A Full Hello World Example

Example 19-6 shows a full implementation of the findSymbolByHash function that can be used to find exported symbols in loaded DLLs.

Example 19-6. findSymbolByHash implementation

; __stdcall DWORD findSymbolByHash(DWORD dllBase, DWORD symHash);
findSymbolByHash:
    pushad
    mov     ebp, [esp + 0x24]       ; load 1st arg: dllBase
    mov     eax, [ebp + 0x3c] ❶     ; get offset to PE signature
    ; load edx w/ DataDirectories array: assumes PE32
    mov     edx, [ebp + eax + 4+20+96] ❷
    add     edx, ebp                ; edx:= addr IMAGE_EXPORT_DIRECTORY
    mov     ecx, [edx + 0x18] ❸ ; ecx:= NumberOfNames mov ebx, [edx + 0x20] ; ebx:= RVA of AddressOfNames add ebx, ebp ; rva->va .search_loop: jecxz .error_done ; if at end of array, jmp to done dec ecx ; dec loop counter ; esi:= next name, ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Malware Analysis by Michael Sikorski, Andrew Honig

A Full Hello World Example

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly