简单的动态寻址

这篇博客通过PEB(Process Environment Block)结构动态查找并调用Windows API,如FreeLibrary、LoadLibraryA和MessageBoxA,展示了如何在内存中搜索特定模块和函数地址。

;-----------------------------------------------------------------------
; Position-independent x86-32 Windows stub (MASM-style syntax: `h`
; immediates, `byte ptr`).  It locates kernel32 through the PEB, walks
; kernel32's export directory to find GetProcAddress, then resolves
; FreeLibrary, LoadLibraryA and MessageBoxA by name, shows a message box
; and frees user32 again.  No import table is involved: every API name
; string is assembled on the stack at run time.
;
; Register roles once the export walk is done:
;   edi = kernel32 image base (later re-used for the user32 handle)
;   edx = VA of kernel32's IMAGE_EXPORT_DIRECTORY
;   esi = address of GetProcAddress (live across all later calls)
; Stack usage: every pushed string and the saved FreeLibrary pointer are
; released by the single `add esp,34h` near the end; the push sequence
; below and that constant must stay in sync.
; The resolved APIs are stdcall (callee pops its arguments).
;-----------------------------------------------------------------------
mov eax,fs:[30h]        ; eax = PEB (TEB+30h); must be the first instruction
mov eax,[eax+0ch]        ; eax = PEB->Ldr (PEB_LDR_DATA)
mov esi,[eax+1ch]        ; esi = Ldr->InInitializationOrderModuleList.Flink
lodsd                    ; eax = [esi] = Flink of the 1st entry, i.e. the 2nd module's link
mov edi,[eax+8h]        ; edi = DllBase of that entry, taken to be kernel32
                         ; NOTE(review): assumes the 2nd init-order module is kernel32;
                         ; that ordering is not guaranteed on every Windows version - verify
mov eax,[edi+3ch]        ; eax = e_lfanew (RVA of the PE header)
mov edx,[edi+eax+78h]    ; edx = RVA of the export directory (DataDirectory[0].VirtualAddress)
        add edx,edi                        ; edx = VA of IMAGE_EXPORT_DIRECTORY
        mov ecx,[edx+18h]        ; ecx = NumberOfNames
        mov ebx,[edx+20h]        ; ebx = RVA of AddressOfNames
        add ebx,edi                        ; ebx = VA of the name-pointer table
search:     ; scan the name table from the last entry downwards for "GetProcA..."
           dec ecx                 ; ecx = current name index (NumberOfNames-1 .. 0)
       mov esi,[ebx+ecx*4]         ; esi = RVA of name[ecx]
        add esi,edi                ; esi = VA of the name string
        cmp [esi],50746547h        ; first 4 bytes == "GetP" (bytes 47 65 74 50, shown as 'PteG')
        jne search                 ; operand size is not written; a dword compare is intended
                                   ; (some assemblers require an explicit `dword ptr`)
        cmp [esi+4],41636f72h      ; next 4 bytes == "rocA" (shown as 'Acor')
        jne search                 ; no fallback if the name is absent: ecx would wrap below 0
        
        mov ebx,[edx+24h]
        add ebx,edi                        ; ebx = VA of AddressOfNameOrdinals
        mov cx,[ebx+ecx*2]                 ; cx = ordinal of name[ecx]; 16-bit write, upper half
                                           ; of ecx is assumed to already be 0 (index < 10000h)
        mov ebx,[edx+1ch]
        add ebx,edi                        ; ebx = VA of AddressOfFunctions
        mov eax,[ebx+ecx*4]                ; eax = RVA of function[ordinal]
        add eax,edi
        mov esi,eax                        ; esi = GetProcAddress

        ; Build "FreeLibrary\0" on the stack ("Free","Libr","ary\0").  Of the
        ; two zero dwords above it, the lower one terminates "LoadLibraryA"
        ; later and the upper one receives the FreeLibrary address ([esp+16]).
        push 0
        push 0
        push 00797261h                ; "ary\0"
        push 7262694ch                ; "Libr"
        push 65657246h                ; "Free"
        push esp                      ; lpProcName = &"FreeLibrary"
        push edi                      ; hModule = kernel32
        call esi                      ; eax = GetProcAddress(kernel32, "FreeLibrary")
        
        mov [esp+16],eax              ; save FreeLibrary in the topmost zero slot
        
        pop ecx                       ; discard "Free"; esp -> "Libr"
        push 64616f4ch                ; "Load" -> stack now reads "LoadLibrary\0"
        mov byte ptr [esp+11],41h     ; patch the NUL after "ary" to 'A' -> "LoadLibraryA\0"
        push esp                      ; lpProcName
        push edi                      ; hModule = kernel32
        call esi                      ; eax = GetProcAddress(kernel32, "LoadLibraryA")
        
        push 00003233h                ; "32\0\0"
        push 72657375h                ; "user" -> "user32\0\0"
        push esp                      ; lpLibFileName
        call eax                      ; eax = LoadLibraryA("user32")
        mov edi,eax                        ; edi = user32 handle (kernel32 base no longer needed)
        
        push 0041786fh                ; "oxA\0"
        push 42656761h                ; "ageB"
        push 7373654dh                ; "Mess" -> "MessageBoxA\0"
        push esp                      ; lpProcName
        push edi                      ; hModule = user32
        call esi                      ; eax = GetProcAddress(user32, "MessageBoxA")
        
        push 0h                       ; NUL terminator for the text below
        push ced3bbd2h
        push cbb4bdb5h
        push acb3acb3h                ; 12 bytes of multi-byte Chinese text ("超超到此一游");
                                      ; presumably GBK/ANSI-encoded, as MessageBoxA takes ANSI
        mov ecx,esp                   ; ecx = &text
        push 40h                      ; uType = 40h (MB_ICONINFORMATION)
        push ecx                      ; lpCaption = same buffer as the text
        push ecx                      ; lpText
        push 0                        ; hWnd = NULL
        call eax                      ; MessageBoxA(NULL, text, text, 40h)
        
        ; Drop everything still stacked above the saved FreeLibrary pointer:
        ; text 16 + "MessageBoxA" 12 + "user32" 8 + "LoadLibraryA" 12
        ; + its zero terminator 4 = 34h bytes.
        add esp,34h
        pop eax                       ; eax = saved FreeLibrary address
        push edi                      ; hLibModule = user32
        call eax                      ; FreeLibrary(user32)
        retn                          ; back to the caller; eax = FreeLibrary's result
