获取内核地址的最简单方法(0分)

shaoye9604 · 2008-07-22

获取内核地址的最简单方法

获取内核地址的函数，是否很简单。获取内核地址后，该干什么，你自己去想象吧！

function GetKernel32Address: Cardinal;
var
AAA : Integer;
BBB, CCC, DDD, EEE, FFF, GGG : Pointer;
begin
asm
MOV EAX,FS:[18H]
MOV AAA,EAX
end;
BBB := Pointer(Pointer(Integer(AAA) + $30)^);
CCC := Pointer(Pointer(Integer(BBB) + $0C)^);
DDD := Pointer(Pointer(Integer(CCC) + $0C)^);
EEE := Pointer(Pointer(Integer(DDD) + $00)^);
FFF := Pointer(Pointer(Integer(EEE) + $00)^);
GGG := Pointer(Pointer(Integer(FFF) + $18)^);
Result := Integer(GGG);
end;

引自：blog.csdn.net/dbyoung

wr960204 · 2008-07-22

//获得Kernal32.DLL的地址.利用了PEB的结构
function GetK32Addr : Cardinal;
asm
mov eax,fs:$30
mov eax,[eax + $0c]
mov esi,[eax + $1c]
lodsd
mov eax,[eax+$08] //这个时候eax中保存的就是k32的基址了
end;
不是更简单?

白河愁 · 2008-07-22

获得又怎么样，还有CopyOnWrite呢。

wql · 2008-07-23

呵呵!

3cs · 2008-08-10

function GetK32Addr : Cardinal;
var
eax : dword;
begin
asm
MOV EAX,FS:[18H]
MOV AAA,EAX
end;
eax := $30+AAA;
eax := pdword(eax+$0c)^;
eax := pdword(eax+$1c)^;
eax := pdword(eax+$08)^;
result := eax;
end;
这样不行吗？

获取内核地址的最简单方法(0分)

shaoye9604

Unregistered / Unconfirmed

wr960204

Unregistered / Unconfirmed

白河愁

Unregistered / Unconfirmed

wql

Unregistered / Unconfirmed

3cs

Unregistered / Unconfirmed

Similar threads