Abstract
After an application or a remote thread function is loaded, the process stack holds a return address that lies inside Kernel32.DLL. Using this return address, the base address of Kernel32.DLL can be obtained in the remote process, and from it the entry addresses of the two key API functions GetProcAddress and LoadLibrary. With these two functions, a DLL can be loaded dynamically in the remote process, and the entry addresses of the required API functions can be searched for and obtained dynamically.
When an application program or remote thread function is loaded, there is a return address located in Kernel32.DLL in the stack of the process. We can obtain Kernel32.DLL's base address by using the return address in the remote process, and so get the entry addresses of two key API functions, GetProcAddress and LoadLibrary. Using these two functions in the remote process, we can dynamically load a DLL, and dynamically search for and obtain the entry addresses of the needed API functions.
Source
《电脑编程技巧与维护》
2013, No. 18, pp. 96-98 (3 pages)
Computer Programming Skills & Maintenance