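;===============================================================================
;=
;= DWORD* __stdcall get_api_address(DWORD *lpImagebase,
;=                                  DWORD  nApiCrc32,
;=                                  DWORD *lpCrc32
;=                                 )
;=
;===============================================================================
;=
;= Walks the export directory of the PE image at lpImagebase and returns the
;= address of the export whose name, hashed by the caller-supplied crc32
;= routine, equals nApiCrc32.
;=
;= in:  esp+08:lpImagebase = dll imagebase
;= ---  esp+0C:nApiCrc32   = api crc32
;=      esp+10:lpCrc32     = pointer to DWORD __stdcall crc32(BYTE *lpString)
;=
;= out: eax = NULL on error, api address else
;= ---- errors: bad MZ or PE signature, export directory RVA of zero,
;=      or no export name whose crc32 matches nApiCrc32
;=
;= regs: every register except eax is restored by pusha/popa; the three
;= ----- arguments are removed from the stack by "ret 0Ch"
;=
;= limits: lodsd is used, so the direction flag is assumed clear on entry.
;= ------- The function RVA is returned as found; an export forwarder is not
;=         detected, and the ordinal is not checked against the function
;=         count.
;=
;= analysis note: an API resolved this way has no import-table entry and no
;= -------------- name string in the calling code; an nApiCrc32 constant can
;=                be mapped back to a name by hashing the export names of the
;=                target dll with the same crc32 routine.
;=
;===============================================================================

; Stack arguments, addressed relative to esp AFTER pusha (saved eax is at
; esp+28 = esp+1Ch).
; NOTE(review): these resolve to esp+2Ch/30h/34h after pusha, i.e. 0Ch/10h/14h
; above the return address at entry, while the header lists 08/0C/10 and a
; plain stdcall call puts the first argument at entry esp+04h. Confirm the
; trailing "+8" against the caller.
lpImagebase     equ     dword ptr[esp+28d+08h+8]
nApiCrc32       equ     dword ptr[esp+28d+0Ch+8]
; the extra +4 is there because lpCrc32 is only read after "push eax"
lpCrc32         equ     dword ptr[esp+28d+10h+4+8]

; character constants are written reversed so they match the in-memory words
MZ              equ     'ZM'
PE              equ     'EP'

get_api_address:
        pusha
        ; The image base and the name index live in ebx/ebp rather than
        ; edx/ecx: the header declares lpCrc32 as __stdcall, and a stdcall
        ; callee may destroy eax, ecx and edx but must preserve ebx and ebp.
        mov     ebx, lpImagebase        ; ebx = image base
        xor     eax, eax                ; eax = NULL until a match is found

is_valid_pe_file:
        cmp     word ptr[ebx], MZ       ;valid mz ?
        jne     get_api_address_exit
        mov     edi, ebx
        add     edi, [ebx+mz_peptr]     ; edi = image base + offset read at mz_peptr
        cmp     word ptr[edi], PE       ;valid pe ?
        jne     get_api_address_exit

        mov     edi, [edi+pe_exportrva]
        test    edi, edi                ; RVA 0: image has no export directory
        jz      get_api_address_exit    ; eax is still NULL here
        add     edi, ebx                ;edi = *export_table

        mov     esi, [edi+20h]
        add     esi, ebx                ;esi = names' table
        xor     ebp, ebp                ;ebp = index

search_index:
        cmp     ebp, [edi+18h]          ; +18h = number of names
        jae     get_api_address_fail    ; table exhausted: stop, do not read past it
        lodsd                           ; eax = RVA of next name, esi += 4
        add     eax, ebx                ;eax = *lpApiName
        push    eax                     ;lpString
        call    lpCrc32                 ; stdcall: callee pops lpString
        inc     ebp                     ;index++
        cmp     eax, nApiCrc32
        jne     search_index

        mov     esi, [edi+24h]
        add     esi, ebx                ;esi = ordinals' table
        dec     ebp                     ; undo the post-increment: index of the match
        movzx   eax, word ptr[esi+ebp*2] ;eax = api's ordinal
        mov     esi, [edi+1Ch]
        add     esi, ebx                ;esi = functions' table
        mov     eax, [esi+eax*4]        ; eax = function RVA
        add     eax, ebx                ;eax = api's address
        jmp     short get_api_address_exit

get_api_address_fail:
        xor     eax, eax                ; eax holds the last crc32 here; return NULL

get_api_address_exit:
        mov     [esp+1Ch], eax          ; overwrite saved eax so popa returns it
        popa
        ret     0Ch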