C96A0A0 name=LdrFlushAlternateResourceModules
0091: Addr=0x7C9674AA name=LdrGetDllHandle
0092: Addr=0x7C99442E name=LdrGetDllHandleEx
0093: Addr=0x7C967807 name=LdrGetProcedureAddress
0094: Addr=0x7C96A27D name=LdrHotPatchRoutine
0095: Addr=0x7C994399 name=LdrInitShimEngineDynamic
0096: Addr=0x7C9689AE name=LdrInitializeThunk
0097: Addr=0x7C9956FA name=LdrLoadAlternateResourceModule
0098: Addr=0x7C968BDB name=LdrLoadDll
0099: Addr=0x7C934F23 name=LdrLockLoaderLock
0100: Addr=0x7C95F28B name=LdrOpenImageFileOptionsKey
0101: Addr=0x7C95F2AC name=LdrProcessRelocationBlock
0102: Addr=0x7C95DA99 name=LdrQueryImageFileExecutionOptions
0103: Addr=0x7C98D286 name=LdrQueryImageFileExecutionOptionsEx
0104: Addr=0x7C98DDEB name=LdrQueryImageFileKeyOption
0105: Addr=0x7C94A32E name=LdrQueryProcessModuleInformation
0106: Addr=0x7C964A8A name=LdrSetAppCompatDllRedirectionCallback
0107: Addr=0x7C963F63 name=LdrSetDllManifestProber
0108: Addr=0x7C95D1D8 name=LdrShutdownProcess
0109: Addr=0x7C9652D8 name=LdrShutdownThread
0110: Addr=0x7C99571C name=LdrUnloadAlternateResourceModule
0111: Addr=0x7C931978 name=LdrUnloadDll
0112: Addr=0x7C93199F name=LdrUnlockLoaderLock
0113: Addr=0x7C96971B name=LdrVerifyImageMatchesChecksum
0114: Addr=0x7C98D571 name=NlsAnsiCodePage
0115: Addr=0x7C98D591 name=NlsMbCodePageTag
0116: Addr=0x7C965AAD name=NlsMbOemCodePageTag
0117: Addr=0x7C960EC1 name=NtAcceptConnectPort
0118: Addr=0x7C949069 name=NtAccessCheck
0119: Addr=0x7C969C03 name=NtAccessCheckAndAuditAlarm
0120: Addr=0x7C96980F name=NtAccessCheckByType
0121: Addr=0x7C95D291 name=NtAccessCheckByTypeAndAuditAlarm
0122: Addr=0x7C931253 name=NtAccessCheckByTypeResultList
0123: Addr=0x7C9B7714 name=NtAccessCheckByTypeResultListAndAuditAlarm
0124: Addr=0x7C9B7720 name=NtAccessCheckByTypeResultListAndAuditAlarmByHandle
0125: Addr=0x7C9B7728 name=NtAddAtom
0126: Addr=0x7C956B6F name=NtAddBootEntry
0127: Addr=0x7C956B7F name=NtAddDriverEntry
0128: Addr=0x7C956B8F name=NtAdjustGroupsToken
0129: Addr=0x7C956B9F name=NtAdjustPrivilegesToken
0130: Addr=0x7C956BAF name=NtAlertResumeThread
0131: Addr=0x7C956BBF name=NtAlertThread
0132: Addr=0x7C956BCF name=NtAllocateLocallyUniqueId
0133: Addr=0x7C956BDF name=NtAllocateUserPhysicalPages
0134: Addr=0x7C956BEF name=NtAllocateUuids
0135: Addr=0x7C956BFF name=NtAllocateVirtualMemory
0136: Addr=0x7C956C0F name=NtApphelpCacheControl
0137: Addr=0x7C956C1F name=NtAreMappedFilesTheSame
0138: Addr=0x7C956C2F name=NtAssignProcessToJobObject
0139: Addr=0x7C956C3F name=NtCallbackReturn
0140: Addr=0x7C956C4F name=NtCancelDeviceWakeupRequest
0141: Addr=0x7C956C5F name=NtCancelIoFile
0142: Addr=0x7C956C6F name=NtCancelTimer
0143: Addr=0x7C956C7F name=NtClearEvent
0144: Addr=0x7C956C8F name=NtClose
0145: Addr=0x7C956C9F name=NtCloseObjectAuditAlarm
0146: Addr=0x7C956CAF name=NtCompactKeys
0147: Addr=0x7C956CBF name=NtCompareTokens
0148: Addr=0x7C956CCF name=NtCompleteConnectPort
0149: Addr=0x7C956CDF name=NtCompressKey
0150: Addr=0x7C956CEF name=NtConnectPort
0151: Addr=0x7C956CFF name=NtContinue
0152: Addr=0x7C956D0F name=NtCreateDebugObject
0153: Addr=0x7C956D1F name=NtCreateDirectoryObject
0154: Addr=0x7C956D2F name=NtCreateEvent
0155: Addr=0x7C956D3F name=NtCreateEventPair
0156: Addr=0x7C956D4F name=NtCreateFile
0157: Addr=0x7C956D5F name=NtCreateIoCompletion
0158: Addr=0x7C956D6F name=NtCreateJobObject
0159: Addr=0x7C956D7F name=NtCreateJobSet
0160: Addr=0x7C956D8F name=NtCreateKey
0161: Addr=0x7C956D9F name=NtCreateKeyedEvent
0162: Addr=0x7C956DAF name=NtCreateMailslotFile
0163: Addr=0x7C956DBF name=NtCreateMutant
0164: Addr=0x7C956DCF name=NtCreateNamedPipeFile
0165: Addr=0x7C956DDF name=NtCreatePagingFile
0166: Addr=0x7C956DEF name=NtCreatePort
0167: Addr=0x7C956DFF name=NtCreateProcess
0168: Addr=0x7C956E0F name=NtCreateProcessEx
0169: Addr=0x7C956E1F name=NtCreateProfile
0170: Addr=0x7C957D7F name=NtCreateSection
0171: Addr=0x7C956E2F name=NtCreateSemaphore
0172: Addr=0x7C956E3F name=NtCreateSymbolicLinkObject
0173: Addr=0x7C956E4F name=NtCreateThread
0174: Addr=0x7C956E5F name=NtCreateTimer
0175: Addr=0x7C956E6F name=NtCreateToken
0176: Addr=0x7C956E7F name=NtCreateWaitablePort
0177: Addr=0x7C956E8F name=NtCurrentTeb
0178: Addr=0x7C956E9F name=NtDebugActiveProcess
0179: Addr=0x7C956EAF name=NtDebugContinue
0180: Addr=0x7C956EBF name=NtDelayExecution
0181: Addr=0x7C956ECF name=NtDeleteAtom
0182: Addr=0x7C956EDF name=NtDeleteBootEntry
0183: Addr=0x7C956EEF name=NtDeleteDriverEntry
0184: Addr=0x7C956EFF name=NtDeleteFile
0185: Addr=0x7C956F0F name=NtDeleteKey
0186: Addr=0x7C94A3F2 name=NtDeleteObjectAuditAlarm
0187: Addr=0x7C956F1F name=NtDeleteValueKey
0188: Addr=0x7C956F2F name=NtDeviceIoControlFile
0189: Addr=0x7C956F3F name=NtDisplayString
0190: Addr=0x7C956F4F name=NtDuplicateObject
0191: Addr=0x7C956F5F name=NtDuplicateToken
0192: Addr=0x7C956F6F name=NtEnumerateBootEntries
0193: Addr=0x7C956F7F name=NtEnumerateDriverEntries
0194: Addr=0x7C956F8F name=NtEnumerateKey
0195: Addr=0x7C956F9F name=NtEnumerateSystemEnvironmentValuesEx
0196: Addr=0x7C956FAF name=NtEnumerateValueKey
0197: Addr=0x7C956FBF name=NtExtendSection
0198: Addr=0x7C956FCF name=NtFilterToken
0199: Addr=0x7C956FDF name=NtFindAtom
0200: Addr=0x7C956FEF name=NtFlushBuffersFile
0201: Addr=0x7C956FFF name=NtFlushInstructionCache
0202: Addr=0x7C95700F name=NtFlushKey
0203: Addr=0x7C95701F name=NtFlushVirtualMemory
0204: Addr=0x7C95702F name=NtFlushWriteBuffer
0205: Addr=0x7C95703F name=NtFreeUserPhysicalPages
0206: Addr=0x7C95704F name=NtFreeVirtualMemory
0207: Addr=0x7C95705F name=NtFsControlFile
0208: Addr=0x7C95706F name=NtGetContextThread
0209: Addr=0x7C95707F name=NtGetCurrentProcessorNumber
0210: Addr=0x7C95708F name=NtGetDevicePowerState
0211: Addr=0x7C95709F name=NtGetPlugPlayEvent
0212: Addr=0x7C9570AF name=NtGetTickCount
0213: Addr=0x7C9570BF name=NtGetWriteWatch
0214: Addr=0x7C9570CF name=NtImpersonateAnonymousToken
0215: Addr=0x7C9570DF name=NtImpersonateClientOfPort
0216: Addr=0x7C9570EF name=NtImpersonateThread
0217: Addr=0x7C9570FF name=NtInitializeRegistry
0218: Addr=0x7C957DCF na