借个地方放下代码，研究的话也欢迎 不过没有注解，前提要对PE比较了解

.386
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

    .data
    szcaption      db 'xbn',0
   sztext         db '找到KERNEL32的PE标志!',0
   _lpapi         db 'GetProcAddress',0
   .code
 _getkernelbase proc _dwkernelretaddress
    local @dwret
   
    pushad
    mov @dwret,0
    mov edi,_dwkernelretaddress
    and edi,0ffff0000h
    .repeat
       .if WORD ptr [edi]==IMAGE_DOS_SIGNATURE
              MOV ESI,EDI
              ADD ESI,[ESI+003CH]
              .if WORD ptr [esi]==IMAGE_NT_SIGNATURE
              MOV @dwret,edi
              .break
              .endif
       .endif
     sub edi,10000h
    .break .if edi<70000000h
    .until FALSE
          popad
          mov eax,@dwret
    ret
 _getkernelbase endp
 _getapi proc _dwkernelbase,_lpap1
    local @ret
    pushad
    mov eax,_dwkernelbase
    add eax,[eax+3ch]
    assume eax:ptr IMAGE_NT_HEADERS
    MOV eax,[eax].OptionalHeader.DataDirectory.VirtualAddress
    add eax,_dwkernelbase
    assume eax:ptr IMAGE_EXPORT_DIRECTORY
    MOV ebx,[eax].AddressOfNames
    add ebx,_dwkernelbase
    xor edx,edx
    .repeat
      mov edi,ebx
      mov esi,_lpap1
      mov ecx,sizeof _lpap1
     repz cmpsb
     .if ZERO?
     jmp @F
     .endif
     add ebx,4
     inc edx
    .until edx>=[eax].NumberOfNames
     jmp _ret
    @@:
       shl edx,2
       add ebx,[eax].AddressOfNameOrdinals
       add ebx,_dwkernelbase
       movzx ebx,WORD ptr [ebx]
       shl ebx,2
       add ebx,[eax].AddressOfFunctions
       add ebx,_dwkernelbase
       mov eax,[ebx]
       add eax,_dwkernelbase
       mov @ret,eax
   _ret:
      assume eax:nothing
      popad
      mov eax,@ret
      ret
 _getapi endp
      

start: mov eax,[esp]
       invoke _getkernelbase,eax
       invoke _getapi,eax,addr _lpapi
       ret
end    start
              

[ 本帖最后由 朱三哥 于 2012-12-13 23:43 编辑 ]