how can I get kernel32 address under windows vista ?
Thanks,
Dexter
assume fs:nothing
mov eax, fs:[30h] ; PEB base
mov eax, [eax+0Ch] ; PEB.Ldr -> PEB_LDR_DATA
mov eax, [eax+1Ch] ; InInitializationOrderModuleList.Flink (first entry)
mov eax, [eax] ; Flink -> second entry in initialization order
mov eax, [eax+8] ; DllBase of that entry -> Kernel32 Image Base
For me: eax=76BB0000h :wink
still doesn't work under vista... :(
For me works!
and eax=76BB0000h under Vista64 Ultimate + SP1 :wink
Yes, but I'm looking for a solution under vista x86, any ideas?
Thanks,
Dexter
well, the code there isn't exactly checking things, it's functional sure, it's working from the PEB_LDR_DATA as mentioned
but the first entry may not be kernel32, in fact in a lot of cases it'll be something else, so walk the table (the structs
are public for it) and match the names.. basically the code is fine as skeleton code, you just need to flesh it out...
however, why on earth would you want to do this when a simple GetModuleHandle("kernel32.dll") would do the job?
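An added illustration of the list walk evlncrn8 describes, not code from this thread. It models the loader list with plain C structs so it runs on any platform: a mock InInitializationOrderModuleList holding constructed module names and made-up base addresses. The real structures are LIST_ENTRY, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY (where BaseDllName is a UNICODE_STRING, not a char*), and the order in which modules appear is loader-version dependent; the sample uses the order seen on Windows 7 and later, where KERNELBASE.dll is initialised before kernel32.dll, so the "second entry" shortcut from the snippets above picks the wrong module while a name match does not.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mock LIST_ENTRY: the doubly linked link embedded in every loader entry. */
struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
};

/* Simplified LDR_DATA_TABLE_ENTRY: only the fields the walk needs.
 * The real one carries three links and BaseDllName as a UNICODE_STRING;
 * here the name is a plain C string (a simplification, not the real layout). */
struct ldr_entry {
    struct list_entry in_init_links;  /* InInitializationOrderLinks */
    uintptr_t         dll_base;       /* DllBase */
    const char       *base_name;      /* BaseDllName (simplified) */
};

/* Simplified PEB_LDR_DATA: just the list head that the snippets walk. */
struct ldr_data {
    struct list_entry in_init_list;   /* InInitializationOrderModuleList */
};

/* CONTAINING_RECORD: from the embedded link back to the whole entry. */
#define ENTRY_FROM_LINK(link) \
    ((const struct ldr_entry *)((const char *)(link) - offsetof(struct ldr_entry, in_init_links)))

static int name_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Walk the whole list and match the module name; 0 if it is not present.
 * This is what "walk the table and match the names" amounts to. */
uintptr_t find_module_base(const struct ldr_data *ldr, const char *name)
{
    const struct list_entry *head = &ldr->in_init_list;
    for (const struct list_entry *p = head->flink; p != head; p = p->flink) {
        const struct ldr_entry *e = ENTRY_FROM_LINK(p);
        if (name_eq_nocase(e->base_name, name))
            return e->dll_base;
    }
    return 0;
}

/* The unchecked shortcut from the snippets: head.Flink, then its Flink,
 * then DllBase, i.e. whatever happens to be the second module. */
uintptr_t second_entry_base(const struct ldr_data *ldr)
{
    const struct list_entry *first = ldr->in_init_list.flink;
    return ENTRY_FROM_LINK(first->flink)->dll_base;
}

/* Link an array of entries into a circular list behind the head. */
static void link_list(struct ldr_data *ldr, struct ldr_entry *ents, size_t n)
{
    struct list_entry *head = &ldr->in_init_list;
    head->flink = head->blink = head;
    for (size_t i = 0; i < n; i++) {
        struct list_entry *l = &ents[i].in_init_links;
        l->flink = head;
        l->blink = head->blink;
        head->blink->flink = l;
        head->blink = l;
    }
}

/* Constructed sample list (made-up base addresses) in the initialisation
 * order seen on Windows 7 and later: KERNELBASE.dll before kernel32.dll. */
static struct ldr_entry sample_mods[] = {
    { {0, 0}, 0x77D00000u, "ntdll.dll" },
    { {0, 0}, 0x75B00000u, "KERNELBASE.dll" },
    { {0, 0}, 0x76BB0000u, "kernel32.dll" },
};
static struct ldr_data sample_ldr;

const struct ldr_data *sample_loader(void)
{
    link_list(&sample_ldr, sample_mods, sizeof sample_mods / sizeof sample_mods[0]);
    return &sample_ldr;
}

int main(void)
{
    const struct ldr_data *ldr = sample_loader();
    printf("second entry shortcut: %#lx\n", (unsigned long)second_entry_base(ldr));
    printf("name match kernel32  : %#lx\n", (unsigned long)find_module_base(ldr, "kernel32.dll"));
    return 0;
}
```

The name comparison is case-insensitive because the loader records the name with whatever case the image was loaded under; the assembly snippets would need the same walk over the real LDR_DATA_TABLE_ENTRY offsets and a UNICODE_STRING compare.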
mov ecx,[esp] ; Return address of call from CreateProcess
GetKrnlBaseLoop: ; Get Kernel32 module base address
xor edx,edx
dec ecx ; Scan backward
mov dx,[ecx+03ch] ; Take e_lfanew, the offset of the PE header
test dx,0f800h ; Is it a PE header ? (e_lfanew must be below 800h)
jnz GetKrnlBaseLoop ; No, forget about it
cmp ecx,[ecx+edx+34h] ; Compare current address with the address that PE should be loaded at (OptionalHeader.ImageBase)
jnz GetKrnlBaseLoop ; Different ? Search again
mov [KernelAdress+ebp],ecx ; ecx holds KernelBase... Store it
This doesn't work in x64 because the ImageBase is at 30h and it is a qword, so you will need to change this for x64:
cmp ecx,[ecx+edx+34h] ; Compare current adress with the address that PE should be loaded at
dacid,
the same but faster..
mov eax, [esp] ; Return address of call to CreateProcess
and eax, 0FFFF1000h ; the last four are zeros because
LoopAgain: ; Kernel32.dll is memory 64 aligned
mov edx, [eax+3Ch-1000h] ; the pointer (e_lfanew) is 32 bits by definition
sub eax, 1000h ; step down a page rather than dec eax!!!
cmp edx, 800h ; e_lfanew must be below 800h
jae LoopAgain
cmp eax, [eax+edx+34h] ; OptionalHeader.ImageBase == current page ?
jnz LoopAgain
This works on Vista SP2
assume fs:nothing
mov eax, fs:[18h] ; eax holds TIB
mov eax, dword ptr [eax+30h] ; eax holds linear address of PEB
mov eax, dword ptr [eax+0ch] ; PEB_LDR_DATA
mov eax, dword ptr [eax+1ch] ; InInitializationOrderModuleList.Flink
mov eax, dword ptr [eax] ; next entry
mov eax, dword ptr [eax+8] ; DllBase: eax holds kernel32 address
Quote from: lingo on August 22, 2008, 12:39:16 PM
dacid,
the same but faster..
mov eax, [esp] ; Return address of call to CreateProcess
and eax, 0FFFF1000h ; the last four are zeros because
LoopAgain: ; Kernel32.dll is memory 64 aligned
mov edx, [eax+3Ch-1000h] ; the pointer is 32 bits by definition
sub eax, 1000h ; rather than dec eax!!!
cmp edx, 800h
jae LoopAgain
cmp eax, [eax+edx+34h]
jnz LoopAgain
really good snippet, but I can't understand why "cmp edx, 800h", why 800h exactly ?
thanks
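On the 800h question: the bound in lingo's snippet (and dacid's test dx,0f800h, which is the same check bit-wise) is a sanity test on e_lfanew, the word at offset 3Ch of the DOS header. The PE header has to start within the first 2 KB of the image, and with e_lfanew below 800h the later read at e_lfanew+34h still lands inside the same page, so a page holding a large or random value at 3Ch is rejected before anything past it is touched. The added example below is not code from this thread; it runs the same per-page test over a constructed memory region (a fake PE32 header plus a decoy copy whose ImageBase field does not match its own address) so the effect of each check can be seen offline. The same checks are useful when validating a suspected PE header found in a memory dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The test the snippets apply to one page, mapped at virtual address 'va':
 * e_lfanew (word at 3Ch) must be below 800h, so the PE header lies in the
 * first 2 KB and every later read stays inside this same page, and the PE32
 * OptionalHeader.ImageBase (e_lfanew + 34h) must equal 'va'.
 * The 'MZ', 'PE\0\0' and PE32-magic checks are cheap extras the snippets skip. */
int looks_like_image_base(const uint8_t *page, size_t page_len, uint32_t va)
{
    if (page_len < 0x40 || page[0] != 'M' || page[1] != 'Z')
        return 0;
    uint16_t lfanew = rd16(page + 0x3C);
    if (lfanew >= 0x800 || (size_t)lfanew + 0x38 > page_len)
        return 0;
    const uint8_t *pe = page + lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return 0;
    if (rd16(pe + 0x18) != 0x10B)   /* PE32; PE32+ keeps ImageBase as a qword at 30h */
        return 0;
    return rd32(pe + 0x34) == va;
}

/* Page-by-page downward scan from 'start_va' (an address inside the image)
 * over a modelled range [mem_va, mem_va + mem_len). Returns 0 if no page
 * passes the test. */
uint32_t scan_back_for_base(const uint8_t *mem, size_t mem_len, uint32_t mem_va, uint32_t start_va)
{
    uint32_t va = start_va & ~(PAGE_SIZE - 1);
    while (va >= mem_va && va - mem_va < mem_len) {
        size_t off = va - mem_va;
        size_t avail = mem_len - off < PAGE_SIZE ? mem_len - off : PAGE_SIZE;
        if (looks_like_image_base(mem + off, avail, va))
            return va;
        if (va == mem_va)
            break;                /* bottom of the modelled range */
        va -= PAGE_SIZE;
    }
    return 0;
}

/* Constructed sample region (not a real kernel32 image): a PE32 header in
 * the first page and, two pages up, a stray copy of the same header whose
 * ImageBase does not match its own address. Only the ImageBase comparison
 * tells the two apart. */
#define SAMPLE_VA  0x76BB0000u
#define SAMPLE_LEN 0x4000u
static uint8_t sample_mem[SAMPLE_LEN];

static void put_header(uint8_t *p, uint32_t image_base)
{
    memset(p, 0, PAGE_SIZE);
    p[0] = 'M'; p[1] = 'Z';
    p[0x3C] = 0xE0;                                 /* e_lfanew = 0xE0 */
    memcpy(p + 0xE0, "PE\0\0", 4);
    p[0xE0 + 0x18] = 0x0B; p[0xE0 + 0x19] = 0x01;   /* OptionalHeader.Magic = 0x10B */
    for (int i = 0; i < 4; i++)                     /* little-endian ImageBase */
        p[0xE0 + 0x34 + i] = (uint8_t)(image_base >> (8 * i));
}

const uint8_t *sample_region(void)
{
    memset(sample_mem, 0, SAMPLE_LEN);
    put_header(sample_mem, SAMPLE_VA);
    put_header(sample_mem + 2 * PAGE_SIZE, 0x10000000u);  /* decoy at 76BB2000h */
    return sample_mem;
}

int main(void)
{
    const uint8_t *mem = sample_region();
    uint32_t base = scan_back_for_base(mem, SAMPLE_LEN, SAMPLE_VA, SAMPLE_VA + 0x3123);
    printf("image base found: %#lx\n", (unsigned long)base);
    return 0;
}
```

Starting at 76BB3123h the scan visits 76BB3000h (empty), 76BB2000h (valid-looking header, but ImageBase says 10000000h, so rejected), 76BB1000h (empty) and finally 76BB0000h, which passes every check. As dacid notes, a PE32+ image keeps ImageBase as a qword at 30h, so the 64-bit variant needs a different offset and width.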
Tell me, why does anyone need the kernel address under Windows Vista ?
Apart from writing a software protection scheme or something similar I'm having a hard time
seeing a legitimate use of such a function but I'm sure I'll be corrected by someone...
Quote from: NervGaz on December 02, 2009, 10:36:16 AM
Apart from writing a software protection scheme or something similar I'm having a hard time
seeing a legitimate use of such a function but I'm sure I'll be corrected by someone...
I can imagine that it's to write the ultimate virus which is to destroy human civilization - and perhaps the human species as well. This is a probably illegal, but absolutely legitimate and noble goal - mother Earth will be relieved a lot. TIA!
still the question ... why 800H exactly ?
any one can help ?
much nicer than what my guess was - lol
:red
tia
So does a 'no imports' PE work in Vista? The only reason I can see for not using GetModuleHandle as evlncrn8 said (18 months ago) is to have no imports at all.
I mean c'mon, a win32 program is sure to need win32 api calls which means imports.
TIA? She's a good friend of my sister. Used to go to primary school together.
Quote from: sinsi on December 03, 2009, 07:39:24 AM
So does a 'no imports' PE work in Vista? The only reason I can see for not using GetModuleHandle as evlncrn8 said (18 months ago) is to have no imports at all.
I mean c'mon, a win32 program is sure to need win32 api calls which means imports.
No. Do you need a "useful", non-artificial real-world example? Then see PE jdisasm.dll in http://ww.japheth.de/Download/pe.zip
:bg
> No. Do you need a "useful", non-artificial real-world example? Then see PE jdisasm.dll in http://ww.japheth.de/Download/pe.zip
How many AV scanners can it get past ?
japheth, what was 'no' in answer to?
@hutch + sinsi: I'm not going to answer your "questions".
Instead, a question from me: In Germany, if someone has lost a bet, but tries to avoid the payment by some belated sophistry, such a behavior is regarded as dishonorable. How is this regarded Down Under?
What on Earth are you on about?
"So does a 'no imports' PE work in Vista?" NO
"The only reason I can see for not using GetModuleHandle as evlncrn8 said (18 months ago) is to have no imports at all." NO
"I mean c'mon, a win32 program is sure to need win32 api calls which means imports." NO
:bg
It is much the same here in OZ but the problem that I raised about getting it past a virus scanner when it has no import table questions the viability of it being a real world app.
If it gets trashed by some crappy AV scanner it has ZERO viability as an application and a good way to do this is make it look like a virus to the AV idiots.
Quote: If it gets trashed by some crappy AV scanner it has ZERO viability as an application
i hope that isn't so
i would get a new scanner :P