01-09-2011, 06:45 PM
Code:
// Function-pointer type used below to hold the address returned for "LoadLibraryW":
// a __stdcall function taking a wchar_t * and returning an HINSTANCE__ * (module handle).
// NOTE(review): the documented LoadLibraryW prototype takes a const wide string
// (LPCWSTR); this typedef drops the const qualifier.
typedef HINSTANCE__ * (__stdcall *LoadLibrary_)(wchar_t *);
// Resolves LoadLibraryW without calling GetModuleHandle: the module base passed to
// GetProcAddress is read from the process's loader data with inline assembly instead.
// The commented-out line at the end shows the conventional call this replaces.
//
// NOTE(review): MSVC inline assembly and the fs-segment read make this x86 (32-bit)
// only; the base address is also stored in a 32-bit DWORD.
// NOTE(review): for analysis/detection, GetProcAddress and the "LoadLibraryW" string
// are still present in the binary, and the fs:[0x30] read followed by fixed-offset
// list walking is itself a recognizable static pattern.
// NOTE(review): no return statement is present, and _LoadLibrary is assigned but
// never checked for NULL or called in this snippet.
int wmain()
{
LoadLibrary_ _LoadLibrary = NULL;
DWORD dwBaseAddress = 0;
_asm
{
// Clears ebx; redundant, since the next instruction overwrites it.
xor ebx, ebx
// On 32-bit Windows, fs:[0x30] in the thread's TEB holds the PEB pointer.
mov ebx, fs:[ 0x30 ]
// PEB + 0x0C: pointer to the loader data (PEB_LDR_DATA).
mov ebx, [ ebx + 0x0C ]
// PEB_LDR_DATA + 0x14: first link of the in-memory-order module list.
mov ebx, [ ebx + 0x14 ]
// Follow the forward link to the second list entry...
mov ebx, [ ebx ]
// ...and again to the third entry.
mov ebx, [ ebx ]
// From the entry's in-memory-order link, +0x10 is the module's base address field.
// NOTE(review): the code assumes the third entry is KERNEL32.DLL (compare the
// commented-out line below); nothing here verifies the module name, so the result
// depends on load order and on these undocumented offsets staying fixed.
mov ebx, [ ebx + 0x10 ]
mov dwBaseAddress, ebx
}
// Look up LoadLibraryW in whatever module the walk above landed on; the result is
// NULL if that module does not export it (not checked here).
_LoadLibrary = (LoadLibrary_)GetProcAddress((HMODULE)dwBaseAddress, "LoadLibraryW");
// Conventional equivalent, kept for reference:
// _LoadLibrary = (LoadLibrary_)GetProcAddress(GetModuleHandle(L"KERNEL32.DLL"), "LoadLibraryW");
}
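Useful technique used in packers / protectors to make the code harder for reverse engineers to analyse: note that GetModuleHandleW will not be in the import table. This only hides that one import from static import-table inspection; GetProcAddress is still imported by this snippet, and the fs:[0x30] read remains visible in the disassembly.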