What is the reason to write custom GetModuleHandle function?

I am studying the ZeuS malware and I came across this source code:

HMODULE _getKernel32Handle(void)
{
#if defined _WIN64
  return NULL; //FIXME
#else  
  __asm
  {
    cld                    //clear the direction flag for the loop

    mov edx, fs:[0x30]     //get a pointer to the PEB
    mov edx, [edx + 0x0C]  //get PEB-> Ldr
    mov edx, [edx + 0x14]  //get the first module from the InMemoryOrder module list

  next_mod:
    mov esi, [edx + 0x28]  //get pointer to modules name (unicode string)
    mov ecx, 24            //the length we want to check
    xor edi, edi           //clear edi which will store the hash of the module name

  loop_modname:
    xor eax, eax           //clear eax
    lodsb                  //read in the next byte of the name
    cmp al, 'a'            //some versions of Windows use lower case module names
    jl not_lowercase
    sub al, 0x20           //if so normalise to uppercase

  not_lowercase:
    ror edi, 13            //rotate right our hash value
    add edi, eax           //add the next byte of the name to the hash
    loop loop_modname      //loop until we have read enough

    cmp edi, 0x6A4ABC5B    //compare the hash with that of KERNEL32.DLL
    mov eax, [edx + 0x10]  //get this modules base address
    mov edx, [edx]         //get the next module
    jne next_mod           //if it doesn't match, process the next module
  };
#endif
}

The logic is as follows:

  1. Read the fs segment register (32-bit Windows stores the TEB there)
  2. Get a pointer to the PEB
  3. Get a pointer to PEB_LDR_DATA (which holds information about the modules loaded in the process)
  4. Walk the InMemoryOrder list
  5. Use a custom, home-made hash function
  6. Compare the module name against "kernel32.dll"

Why is GetModuleHandle not suitable there?

The code snippet is trying to obtain the module handle (i.e. the base address) of kernel32.dll, presumably because it does not yet have a handle to this module. GetModuleHandle is exported by kernel32.dll. You cannot call a function without knowing its address.
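As an added example (not code from the ZeuS source or from either post above), the hashing loop the question describes is reimplemented below in portable C so an analyst can check that the constant 0x6A4ABC5B the assembly compares against is the hash of the UTF-16LE string KERNEL32.DLL, and can map a hash constant recovered from a sample back to a module name from a candidate list. The function names, the candidate list and the zero-padding of short names are assumptions of this example; the real loop reads a fixed 24 bytes from the module's UNICODE_STRING buffer, so only 12-character names reproduce it exactly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit rotate right; with n == 13 this is what "ror edi, 13" does. */
static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Hash `len` raw bytes the way the loop in the question does: fold ASCII
   lowercase to uppercase (signed compare against 'a', so bytes >= 0x80 are
   left alone, matching "cmp al,'a' / jl"), then h = ror(h, 13) + byte.
   Null bytes are hashed too; they are the high bytes of the UTF-16LE
   code units of the module name. */
uint32_t ror13_hash(const uint8_t *buf, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if ((int8_t)c >= (int8_t)'a')
            c -= 0x20;
        h = ror32(h, 13) + c;
    }
    return h;
}

/* Expand an ASCII module name into a UTF-16LE buffer. Bytes past the
   terminator are zero-filled here (an assumption of this example); in a
   real PEB walk they are whatever follows the name in memory. */
size_t to_utf16le(const char *ascii, uint8_t *out, size_t cap)
{
    size_t n = 0;
    memset(out, 0, cap);
    for (; ascii[n] && 2 * n + 1 < cap; n++) {
        out[2 * n] = (uint8_t)ascii[n];
        out[2 * n + 1] = 0;
    }
    return 2 * n;
}

/* Hash the first `nbytes` bytes of the UTF-16LE form of `name`; the
   assembly uses nbytes == 24 ("mov ecx, 24"). */
uint32_t module_hash(const char *name, size_t nbytes)
{
    uint8_t wide[64];
    to_utf16le(name, wide, sizeof wide);
    if (nbytes > sizeof wide)
        nbytes = sizeof wide;
    return ror13_hash(wide, nbytes);
}

/* Map a hash constant seen in a sample back to a module name, using a
   constructed candidate list. Returns NULL when nothing matches. */
const char *resolve_module_hash(uint32_t target)
{
    static const char *candidates[] = {
        "NTDLL.DLL", "KERNEL32.DLL", "KERNELBASE.DLL", "USER32.DLL",
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (module_hash(candidates[i], 24) == target)
            return candidates[i];
    return NULL;
}

int main(void)
{
    uint32_t target = 0x6A4ABC5BU; /* the constant from the assembly above */
    printf("hash(KERNEL32.DLL) = 0x%08X\n", module_hash("KERNEL32.DLL", 24));
    printf("hash(kernel32.dll) = 0x%08X (case-folded)\n",
           module_hash("kernel32.dll", 24));
    const char *name = resolve_module_hash(target);
    printf("0x%08X -> %s\n", target, name ? name : "(no match)");
    return 0;
}
```

Because the loop folds case before hashing, "kernel32.dll" and "KERNEL32.DLL" hash to the same value, which is why the original comment notes that some Windows versions store lower-case module names. When triaging a sample, collecting the compare constants from such loops and running them through resolve_module_hash with a larger candidate list is a quick way to label which modules the code is looking for.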