kernel32 address under windows vista

[dexter]

how can I get kernel32 address under windows vista ?

Thanks,
Dexter

[lingo]

Code Select Expand


assume fs:nothing
mov     eax, fs:[30h]   ; PEB base
mov     eax, [eax+0Ch]  ; PEB_LDR_DATA
mov     eax, [eax+1Ch]
mov     eax, [eax]         
mov     eax, [eax+8]    ; Kernel32 Image Base
For me: eax=76BB0000h  :wink

[dexter]

still doesn't work under vista... :(

[lingo]

For me works!
and  eax=76BB0000h  under Vista64 Ultimate + SP1  :wink

[dexter]

Yes, but I'm looking for a solution under vista x86, any ideas?

Thanks,
Dexter

[evlncrn8]

well, the code there isn't exactly checking things, its functional sure, its working from the peb_ldr_data as mentioned
but the first entry may not be kernel32, infact in a lot of cases it'll be something else, so walk the table, (the structs
are public for it) and match the names.. basically the code is fine as skeleton code, you just need to flash it out...

however, why on earth would you want to do this when a simple GetModuleHandle("kernel32.dll") would do the job?

[dacid]

Code Select Expand


mov ecx,[esp]                        ; Return adress of call from CreateProcess

GetKrnlBaseLoop:                    ; Get Kernel32 module base adress

xor edx,edx
dec ecx                                 ; Scan backward
mov dx,[ecx+03ch]                 ; Take beginning of PE header
test dx,0f800h                       ; Is it a PE header ?
jnz GetKrnlBaseLoop                ; No, forget about it
cmp ecx,[ecx+edx+34h]          ; Compare current adress with the address that PE should be loaded at
jnz GetKrnlBaseLoop                ; Different ? Search again

mov [KernelAdress+ebp],ecx    ; ecx hold KernelBase... Store it



This doesnt work in x64 because the imagebase its in 30h and it is a qword so you will need to change this for x64:

cmp ecx,[ecx+edx+34h]          ; Compare current adress with the address that PE should be loaded at

[lingo]

dacid,
the same but faster..

Code Select Expand


mov eax, [esp] ; Return address of call to CreateProcess
and eax, 0FFFF1000h         ; the last four are zeros because
LoopAgain: ; Kernel32.dll is memory 64 aligned
  mov edx, [eax+3Ch-1000h]    ; the pointer is 32 bits by definition
sub eax, 1000h ; rather then dec eax!!!
cmp edx, 800h             
jae LoopAgain
  cmp eax, [eax+edx+34h]
jnz LoopAgain

[v01d]

This works on Vista SP2

Code Select Expand


assume fs:nothing
mov eax, fs:[18h] ; eax hold TIB
mov eax, dword ptr[eax+30h];eax holds linear address of PEB
mov eax, dword ptr[eax+0ch];PEB_LDR_DATA
mov eax, dword ptr[eax+1ch]
mov eax, dword ptr[eax]
mov eax, dword ptr[eax+8];eax holds kernel32 address


[pete2009]

dacid,
the same but faster..

Code Select Expand


mov eax, [esp] ; Return address of call to CreateProcess
and eax, 0FFFF1000h         ; the last four are zeros because
LoopAgain: ; Kernel32.dll is memory 64 aligned
  mov edx, [eax+3Ch-1000h]    ; the pointer is 32 bits by definition
sub eax, 1000h ; rather then dec eax!!!
cmp edx, 800h             
jae LoopAgain
  cmp eax, [eax+edx+34h]
jnz LoopAgain

really good snippet, but I can't understand why "cmp edx, 800h " , why 800H exactly ?

thanks

[hutch--]

Tell me, why does anyone need the kernel address under Windows Vista ?

[NervGaz]

Apart from writing a software protection scheme or something similar I'm having a hard time
seeing a legitimate use of such a function but I'm sure I'll be corrected by someone...

[japheth]

Apart from writing a software protection scheme or something similar I'm having a hard time
seeing a legitimate use of such a function but I'm sure I'll be corrected by someone...

I can imagine that it's to write the ultimate virus which is to destroy human civilization - and perhaps the human species as well. This is a probably illegal, but absolutely legitimate and noble goal - mother Earth will be relieved a lot. TIA!

[pete2009]

still the question ... why 800H exactly ?
any one can help ?

[dedndave]

TIA!

tia ????