This article describes a C-language implementation, using embedded (inline) assembly, of an in-memory API lookup ("API search engine"), shared for reference. The implementation is as follows:
ApisearchEngine.cpp: Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
//-----------------------------------------------------------------------
// DWORD Getstrlengtha(char *szName)
// Length of a NUL-terminated byte string (same contract as strlen()),
// computed with the x86 string-scan instruction.
// ABI:   __stdcall, 32-bit (MSVC inline asm)
// In:    szName = non-null pointer to a NUL-terminated string
// Out:   eax = number of bytes before the terminator
// Saves: edi, ebx, ecx (explicit push/pop, matching the other routines here)
// Note:  relies on DF being clear on entry, as the ABI guarantees.
//-----------------------------------------------------------------------
DWORD __stdcall Getstrlengtha (char* szName)
{
_asm
{
    push    edi
    push    ebx
    push    ecx
    mov     edi, szName             // edi = scan cursor
    mov     ebx, edi                // ebx = start of string, kept for the subtraction
    xor     eax, eax                // al = 0: the byte scasb compares against
    mov     ecx, -1                 // "unbounded" repeat count
    repne   scasb                   // advance edi until the NUL has been consumed
    dec     edi                     // back up onto the NUL itself
    sub     edi, ebx                // edi = &NUL - start = length
    mov     eax, edi                // return value
    pop     ecx
    pop     ebx
    pop     edi
}
}
//-----------------------------------------------------------------------
// DWORD CALCBUFFERCRC(char *lpbuffer)
// Folds a NUL-terminated string into a 32-bit value by XOR-ing its
// 4-byte little-endian words together.  Despite the name this is NOT
// CRC32: it is a plain XOR checksum, and any trailing 1-3 bytes after
// the last whole dword are ignored, so different names can collide
// (names that differ only in a partial last word hash identically).
// ABI:   __stdcall, 32-bit (MSVC inline asm)
// In:    lpbuffer = non-null NUL-terminated string
// Out:   eax = XOR of the first strlen(lpbuffer)/4 dwords
//        (0 for strings shorter than 4 bytes)
// Calls: Getstrlengtha (defined above); __stdcall, so the callee pops
//        the pushed argument.
// Saves: ebx, edi, ecx, ebp explicitly.  This asm block never writes
//        edx, but callers should not rely on that.
//-----------------------------------------------------------------------
DWORD __stdcall CALCBUFFERCRC (char* lpbuffer)
{
_asm
{
    push    ebx
    push    edi
    push    ecx
    push    ebp
    mov     ebx, lpbuffer           // ebx = read cursor over the string
    push    ebx
    call    Getstrlengtha           // eax = byte length
    mov     edi, eax
    shr     edi, 2                  // edi = number of whole dwords to fold
    xor     ecx, ecx                // ecx = running XOR
    test    edi, edi
    jz      fold_done               // empty / shorter than 4 bytes: result 0
fold_next:
    xor     ecx, dword ptr [ebx]
    add     ebx, 4
    dec     edi
    jnz     fold_next
fold_done:
    mov     eax, ecx                // return value
    pop     ebp
    pop     ecx
    pop     edi
    pop     ebx
}
}
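//-----------------------------------------------------------------------
// DWORD Getprocaddressa(HANDLE hmodule, DWORD DWEXPORTCRC)
// Resolves an export of an already-mapped PE image by the XOR checksum
// (CALCBUFFERCRC) of its name, walking the export directory by hand
// instead of calling GetProcAddress().  Resolving imports by name-hash
// rather than through an import table is a pattern defenders associate
// with shellcode and packers, so code of this shape is routinely flagged
// by static and behavioural scanners.
// ABI:   __stdcall, 32-bit (MSVC inline asm)
// In:    hmodule     = base address of a mapped PE image.  NOT validated:
//                      e_lfanew and the export-directory fields are
//                      trusted as-is, so a bad base faults.
//        DWEXPORTCRC = CALCBUFFERCRC() of the wanted export name
// Out:   eax = absolute address of the export, or 0 when no name matched
// Limits: forwarded exports (RVA pointing back into the export
//        directory) come back as the address of the forwarder string,
//        not code; ordinal-only exports are never found; a checksum
//        collision (CALCBUFFERCRC ignores tail bytes) returns the wrong
//        export.
// Regs:  ebx = image base, edx = name index (walked from last to first),
//        eax = scratch.  ebx, esi saved; edx is saved around the call.
//-----------------------------------------------------------------------
DWORD __stdcall Getprocaddressa (HANDLE hmodule, DWORD DWEXPORTCRC)
{
DWORD dwprocnumber;                                         // IMAGE_EXPORT_DIRECTORY.NumberOfNames
LPVOID pprocaddress, pprocnameaddress, pprocindexaddress;   // RVAs: AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
_asm
{
    push    ebx
    push    esi
    mov     ebx, hmodule                // ebx = image base
    mov     eax, [ebx+0x3c]             // eax = e_lfanew (offset of IMAGE_NT_HEADERS)
    mov     esi, [ebx+eax+0x78]         // esi = export directory RVA (DataDirectory[0].VirtualAddress)
    lea     esi, [ebx+esi+0x18]         // esi -> IMAGE_EXPORT_DIRECTORY.NumberOfNames
    lodsd
    mov     dwprocnumber, eax           // NumberOfNames
    lodsd
    mov     pprocaddress, eax           // AddressOfFunctions RVA
    lodsd
    mov     pprocnameaddress, eax       // AddressOfNames RVA
    lodsd
    mov     pprocindexaddress, eax      // AddressOfNameOrdinals RVA
    mov     edx, dwprocnumber           // edx = names left to examine
Loopbegin:
    xor     eax, eax                    // result if the loop runs out: 0
    dec     edx
    jl      LoopEnd
    mov     eax, pprocnameaddress
    add     eax, ebx                    // eax = &AddressOfNames[0]
    mov     eax, dword ptr [eax+edx*4]  // eax = RVA of name[edx]
    add     eax, ebx                    // eax = name string
    push    edx                         // edx is caller-saved: CALCBUFFERCRC may clobber it
    push    eax
    call    CALCBUFFERCRC               // eax = checksum of name[edx]
    pop     edx
    cmp     eax, DWEXPORTCRC
    jnz     Loopbegin
    // match: RVA = AddressOfFunctions[ AddressOfNameOrdinals[edx] ]
    shl     edx, 1                      // ordinal table entries are WORDs
    add     edx, pprocindexaddress
    movzx   eax, word ptr [edx+ebx]     // eax = index into the function table
    shl     eax, 2                      // function table entries are DWORDs
    add     eax, pprocaddress
    mov     eax, [eax+ebx]              // eax = function RVA
    add     eax, ebx                    // eax = absolute address
LoopEnd:
    pop     esi
    pop     ebx
}
}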
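//-----------------------------------------------------------------------
// DWORD Getkernel32module(void)
// Returns the base address of kernel32.dll by walking the PEB loader
// list (PEB->Ldr->InInitializationOrderModuleList) instead of calling
// GetModuleHandle().  Walking the PEB from user code is a well-known
// shellcode / packer idiom and a common detection signature.
// ABI:   __stdcall, 32-bit (MSVC inline asm), Windows x86 only
// Out:   eax = DllBase of the first list entry whose BaseDllName has a
//        NUL at UTF-16 index 12 (a 12-character name such as
//        "kernel32.dll").
// NOTE(review): the match looks only at character 12 and never at the
//        name itself; for shorter names it reads past the terminator,
//        a different 12-character module earlier in the list is
//        returned instead, and there is no end-of-list check.
// Offsets (undocumented, 32-bit, relative to the list link):
//        PEB+0x0C Ldr; Ldr+0x1C InInitializationOrderModuleList;
//        entry+0x08 DllBase; entry+0x20 BaseDllName.Buffer.
// Saves: ebp (frame pointer), esi, edi explicitly, consistent with the
//        other routines in this file rather than relying on the
//        compiler's own handling of registers used in __asm.
//-----------------------------------------------------------------------
DWORD __stdcall Getkernel32module ()
{
_asm
{
    push    ebp
    push    esi
    push    edi
    xor     ecx, ecx                    // cl = 0 for the terminator compare below
    mov     esi, fs:[0x30]              // esi = PEB
    mov     esi, [esi + 0x0C]           // esi = PEB->Ldr
    mov     esi, [esi + 0x1C]           // esi = first link of InInitializationOrderModuleList
Next_module:
    mov     ebp, [esi + 0x08]           // ebp = entry.DllBase
    mov     edi, [esi + 0x20]           // edi = entry.BaseDllName.Buffer (UTF-16)
    mov     esi, [esi]                  // esi = Flink (next entry)
    cmp     [edi + 12*2], cl            // name[12] == L'\0' ?  (12-character name)
    jne     Next_module                 // no: try the next module
    mov     eax, ebp                    // yes: return its base address
    pop     edi
    pop     esi
    pop     ebp
}
}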
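//-----------------------------------------------------------------------
// Demo driver: locate kernel32.dll through the PEB, then resolve
// LoadLibraryA by the XOR checksum of its name, printing both addresses.
// Returns 0.  Output goes to stdout; waits for a key before exiting so
// a console window stays open.
//-----------------------------------------------------------------------
int main (int argc, char* argv[])
{
printf ("Write by Xiaoju!\n");
printf ("*****************\n");
DWORD dwBaseKernel32 = Getkernel32module ();
printf ("Kernel32 module Address:%08x\n", dwBaseKernel32);
// Checksum computed at run time, printed so it can be compared with the
// literal used below.
DWORD loadlibrarycrc32 = CALCBUFFERCRC ("LoadLibraryA");
printf ("LoadLibraryA's CRC value (statically written to program):%08x\n\n", loadlibrarycrc32);
// 0x577a7461 == "Load" ^ "Libr" ^ "aryA" as little-endian dwords, i.e.
// CALCBUFFERCRC("LoadLibraryA"); kept as a literal to show the
// "precomputed hash" form the article describes.
DWORD dwaddrloadlibrary = Getprocaddressa ((HANDLE) dwBaseKernel32, 0x577a7461);
printf ("Dynamically obtained LoadLibraryA address in the program:%08x\n", dwaddrloadlibrary);
getchar ();     // was GetChar(): no such function in the C runtime
return 0;
}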
I hope this article helps you with your C program design.