A Full Hello World Example
Example 19-6 shows a full implementation of the findSymbolByHash function that can be used to find exported symbols in loaded DLLs.
Example 19-6. findSymbolByHash implementation
    ; __stdcall DWORD findSymbolByHash(DWORD dllBase, DWORD symHash);
    findSymbolByHash:
        pushad
        mov ebp, [esp + 0x24]            ; load 1st arg: dllBase
        mov eax, [ebp + 0x3c]            ; get offset to PE signature ❶
        ; load edx w/ DataDirectories array: assumes PE32
        mov edx, [ebp + eax + 4+20+96]   ; ❷
        add edx, ebp                     ; edx:= addr IMAGE_EXPORT_DIRECTORY
        mov ecx, [edx + 0x18]            ; ecx:= NumberOfNames ❸
        mov ebx, [edx + 0x20]            ; ebx:= RVA of AddressOfNames
        add ebx, ebp                     ; rva->va
    .search_loop:
        jecxz .error_done                ; if at end of array, jmp to done
        dec ecx                          ; dec loop counter
        ; esi:= next name, ...
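The export-table walk the listing performs, re-implemented in Python as an added example (this is not code from the book): it reads the same offsets (0x3c, 4+20+96, 0x18, 0x20) over a constructed PE32-like buffer and carries the lookup through the ordinal and function-address tables, which the excerpt is cut off before. The hash function is a constructed stand-in, since the book's hash routine is not shown here, and the buffer is assumed to be the DLL image as mapped in memory (RVAs are offsets from byte 0).

```python
import struct

def demo_hash(name: bytes) -> int:
    """Stand-in symbol hash (constructed; the book's hash routine is not on the page)."""
    h = 0
    for c in name:
        h = (h * 31 + c) & 0xFFFFFFFF
    return h

def find_symbol_by_hash(image: bytes, sym_hash: int):
    """Same walk as the assembly listing, over a PE32 image mapped at offset 0 of `image`.
    Returns (name, function RVA) for the first export whose name hashes to sym_hash."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]                 # ❶ offset to PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # ❷ DataDirectory[0] = export directory: 4 (sig) + 20 (file hdr) + 96 (into optional hdr)
    export_rva = struct.unpack_from("<I", image, e_lfanew + 4 + 20 + 96)[0]
    num_names = struct.unpack_from("<I", image, export_rva + 0x18)[0]  # ❸ NumberOfNames
    # AddressOfFunctions (+0x1C), AddressOfNames (+0x20), AddressOfNameOrdinals (+0x24)
    funcs_rva, names_rva, ords_rva = struct.unpack_from("<III", image, export_rva + 0x1C)
    for i in range(num_names):                                         # the .search_loop
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)]
        if demo_hash(name) == sym_hash:
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
            return name, func_rva
    return None                                                        # .error_done

def build_test_image() -> bytes:
    """Constructed minimal PE32-like buffer: only the fields the walk reads are populated."""
    img = bytearray(0x400)
    e_lfanew, export_rva = 0x80, 0x200
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", img, e_lfanew + 4 + 20 + 96, export_rva)
    names = [b"CreateFileA", b"LoadLibraryA", b"GetProcAddress"]       # constructed export names
    funcs_rva, names_rva, ords_rva, str_rva = 0x240, 0x260, 0x280, 0x2A0
    struct.pack_into("<I", img, export_rva + 0x18, len(names))
    struct.pack_into("<III", img, export_rva + 0x1C, funcs_rva, names_rva, ords_rva)
    for i, n in enumerate(names):
        struct.pack_into("<I", img, names_rva + 4 * i, str_rva)
        img[str_rva:str_rva + len(n) + 1] = n + b"\0"
        str_rva += len(n) + 1
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        struct.pack_into("<I", img, funcs_rva + 4 * i, 0x1000 + 0x10 * i)  # fake code RVAs
    return bytes(img)
```

An analyst can drop in the hash routine recovered from a real sample in place of demo_hash and run the same walk over a dumped DLL image to recover which API each hash constant resolves to.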