1 .386
2 .model flat,stdcall
3 option casemap:none
4
5 include Windows.inc
6 include User32.inc
7 include Kernel32.inc
8 includelib User32.lib
9 includelib Kernel32.lib
10
11 .data
12 hBase dd ?
13 lpszFilePath db 'D:\asm\SpiShow.dll',0
14 Msg db '%08x %08x %s',0
15 .code
16 ;================================================
17 ;函数:映射文件到内存
18 ;返回:文件映射地址
19 ;================================================
20 _OpenFile proc _lpFilePath
21 local @hFile
22 local @Ret
23 local @hMap
24 pushad
25 invoke CreateFile,offset lpszFilePath,GENERIC_READ,\
26 FILE_SHARE_READ,\
27 NULL,OPEN_EXISTING,\
28 FILE_ATTRIBUTE_ARCHIVE,\
29 NULL
30 .if !eax
31 jmp _Ret
32 .endif
33 mov @hFile,eax
34 invoke CreateFileMapping,@hFile,NULL,PAGE_READONLY,\
35 0,0,NULL
36 mov @hMap,eax
37 invoke MapViewOfFile,@hMap,FILE_MAP_READ,0,0,0
38 mov @Ret,eax
39 invoke CloseHandle,@hFile
40 invoke CloseHandle,@hMap
41 _Ret:
42 popad
43 mov eax,@Ret
44 ret
45 _OpenFile endp
46 ;================================================
47 ;函数:虚拟内存地址转换为文件地址
48 ;返回:文件地址
49 ;================================================
50 _RVAToOffset proc _lpFileHead,_dwRVA
51 local @dwReturn
52 pushad
53
54 mov esi,_lpFileHead
55 assume esi:ptr IMAGE_DOS_HEADER ;获取DOS头
56
57 add esi,[esi].e_lfanew
58 assume esi:ptr IMAGE_NT_HEADERS ;获取NT头
59
60 mov edi,_dwRVA
61 mov edx,esi
62 add edx,sizeof IMAGE_NT_HEADERS ;获取到节表
63 assume edx:ptr IMAGE_SECTION_HEADER
64
65 movzx ecx,[esi].FileHeader.NumberOfSections ;获取到节个数
66 .repeat
67
68 mov eax,[edx].VirtualAddress
69 add eax,[edx].SizeOfRawData
70 .if ( edi >=[edx].VirtualAddress ) && (edi < eax)
71 mov eax,[edx].VirtualAddress
72 sub edi,eax
73 mov eax,[edx].PointerToRawData
74 add eax,edi
75 jmp @F
76 .endif
77 add edx,sizeof IMAGE_SECTION_HEADER
78 .untilcxz
79 assume esi: nothing
80 assume edx: nothing
81 mov eax ,-1
82 @@:
83 mov @dwReturn ,eax
84 popad
85 mov eax,@dwReturn
86 ret
87 _RVAToOffset endp
88 ;================================================
89 ;函数:映射文件到内存
90 ;返回:文件映射地址
91 ;================================================
92 _GetExportInfo proc _dwModule
93 local @FuncNumber
94 local @Index
95 local @lpAddressName,@lpAddressNameOrdinals
96 local @szBuf[1024]:byte
97
98 pushad
99 mov esi,_dwModule
100 add esi,[esi+3ch]
101 assume esi: ptr IMAGE_NT_HEADERS
102 mov eax,[esi].OptionalHeader.DataDirectory[0].VirtualAddress
103 invoke _RVAToOffset,_dwModule,eax ;返回Export所在文件地址
104 add eax,_dwModule
105 mov edi,eax
106 assume edi: ptr IMAGE_EXPORT_DIRECTORY
107 invoke _RVAToOffset,_dwModule,[edi].nName
108 add eax,_dwModule
109 mov ecx,eax
110 invoke _RVAToOffset,_dwModule,[edi].AddressOfNames
111 add eax,_dwModule
112 mov @lpAddressName,eax
113 invoke _RVAToOffset,_dwModule,[edi].AddressOfNameOrdinals
114 add eax,_dwModule
115 mov @lpAddressNameOrdinals,eax
116 invoke _RVAToOffset,_dwModule,[edi].AddressOfFunctions
117 add eax,_dwModule
118 mov esi,eax ;esi 导出地址表
119
120 mov ecx,[edi].NumberOfFunctions
121 mov @Index,0
122 @@:
123 pushad
124 mov eax,@Index
125 push edi
126 mov ecx,[edi].NumberOfNames
127 cld
128 mov edi,@lpAddressNameOrdinals
129 repnz scasw
130 .if ZERO?
131 sub edi,@lpAddressNameOrdinals
132 sub edi,2
133 shl edi,1
134 add edi,@lpAddressName
135 invoke _RVAToOffset,_dwModule,dword ptr [edi]
136 add eax,_dwModule
137
138 .else
139 .endif
140 pop edi
141 mov ecx,@Index
142 add ecx,[edi].nBase
143 invoke wsprintf,addr @szBuf,addr Msg,ecx,dword ptr [esi],eax
144 invoke MessageBox,NULL,addr @szBuf,NULL,MB_OK
145 popad
146 add esi,4
147 inc @Index
148 loop @B
149 _Ret:
150 popad
151 ret
152 _GetExportInfo endp
153 start:
154 invoke _OpenFile,offset lpszFilePath
155 mov hBase,eax
156 invoke _GetExportInfo,hBase
157 invoke ExitProcess,NULL
158 end start
159