📄 loaderheader.asm
; Author: Brandon LaCombe
; Date: February 3, 2006
; License: Public Domain
; MASM, 32-bit x86: flat memory model with stdcall as the default calling convention.
.386
.model flat, stdcall
; Keep identifiers case sensitive so names match the include files exactly.
option casemap:none
include windows.inc
; Expected to declare LOADER_STRUCT, whose fields the loader header below reads and patches.
include LoaderStructs.inc
; 0E9h is the opcode byte of the x86 near jump with a 32-bit relative displacement (JMP rel32).
JUMP_OPCODE equ 0E9h
.code
;-----------------------------------------------------------------------
; ExportLoaderHeader - hand the loader header bytes to the caller.
; ABI:   stdcall, one dword argument
; In:    pdwLoaderHeaderSize = optional pointer to a dword; may be NULL
; Out:   eax = address of loader_header_start
;        [pdwLoaderHeaderSize] = size of the header in bytes
;        (loader_header_end - loader_header_start), written only when
;        the pointer is non-NULL
; Clobb: eax, flags
;-----------------------------------------------------------------------
ExportLoaderHeader proc pdwLoaderHeaderSize:dword
    mov     eax, pdwLoaderHeaderSize
    test    eax, eax                    ; NULL means the caller does not want the size
    jz      size_not_requested
    mov     dword ptr[eax], loader_header_end - loader_header_start
size_not_requested:
    mov     eax, loader_header_start    ; return value: start of the header bytes
    ret
ExportLoaderHeader endp
; Loader header: the byte range loader_header_start..loader_header_end that
; ExportLoaderHeader exposes to its caller. The code is position independent:
; it finds its own run-time address with a call/pop pair and derives every
; other pointer from that.
; Our goals here are to:
; - backup all registers
; - calculate a pointer to the loader struct and store in EBX
; - calculate the base of the image
; - convert all loader struct rvas to vas
; - store kernel iat pointer in EBP
; - rewrite the entry point to jump to the original entry point
; Register state when control leaves this range:
;   ebx = loader struct pointer, edx = image base, ebp = last converted va,
;   esi = address that received the jump, eax = dwOepDelta, ecx = 0.
; assumes the direction flag is clear on entry (lodsd must advance esi) - TODO confirm
loader_header_start:
; calculate loader struct pointer
pushad ; backup all registers; there is no matching popad inside this range
call ni ; push next instruction address
ni: pop ebx ; ebx = run-time address of ni
; The arithmetic below places the LOADER_STRUCT immediately before
; loader_header_start in memory: ebx = loader_header_start - sizeof(LOADER_STRUCT).
lea ebx, [ebx - ((ni - loader_header_start) + sizeof(LOADER_STRUCT))] ; ebx = loader struct pointer
; convert loader struct rvas to vas
; NOTE(review): the add targets dwNegatedLoaderRva while the next line reads
; dwImageBase; presumably both names refer to the same storage in
; LoaderStructs.inc - confirm.
add (LOADER_STRUCT ptr[ebx]).dwNegatedLoaderRva, ebx ; calculate dwImageBase
mov edx, (LOADER_STRUCT ptr[ebx]).dwImageBase ; edx = image base
lea esi, (LOADER_STRUCT ptr[ebx]).pUnpack ; esi = pointer to rvas in loader struct
; NOTE(review): the count loaded here is 8, but the original comment on this
; line said "7 rvas" - confirm the number of rva fields against LOADER_STRUCT.
push 8 ; number of dwords to convert, starting at pUnpack
pop ecx ; ecx = number of rvas
@@: add [esi], edx ; convert current rva to va (in place)
lodsd ; eax = the va just written, esi advances to the next dword
dec ecx ; decrease counter
jnz @B ; loop through all rvas
; rewrite entry point
; eax still holds the last converted va; esi points just past the converted dwords.
mov ebp, eax ; ebp = pointer to kernel iat
; The next stores write 5 bytes (opcode + 32-bit displacement) at [esi], so that
; memory must be writable at run time. Per the goals above this is the entry
; point; presumably it sits in a section that is both writable and executable -
; confirm against the section flags used for the loader.
mov byte ptr[esi], JUMP_OPCODE ; copy jump opcode
mov eax, (LOADER_STRUCT ptr[ebx]).dwOepDelta ; eax = oep delta
mov dword ptr[esi + 1], eax ; copy jump delta
; No ret or jmp precedes loader_header_end, so execution continues into whatever
; bytes follow the header - presumably the rest of the loader; confirm with the
; code that consumes ExportLoaderHeader.
loader_header_end:
end