hi,
you may probably know this piece of code, mostly used in packers/protectors:
mov ecx,[esp] ; Return address of call from CreateProcess
GetKrnlBaseLoop: ; Get Kernel32 module base address
xor edx,edx
dec ecx ; Scan backward
mov dx,[ecx+03ch] ; Take beginning of PE header (e_lfanew)
test dx,0f800h ; Is it a PE header? (e_lfanew must be below 800h)
jnz GetKrnlBaseLoop ; No, forget about it
cmp ecx,[ecx+edx+34h] ; Compare current address with the address that PE should be loaded at (ImageBase)
jnz GetKrnlBaseLoop ; Different? Search again
mov [KernelAdress+ebp],ecx ; ecx holds KernelBase... Store it
I use this code in my program and it works OK on 32-bit OSes but fails on 64-bit (Vista). While I searched a little I found that the ImageBase is at 30h in 64 bits and that it is a qword, so I tried both:
cmp ecx,[ecx+edx+30h]
&
cmp ecx,[ecx+edx+34h]
but it didn't work. Maybe I'm missing something.
I would appreciate any ideas, suggestions, etc...
I know this code is used in viruses and other malware too... but it's not my fault, I use it in a packer/protector that is under development at the moment.
P.S. (excuse my poor English)
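As an added illustration (this is not code from the thread), the following Python script parses a PE header to show where ImageBase lives in each format: the optional-header Magic field at e_lfanew+18h decides whether ImageBase is a dword at e_lfanew+34h (PE32, magic 10Bh) or a qword at e_lfanew+30h (PE32+, magic 20Bh). The sample headers are constructed inside the script, not taken from real binaries. Two caveats a practitioner would want: a 32-bit process on 64-bit Windows (WOW64) still loads a 32-bit kernel32.dll, so for that process the 34h offset is still the right one; and the scan's other assumption, that the module sits at the ImageBase recorded in its own header, stops holding once the system DLLs are relocated by ASLR (introduced with Vista). The last helper checks exactly that assumption for a given load address.

```python
import struct

PE32_MAGIC = 0x10B      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
PE32PLUS_MAGIC = 0x20B  # IMAGE_NT_OPTIONAL_HDR64_MAGIC


def build_image(magic, image_base, e_lfanew=0x80):
    """Build a constructed, minimal PE header blob (DOS header, PE signature,
    COFF header and the first fields of the optional header). Sample data only."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    machine = 0x14C if magic == PE32_MAGIC else 0x8664   # i386 or x64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x102)
    if magic == PE32_MAGIC:
        # Magic, MajorLinker, MinorLinker, SizeOfCode, SizeOfInitializedData,
        # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData,
        # ImageBase (dword at optional-header offset 1Ch)
        opt = struct.pack("<HBBIIIIIII", magic, 0, 0, 0, 0, 0, 0, 0, 0, image_base)
    else:
        # PE32+ has no BaseOfData; ImageBase is a qword at optional-header offset 18h
        opt = struct.pack("<HBBIIIIIQ", magic, 0, 0, 0, 0, 0, 0, 0, image_base)
    return bytes(dos) + b"PE\0\0" + coff + opt


def read_image_base(image):
    """Return (format, ImageBase) read from the header, picking the offset by Magic."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # Same sanity test the scan loop applies with 'test dx,0f800h': e_lfanew < 800h
    if e_lfanew & 0xF800:
        raise ValueError("e_lfanew out of the expected range")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic == PE32_MAGIC:
        return "PE32", struct.unpack_from("<I", image, e_lfanew + 0x34)[0]
    if magic == PE32PLUS_MAGIC:
        return "PE32+", struct.unpack_from("<Q", image, e_lfanew + 0x30)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def loaded_at_preferred_base(image, load_address):
    """True only if the module is loaded at the ImageBase written in its header.
    This is the assumption behind 'cmp ecx,[ecx+edx+34h]'; a relocated (ASLR)
    module returns False even though its header is perfectly valid."""
    return read_image_base(image)[1] == load_address


if __name__ == "__main__":
    img32 = build_image(PE32_MAGIC, 0x7C800000)       # constructed sample
    img64 = build_image(PE32PLUS_MAGIC, 0x180000000)  # constructed sample
    print(read_image_base(img32))
    print(read_image_base(img64))
    print(loaded_at_preferred_base(img32, 0x7C800000))  # preferred base: True
    print(loaded_at_preferred_base(img32, 0x76000000))  # relocated: False
```

Run it as-is to see the two offsets resolved from the Magic field; feed `read_image_base` the bytes of a real mapped module header to check which format it is before deciding between 30h and 34h.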
I've done some searching and found something that might help. GetModuleHandle("kernel32.dll") should return the base address of kernel32.dll. Also, you can use the following code to get the base address (I apologize in advance if posting the following code is a no-no):
assume fs:nothing
push esi
mov eax,fs:[30h] ; TEB -> PEB
mov eax,[eax+0Ch] ; PEB -> Ldr (PEB_LDR_DATA)
mov esi,[eax+1Ch] ; Ldr -> InInitializationOrderModuleList.Flink (first entry)
lodsd ; eax = next entry in the list
mov eax,[eax+08h] ; DllBase of that entry (relative to the InInitializationOrder links)
; eax now contains kernel base
pop esi
OK, this code works on 32- and 64-bit systems... so thank you :U
Anyway, if anyone knows how to "fix" the code I posted to make it work under a 64-bit OS...