An issue in chapter09 - stub.asm #1

Open
hawkfeather opened this issue Apr 29, 2024 · 0 comments

https://github.com/aaaddress1/Windows-APT-Warfare/blob/main/source/chapter%2308/stub.asm

An issue in chapter09 - stub.asm

```asm
fix_iat:
    lea ecx, [ebx + IMAGE_DIRECTORY_ENTRY_IMPORT]
    mov ecx, dword [ecx]
    add ecx, [ebp + 20]; ecx points to the current IMAGE_IMPORT_DESCRIPTOR

import_dll:
    mov eax, dword [ecx + _IMAGE_IMPORT_DESCRIPTOR.idName]
    test eax, eax
    jz iatfix_done
    add eax, [ebp + 20]; eax points to the imported DLL name (char array)
    push ecx  ; ecx (IMAGE_IMPORT_DESCRIPTOR) should be saved here, because the call that follows will affect ecx
    push eax
    call dword [ebp + 0x08]; LoadLibraryA
    mov ebx, eax; let ebx keep the imageBase of the imported dll
    pop ecx  ; restore ecx; it is needed later
    mov edi, dword [ecx + _IMAGE_IMPORT_DESCRIPTOR.idFirstThunk]
    add edi, dword [ebp + 20] ; set destination pointer to the IMAGE_THUNK_DATA array
    mov esi, edi
    nop
```