flat assembler
Message board for the users of flat assembler.

Printing FullDllName from PEB

watdapho



Joined: 17 Jan 2014
Posts: 5
Hey guys, I'm trying to print out the FullDllName from the Process Environment Block (PEB). What am I doing wrong in the code below? I'm using Windows 7 x64.

Code:
format PE console
entry main
include 'macro/import32.inc'
include 'win32ax.inc'

section '.data' data readable writeable
  p db 'pause',0
  s db 'L"%s"',0

section '.code' code readable executable
main:
        push ebp
        mov ebp,esp
        mov eax,[fs:0x30]       ;store PEB
        mov eax,[eax+0x0c]      ;store PPEB_LDR_DATA
        mov esi,[eax+0x1c]      ; store InInitializationOrderModuleList
        lodsd                   ; load flink into EAX
        lea edx,[eax+0x28]      ;load fullDllName address
        ;print fullDllname
        push edx
        push s
        call [wprintf]
        add esp,8
        push p
        call [system]
        add esp,4
        mov esp,ebp
        pop ebp
        push 0
        call [exit]

section '.idata' import data readable writeable
  library msvcrt,'msvcrt'
  import msvcrt,\
         wprintf,'wprintf',\
         system,'system',\
         exit,'exit'
Edit by revolution: Added code tags
Post 30 Apr 2017, 07:44
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15860
Location: 162173 Ryugu
watdapho wrote:
What am I doing wrong in the code below?
You are using undocumented offsets into undocumented data structures. The reason they are not documented is so that MS can change them when required without having to inform the public of the change. Different OSes will use different versions of the structures, or even completely different structures.

BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.
Post 30 Apr 2017, 08:03
watdapho



Joined: 17 Jan 2014
Posts: 5
Quote:

BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.


I'm trying to print any random DLL name.

Quote:

You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.


Thanks for the suggestion, I will keep this in mind for future use. However, I'm experimenting with the PEB.

If anyone can post working FASM code using a similar method to mine (accessing PEB->PPEB_LDR_DATA->Ininit.flink and using wprintf to output FullDllName) it would be much appreciated! I've attempted it many times myself but have failed, so I'm resorting to your help, guys! Thank you.
Post 30 Apr 2017, 16:40
samlaren



Joined: 19 Dec 2016
Posts: 5
You cannot print a PUNICODE_STRING with wprintf. In LDR_DATA_TABLE_ENTRY, the FullDllName is a UNICODE_STRING. You should use printf with "%wZ" to print out PUNICODE_STRINGs.
Example of getting the kernel32.dll base and printing out its name:
Code:
; assumes, elsewhere in the program:  uni db '%wZ',0   and   KernelBase dd ?
mov ebx, [FS:0x30]      ; Get PEB of program
mov ebx, [ebx + 0x0C]   ; Get PPEB_LDR_DATA
mov ebx, [ebx + 0x14]   ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ebx]          ; 2nd entry
mov ebx, [ebx]          ; 3rd entry (kernel32.dll)
pushad
lea ebx, [ebx + 0x24]   ; ebx points at InMemoryOrderLinks (entry+0x08), so this is the
                        ; BaseDllName UNICODE_STRING (entry+0x2C); FullDllName would be [ebx + 0x1C]
cinvoke printf, uni, ebx
popad
mov ebx, [ebx + 0x10]   ; Get DllBase (entry+0x18)
mov [KernelBase], ebx

If you want to check for other modules, just walk the InMemoryOrderModuleList.
Post 23 May 2017, 16:00
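A complete FASM program, added here as an example and not written by any of the posters, that does what the thread asks for: it walks PEB->Ldr->InMemoryOrderModuleList, prints each module's DllBase and FullDllName through printf's %wZ, and stops when the circular list comes back to its head. It assumes a 32-bit PE (fs:[0x30] is the 32-bit PEB, also under WOW64) and the 32-bit LDR_DATA_TABLE_ENTRY layout given in the comments; as revolution points out, those offsets are undocumented and version-specific. The labels fmt and pausecmd are my own names.

```asm
format PE console
entry main
include 'win32ax.inc'

section '.data' data readable writeable
  fmt      db '%08X  %wZ',13,10,0   ; %wZ takes a pointer to a UNICODE_STRING
  pausecmd db 'pause',0

section '.code' code readable executable
main:
        mov     ebx,[fs:0x30]          ; PEB (a 32-bit PE sees the 32-bit PEB, also under WOW64)
        mov     ebx,[ebx+0x0C]         ; PEB->Ldr (PEB_LDR_DATA)
        lea     esi,[ebx+0x14]         ; &Ldr->InMemoryOrderModuleList, the list head
        mov     ebx,[esi]              ; Flink -> InMemoryOrderLinks of the first module
.walk:
        cmp     ebx,esi                ; the list is circular: back at the head means done
        je      .done
        ; ebx = &entry.InMemoryOrderLinks = entry+0x08 (32-bit LDR_DATA_TABLE_ENTRY), so:
        ;   DllBase     (entry+0x18) is [ebx+0x10]
        ;   FullDllName (entry+0x24) is at ebx+0x1C: a UNICODE_STRING (Length, MaximumLength, Buffer)
        ; Buffer is not guaranteed to be NUL-terminated, so hand the whole struct to %wZ,
        ; not Buffer to %s.
        mov     ecx,[ebx+0x10]
        lea     edx,[ebx+0x1C]
        cinvoke printf,fmt,ecx,edx     ; printf preserves ebx and esi (cdecl callee-saved)
        mov     ebx,[ebx]              ; Flink -> next module
        jmp     .walk
.done:
        cinvoke system,pausecmd
        cinvoke exit,0

section '.idata' import data readable writeable
  library msvcrt,'msvcrt.dll'
  import  msvcrt,\
          printf,'printf',\
          system,'system',\
          exit,'exit'
```

The first line printed is the executable itself, followed by ntdll.dll and kernel32.dll, which is why samlaren's snippet takes the third entry for kernel32.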
Copyright © 2004-2018, Tomasz Grysztar.