1 .386
2 .model flat,stdcall
3 option casemap:none
4
5 include Windows.inc
6 include User32.inc
7 include Kernel32.inc
8 includelib User32.lib
9 includelib Kernel32.lib
10
11 .data
12 hMainHandle dd ?
13 hFile dd ?
14 nSize dd ?
15 hMap dd ?
16 hMapBase dd ?
17 hReturnAddress dd ?
18 szBuf db 'd:\Asm\FindDataDirectory.exe',0
19 .code
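;-----------------------------------------------------------------------
; _RVAToOffset - translate an RVA into a raw file offset.
;
; ABI:   stdcall (MASM .model flat,stdcall), 32-bit
; In:    _lpFileHead = base of a PE file mapped with its on-disk layout
;        _dwRVA      = relative virtual address to translate
; Out:   eax = file offset of _dwRVA, or -1 when the headers are not
;              MZ/PE or no section's raw data covers the RVA
; Clobb: flags only (pushad/popad preserve every general register)
;
; Every field read here comes from the file and is untrusted.
; NOTE(review): this procedure is not told how large the mapping is, so
; it cannot verify that e_lfanew, the section table or the returned
; offset stay inside the file. Callers must bounds-check the result
; (and compare it with -1) before dereferencing base + offset.
;-----------------------------------------------------------------------
_RVAToOffset proc _lpFileHead,_dwRVA
        local   @dwReturn

        pushad
        mov     @dwReturn,-1                    ; default result: not found

        mov     esi,_lpFileHead
        assume  esi:ptr IMAGE_DOS_HEADER
        cmp     [esi].e_magic,IMAGE_DOS_SIGNATURE
        jne     @Done                           ; not an MZ image

        add     esi,[esi].e_lfanew              ; esi -> NT headers
        assume  esi:ptr IMAGE_NT_HEADERS
        cmp     [esi].Signature,IMAGE_NT_SIGNATURE
        jne     @Done                           ; not a PE image

        ; A section count of zero must not enter the loop: a count-down
        ; loop started at 0 would wrap and walk 2^32 headers.
        movzx   ecx,[esi].FileHeader.NumberOfSections
        test    ecx,ecx
        jz      @Done

        ; The section table starts right after the optional header, whose
        ; real length is FileHeader.SizeOfOptionalHeader, not the size of
        ; the assembler's structure definition.
        movzx   eax,[esi].FileHeader.SizeOfOptionalHeader
        lea     edx,[esi].OptionalHeader
        add     edx,eax                         ; edx -> first section header
        assume  edx:ptr IMAGE_SECTION_HEADER

        mov     edi,_dwRVA

@Next:
        ; Invariant: ecx = headers left to examine (> 0), edx = current one.
        mov     eax,[edx].VirtualAddress
        cmp     edi,eax
        jb      @Skip                           ; RVA lies below this section
        add     eax,[edx].SizeOfRawData         ; eax = end of raw data (exclusive)
        jc      @Skip                           ; end wrapped: cannot contain RVA
        cmp     edi,eax
        jae     @Skip                           ; RVA lies at or past the end

        ; offset = (RVA - VirtualAddress) + PointerToRawData
        sub     edi,[edx].VirtualAddress
        add     edi,[edx].PointerToRawData
        mov     @dwReturn,edi
        jmp     @Done

@Skip:
        add     edx,sizeof IMAGE_SECTION_HEADER
        dec     ecx
        jnz     @Next

@Done:
        assume  esi:nothing
        assume  edx:nothing
        popad
        mov     eax,@dwReturn                   ; popad restored eax; reload result
        ret
_RVAToOffset endp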
58
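;-----------------------------------------------------------------------
; _FindRvaSectionName - find the section header whose raw data covers
; an RVA.
;
; ABI:   stdcall (MASM .model flat,stdcall), 32-bit
; In:    _dwBase = base of a PE file mapped with its on-disk layout
;        _dwRva  = relative virtual address to look up
; Out:   eax = pointer to the matching IMAGE_SECTION_HEADER, or 0 when
;              the headers are not MZ/PE or no section covers the RVA
; Clobb: flags only (pushad/popad preserve every general register)
;
; The section name is the first field of IMAGE_SECTION_HEADER, so the
; returned pointer also addresses the name. That field is 8 bytes and
; is not NUL-terminated when all 8 are used; do not treat it as a C
; string without bounding the length.
;
; NOTE(review): the mapping size is not passed in, so e_lfanew and the
; section table cannot be bounds-checked here; header fields come from
; the file and are untrusted.
;-----------------------------------------------------------------------
_FindRvaSectionName proc _dwBase,_dwRva
        local   @Ret

        pushad
        mov     @Ret,0                          ; default result: not found

        mov     esi,_dwBase
        assume  esi:ptr IMAGE_DOS_HEADER
        cmp     [esi].e_magic,IMAGE_DOS_SIGNATURE
        jne     @Done                           ; not an MZ image

        add     esi,[esi].e_lfanew              ; esi -> NT headers
        assume  esi:ptr IMAGE_NT_HEADERS
        cmp     [esi].Signature,IMAGE_NT_SIGNATURE
        jne     @Done                           ; not a PE image

        ; Zero sections must not enter the loop: a count-down loop
        ; started at 0 would wrap and walk 2^32 headers.
        movzx   ecx,[esi].FileHeader.NumberOfSections
        test    ecx,ecx
        jz      @Done

        ; Locate the section table through SizeOfOptionalHeader rather
        ; than the assembler's structure size.
        movzx   eax,[esi].FileHeader.SizeOfOptionalHeader
        lea     esi,[esi].OptionalHeader
        add     esi,eax                         ; esi -> first section header
        assume  esi:ptr IMAGE_SECTION_HEADER

        mov     edi,_dwRva

@Next:
        ; Invariant: ecx = headers left to examine (> 0), esi = current one.
        mov     eax,[esi].VirtualAddress
        cmp     edi,eax
        jb      @Skip                           ; RVA lies below this section
        add     eax,[esi].SizeOfRawData         ; eax = end of raw data (exclusive)
        jc      @Skip                           ; end wrapped: cannot contain RVA
        cmp     edi,eax
        jae     @Skip                           ; RVA lies at or past the end

        mov     @Ret,esi                        ; found: return this header
        jmp     @Done

@Skip:
        add     esi,sizeof IMAGE_SECTION_HEADER
        dec     ecx
        jnz     @Next

@Done:
        assume  esi:nothing
        popad
        mov     eax,@Ret                        ; popad restored eax; reload result
        ret
_FindRvaSectionName endp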
91
92
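;-----------------------------------------------------------------------
; _GetImportInfo - walk the import directory of a file-mapped PE32 image.
;
; ABI:   stdcall (MASM .model flat,stdcall), 32-bit
; In:    _dwBase = base of the mapped file (on-disk layout, so every RVA
;                  is translated with _RVAToOffset before use)
;        _nSize  = size of the mapping in bytes
; Out:   nothing; the walk only visits each descriptor and its FirstThunk
;        array and currently produces no result
; Clobb: flags only (pushad/popad preserve every general register)
;
; All header fields, RVAs and table contents come from the file and are
; untrusted. Each offset is checked against _nSize before it is read,
; and the walk stops at the first inconsistency instead of following a
; pointer out of the mapping.
;
; NOTE(review): _RVAToOffset reads the section table itself and is not
; given _nSize, so the section table is not covered by these checks.
; The optional header is assumed to be the 32-bit (PE32) layout.
; The section lookup for the first OriginalFirstThunk is not performed
; here because nothing consumed its result.
;
; Registers: ebx = file offset of the current descriptor
;            edx = file offset of the current thunk
;            edi = pointer to the current descriptor
;-----------------------------------------------------------------------
_GetImportInfo proc _dwBase,_nSize
        pushad

        ; The mapping must hold at least one full set of NT headers.
        mov     ecx,_nSize
        sub     ecx,sizeof IMAGE_NT_HEADERS     ; ecx = largest acceptable e_lfanew
        jb      @Ret

        mov     esi,_dwBase
        assume  esi:ptr IMAGE_DOS_HEADER
        cmp     [esi].e_magic,IMAGE_DOS_SIGNATURE
        jne     @Ret

        ; Unsigned compare: a negative e_lfanew is rejected as too large.
        mov     eax,[esi].e_lfanew
        cmp     eax,ecx
        ja      @Ret
        add     esi,eax                         ; esi -> NT headers
        assume  esi:ptr IMAGE_NT_HEADERS
        cmp     [esi].Signature,IMAGE_NT_SIGNATURE
        jne     @Ret

        ; The import entry exists only if the directory has more than
        ; IMAGE_DIRECTORY_ENTRY_IMPORT entries.
        cmp     [esi].OptionalHeader.NumberOfRvaAndSizes,IMAGE_DIRECTORY_ENTRY_IMPORT
        jbe     @Ret

        ; MASM indexes by byte offset, hence entry index * entry size.
        mov     eax,[esi].OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT * sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
        test    eax,eax
        jz      @Ret                            ; image has no import directory

        invoke  _RVAToOffset,_dwBase,eax
        cmp     eax,-1
        je      @Ret                            ; RVA not backed by any section
        mov     ebx,eax                         ; ebx = offset of first descriptor

@NextDesc:
        ; The whole descriptor must lie inside the mapping.
        mov     eax,_nSize
        sub     eax,sizeof IMAGE_IMPORT_DESCRIPTOR
        cmp     ebx,eax
        ja      @Ret

        mov     edi,_dwBase
        add     edi,ebx
        assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR

        ; An all-zero descriptor terminates the table.
        mov     eax,[edi].OriginalFirstThunk
        or      eax,[edi].TimeDateStamp
        or      eax,[edi].ForwarderChain
        or      eax,[edi].Name1
        or      eax,[edi].FirstThunk
        jz      @Ret

        invoke  _RVAToOffset,_dwBase,[edi].FirstThunk
        cmp     eax,-1
        je      @Ret                            ; thunk array not backed by the file
        mov     edx,eax                         ; edx = offset of first thunk

@NextThunk:
        ; Each 4-byte thunk must lie inside the mapping; a missing zero
        ; terminator must not carry the walk past the end of the file.
        mov     eax,_nSize
        sub     eax,4
        cmp     edx,eax
        ja      @Ret
        mov     eax,_dwBase
        cmp     dword ptr [eax+edx],0
        je      @Advance                        ; zero thunk ends this array
        add     edx,4
        jmp     @NextThunk

@Advance:
        add     ebx,sizeof IMAGE_IMPORT_DESCRIPTOR
        jmp     @NextDesc

@Ret:
        assume  esi:nothing
        assume  edi:nothing
        popad
        ret
_GetImportInfo endp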
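;-----------------------------------------------------------------------
; start - program entry point.
;
; Opens the file named by szBuf read-only, maps it into memory with its
; on-disk layout and hands the view to _GetImportInfo. Each API result
; is checked before it is used, so a missing or unmappable file ends
; the program instead of passing a NULL or invalid value onward; the
; view and both handles are released on the way out.
;-----------------------------------------------------------------------
start:
        invoke  CreateFile,offset szBuf,GENERIC_READ,FILE_SHARE_READ,\
                NULL,OPEN_EXISTING,\
                FILE_ATTRIBUTE_NORMAL,NULL
        cmp     eax,INVALID_HANDLE_VALUE
        je      @Exit                           ; file could not be opened
        mov     hFile,eax

        ; With a NULL high-part pointer, -1 is GetFileSize's failure value.
        invoke  GetFileSize,hFile,NULL
        cmp     eax,-1
        je      @CloseFile
        mov     nSize,eax

        invoke  CreateFileMapping,hFile,NULL,PAGE_READONLY,0,0,NULL
        test    eax,eax
        jz      @CloseFile                      ; NULL: mapping object not created
        mov     hMap,eax

        invoke  MapViewOfFile,hMap,FILE_MAP_READ,0,0,0
        test    eax,eax
        jz      @CloseMap                       ; NULL: view not mapped
        mov     hMapBase,eax

        ; nSize bounds every offset the parser derives from the file.
        invoke  _GetImportInfo,hMapBase,nSize

        invoke  UnmapViewOfFile,hMapBase
@CloseMap:
        invoke  CloseHandle,hMap
@CloseFile:
        invoke  CloseHandle,hFile
@Exit:
        invoke  ExitProcess,NULL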