概述
入口函数开始执行时，[esp] 保存的是 kernel32 中那条 call 指令压入的返回地址，即程序入口返回后继续执行的地址（它位于 kernel32 的线程启动代码中，不同系统版本上该代码返回后最终走到 RtlExitUserThread，有些版本是 ExitThread）。
拿到这个地址就拿到了 kernel32 映射区间内的一个值。模块基址按 64 KB 对齐，因此把低 16 位（低 2 个字节）清零即可对齐到 64 KB 边界。
然后从该地址起每次减 64 KB 向下查找，遇到的第一个合法 PE 头（MZ 签名 + PE 签名）就是 kernel32 的基址；查找过程用 SEH 捕获访问未映射页产生的异常后继续向下探测。
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include msvcrt.inc
includelib msvcrt.lib
.data
buffer db 256 dup(0)                    ; wsprintf output; szText expands to far fewer than 256 bytes
kernerl32_module dd 0                   ; kernel32 base returned by searchKernel32_byStack (0 = not found)
.const
szText db 'addr : %08x',0dh,0ah,0       ; format used to report the base address
.code
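; seh_handler - frame-based SEH handler installed by searchKernel32_byStack.
; C-style prototype (MASM "proc C"):
;   EXCEPTION_DISPOSITION seh_handler(EXCEPTION_RECORD *pExceptionRecord,
;                                     void *pSehStack, CONTEXT *pContext,
;                                     void *DispatcherContext)
; pSehStack points at the registration record the caller pushed, laid out as
;   [+0] previous fs:[0], [+4] handler, [+8] resume EIP, [+0Ch] saved EBP.
; For a memory-probe fault (access violation, in-page error, guard page) it
; rewrites the thread context so execution resumes at the saved EIP with EBP
; restored and ESP reset to the registration record, abandoning every frame
; below it (the faulting isPe call). An unwind pass or any other exception is
; passed on with ExceptionContinueSearch rather than silently swallowed, so a
; genuine bug (illegal instruction, breakpoint, ...) is not skipped over.
; Clobbers: eax (return value), flags; other registers restored by popad.
SEH_UNWIND_FLAGS     equ 6              ; EXCEPTION_UNWINDING (2) | EXCEPTION_EXIT_UNWIND (4)
SEH_ACCESS_VIOLATION equ 0C0000005h     ; STATUS_ACCESS_VIOLATION
SEH_IN_PAGE_ERROR    equ 0C0000006h     ; STATUS_IN_PAGE_ERROR
SEH_GUARD_PAGE       equ 080000001h     ; STATUS_GUARD_PAGE_VIOLATION
seh_handler proc C pExceptionRecord, pSehStack, pContext, DispatcherContext
pushad
mov ecx,pExceptionRecord
assume ecx:ptr EXCEPTION_RECORD
; never resume execution while the frame is being unwound
test [ecx].ExceptionFlags,SEH_UNWIND_FLAGS
jnz continue_search
; only faults raised by probing memory belong to this handler
mov eax,[ecx].ExceptionCode
cmp eax,SEH_ACCESS_VIOLATION
je resume
cmp eax,SEH_IN_PAGE_ERROR
je resume
cmp eax,SEH_GUARD_PAGE
jne continue_search
assume ecx:nothing
resume:
mov esi,pContext
mov edx,pSehStack
assume esi:ptr CONTEXT
mov eax,[edx+8]                         ; resume address saved by the registering frame
mov [esi].regEip,eax
mov eax,[edx+0ch]                       ; that frame's ebp
mov [esi].regEbp,eax
mov [esi].regEsp,edx                    ; drop everything below the registration record
assume esi:nothing
popad
mov eax,ExceptionContinueExecution
ret
continue_search:
assume ecx:nothing
popad
mov eax,ExceptionContinueSearch
ret
seh_handler endp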
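; isPe - returns 1 in eax if mem points at a mapped PE image header, else 0.
; Checks the DOS "MZ" signature, then follows e_lfanew to the "PE\0\0" signature.
; e_lfanew is read from the probed memory and is therefore untrusted: a stray
; "MZ" pair with a garbage offset must not steer the NT-header read to an
; arbitrary address, so offsets outside the first page (and negative ones,
; via the unsigned compare) are rejected. A loader-mapped system module keeps
; its NT headers near the start of the image, so this does not affect the
; kernel32 search.
; All registers except eax are preserved. The caller is responsible for
; catching the access violation raised when mem itself is unmapped.
MAX_E_LFANEW equ 1000h                  ; NT headers must start inside the first page
isPe proc mem:dword
local ok:dword
pushad
mov ok,0
mov esi,mem
test esi,esi
jz done
assume esi:ptr IMAGE_DOS_HEADER
.if [esi].e_magic != IMAGE_DOS_SIGNATURE
jmp done
.endif
mov eax,[esi].e_lfanew
assume esi:nothing
.if eax >= MAX_E_LFANEW                 ; unsigned: also rejects negative offsets
jmp done
.endif
add esi,eax
assume esi:ptr IMAGE_NT_HEADERS
.if [esi].Signature != IMAGE_NT_SIGNATURE
jmp done
.endif
assume esi:nothing
mov ok,1
done:
popad
mov eax,ok
ret
isPe endp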
; searchKernel32_byStack - locate the base of the module that contains
; stack_esp_value (intended use: the return address into kernel32 read from
; [esp] at the entry point). Returns the base in eax, or 0 if the scan hit the
; lower bound without finding a PE header.
; Method: round the address down to 64 KB (module bases are 64 KB aligned),
; then step down 64 KB at a time, probing each candidate with isPe. Everything
; between the return address and the module base lies inside the same mapped
; image, so the first MZ/PE pair hit is that base.
; A probe of an unmapped page raises an access violation; seh_handler catches
; it and resumes at page_error with ESP reset to the registration record, so
; the record layout pushed below must stay in sync with seh_handler:
;   [esp+0]   previous fs:[0]
;   [esp+4]   handler address
;   [esp+8]   resume address (page_error)
;   [esp+0Ch] saved ebp (this frame's pointer, needed to reach kernel_addr)
; The call/pop/sub sequence computes the load delta so both addresses are
; right even if the code runs somewhere other than its link-time address.
; NOTE(review): a handler pushed on the stack is only honoured when the image
; is linked without /SAFESEH or the handler is listed via the .SAFESEH
; directive; otherwise the fault terminates the process - confirm the build.
; Clobbers: eax (return value), flags; other registers restored by popad.
searchKernel32_byStack proc stack_esp_value:dword
local kernel_addr : dword
pushad
mov kernel_addr, 0
call @F
@@:
pop ebx                                 ; ebx = runtime address of @@
sub ebx,offset @B                       ; ebx = runtime minus link-time address (load delta)
assume fs:nothing
push ebp                                ; [+0Ch] frame pointer restored by the handler
lea eax,[ebx + offset page_error]
push eax                                ; [+8] where execution resumes after a fault
lea eax,[ebx+offset seh_handler]
push eax                                ; [+4] handler
push fs:[0]                             ; [+0] previous registration
mov fs:[0],esp                          ; install the record
mov edi, stack_esp_value
and edi,0ffff0000h                      ; round down to the 64 KB allocation granularity
.while 1
invoke isPe,edi
.if eax
jmp found
.endif
page_error:                             ; landing point after a fault inside isPe
sub edi,10000h
.break .if edi < 07000000h ;arbitrary lower bound - adjust as needed (kernel32 normally maps far above it)
.endw
jmp done
found:
mov kernel_addr,edi
done:
pop fs:[0]                              ; uninstall the handler
add esp,0ch                             ; discard handler, resume address, saved ebp
popad
mov eax,kernel_addr
ret
searchKernel32_byStack endp
; main - program entry point (see "end main").
; With no locals or parameters MASM emits no prologue, so on entry [esp] still
; holds the return address pushed by the kernel32 code that called the entry
; point. That address is handed to searchKernel32_byStack to recover the
; kernel32 base, which is stored in kernerl32_module, formatted through szText
; into buffer and printed, followed by an empty message box before exiting.
main proc
mov eax,dword ptr [esp]                 ; return address into kernel32
invoke searchKernel32_byStack,eax
mov kernerl32_module,eax
invoke wsprintf,addr buffer,addr szText,eax
invoke crt_printf,addr buffer
invoke MessageBoxA,0,0,0,MB_OK
INVOKE ExitProcess,0
ret                                     ; not reached; ExitProcess does not return
main endp
end main