Get IAT Table


// Runtime import resolver (MSVC 32-bit inline assembly, Intel syntax).
// Walks this image's import directory, resolves each thunk by name through
// LoadLibraryA/GetProcAddress, stores the result into the IAT slot, then jumps
// to a second address. Both absolute constants are placeholders patched before use:
//   0x11111111 -> RVA of the import directory (see the comment at the mov below)
//   0x2222222  -> RVA of the code to continue at once the IAT is filled
// Neither Win32 routine is taken from this image's own IAT: GetProc locates
// LoadLibraryA/GetProcAddress by reading the PEB loader list (fs:[30h]) and
// parsing kernel32's export directory by hand (FindLocalAddr). That PEB/export
// walk with in-line ASCII name constants is the pattern to look for when
// triaging code of this shape.
// Register roles in the main loop: edx = image base (live across every call,
// preserved by pushad/popad), eax = current IMAGE_IMPORT_DESCRIPTOR,
// edi = DLL name, ebx = current IAT slot, esi = current thunk / proc name.
// Layout assumptions (32-bit PE, 32-bit PEB): PEB+08h ImageBaseAddress,
// PEB+0Ch Ldr, Ldr+0Ch InLoadOrderModuleList, LDR_DATA_TABLE_ENTRY+18h DllBase,
// e_lfanew at base+3Ch, export-directory RVA at nt+78h, IMAGE_IMPORT_DESCRIPTOR
// is 14h bytes (Name at +0Ch, FirstThunk at +10h), IMAGE_IMPORT_BY_NAME.Name at +2.
// NOTE(review): the IAT slots written at GetProc must lie in a writable section,
// and the IAT: loop reads FirstThunk entries as still-unresolved name RVAs; if
// the loader has already processed this table, [ebx] holds absolute addresses
// and the +2/+base arithmetic below produces garbage. Confirm against the build.
_asm

{

push ebp;                       // frame for the main loop; torn down at OVER:

mov ebp,esp;

mov edx,fs:[030h];              // edx = PEB (TEB+30h)

mov edx,[edx+08h];              // edx = PEB.ImageBaseAddress

mov eax,0x11111111;//eax->import table  replace with the import directory RVA when used

add eax,edx;                    // eax = VA of the first IMAGE_IMPORT_DESCRIPTOR

IMPORT:                         // per-DLL loop: one descriptor per iteration

cmp [eax],0;                    // OriginalFirstThunk == 0 ends the walk
                                // NOTE(review): operand size is not written out (dword ptr), and only the
                                // first field is tested; a descriptor with OriginalFirstThunk = 0 but
                                // FirstThunk != 0 stops the walk early. Testing FirstThunk ([eax+10h]) as
                                // well matches the all-zero terminator rule.

jz OVER;

mov edi,[eax+0ch];              // descriptor.Name (RVA)

add edi,edx;                    // edi = DLL name string

mov ebx,[eax+10h];              // descriptor.FirstThunk (RVA)

add ebx,edx;//IAT               // ebx = first IAT slot of this DLL

IAT:                            // per-import loop: one thunk per iteration

mov esi,[ebx];                  // esi = thunk value, read from the IAT itself (assumed still an RVA)

cmp esi,0;                      // zero thunk terminates this DLL's list

jz IMPORT2;

add esi,02h;                    // skip IMAGE_IMPORT_BY_NAME.Hint
                                // NOTE(review): a thunk with IMAGE_ORDINAL_FLAG (bit 31) set is not an RVA;
                                // this path assumes every import is by name.

add esi,edx;                    // esi = proc name string

pushad;                         // GetProc/FindLocalAddr clobber ebx/ecx/edx/esi/edi and return with a damaged ebp (see GetProc)

push esi;//ProcName             // three args, caller cleans up below

push edi;//DllName

push ebx;//IAT Addr

call GetProc;

add esp,0ch;

popad;                          // restores edx (image base) and the loop registers

add ebx,4;                      // next IAT slot

jmp IAT;

IMPORT2:

add eax,014h;                   // sizeof(IMAGE_IMPORT_DESCRIPTOR)

jmp IMPORT;

OVER:

mov esp,ebp;

pop ebp;

mov eax,0x2222222;              // placeholder: RVA to continue at (7 hex digits here vs 8 above; both are patched, but check the intended width)

add eax,edx;                    // edx is still the image base

push eax;                       // tail jump to eax via push/ret

ret;

GetProc:                        // void GetProc(DWORD *iatSlot, const char *dllName, const char *procName)
                                // [ebp+08h] = IAT slot, [ebp+0ch] = DLL name, [ebp+10h] = proc name
                                // stores GetProcAddress(LoadLibraryA(dllName), procName) into *iatSlot
                                // clobbers eax, ebx; the FindLocalAddr calls also clobber ecx/edx/esi/edi

push ebp;

mov ebp,esp;

sub esp,0ch;                    // 12-byte buffer for "LoadLibraryA" (12 chars)
                                // NOTE(review): the terminator written below is the 13th byte and lands on
                                // the low byte of the saved ebp at [ebp]; only the caller's popad hides the
                                // damage. `sub esp,010h` keeps the whole string inside this frame.

mov dword ptr [esp],'daoL';     // bytes "Load" (little-endian multi-char constant)

mov dword ptr [esp+04h],'rbiL'; // "Libr"

mov dword ptr [esp+08h],'Ayra'; // "aryA"

mov byte ptr [esp+0ch],0;       // terminator; overwrites the low byte of [ebp], see the note above

push esp;                       // &"LoadLibraryA"

push 0x0000000d;                // byte count incl. terminator (13)

call FindLocalAddr;             // eax = LoadLibraryA; its two args stay on the stack until mov esp,ebp

mov ebx,dword ptr [ebp+0ch];    // dllName

push ebx;

call eax;//DllNameHandle        // eax = LoadLibraryA(dllName); stdcall, callee pops the arg

push eax;                       // save the module handle (read back at [esp+01ch] below)

sub esp,010h;                   // 16-byte buffer for "GetProcAddress" (14 chars)

mov dword ptr [esp],'PteG';     // "GetP"

mov dword ptr [esp+04h],'Acor'; // "rocA"

mov dword ptr [esp+08h],'erdd'; // "ddre"

mov dword ptr [esp+0ch],'ss';   // "ss\0\0": the dword store already zeroes bytes 0Eh and 0Fh

mov byte ptr [esp+0eh],0;       // redundant with the dword store above; harmless

push esp;                       // &"GetProcAddress"

push 0x0000000f;                // byte count incl. terminator (15)

call FindLocalAddr;             // eax = GetProcAddress; args again left on the stack

mov ebx,dword ptr [ebp+010h];   // procName

push ebx;

mov ebx,dword ptr [esp+01ch];   // module handle: 4 (procName) + 8 (FindLocalAddr args) + 16 (buffer) above esp
                                // the offset depends on the exact push count above; recheck if that changes

push ebx;

call eax;                       // eax = GetProcAddress(hModule, procName); stdcall

mov ebx,dword ptr[ebp+08h];     // iatSlot

mov [ebx],eax;                  // *iatSlot = resolved address

mov esp,ebp;                    // drops both buffers and the un-popped FindLocalAddr args

pop ebp;

ret;

FindLocalAddr:                  // DWORD FindLocalAddr(DWORD len, const char *name)
                                // [ebp+08h] = len (incl. terminator), [ebp+0ch] = name
                                // returns eax = address of the kernel32 export called `name`
                                // clobbers ebx (kernel32 base), ecx, edx, esi, edi, flags

push ebp;

mov ebp,esp;

mov eax,fs:[30h];               // PEB

mov eax,[eax+0ch];              // PEB.Ldr

mov eax,[eax+0ch];              // Ldr.InLoadOrderModuleList.Flink -> 1st entry (this exe)

mov eax,[eax];                  // 2nd entry

mov eax,[eax];                  // 3rd entry, assumed to be kernel32 (exe, ntdll, kernel32 load order); TODO confirm on the target OS

mov ebx,[eax+18h];              // ebx = entry.DllBase, kept as the module base for the rest of the routine

mov eax,dword ptr [ebx+3ch];    // e_lfanew

mov eax,dword ptr [eax+ebx+78h];// export directory RVA (DataDirectory[0] of the 32-bit optional header)

push eax;                       // keep the export-dir RVA; consumed at L2 and read again via pop edx

mov eax,dword ptr [eax+ebx+20h];// AddressOfNames RVA

xor edx,edx;                    // edx = name index

L1:mov edi,[eax+ebx];           // name RVA
                                // NOTE(review): no bound against NumberOfNames; a name that is not exported
                                // walks off the end of the table.

add edi,ebx;                    // edi = exported name string

mov esi,dword ptr[ebp+0ch];     // esi = wanted name

mov ecx,dword ptr [ebp+08h];    // ecx = byte count incl. terminator, so the match is exact

repe cmpsb;                     // ZF=1 only if all ecx bytes are equal

jz  L2;

add eax,4h;                     // next name RVA

inc edx;

jmp L1;

L2:   pop eax;                  // eax = export directory RVA

sub esp,04h;                    // re-reserve the slot so the same RVA is still at [esp] for the pop edx below

mov eax,[eax+ebx+24h];          // AddressOfNameOrdinals RVA

mov ecx,edx;                    // index

L3:add eax,02h;                 // eax += 2*index (WORD entries)
                                // NOTE(review): `loop` with ecx = 0 runs 2^32 times; `lea eax,[eax+edx*2]`
                                // covers index 0 and needs no loop.

loop L3;

add eax,ebx;                    // &NameOrdinals[index]

mov ax,WORD PTR [eax];          // ax = ordinal; the upper 16 bits of eax still hold the address

pop edx;                        // edx = export directory RVA (left in the slot above)

mov edx,[edx+ebx+01ch];         // AddressOfFunctions RVA

imul ax,4;                      // ax = ordinal*4
                                // NOTE(review): the 16-bit multiply truncates for ordinals >= 4000h and the
                                // partial-register write costs a merge; `movzx eax,word ptr [eax]` followed
                                // by `shl eax,2` does both steps exactly.

and eax,0ffffh;                 // discard the stale upper half of eax

add edx,eax;                    // &AddressOfFunctions[ordinal] (RVA)

mov eax,[edx+ebx];              // function RVA; a forwarder entry would be returned unresolved

add eax,ebx;                    // eax = function VA

mov esp,ebp;

pop ebp;

ret;                            // caller leaves the two args on the stack

}
