
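/*
 * Look up an export by name in a PE32+ (64-bit) image and return its address.
 *
 * ImageBase must point at an image that is already mapped into memory, so that
 * every RVA can be used as a plain offset from ImageBase. A raw file buffer is
 * not supported because no RVA-to-file-offset translation is done here.
 *
 * Every value read from the headers and the export directory is treated as
 * untrusted: signatures are checked, and each RVA and index is bounds-checked
 * against SizeOfImage or the relevant table length before it is dereferenced.
 *
 * Returns the address of the export, or NULL when:
 *   - ImageBase or ApiName is NULL,
 *   - the DOS / NT / PE32+ signatures do not match,
 *   - the image has no (or a malformed) export directory,
 *   - the name is not exported,
 *   - the export is a forwarder (its RVA points back into the export
 *     directory at a "module.function" string, not at code).
 */
PVOID MyGetProcAddress(PVOID ImageBase, LPCSTR ApiName)
{
	if (ImageBase == NULL || ApiName == NULL)
		return NULL;

	ULONG64 ImageAddr = (ULONG64)ImageBase;

	/* Parse the headers once instead of re-deriving them for every field. */
	PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
	if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE || DosHeader->e_lfanew <= 0)
		return NULL;

	PIMAGE_NT_HEADERS64 NtHeaders = (PIMAGE_NT_HEADERS64)(ImageAddr + (ULONG64)DosHeader->e_lfanew);
	if (NtHeaders->Signature != IMAGE_NT_SIGNATURE ||
		NtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
		return NULL;

	/* The export entry is only meaningful if the data directory array contains it. */
	if (NtHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
		return NULL;

	DWORD SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage;
	DWORD ExportRva = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	DWORD ExportSize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

	/* No export directory, or one that does not fit inside the mapped image. */
	if (ExportRva == 0 || ExportSize < sizeof(IMAGE_EXPORT_DIRECTORY) ||
		ExportRva >= SizeOfImage || ExportSize > SizeOfImage - ExportRva)
		return NULL;

	PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(ImageAddr + ExportRva);
	DWORD NumberOfFunctions = ExportDirectory->NumberOfFunctions;
	DWORD NumberOfNames = ExportDirectory->NumberOfNames;

	/* All three parallel tables must lie entirely inside the image (64-bit math avoids wrap-around). */
	if ((ULONG64)ExportDirectory->AddressOfNames + (ULONG64)NumberOfNames * sizeof(DWORD) > SizeOfImage ||
		(ULONG64)ExportDirectory->AddressOfNameOrdinals + (ULONG64)NumberOfNames * sizeof(WORD) > SizeOfImage ||
		(ULONG64)ExportDirectory->AddressOfFunctions + (ULONG64)NumberOfFunctions * sizeof(DWORD) > SizeOfImage)
		return NULL;

	PDWORD NameRvas = (PDWORD)(ImageAddr + ExportDirectory->AddressOfNames);
	PWORD NameOrdinals = (PWORD)(ImageAddr + ExportDirectory->AddressOfNameOrdinals);
	PDWORD FunctionRvas = (PDWORD)(ImageAddr + ExportDirectory->AddressOfFunctions);

	for (DWORD I = 0; I < NumberOfNames; I++)
	{
		DWORD NameRva = NameRvas[I];
		/* Skip name entries that point outside the image. */
		/* NOTE(review): strcmp still relies on the name being NUL-terminated inside the image. */
		if (NameRva >= SizeOfImage)
			continue;

		if (strcmp((LPCSTR)(ImageAddr + NameRva), ApiName) != 0)
			continue;

		/*
		 * The name-ordinal table holds a zero-based index into the function
		 * table, so the directory's ordinal Base is not added here; Base is
		 * only needed when reporting the export's ordinal number.
		 */
		WORD FunctionIndex = NameOrdinals[I];
		if (FunctionIndex >= NumberOfFunctions)
			return NULL;

		/* Each function-table entry is a 32-bit RVA; read exactly a DWORD. */
		DWORD FunctionRva = FunctionRvas[FunctionIndex];
		if (FunctionRva == 0 || FunctionRva >= SizeOfImage)
			return NULL;

		/* An RVA inside the export directory is a forwarder string, not code. */
		if (FunctionRva >= ExportRva && FunctionRva - ExportRva < ExportSize)
			return NULL;

		return (PVOID)(ImageAddr + FunctionRva);
	}

	/* Name not found: return explicitly instead of falling off the end. */
	return NULL;
}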
