A Full Hello World Example

Example 19-6 shows a full implementation of the findSymbolByHash function that can be used to find exported symbols in loaded DLLs.

Example 19-6. findSymbolByHash implementation

; __stdcall DWORD findSymbolByHash(DWORD dllBase, DWORD symHash);
    mov     ebp, [esp + 0x24]       ; load 1st arg: dllBase
    mov     eax, [ebp + 0x3c]      ; get offset to PE signature
    ; load edx w/ DataDirectories array: assumes PE32
    mov     edx, [ebp + eax + 4+20+96] 
    add     edx, ebp                ; edx:= addr IMAGE_EXPORT_DIRECTORY
    mov     ecx, [edx + 0x18]  ; ecx:= NumberOfNames mov ebx, [edx + 0x20] ; ebx:= RVA of AddressOfNames add ebx, ebp ; rva->va .search_loop: jecxz .error_done ; if at end of array, jmp to done dec ecx ; dec loop counter ; esi:= next name, ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.