flat assembler
Message board for the users of flat assembler.

watdapho



Joined: 17 Jan 2014
Posts: 5
Printing FullDllName from PEB
Hey guys, I'm trying to print out the FullDllName from the Process Environment Block (PEB). What am I doing wrong in the code below? I'm using Windows 7 x64.

-----------------------------------------------------

Code:
format PE console
entry main

include 'macro/import32.inc'
include 'win32ax.inc'

section '.data' data readable writeable
p db 'pause',0
s db 'L"%s"',0

section '.code' code readable executable
main:
        push ebp
        mov ebp,esp

        mov eax,[fs:0x30]       ; store PEB
        mov eax,[eax+0x0c]      ; store PPEB_LDR_DATA
        mov esi,[eax+0x1c]      ; store InInitializationOrderModuleList
        lodsd                   ; load flink into EAX
        lea edx,[eax+0x28]      ; load fullDllName address

        ;print fullDllname
        push edx 
        push s
        call [wprintf]
        add esp,8

        push p
        call [system]
        add esp,4

        mov esp,ebp
        pop ebp

        push 0
        call [exit]

section '.idata' import data readable writeable
library msvcrt,'msvcrt'

import msvcrt,\
wprintf,'wprintf',\
system,'system',\
exit,'exit'

Edit by revolution: Added code tags
Post 30 Apr 2017, 07:44
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15158
Location: GW170817
Re: Printing FullDllName from PEB

watdapho wrote:
What am I doing wrong in the code below?

You are using undocumented offsets into undocumented data structures. The reason they are not documented is so that MS can change them when required without having to inform the public of the change. Different OSes will use different versions of the structures, or even completely different structures.

BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.
Post 30 Apr 2017, 08:03
watdapho



Joined: 17 Jan 2014
Posts: 5
Re: Printing FullDllName from PEB

Quote:
BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

I'm trying to print any random DLL name.

Quote:
You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.

Thanks for the suggestion, I will keep this in mind for future use. However I'm experimenting with the PEB.

If anyone can post working FASM code using a similar method to mine (accessing PEB->PPEB_LDR_DATA->Ininit.flink and using wprintf to output fulldllname) it would be much appreciated! I've attempted it many times myself but have failed, so I'm resorting to your help, guys! Thank you.
Post 30 Apr 2017, 16:40
samlaren



Joined: 19 Dec 2016
Posts: 5
You cannot print a PUNICODE_STRING with wprintf. In LDR_DATA_TABLE_ENTRY, the FullDllName is a UNICODE_STRING. You should use printf with "%wZ" to print out PUNICODE_STRING's.
Example of getting the kernel32.dll base address and printing its name:

Code:
        mov     ebx, [FS:0x30]        ; Get PEB of program
        mov     ebx, [ebx + 0x0C]     ; Get PPEB_LDR_DATA
        mov     ebx, [ebx + 0x14]     ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
        mov     ebx, [ebx]            ; 2nd entry
        mov     ebx, [ebx]            ; 3rd entry    (kernel32.dll)
        pushad
        lea     ebx, [ebx + 0x24]     ; UNICODE_STRING holding the module name (BaseDllName, 0x2C in the entry minus the 0x08 InMemoryOrderLinks offset)
        cinvoke printf, uni, ebx      ; uni db '%wZ',0 in the data section; %wZ takes a PUNICODE_STRING
        popad
        mov     ebx, [ebx + 0x10]     ; Get DllBase
        mov     [KernelBase], ebx     ; KernelBase dd ? in the data section


If you want to check for other modules, just walk the InMemoryOrderModuleList.
Post 23 May 2017, 16:00
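An added example (not from the thread or from the FASM project) that models in C what the posts index by hand: a constructed 32-bit PEB_LDR_DATA image is walked through InMemoryOrderModuleList and each FullDllName is read as a UNICODE_STRING (Length in bytes, Buffer not necessarily NUL-terminated), which is why handing its address to wprintf's %s cannot work. The field offsets are the commonly cited 32-bit ones and, as revolution notes, undocumented; the whole memory image, the addresses and the module names are constructed here rather than read from a live process.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit "process memory": a 32-bit address is an offset into mem. */
static uint8_t mem[2048];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static uint16_t rd16(uint32_t a) { uint16_t v; memcpy(&v, mem + a, 2); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }
static void wr16(uint32_t a, uint16_t v) { memcpy(mem + a, &v, 2); }

/* 32-bit offsets used in the thread (undocumented layout, so an assumption):
 * PEB_LDR_DATA.InMemoryOrderModuleList; LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks,
 * .DllBase and .FullDllName. */
enum { LDR_INMEM = 0x14, E_INMEM = 0x08, E_BASE = 0x18, E_FULL = 0x24 };

/* UNICODE_STRING = {USHORT Length (bytes), USHORT MaximumLength, PWSTR Buffer}: a
 * struct, not a wchar_t*, and Buffer need not be NUL-terminated, so copy exactly
 * Length/2 characters (names here are ASCII, so each UTF-16 unit narrows to one char). */
static void ustr_to_ascii(uint32_t us, char *out, size_t cap) {
    size_t n = rd16(us) / 2; uint32_t buf = rd32(us + 4);
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)rd16(buf + 2 * i);
    out[n] = '\0';
}

/* Walk InMemoryOrderModuleList. Each Flink points at the next entry's link field,
 * not at the entry itself, so subtract E_INMEM before applying field offsets. */
static int walk_modules(uint32_t ldr, char names[][64], uint32_t *bases, int max) {
    uint32_t head = ldr + LDR_INMEM, link = rd32(head);
    int n = 0;
    for (; link != head && n < max; link = rd32(link), n++) {
        uint32_t entry = link - E_INMEM;
        bases[n] = rd32(entry + E_BASE);
        ustr_to_ascii(entry + E_FULL, names[n], 64);
    }
    return n;
}

/* Constructed image: PEB_LDR_DATA at 0x100, entries at 0x200/0x300, UTF-16LE names at 0x400+. */
static void put_ustr(uint32_t us, uint32_t buf, const char *s) {
    uint16_t len = (uint16_t)(2 * strlen(s));
    for (size_t i = 0; s[i]; i++) wr16(buf + 2 * i, (uint8_t)s[i]);
    wr16(us, len); wr16(us + 2, len + 2); wr32(us + 4, buf);
}
static void build_image(void) {
    uint32_t head = 0x100 + LDR_INMEM, a = 0x200, b = 0x300;
    wr32(head, a + E_INMEM); wr32(a + E_INMEM, b + E_INMEM); wr32(b + E_INMEM, head);
    wr32(a + E_BASE, 0x00400000); put_ustr(a + E_FULL, 0x400, "C:\\test.exe");
    wr32(b + E_BASE, 0x77000000); put_ustr(b + E_FULL, 0x440, "C:\\Windows\\System32\\kernel32.dll");
}
/* Entry point for the reader/tests: builds the image, returns the module count, fills the globals. */
static char g_names[4][64]; static uint32_t g_bases[4];
static int run_demo(void) { build_image(); return walk_modules(0x100, g_names, g_bases, 4); }
```

For InInitializationOrderModuleList, as in the first post, the link field sits at 0x10 in the entry, so the subtraction and the resulting FullDllName distance from the link differ from the InMemoryOrder case.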