// apisearchEngine.cpp : Defines the entry point for the console application. 
// 
 
#include "stdafx.h" 
#include <Windows.h> 
 
 DWORD __stdcall GetStrLengthA(char* szName) 
{ 
    _asm 
    { 
        push edi 
        push ebx 
        mov eax,  szName 
        mov edi, eax 
        mov ebx, eax 
        xor al, al 
 
lstrscan: 
        scas byte ptr [edi]          //字符掃描法檢查字符串指針長(zhǎng)度  
        jnz lstrscan 
        dec edi 
        sub edi, ebx 
        mov eax, edi 
        pop ebx 
        pop edi 
         
    } 
} 
 
 DWORD __stdcall CalcBufferCRC(char* lpBuffer) 
{ 
    _asm 
    { 
        push ebx 
        push edi 
        push ecx 
        push ebp 
        mov ebx, lpBuffer 
        push ebx 
        call GetStrLengthA 
        mov edi, eax 
        shr edi, 2 
        xor ecx, ecx 
loopBegin: 
        dec edi 
        jl loopOver 
        xor ecx, dword ptr [ebx] 
        add ebx, 4 
        jmp loopBegin 
loopOver: 
        mov eax, ecx 
        pop ebp 
        pop ecx 
        pop edi 
        pop ebx 
    } 
} 
 
DWORD __stdcall GetProcAddressA(HANDLE hModule, DWORD dwExportCRC) 
{ 
    //DWORD lpProcNameCRC = ; 
    DWORD dwProcNumber; 
    LPVOID pProcAddress, pProcNameAddress, pProcIndexAddress; 
    _asm 
    { 
        push ebx 
        push esi 
         
        mov eax, hModule 
        mov edx,dwExportCRC      // edx=函數(shù)名CRC32 
        mov ebx, eax                // ebx=基址 
        mov eax, [ebx+0x3c]          // eax=文件頭偏移 
        mov esi, [ebx+eax+0x78]      // esi=輸出表偏移,文件頭+可選頭的長(zhǎng)度=$78 
        lea esi, [ebx+esi+0x18]      // esi=函數(shù)名數(shù)量 = 函數(shù)數(shù)量 [ebx+esi+$14] 
        lods dword ptr ds:[esi] 
        mov dwProcNumber, eax       // eax=函數(shù)名數(shù)量 
        lods dword ptr ds:[esi] 
        mov pProcAddress, eax       // eax=函數(shù)偏移量 
        lods dword ptr ds:[esi] 
        mov pProcNameAddress, eax   // eax=函數(shù)名偏移量 
        lods dword ptr ds:[esi] 
        mov pProcIndexAddress, eax  // eax=序列號(hào)偏移量 
        mov edx, dwProcNumber       // edx=遍歷次數(shù) 
LoopBegin: 
        xor eax, eax                // Result = 0 
        dec edx 
        jl LoopEnd 
        mov eax, pProcNameAddress 
        add eax, ebx                // eax=函數(shù)名基地址 
        mov eax, dword ptr ds:[eax+edx*4] 
        add eax, ebx                // eax=遍歷函數(shù)名 
        push eax 
        call CalcBufferCRC 
        cmp eax, dwExportCRC      // 對(duì)比CRC32 
        jnz LoopBegin 
        shl edx, 1 
        add edx, pProcIndexAddress  // 函數(shù)基序列 
        movzx eax, word ptr ss:[edx+ebx] 
        shl eax, 2 
        add eax, pProcAddress       // 函數(shù)基地址 
        mov eax, [eax+ebx] 
        add eax, ebx                // Result = 函數(shù)地址 
LoopEnd: 
        pop esi 
        pop ebx 
         
    } 
} 

DWORD __stdcall GetKernel32Module() 
{ 
    _asm 
    { 
        PUSH    EBP 
        XOR     ECX, ECX 
        //MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
        MOV     ESI, FS:[0X30] 
        MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr     
        MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:     
        MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address     
        MOV     EDI, [ESI + 0x20]           ; EBP = InInitOrder[X].module_name (unicode)    
        MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)     
        CMP     [EDI + 12*2], CL            ; modulename[12] == 0 ?     
        JNE     next_module                 ; No: try next module. 
        MOV     EAX, EBP 
        POP     EBP 
    } 
} 
int main(int argc, char* argv[]) 
{ 
    printf("write by xiaoju !\n"); 
    printf("*****************\n"); 
    DWORD dwBaseKernel32 = GetKernel32Module(); 
    printf("Kernel32的模塊地址:%08x\n",dwBaseKernel32); 
 
    DWORD LoadLibraryCRC32= CalcBufferCRC("LoadLibraryA") ; 
    printf("LoadLibraryA的CRC值(靜態(tài)寫(xiě)到程序中):%08x\n\n", LoadLibraryCRC32); 
     
    DWORD dwAddrLoadLibrary = GetProcAddressA((HANDLE)dwBaseKernel32, 0x577a7461);  
    printf("在程序中動(dòng)態(tài)得到的LoadLibraryA的地址:%08x\n", dwAddrLoadLibrary); 
    getchar(); 
    return 0; 
}