Created
September 21, 2014 21:45
-
-
Save ocean1/9120fb4c9015a3b8b933 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 00413CAB 5D POP EBP | |
| 00413CAC 81ED 38324000 SUB EBP,video.00403238 | |
| 00413CB2 64:8B1D 30000000 MOV EBX,DWORD PTR FS:[30] ;PEB | |
| 00413CB9 8B5B 0C MOV EBX,DWORD PTR DS:[EBX+C] ;PPEB_LDR_DATA, LoaderData | |
| 00413CBC 8B5B 1C MOV EBX,DWORD PTR DS:[EBX+1C] ;InInitializationOrderModuleList | |
| 00413CBF 8B1B MOV EBX,DWORD PTR DS:[EBX] ;get first loaded dll | |
| 00413CC1 8B5B 08 MOV EBX,DWORD PTR DS:[EBX+8] ;module base | |
| 00413CC4 89DA MOV EDX,EBX | |
| 00413CC6 8995 EB324000 MOV DWORD PTR SS:[EBP+4032EB],EDX | |
| 00413CCC 89D3 MOV EBX,EDX | |
| 00413CCE 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+3C] ;e_lfanew (PE header file address) | |
| 00413CD1 01D7 ADD EDI,EDX ;get PE header RVA | |
| 00413CD3 035F 78 ADD EBX,DWORD PTR DS:[EDI+78] ;image_export_directory | |
| 00413CD6 8B4B 18 MOV ECX,DWORD PTR DS:[EBX+18] ;Number Of Names | |
| 00413CD9 8B73 20 MOV ESI,DWORD PTR DS:[EBX+20] ;Address Of Names | |
| 00413CDC 8B7B 24 MOV EDI,DWORD PTR DS:[EBX+24] ;Address Of Name Ordinals | |
| 00413CDF 01D6 ADD ESI,EDX ;get RVA of Address Of Names | |
| 00413CE1 01D7 ADD EDI,EDX ;get RVA of Address Of Name Ordinals | |
| 00413CE3 FC CLD | |
| 00413CE4 AD LODS DWORD PTR DS:[ESI] ;get the dword in eax | |
| 00413CE5 01D0 ADD EAX,EDX ;get function RVA | |
| 00413CE7 51 PUSH ECX | |
| 00413CE8 57 PUSH EDI | |
| 00413CE9 96 XCHG EAX,ESI | |
| 00413CEA 8DBD DC324000 LEA EDI,DWORD PTR SS:[EBP+4032DC] ;[ebp+4032DC] points to null terminated string "GetProcAddress" | |
| 00413CF0 B9 0F000000 MOV ECX,0F | |
| 00413CF5 F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:> | |
| 00413CF7 96 XCHG EAX,ESI | |
| 00413CF8 5F POP EDI | |
| 00413CF9 59 POP ECX | |
| 00413CFA 74 1A JE SHORT video.00413D16 ;get out of the loop if we have found GetProcAddress | |
| 00413CFC 47 INC EDI | |
| 00413CFD 47 INC EDI ;Get next ordinal | |
| 00413CFE ^E2 E4 LOOPD SHORT video.00413CE4 ;loop until finished functions | |
| 00413D00 64:8B1D 30000000 MOV EBX,DWORD PTR FS:[30] | |
| 00413D07 8B5B 0C MOV EBX,DWORD PTR DS:[EBX+C] | |
| 00413D0A 8B5B 1C MOV EBX,DWORD PTR DS:[EBX+1C] | |
| 00413D0D 8B1B MOV EBX,DWORD PTR DS:[EBX] | |
| 00413D0F 8B5B 08 MOV EBX,DWORD PTR DS:[EBX+8] | |
| 00413D12 89DA MOV EDX,EBX ;First loaded dll should be kernel32.dll otherwise | |
| 00413D14 ^EB AE JMP SHORT video.00413CC4 ;will get into an infinite loop | |
| 00413D16 31C0 XOR EAX,EAX | |
| 00413D18 66:8B07 MOV AX,WORD PTR DS:[EDI] ;get ordinal | |
| 00413D1B C1E0 02 SHL EAX,2 ; << 2 (*2^2), get corrispondent dword | |
| 00413D1E 8B73 1C MOV ESI,DWORD PTR DS:[EBX+1C] ;get Address of Functions from export directory | |
| 00413D21 01D6 ADD ESI,EDX ;get RVA of Address of Functions | |
| 00413D23 01C6 ADD ESI,EAX ;get VA of GetProcAddress | |
| 00413D25 AD LODS DWORD PTR DS:[ESI] ;load in EAX | |
| 00413D26 01D0 ADD EAX,EDX ;get RVA of GetProcAddress | |
| 00413D28 8985 EF324000 MOV DWORD PTR SS:[EBP+4032EF],EAX ;store GetProcAddress address | |
| 00413D2E 61 POPAD ;restore stack | |
| 00413D2F C3 RETN |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment