dLibraryA = (fnLoadLibraryA)pfnGetProcAddress((HMODULE)dwBase, "LoadLibraryA");
printf("pfnLoadLibraryA = %x \n", pfnLoadLibraryA);
fnGetModuleHandleA pfnGetModuleHandleA = (fnGetModuleHandleA)pfnGetProcAddress((HMODULE)dwBase, "GetModuleHandleA");
printf("pfnGetModuleHandleA = %x \n", pfnGetModuleHandleA);
fnVirtualProtect pfnVirtualProtect = (fnVirtualProtect)pfnGetProcAddress((HMODULE)dwBase, "VirtualProtect");
printf("pfnVirtualProtect = %x \n", pfnVirtualProtect);
// 有了核心API之后,即可获取到User32.dll的基地址
pfnLoadLibraryA("User32.dll");
HMODULE hUser32 = (HMODULE)pfnGetModuleHandleA("User32.dll");
fnMessageBox pfnMessageBoxA = (fnMessageBox)pfnGetProcAddress(hUser32, "MessageBoxA");
printf("User32 = > %x \t MessageBox = > %x \n", hUser32, pfnMessageBoxA);
HMODULE hKernel32 = (HMODULE)pfnGetModuleHandleA("kernel32.dll");
fnExitProcess pfnExitProcess = (fnExitProcess)pfnGetProcAddress(hKernel32, "ExitProcess");
printf("Kernel32 = > %x \t ExitProcess = > %x \n", hKernel32, pfnExitProcess);
// 弹出信息框
int nRet = pfnMessageBoxA(NULL, "hello lyshark", "MsgBox", MB_YESNO);
if (nRet == IDYES)
{
printf("你点击了YES \n");
}
system("pause");
pfnExitProcess(0);
return 0;
}
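运行上述代码后,程序以动态调用的方式获取到 MessageBox 函数的内存地址,并将该地址保存到 pfnMessageBoxA 指针中,最后直接通过该指针调用函数,即可得到如下图所示的效果。由于这些 API 是在运行时通过 GetProcAddress 解析的,MessageBoxA 等经指针调用的函数通常不会出现在程序的导入表中,因此分析此类程序时仅查看导入表是不够的,还需要结合运行时行为进行判断。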
|