"""
This Script is use in get api address by GetProcAddress like:
This Script is use in get api address by GetProcAddress like:
push offset ProcName ; "CreateToolhelp32Snapshot"
mov eax, [ebx]
push eax ; hModule
call GetProcAddress
mov CreateToolhelp32Snapshot, eax
mov eax, [ebx]
push eax ; hModule
call GetProcAddress
mov CreateToolhelp32Snapshot, eax
"""
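def LoadStringA(byte_ea, max_len=1024, read_byte=None):
    """Read a NUL-terminated ANSI string from the database starting at byte_ea.

    Args:
        byte_ea: address of the first character.
        max_len: upper bound on the number of characters read. The original
            loop was unbounded; a pointer into unmapped or non-string data
            may never yield a 0 byte, which would spin forever.
        read_byte: callable ``address -> int`` used to fetch one byte.
            Defaults to IDA's ``Byte``; injectable so the routine can be
            exercised outside IDA.

    Returns:
        The string (terminator excluded), truncated to max_len characters
        when no NUL is found before that.
    """
    if read_byte is None:
        read_byte = Byte
    chars = []
    ea = byte_ea
    while len(chars) < max_len:
        value = read_byte(ea)
        if value == 0:
            break
        chars.append(chr(value))
        ea += 1
    return "".join(chars)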
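# Operand type of a direct near call target (idc.o_near); the original
# compared against the bare literal 7.
O_NEAR = 7


def rename_getprocaddress_results(ea):
    """Name every global that receives the result of `call GetProcAddress`
    inside the function containing `ea`.

    The call site is expected to look like (see module docstring):
        push offset ProcName      ; three heads before the call
        mov  eax, [ebx]
        push eax                  ; hModule
        call GetProcAddress
        mov  SomeGlobal, eax      ; head right after the call
    SomeGlobal is renamed to the string at ProcName so that later indirect
    calls through it display the resolved API name.

    Args:
        ea: any address inside the function to scan.

    Returns:
        Number of globals successfully renamed.
    """
    start_ea = GetFunctionAttr(ea, FUNCATTR_START)
    end_ea = GetFunctionAttr(ea, FUNCATTR_END)
    if start_ea == BADADDR or end_ea == BADADDR:
        # Not inside a function: the original would have looped against
        # BADADDR as the end bound.
        print("RenameApi: 0x%X is not inside a function" % ea)
        return 0

    renamed = 0
    # Scan the whole function rather than only from the cursor onwards.
    ea = start_ea
    while ea < end_ea:
        if "call" in GetMnem(ea) and GetOpType(ea, 0) == O_NEAR:
            # Note: the original used typographic quotes around the name,
            # which is a syntax error in Python.
            if GetFunctionName(GetOperandValue(ea, 0)) == 'GetProcAddress':
                if _rename_from_call_site(ea, start_ea, end_ea):
                    renamed += 1
        ea = NextHead(ea, end_ea)
    return renamed


def _rename_from_call_site(call_ea, start_ea, end_ea):
    """Apply the rename for one `call GetProcAddress` at call_ea.

    Returns True when a global was renamed, False when the surrounding
    instructions do not match the expected pattern or the name lookup fails.
    """
    # The instruction after the call must store eax into the pointer slot.
    next_ea = NextHead(call_ea, end_ea)
    if next_ea == BADADDR or GetMnem(next_ea) != "mov" or GetOpnd(next_ea, 1) != "eax":
        return False
    target_ea = LocByName(GetOpnd(next_ea, 0))
    if target_ea == BADADDR:
        return False

    # lpProcName is pushed three heads before the call
    # (push name / mov eax,[ebx] / push eax).
    prev_ea = call_ea
    for _ in range(3):
        prev_ea = PrevHead(prev_ea, start_ea)
    if prev_ea == BADADDR or GetMnem(prev_ea) != "push":
        return False

    proc_name = LoadStringA(GetOperandValue(prev_ea, 0))
    if not proc_name:
        return False
    return bool(MakeName(target_ea, proc_name))


ea = get_screen_ea()
renamed_count = rename_getprocaddress_results(ea)
print("RenameApi Done! ")
print("RenameApi: renamed %d pointer(s)" % renamed_count)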
# Looks like Python?