获取网卡MAC地址一般需要用到IPHLPAPI模块。下面是该模块中用来获取MAC地址的函数的反汇编代码(导出名为 IPHLPAPI.GetAdaptersInfo)。如果要定位该函数的地址,可以搜索其前24字节的特征码:8B FF 55 8B EC 51 57 8B 7D 0C 85 FF 0F 84 E2 27 00 00 56 8D 45 FC 50 E8(经测试该方法不可靠:特征码中包含 je 指令的相对偏移 E2 27 00 00,不同版本的 IPHLPAPI.dll 中这段字节会变化)。更稳妥的做法是用OD附加目标进程,然后按 Ctrl+N 查看IPHLPAPI的导出函数表,在其中查找 GetAdaptersInfo 的地址。
; IPHLPAPI!GetAdaptersInfo as shown by OllyDbg (32-bit). Column order: address, opcode bytes, instruction.
; Addresses (727Axxxx) belong to one particular load of one particular DLL build; they and the relative
; je/call displacements differ between builds, which is why the 24-byte signature quoted above is fragile.
; NOTE(review): the '+' inside memory operands was lost in the paste — `[ebp 0xC]` reads `[ebp+0xC]`
; (opcode 8B7D 0C is mov edi,[ebp+0xC]); `[ebp-0x4]` survived. `8002000>` at 727A92DB is OD truncating
; the displayed bytes, not a real opcode.
; Calling convention: stdcall with two dword args (retn 0x8): [ebp+0x8] = output buffer,
; [ebp+0xC] = pointer to the caller's buffer size. One local at [ebp-0x4] holds an internal list pointer.
727A9263 > 8BFF mov edi,edi                         ; 2-byte no-op, the usual hot-patchable prologue
727A9265 55 push ebp
727A9266 8BEC mov ebp,esp
727A9268 51 push ecx                                 ; reserve the local at [ebp-0x4]
727A9269 57 push edi
727A926A 8B7D 0C mov edi,dword ptr ss:[ebp 0xC]     ; edi = size pointer (2nd arg)
727A926D 85FF test edi,edi
727A926F 0F84 E2270000 je IPHLPAPI.727ABA57          ; null size pointer -> error path outside this listing
727A9275 56 push esi
727A9276 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
727A9279 50 push eax
727A927A E8 D1FDFFFF call IPHLPAPI.727A9050           ; fills [ebp-0x4]; returns a status in eax
727A927F 8BF0 mov esi,eax                            ; esi carries the return value from here on
727A9281 85F6 test esi,esi
727A9283 0F85 C0000000 jnz IPHLPAPI.727A9349         ; non-zero status -> release and return it
727A9289 3945 FC cmp dword ptr ss:[ebp-0x4],eax      ; eax == 0 here: is the internal list empty?
727A928C 0F84 CD270000 je IPHLPAPI.727ABA5F          ; empty -> path outside this listing
727A9292 FF75 FC push dword ptr ss:[ebp-0x4]
727A9295 E8 3FFBFFFF call IPHLPAPI.727A8DD9           ; eax = byte count the caller's buffer must hold
727A929A 83F8 FF cmp eax,-0x1                        ; unsigned compare against 0xFFFFFFFF
727A929D 0F87 C6270000 ja IPHLPAPI.727ABA69          ; taken branch leaves the listing
727A92A3 8B75 08 mov esi,dword ptr ss:[ebp 0x8]     ; esi = output buffer (1st arg)
727A92A6 85F6 test esi,esi
727A92A8 0F84 8F000000 je IPHLPAPI.727A933D          ; null buffer -> report required size (727A933D)
727A92AE 8B0F mov ecx,dword ptr ds:[edi]             ; ecx = caller-supplied buffer size
727A92B0 3BC8 cmp ecx,eax
727A92B2 0F82 85000000 jb IPHLPAPI.727A933D          ; too small -> same report-size path
727A92B8 53 push ebx
727A92B9 51 push ecx
727A92BA 6A 00 push 0x0
727A92BC 56 push esi
727A92BD E8 33A2FFFF call <jmp.&msvcrt.memset>       ; memset(buffer, 0, *sizeptr) — whole caller buffer
727A92C2 83C4 0C add esp,0xC
727A92C5 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
727A92C8 50 push eax
727A92C9 8975 0C mov dword ptr ss:[ebp 0xC],esi     ; arg slot [ebp+0xC] is reused as the output cursor
727A92CC E8 D3000000 call IPHLPAPI.727A93A4
727A92D1 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]      ; ebx = first internal entry
727A92D4 85DB test ebx,ebx                           ; ---- loop over internal entries ----
727A92D6 74 6C je XIPHLPAPI.727A9344                 ; end of list -> terminate output list
727A92D8 8B7D 0C mov edi,dword ptr ss:[ebp 0xC]     ; edi = current output entry
727A92DB 8145 0C 8002000>add dword ptr ss:[ebp 0xC],0x280 ; cursor += 0x280 (matches sizeof(IP_ADAPTER_INFO), 32-bit)
727A92E2 8BC7 mov eax,edi
727A92E4 B9 A0000000 mov ecx,0xA0
727A92E9 8BF3 mov esi,ebx
727A92EB F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 0xA0 dwords = 0x280 bytes, internal -> output
727A92ED 8D4D 0C lea ecx,dword ptr ss:[ebp 0xC]
727A92F0 8945 08 mov dword ptr ss:[ebp 0x8],eax     ; arg slot [ebp+0x8] now holds this output entry
727A92F3 51 push ecx                                 ; &cursor
727A92F4 05 AC010000 add eax,0x1AC
727A92F9 50 push eax                                 ; &out->field@0x1AC
727A92FA FFB3 AC010000 push dword ptr ds:[ebx 0x1AC] ; src->field@0x1AC (first dword of the embedded list)
727A9300 E8 80E8FFFF call IPHLPAPI.727A7B85           ; re-links the chained list at 0x1AC into the buffer after the cursor
727A9305 8B75 08 mov esi,dword ptr ss:[ebp 0x8]     ; esi = current output entry
727A9308 8D45 0C lea eax,dword ptr ss:[ebp 0xC]
727A930B 50 push eax
727A930C 8D86 D4010000 lea eax,dword ptr ds:[esi 0x1D4]
727A9312 50 push eax
727A9313 FFB3 D4010000 push dword ptr ds:[ebx 0x1D4]
727A9319 E8 67E8FFFF call IPHLPAPI.727A7B85           ; same fix-up for the list at 0x1D4
727A931E 8D45 0C lea eax,dword ptr ss:[ebp 0xC]
727A9321 50 push eax
727A9322 8D86 50020000 lea eax,dword ptr ds:[esi 0x250]
727A9328 50 push eax
727A9329 FFB3 50020000 push dword ptr ds:[ebx 0x250]
727A932F E8 51E8FFFF call IPHLPAPI.727A7B85           ; same fix-up for the list at 0x250
727A9334 8B45 0C mov eax,dword ptr ss:[ebp 0xC]      ; eax = cursor = address of the next output entry
727A9337 8906 mov dword ptr ds:[esi],eax             ; out->Next = cursor
727A9339 8B1B mov ebx,dword ptr ds:[ebx]             ; src = src->Next
727A933B ^ EB 97 jmp XIPHLPAPI.727A92D4              ; ---- end loop ----
727A933D 8907 mov dword ptr ds:[edi],eax             ; *sizeptr = required size
727A933F 6A 6F push 0x6F
727A9341 5E pop esi                                  ; return 0x6F (111 = ERROR_BUFFER_OVERFLOW)
727A9342 EB 05 jmp XIPHLPAPI.727A9349
727A9344 211E and dword ptr ds:[esi],ebx             ; ebx == 0 here: last->Next = 0 terminates the output list
727A9346 33F6 xor esi,esi                            ; return 0 (success)
727A9348 5B pop ebx
727A9349 FF75 FC push dword ptr ss:[ebp-0x4]         ; common exit: release the internal list
727A934C E8 0D000000 call IPHLPAPI.727A935E
727A9351 8BC6 mov eax,esi                            ; eax = status
727A9353 5E pop esi
727A9354 5F pop edi
727A9355 C9 leave
727A9356 C2 0800 retn 0x8                            ; stdcall, pops the two dword args