Read from [esp] the return address pushed by the call instruction in kernel32, i.e. the address the application returns to
(the code there goes on to RtlExitUserThread, or on some systems ExitThread).
Having that address gives a value inside kernel32's address space. Module bases are 64 KB aligned, so clear the low two bytes to align it.
Then step downward 64 KB at a time, checking each candidate.
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include msvcrt.inc
includelib msvcrt.lib

.data
buffer db 256 dup(0)
kernel32_module dd 0

.const
szText db 'addr : %08x',0dh,0ah,0

.code
; SEH handler: when isPe touches an unmapped page, resume execution at the
; page_error label with the saved ebp/esp instead of crashing.
seh_handler proc C pExceptionRecord, pSehStack, pContext, DispatcherContext
    pushad
    assume esi:ptr CONTEXT
    mov esi,pContext
    mov edx,pSehStack            ; edx -> our registration record on the stack
    push [edx+8]                 ; saved resume address (page_error)
    pop [esi].regEip
    push [edx+0ch]               ; saved ebp
    pop [esi].regEbp
    push edx                     ; esp goes back to the registration record
    pop [esi].regEsp
    assume esi:nothing
    popad
    mov eax,ExceptionContinueExecution
    ret
seh_handler endp

; Returns 1 in eax if mem points at an MZ header whose e_lfanew leads to a
; PE signature, otherwise 0.
isPe proc mem:dword
    local ok:dword
    pushad
    mov ok,0
    mov esi,mem
    .if esi == 0
        jmp done
    .endif
    assume esi:ptr IMAGE_DOS_HEADER
    .if [esi].e_magic != IMAGE_DOS_SIGNATURE
        jmp done
    .endif
    add esi,[esi].e_lfanew
    assume esi:ptr IMAGE_NT_HEADERS
    .if [esi].Signature != IMAGE_NT_SIGNATURE
        jmp done
    .endif
    mov ok,1
done:
    popad
    mov eax,ok
    ret
isPe endp

; Takes the value found at [esp] (a return address inside kernel32), aligns it
; down to 64 KB and walks downward one 64 KB step at a time until isPe succeeds.
; Returns the module base in eax, or 0 if the lower bound is reached.
searchKernel32_byStack proc stack_esp_value:dword
    local kernel_addr : dword
    pushad
    mov kernel_addr, 0
    call @F                      ; position-independent: ebx = delta
@@:
    pop ebx
    sub ebx,offset @B
    assume fs:nothing
    push ebp                     ; [edx+0ch] in the handler
    lea eax,[ebx + offset page_error]
    push eax                     ; [edx+8]  in the handler
    lea eax,[ebx+offset seh_handler]
    push eax                     ; handler address
    push fs:[0]                  ; previous registration
    mov fs:[0],esp
    mov edi, stack_esp_value
    and edi,0ffff0000h           ; align down to 64 KB
    .while 1
        invoke isPe,edi
        .if eax
            jmp found
        .endif
page_error:                      ; also the resume point after a page fault
        sub edi,10000h
        .break .if edi < 07000000h ; lower bound, adjust as needed
    .endw
    jmp done
found:
    mov kernel_addr,edi
done:
    pop fs:[0]                   ; unlink the SEH frame
    add esp,0ch                  ; drop the three saved dwords
    popad
    mov eax,kernel_addr
    ret
searchKernel32_byStack endp

main proc
    invoke searchKernel32_byStack,[esp]
    mov kernel32_module, eax
    invoke wsprintf , addr buffer , addr szText,eax
    invoke crt_printf,addr buffer
done:
    invoke MessageBoxA,0,0,0,MB_OK
    INVOKE ExitProcess,0
    ret
main endp
end main
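The two checks the listing relies on (64 KB alignment, then the MZ/PE signature test at each candidate) are shown again below in portable C so they can be exercised on constructed buffers, for instance when recovering module bases from a memory dump through a read callback. This is an added example, not code from the original post: the fake address space, the values FAKE_BASE and FAKE_RET, and the page-reader callback are all constructed for the illustration. Unlike the post's isPe, which needs an SEH handler to survive unmapped pages, this version bounds-checks every access, so an e_lfanew pointing outside the buffer is rejected instead of dereferenced.

```c
/* Added example (not from the original post): PE header check and the
 * downward 64 KB walk, written against a read callback so it runs on
 * constructed memory here. Only the header fields the check needs are read. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" as little-endian uint16 */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" as little-endian uint32 */
#define MODULE_ALIGN        0x10000u     /* 64 KB allocation granularity */

/* The post's "and edi,0ffff0000h": clear the low two bytes of the address. */
static uint32_t align_down_64k(uint32_t addr) {
    return addr & ~(MODULE_ALIGN - 1);
}

/* Return 1 if [mem, mem+len) starts with an MZ header whose e_lfanew points at
 * an NT signature inside the buffer. Every read is bounds-checked. */
static int is_pe_header(const uint8_t *mem, size_t len) {
    uint16_t e_magic;
    uint32_t e_lfanew, nt_sig;
    if (mem == NULL || len < 0x40)              /* DOS header is 64 bytes */
        return 0;
    memcpy(&e_magic, mem, sizeof e_magic);
    if (e_magic != IMAGE_DOS_SIGNATURE)
        return 0;
    memcpy(&e_lfanew, mem + 0x3C, sizeof e_lfanew); /* e_lfanew lives at 0x3C */
    if (e_lfanew > len - sizeof nt_sig)         /* signature must be inside */
        return 0;
    memcpy(&nt_sig, mem + e_lfanew, sizeof nt_sig);
    return nt_sig == IMAGE_NT_SIGNATURE;
}

/* Abstracts "is this 64 KB region readable, and what does it hold?". Returns
 * NULL for an unmapped region (the case the post handles with SEH). */
typedef const uint8_t *(*page_reader_t)(uint32_t base, size_t *len, void *ctx);

/* Walk downward from start in 64 KB steps; return the first base whose page
 * carries a PE header, or 0 once lower_bound is passed. */
static uint32_t find_module_base(uint32_t start, uint32_t lower_bound,
                                 page_reader_t read_page, void *ctx) {
    uint32_t cand = align_down_64k(start);
    while (cand >= lower_bound) {
        size_t len = 0;
        const uint8_t *p = read_page(cand, &len, ctx);
        if (p != NULL && is_pe_header(p, len))
            return cand;
        if (cand < MODULE_ALIGN)                /* do not wrap below zero */
            break;
        cand -= MODULE_ALIGN;
    }
    return 0;
}

/* Constructed sample address space (invented values): one fake module at
 * FAKE_BASE spanning two 64 KB regions, and a return address FAKE_RET that
 * lies inside its second region, like a kernel32 return address on the stack. */
#define FAKE_BASE 0x7C800000u
#define FAKE_RET  0x7C817E8Au

typedef struct { uint32_t base; uint8_t image[0x200]; } fake_space_t;

static void build_fake_space(fake_space_t *s) {
    uint32_t lfanew = 0x80;
    memset(s, 0, sizeof *s);
    s->base = FAKE_BASE;
    s->image[0] = 'M';
    s->image[1] = 'Z';
    memcpy(s->image + 0x3C, &lfanew, sizeof lfanew);
    memcpy(s->image + lfanew, "PE\0\0", 4);
}

/* Page reader over the fake space: the first region holds the header, the
 * second returns module body bytes with no MZ stub, everything else is unmapped. */
static const uint8_t *fake_reader(uint32_t base, size_t *len, void *ctx) {
    const fake_space_t *s = ctx;
    if (base == s->base) { *len = sizeof s->image; return s->image; }
    if (base > s->base && base < s->base + 2 * MODULE_ALIGN) {
        *len = 0x40;
        return s->image + 0x80;                 /* starts with "PE", not "MZ" */
    }
    return NULL;
}

/* Run the walk from the fake return address; expected result is FAKE_BASE. */
static uint32_t demo(void) {
    fake_space_t space;
    build_fake_space(&space);
    return find_module_base(FAKE_RET, 0x70000000u, fake_reader, &space);
}

/* An MZ header whose e_lfanew points past the buffer must be rejected, not read. */
static int demo_bad_lfanew(void) {
    uint8_t bad[0x40] = { 'M', 'Z' };
    uint32_t off = 0x10000;
    memcpy(bad + 0x3C, &off, sizeof off);
    return is_pe_header(bad, sizeof bad);
}

int main(void) {
    printf("module base : %08x\n", demo());
    return 0;
}
```

The read callback is the only piece that changes between this offline run and a real memory image: a forensic tool would implement it by reading the dump at the given offset and returning NULL for regions the dump does not contain.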
Finally
That is all of the material on finding the kernel32.dll base address via the stack that 秀丽路人 has recently collected and organized; for more on finding kernel32.dll, search the other articles on 靠谱客.
This content was contributed by readers for study and reference, or collected and organized from the web; copyright remains with the original author.