; qexit.asm
; ######################################## #################################
; Sunwang <sunwangme@hotmail.com>
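.386
.model flat, stdcall
option casemap:none                     ; symbols are case-sensitive: the label
                                        ; below and the END operand must agree

mainentry proto C                       ; int __cdecl mainentry(void), defined in cquit.cpp

.code
;---------------------------------------------------------------------------
; start — executable entry point (no CRT, no import table).
; Hands control straight to the C side. mainentry normally terminates the
; process itself through the ExitProcess it resolves at run time, so the
; call is not expected to return.
;---------------------------------------------------------------------------
start:
        call    mainentry               ; int __cdecl, no arguments, nothing to clean up
        ret                             ; reached only if mainentry could not resolve ExitProcess;
                                        ; returning from the entry point presumably lets the
                                        ; loader's thread-start thunk end the thread (eax = exit code)
end start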
// cquit.cpp
// Beauty, where are you?
// Sunwang <sunwangme@hotmail.com>
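//---------------------------------------------------------------------------
// unsigned int getfunctionbyname(unsigned int imagebase, const char *funcname, int flen)
//
// Resolve a named export by reading the module's export directory directly,
// without GetProcAddress. The image is linked with no import table at all
// (see the link step in makefile.bat), so every API it uses is located this
// way. This is the same lookup every PE loader performs; because it is also
// how position-independent shellcode finds its APIs, the PEB walk in
// mainentry plus this export scan is a well-known pattern in detection rules.
//
// Layout used (PE32 only — the only target of this 32-bit build; PE32+ puts
// the data directory at a different offset):
//   imagebase + 0x3c                 IMAGE_DOS_HEADER.e_lfanew
//   pe + 0x78                        DataDirectory[EXPORT].VirtualAddress
//   ied + 0x18                       NumberOfNames
//   ied + 0x1c                       AddressOfFunctions   (RVAs of code)
//   ied + 0x20                       AddressOfNames       (RVAs of name strings)
//   ied + 0x24                       AddressOfNameOrdinals (WORD index per name)
//
// In:      imagebase  base address of a loaded PE32 module; 0 -> not found
//          funcname   export name, case-sensitive, NUL-terminated
//          flen       strlen(funcname); <= 0 -> not found
// Returns: virtual address of the export, or 0 when imagebase does not start
//          with an MZ/PE header, the module exports nothing, or the name is
//          absent.
// Notes:   - Matches are exact: the export name must end right after flen
//            bytes, so a short name is not satisfied by a longer export that
//            merely starts with it.
//          - The position in the name table is translated through
//            AddressOfNameOrdinals before indexing AddressOfFunctions, as the
//            PE format requires; name position and function slot differ.
//          - Forwarded exports (address RVA pointing back into the export
//            section) are not detected; for such a name the returned value
//            would be the address of the forwarder string, not of code.
// Clobbers (inside __asm): eax, ebx, ecx, edx, esi, edi, flags. Per the MSVC
//          inline-assembler rules none of these need to be preserved by hand.
//---------------------------------------------------------------------------
unsigned int __cdecl getfunctionbyname(unsigned int imagebase, const char *funcname, int flen)
{
    unsigned int ied = 0;           // IMAGE_EXPORT_DIRECTORY*
    unsigned int namearray = 0;     // AddressOfNames table (virtual address)
    unsigned int result = 0;        // resolved address, 0 = not found

    // Reject inputs the assembly below cannot handle: a NULL base would be
    // dereferenced, and flen == 0 would leave `repe cmpsb` comparing nothing
    // and the following branch reading stale flags.
    if (imagebase == 0 || funcname == 0 || flen <= 0)
        return 0;

    __asm
    {
        mov     eax, imagebase
        cmp     word ptr [eax], 0x5A4D          // IMAGE_DOS_HEADER.e_magic == "MZ"
        jne     done
        add     eax, [eax + 0x3c]               // eax = imagebase + e_lfanew -> PE header
        cmp     dword ptr [eax], 0x00004550     // "PE\0\0"
        jne     done                            // imagebase is not a mapped PE image
        mov     eax, [eax + 0x78]               // DataDirectory[EXPORT].VirtualAddress (PE32)
        test    eax, eax
        jz      done                            // module has no export directory
        add     eax, imagebase
        mov     ied, eax
        mov     ecx, [eax + 0x18]               // ecx = NumberOfNames (loop bound)
        test    ecx, ecx
        jz      done
        mov     eax, [eax + 0x20]               // AddressOfNames RVA
        add     eax, imagebase
        mov     namearray, eax
        xor     ebx, ebx                        // ebx = current position in the name table

    findloop:
        // Invariant: ebx = names already rejected, ecx = names still to try (> 0).
        mov     eax, namearray
        mov     eax, [eax + ebx*4]              // RVA of the ebx-th exported name
        add     eax, imagebase
        mov     edi, eax                        // edi = exported name
        mov     esi, funcname                   // esi = wanted name
        mov     edx, ecx                        // keep the loop counter while ecx is the compare length
        mov     ecx, flen
        cld
        repe    cmpsb                           // compare flen bytes; ZF = all equal
        mov     ecx, edx                        // mov leaves ZF untouched
        jne     findnext                        // differs somewhere in the first flen bytes
        cmp     byte ptr [edi], 0               // exact match only: export name must end here
        jne     findnext                        // a longer export that merely starts with funcname

        // Found: name position -> ordinal index -> function RVA -> address.
        mov     eax, ied
        mov     edx, [eax + 0x24]               // AddressOfNameOrdinals RVA
        add     edx, imagebase
        movzx   edx, word ptr [edx + ebx*2]     // zero-based index into AddressOfFunctions
        mov     eax, [eax + 0x1c]               // AddressOfFunctions RVA
        add     eax, imagebase
        mov     eax, [eax + edx*4]              // function RVA
        add     eax, imagebase
        mov     result, eax
        jmp     done

    findnext:
        inc     ebx
        dec     ecx
        jnz     findloop

    done:
    }

    return result;
}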
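//---------------------------------------------------------------------------
// int mainentry(void)
//
// Program body, called from the assembly entry point in qexit.asm. Shows a
// message box and terminates the process, using only APIs resolved at run
// time (the image carries no import table).
//
// Steps:
//   1. Find kernel32.dll's base through the PEB: TEB->PEB (fs:[0x30]),
//      PEB.Ldr (+0x0c), Ldr.InLoadOrderModuleList (+0x0c), then the third
//      module in that list (this .exe, ntdll.dll, kernel32.dll) and its
//      LDR_DATA_TABLE_ENTRY.DllBase (+0x18). That kernel32 is the third
//      entry is a long-observed property of the loader, not a documented
//      contract, so each later step checks that resolution succeeded instead
//      of calling through a possibly-zero pointer.
//   2. Resolve ExitProcess, LoadLibraryA and FreeLibrary from kernel32 with
//      getfunctionbyname (exact, case-sensitive export names).
//   3. LoadLibraryA("USER32"), resolve MessageBoxA, show the box, free the
//      library again.
//   4. ExitProcess(0). This normally does not return.
//
// Returns: 1 only if ExitProcess could not be resolved; the value goes back
//          to the entry stub, which then returns to the loader.
// Calling convention notes: all four APIs are stdcall, so the callee pops
//          the arguments pushed here; the MSVC inline assembler preserves the
//          registers the __asm blocks touch.
//---------------------------------------------------------------------------
int __cdecl mainentry(void)
{
    unsigned int loadlibraryfunc = 0, freelibraryfunc = 0, messageboxfunc = 0, exitprocessfunc = 0;
    unsigned int kernel32imagebase = 0, user32imagebase = 0;
    char title[]   = "& * U (sunwang need beauty % ^ % &*";
    char caption[] = "hack ";
    char user32[]  = "USER32";

    // Step 1: kernel32.dll base address via the PEB loader data.
    __asm
    {
        mov     eax, fs:[0x30]                  // TEB.ProcessEnvironmentBlock (PEB)
        mov     eax, [eax + 0x0c]               // PEB.Ldr
        mov     eax, [eax + 0x0c]               // Ldr.InLoadOrderModuleList.Flink -> this .exe
        mov     eax, [eax]                      // next entry: ntdll.dll
        mov     eax, [eax]                      // next entry: kernel32.dll (assumed load order)
        mov     eax, [eax + 0x18]               // LDR_DATA_TABLE_ENTRY.DllBase
        mov     kernel32imagebase, eax
    }

    // Step 2: export lookups. Names are case-sensitive and exact; note that
    // kernel32 exports FreeLibrary with no A/W suffix.
    exitprocessfunc = getfunctionbyname(kernel32imagebase, "ExitProcess", 11);
    loadlibraryfunc = getfunctionbyname(kernel32imagebase, "LoadLibraryA", 12);
    freelibraryfunc = getfunctionbyname(kernel32imagebase, "FreeLibrary", 11);

    // Step 3: user32 / MessageBoxA, each stage guarded so a failed lookup
    // skips the call instead of jumping to address 0.
    if (loadlibraryfunc != 0)
    {
        __asm
        {
            lea     eax, user32
            push    eax                         // lpLibFileName
            call    dword ptr loadlibraryfunc   // HMODULE LoadLibraryA(LPCSTR)
            mov     user32imagebase, eax
        }
    }

    if (user32imagebase != 0)
    {
        messageboxfunc = getfunctionbyname(user32imagebase, "MessageBoxA", 11);
        if (messageboxfunc != 0)
        {
            __asm
            {
                push    0                       // uType = MB_OK
                lea     eax, caption
                push    eax                     // lpCaption
                lea     eax, title
                push    eax                     // lpText
                push    0                       // hWnd = NULL
                call    dword ptr messageboxfunc // int MessageBoxA(HWND, LPCSTR, LPCSTR, UINT)
            }
        }

        if (freelibraryfunc != 0)
        {
            __asm
            {
                push    user32imagebase         // hLibModule
                call    dword ptr freelibraryfunc // BOOL FreeLibrary(HMODULE)
            }
        }
    }

    // Step 4: terminate. Does not return when the lookup succeeded.
    if (exitprocessfunc != 0)
    {
        __asm
        {
            push    0                           // uExitCode
            call    dword ptr exitprocessfunc   // void ExitProcess(UINT)
        }
    }

    return 1;                                   // only reached without ExitProcess
}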
# makefile.bat
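@echo off
rem Build qexit.exe: assemble the entry stub, compile the C side, link both
rem with no libraries so the image carries no import table.
rem Each step stops the script on failure instead of running the next tool
rem against a missing .obj and reporting a misleading error.
rem Notes:
rem  - The C source listed above is labelled cquit.cpp; the name passed to
rem    cl here must match the file on disk or the compile step fails.
rem  - If this cl inserts stack-cookie checks (/GS, on by default in newer
rem    versions), the link fails with an unresolved __security_cookie because
rem    no CRT is linked; either build with /GS- or link a cookie provider.
rem  - /merge:.rdata=.text folds the read-only strings into the code section
rem    to keep the image tiny; the strings then live in an executable section.
if exist qexit.obj del qexit.obj
if exist qexit.exe del qexit.exe

\masm32\bin\ml /c /coff /nologo qexit.asm
if errorlevel 1 goto done

cl /c /nologo cquit.c
if errorlevel 1 goto done

\masm32\bin\link /subsystem:windows /merge:.rdata=.text qexit.obj cquit.obj

:done
pause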