一个获取已加载模块基址的函数

     前面发的那个函数的改版。

//-----------------------------------------------------------------------
// HANDLE GetLoadedDllHandle(DWORD hash)
// ABI:   __stdcall, x86-32, MSVC inline assembly (naked: no compiler
//        prologue/epilogue, the frame below is ours)
// In:    hash = ror-13 additive hash of a module's base name, uppercased,
//        including the terminating 0 - the same value CalcStringHash()
//        below produces (the two hash loops are the same instruction
//        sequence and must stay in sync)
// Out:   eax = base address of the first module in PEB->Ldr's
//        InMemoryOrder list whose name hashes to `hash`, or 0 when the
//        walk ends without a match
// Clobb: eax, edx, flags; ebx/esi/edi are saved and restored
//        (ebx is pushed but never used in this version)
// Stack: retn 4 removes the single DWORD argument (__stdcall)
//-----------------------------------------------------------------------
HANDLE  __declspec(naked) __stdcall GetLoadedDllHandle(DWORD hash)
{
	__asm
	{
		push ebp
		mov ebp,esp            //frame needed so MSVC can address `hash` as [ebp+8]

		push edi
		push esi
		push ebx

		cld                    //clear the direction flag so lodsw walks forward
		mov edx, fs:[0x30]     //get a pointer to the PEB (TEB+0x30)
		mov edx, [edx + 0x0C]  //get PEB->Ldr
		mov edx, [edx + 0x14]  //get the first module from the InMemoryOrder module list

next_mod:
		//edx = current InMemoryOrderLinks entry; fields are read relative to it
		mov esi, [edx + 0x28]  //get pointer to modules name (unicode string)
		xor eax,eax            //return value is 0 if the walk ends here
		test esi,esi           // if this was the last module, esi is NULL here
		jz _out
		// NOTE(review): end-of-list is detected by a NULL name pointer. Loader
		// lists are circular (the walk comes back to the list head), so this
		// relies on whatever sits at head+0x28 reading as 0; comparing edx
		// against the saved list head would be the explicit check - confirm.

		xor edi, edi           //clear edi which will store the hash of the module name
loop_modname:
		xor eax, eax           //clear eax: upper 16 bits must be 0 before the add below
		lodsw                  //read the next WCHAR (16 bits) of the name into ax
		cmp ax, 0x0061         //'a': some versions of Windows use lower case module names
		jl not_lowercase       //signed compare, kept as in the reference algorithm
		sub ax, 0x20           //if so normalise to uppercase
not_lowercase:
		ror edi, 13            //rotate right our hash value
		add edi, eax           //add the next character of the name to the hash
		test ax,ax             //the terminating 0 is folded into the hash before this exits
		jnz  loop_modname
/*
  Example hashes for this algorithm, as listed by the author (name -> hash):

  zzz.exe 8D93016D
  ntdll.dll DF956BA6
  kernel32.dll 50BB715E
  KERNELBASE.dll B0CE8C74
  user32.dll 1031956F
  GDI32.dll CF313439
  LPK.dll BA2FCA6
  USP10.dll DE29A518
  msvcrt.dll 21AD939E
  IMM32.DLL D83144B9
  MSCTF.dll DEB56383

		*/
		cmp edi, hash          //compare with the caller's hash ([ebp+8]); flags survive the two movs below
		mov eax, [edx + 0x10]  //get this modules base address (mov does not touch flags)
		mov edx, [edx]         //get the next module (Flink)
		jne next_mod           //if it doesn't match, process the next module
_out:
		pop ebx
		pop esi
		pop edi
		pop ebp
		retn 4                 //__stdcall: callee pops the one DWORD argument
	}
}

//-----------------------------------------------------------------------
// DWORD CalcStringHash(WCHAR *str)
// Computes the string hash used by GetLoadedDllHandle() above: the same
// ror-13 additive hash over the uppercased UTF-16 string, including the
// terminating 0, so the two functions must stay in sync.
// ABI:   __stdcall, x86-32, MSVC inline assembly (naked)
// In:    str = pointer to a 0-terminated WCHAR string ([ebp+8])
// Out:   eax = hash value
// Clobb: eax, flags; ebx/esi/edi are saved and restored (ebx is unused)
// Note:  no cld here - relies on DF being clear on entry (the usual Win32
//        ABI state); GetLoadedDllHandle() issues cld explicitly.
//        Labels in an __asm block are scoped to the enclosing function,
//        so reusing loop_modname/not_lowercase here is fine.
//-----------------------------------------------------------------------
DWORD __declspec(naked) __stdcall CalcStringHash(WCHAR *str)
{
	__asm
	{
		push ebp
		mov ebp,esp            //frame so MSVC can address `str` as [ebp+8]
		push edi
		push esi
		push ebx

		mov esi,str            //esi = current read position in the string
		xor edi, edi           //clear edi which will store the hash of the string
loop_modname:
		xor eax, eax           //clear eax: upper 16 bits must be 0 before the add below
		lodsw                  //read the next WCHAR (16 bits) into ax
		cmp ax, 0x0061         //'a': lower case characters are normalised
		jl not_lowercase       //signed compare, kept as in the reference algorithm
		sub ax, 0x20           //if so normalise to uppercase
not_lowercase:
		ror edi, 13            //rotate right our hash value
		add edi, eax           //add the next character to the hash
		test ax,ax             //the terminating 0 is folded into the hash before this exits
		jnz  loop_modname
		mov eax,edi            //return the hash

		pop ebx
		pop esi
		pop edi
		pop ebp
		retn 4                 //__stdcall: callee pops the one DWORD argument
	}
}
