【安利】纯VB自己实现GetProcAddress

唐凌

发此贴主要是因为MP那个逗比杀软在Ring3下Hook了GetProcAddress

1. Option Explicit
   
2. Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal dest As Long, ByVal src As Long, ByVal cch As Long)
   
3. Public Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long
   
4. Public Type IMAGE_DOS_HEADER
   
5.     e_magic As Integer
   
6.     e_cblp As Integer
   
7.     e_cp As Integer
   
8.     e_crlc As Integer
   
9.     e_cparhdr As Integer
   
10.     e_minalloc As Integer
    
11.     e_maxalloc As Integer
    
12.     e_ss As Integer
    
13.     e_sp As Integer
    
14.     e_csum As Integer
    
15.     e_ip As Integer
    
16.     e_cs As Integer
    
17.     e_lfarlc As Integer
    
18.     e_ovno As Integer
    
19.     e_res(0 To 3) As Integer
    
20.     e_oemid As Integer
    
21.     e_oeminfo As Integer
    
22.     e_res2(0 To 9)  As Integer
    
23.     e_lfanew As Long
    
24. End Type
    
25. Public Type IMAGE_FILE_HEADER
    
26.         Machine As Integer
    
27.         NumberOfSections As Integer
    
28.         TimeDateStamp As Long
    
29.         PointerToSymbolTable As Long
    
30.         NumberOfSymbols As Long
    
31.         SizeOfOptionalHeader As Integer
    
32.         Characteristics As Integer
    
33. End Type
    
34. Public Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
    
35. Public Const IMAGE_DIRECTORY_ENTRY_EXPORT = &H1
    
36. Public Type IMAGE_DATA_DIRECTORY
    
37.         VirtualAddress As Long
    
38.         Size As Long
    
39. End Type
    
40. Public Type IMAGE_OPTIONAL_HEADER
    
41.         Magic As Integer
    
42.         MajorLinkerVersion As Byte
    
43.         MinorLinkerVersion As Byte
    
44.         SizeOfCode As Long
    
45.         SizeOfInitializedData As Long
    
46.         SizeOfUninitializedData As Long
    
47.         AddressOfEntryPoint As Long
    
48.         BaseOfCode As Long
    
49.         BaseOfData As Long
    
50.         ' NT additional fields.24
    
51.         ImageBase As Long '28
    
52.         SectionAlignment As Long '32
    
53.         FileAlignment As Long '36
    
54.         MajorOperatingSystemVersion As Integer
    
55.         MinorOperatingSystemVersion As Integer '40
    
56.         MajorImageVersion As Integer
    
57.         MinorImageVersion As Integer '44
    
58.         MajorSubsystemVersion As Integer
    
59.         MinorSubsystemVersion As Integer '48
    
60.         Reserved1 As Long '56
    
61.         SizeOfImage As Long '60
    
62.         SizeOfHeaders As Long '64
    
63.         Checksum As Long '68
    
64.         Subsystem As Integer '70
    
65.         DllCharacteristics As Integer '72
    
66.         SizeOfStackReserve As Long '76
    
67.         SizeOfStackCommit As Long '80
    
68.         SizeOfHeapReserve As Long '84
    
69.         SizeOfHeapCommit As Long '88
    
70.         LoaderFlags As Long '92
    
71.         NumberOfRvaAndSizes As Long '96
    
72.         DataDirectory(1 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES) As IMAGE_DATA_DIRECTORY
    
73. End Type
    
74. Public Type IMAGE_NT_HEADER
    
75.         Signature As Long
    
76.         FileHeader As IMAGE_FILE_HEADER
    
77.         OptionalHeader As IMAGE_OPTIONAL_HEADER
    
78. End Type
    
79. Public Type IMAGE_EXPORT_DIRECTORY
    
80.     Characteristics As Long
    
81.     TimeDateStamp As Long
    
82.     MajorVersion As Integer
    
83.     MinorVersion As Integer
    
84.     name As Long
    
85.     Base As Long
    
86.     NumberOfNames As Long
    
87.     NumberOfFunctions As Long
    
88.     AddressOfFunctions As Long
    
89.     AddressOfNames As Long
    
90.     AddressOfNameOridinals As Long
    
91. End Type
    
92. Public Function AnsiStringFromPtr(ByVal pString As Long, Optional ByVal Length As Long = 0) As String
    
93. Dim pLen As Long
    
94. Dim Buff() As Byte
    
95. Dim i As Long
    
96. If Length = 0 Then
    
97.     pLen = lstrlen(pString)
    
98. Else
    
99.     pLen = Length
    
100. End If
     
101. ReDim Buff(1 To pLen)
     
102. CopyMemory VarPtr(Buff(1)), pString, pLen
     
103. For i = 1 To pLen Step 1
     
104.     AnsiStringFromPtr = AnsiStringFromPtr & Chr(Buff(i))
     
105. Next i
     
106. End Function
     
107. Public Function MyGetProcAddress(ByVal lpBase As Long, ByVal lpProcName As String) As Long
     
108. Dim DosHead As IMAGE_DOS_HEADER
     
109. Dim NtHead As IMAGE_NT_HEADER
     
110. Dim ExpDir As IMAGE_EXPORT_DIRECTORY
     
111. Dim NameRva() As Long
     
112. Dim FuncRva() As Long
     
113. Dim OridRva() As Integer
     
114. Dim fApi As Long
     
115. Dim szProc As String
     
116. Dim i As Integer
     
117. CopyMemory VarPtr(DosHead), lpBase, Len(DosHead)
     
118. CopyMemory VarPtr(NtHead), lpBase + DosHead.e_lfanew, Len(NtHead)
     
119. CopyMemory VarPtr(ExpDir), lpBase + NtHead.OptionalHeader.DataDirectory(IMAGE_DIRECTORY_ENTRY_EXPORT).VirtualAddress, Len(ExpDir)
     
120. ReDim NameRva(1 To ExpDir.NumberOfNames)
     
121. ReDim OridRva(1 To ExpDir.NumberOfNames)
     
122. ReDim FuncRva(1 To ExpDir.NumberOfFunctions)
     
123. CopyMemory VarPtr(NameRva(1)), ExpDir.AddressOfNames + lpBase, 4 * ExpDir.NumberOfNames
     
124. CopyMemory VarPtr(OridRva(1)), ExpDir.AddressOfNameOridinals + lpBase, 2 * ExpDir.NumberOfNames
     
125. CopyMemory VarPtr(FuncRva(1)), ExpDir.AddressOfFunctions + lpBase, 4 * ExpDir.NumberOfFunctions
     
126. For i = 1 To ExpDir.NumberOfNames
     
127.     szProc = AnsiStringFromPtr(NameRva(i) + lpBase)
     
128.     If szProc = lpProcName Then
     
129.         fApi = lpBase + FuncRva(OridRva(i) + 1)
     
130.         MyGetProcAddress = fApi
     
131.     End If
     
132. Next i
     
133. End Function

复制代码

0xAA55

噫！你难道不知道VB可以直接用StrConv将Byte数组直接转换为Unicode编码的字符串吗？

1. Dim CStr() As Byte
   
2. Open "1.txt" For Binary Access Read As #1
   
3. ReDim CStr(LOF(1) - 1)
   
4. Get #1, , CStr
   
5. Close #1
   
6. 
   
7. Dim BStr As String
   
8. BStr = StrConv(CStr, vbUnicode)
   
9. 
   
10. Debug.Print BStr

复制代码

唐凌

噫！你难道不知道VB可以直接用StrConv将Byte数组直接转换为Unicode编码的字符串吗？

这个我知道，但我不知道为啥，StrConv用着感觉好奇怪（什么怪毛病23333333333），因此AnsiString就Chr顺着来，UnicodeString就ChrW顺着来

0xAA55

tangptr@126.com 发表于 2016-1-23 23:48
这个我知道，但我不知道为啥，StrConv用着感觉好奇怪（什么怪毛病23333333333），因此AnsiString就Chr顺着 ...

而且Byte数组也可以拿来直接赋值给字符串，或者互相赋值的。

0xAA55

tangptr@126.com 发表于 2016-1-23 23:48
这个我知道，但我不知道为啥，StrConv用着感觉好奇怪（什么怪毛病23333333333），因此AnsiString就Chr顺着 ...

而且Byte数组也可以拿来直接赋值给字符串，或者互相赋值的。

唐凌

Integer数组可以吗

bigwind

好东西收着

cxx

好东西收着

55AA

有想法奥

大宝

一个好程序，值得学习