flat assembler
Message board for the users of flat assembler.

problem with C++ code

david77
Joined: 25 Jul 2010
Posts: 3
I have written some C++ code to determine the unmodified address of a function in the specified dll using the Windows API functions LoadLibraryEx and GetProcAddress. Here is the code:
Code:
//get raw address of procedure in specified dll

#include "stdafx.h"   // MSVC precompiled header; drop this line when building without one

#include <iostream>
#include <windows.h>
using namespace std;

int main(int argc, char **argv)
{
    if (argc < 3)
    {
        cout << "GetOriginalAddress dll procedure\n";
        return 1;
    }
    // Map the image without running DllMain or resolving its imports;
    // the loader still picks whatever base address is free.
    HMODULE hModule = LoadLibraryExA(argv[1], 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL);
    if (hModule == NULL)
    {
        cout << "Error: no such dll\n";
        return 1;
    }
    PROC proc = GetProcAddress(hModule, argv[2]);
    if (proc == NULL)
    {
        cout << "Error: no such procedure\n";
        return 1;
    }
    cout << "Module handle: " << hModule << "\n";
    // Cast the function pointer to void* so every compiler prints the address, not a bool
    cout << "Procedure address: " << reinterpret_cast<void*>(proc) << "\n";
    return 0;
}

When I run the program on kernel32.dll and such it gives good answers. But on ntoskrnl.exe the output values sometimes change. Here is an example:
Code:
C:\***\GetOriginalAddress ntoskrnl.exe ZwClose
Module handle: 00870000
Procedure address: 008C53A0
C:\***\GetOriginalAddress ntoskrnl.exe ZwClose
Module handle: 00860000
Procedure address: 008B53A0
I would like this to work as it is much simpler than manually analyzing the PE file and I can easily convert it to fasm, but it has this problem. What is causing this problem and how do I fix it?
Post 26 Jul 2010, 00:58
DOS386
Joined: 08 Dec 2006
Posts: 1901
david77 wrote:
ntoskrnl.exe the output values sometimes change. Here is an example:
Code:
C:\***\GetOriginalAddress ntoskrnl.exe ZwClose
Module handle: 00870000
Procedure address: 008C53A0
C:\***\GetOriginalAddress ntoskrnl.exe ZwClose
Module handle: 00860000
Procedure address: 008B53A0

I would like this to work as it is much simpler than manually analyzing the PE file and I can easily convert it to fasm, but it has this problem. What is causing this problem

Most likely the fact that NTOSKRNL.EXE has fixups but no fixed base address :)

Quote:
and how do I fix it?

Find it in memory.
Post 26 Jul 2010, 01:28
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17349
Location: In your JS exploiting you and your system
david77: It would help if you told us what you want to do with the result.

The result you get now is correct for each instance of the program. You always only get the current address in memory of the DLL/EXE file. And that value changes each time you use LoadLibrary. So you can never expect to get a fixed address and use that same value in a future instance. You have to use the result value at the time that it is obtained. It won't be valid across separate instantiations.
Post 26 Jul 2010, 08:19
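The load-independent value behind both answers above (DOS386's "fixups but no fixed base address" and revolution's "correct for each instance") is the export's RVA together with the preferred ImageBase from the file's optional header, which is what "manually analyzing the PE file" amounts to. The following is an added example, not code from the thread: a small export-table reader run on a constructed miniature PE32 image (an assumed stand-in, not a real ntoskrnl.exe) whose ZwClose RVA is set to the delta seen in the two runs quoted above.

```python
import struct

def rva_to_offset(data, rva):
    """Map an RVA to a file offset via the section table (offsets per the PE spec)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew -> "PE\0\0"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize): return raw + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def export_rva(data, name):
    """Return (ImageBase, RVA) of a named export, read from the file rather than from a loaded copy."""
    u = lambda fmt, off: struct.unpack_from(fmt, data, off)
    pe = u("<I", 0x3C)[0]
    magic = u("<H", pe + 24)[0]
    if magic == 0x10B:      # PE32: ImageBase at opt+28 (4 bytes), data directories at opt+96
        image_base, dd = u("<I", pe + 52)[0], pe + 24 + 96
    elif magic == 0x20B:    # PE32+: ImageBase at opt+24 (8 bytes), data directories at opt+112
        image_base, dd = u("<Q", pe + 48)[0], pe + 24 + 112
    else: raise ValueError("not a PE32/PE32+ image")
    exp = rva_to_offset(data, u("<I", dd)[0])                       # data directory 0 = export table
    nnames, funcs, names, ords = u("<IIII", exp + 24)               # IMAGE_EXPORT_DIRECTORY fields
    for i in range(nnames):
        name_off = rva_to_offset(data, u("<I", rva_to_offset(data, names) + 4 * i)[0])
        if data[name_off:data.index(b"\0", name_off)] == name:
            idx = u("<H", rva_to_offset(data, ords) + 2 * i)[0]       # unbiased ordinal = index into AddressOfFunctions
            return image_base, u("<I", rva_to_offset(data, funcs) + 4 * idx)[0]
    raise KeyError(name)

def build_sample_pe():
    """Constructed minimal PE32 exporting ZwClose and ZwOpenKey: a stand-in for this example, not a real ntoskrnl.exe."""
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 2, 2, 0x1028, 0x1030, 0x1038)   # IMAGE_EXPORT_DIRECTORY
    edata += struct.pack("<II", 0x553A0, 0x44120)   # AddressOfFunctions; 0x553A0 is the delta seen in the thread's two runs
    edata += struct.pack("<II", 0x1040, 0x1048)                     # AddressOfNames
    edata += struct.pack("<HHI", 0, 1, 0)                           # AddressOfNameOrdinals + padding
    edata += b"ZwClose\0ZwOpenKey\0"
    img, pe = bytearray(0x400), 0x40                                # 0x200 of headers, then one 0x200 section
    img[:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)                           # e_lfanew
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x2102)     # COFF header, 1 section
    struct.pack_into("<H", img, pe + 24, 0x10B)                                    # PE32 magic
    struct.pack_into("<III", img, pe + 52, 0x00400000, 0x1000, 0x200)              # ImageBase, Section/FileAlignment
    struct.pack_into("<III", img, pe + 24 + 92, 16, 0x1000, len(edata))            # NumberOfRvaAndSizes, export dir
    struct.pack_into("<8sIIII", img, pe + 248, b".edata", len(edata), 0x1000, 0x200, 0x200)  # section header
    img[0x200:0x200 + len(edata)] = edata
    return bytes(img)
```

ImageBase + RVA is the address the loader would use only when no relocation happens; the RVA by itself is the part that stays the same between the two runs quoted above (0x008C53A0 - 0x00870000 and 0x008B53A0 - 0x00860000 are both 0x553A0).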
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
ASLR, perhaps?
Post 26 Jul 2010, 13:43
DOS386
Joined: 08 Dec 2006
Posts: 1901
revolution wrote:
It would help if you told us what you want to do with the result.

Most likely write a virus, but no problem at all; the question "Do you intend to develop virii" is asked at registration to the forum of King Hutch only, not here :)
Post 27 Jul 2010, 01:13
Copyright © 1999-2020, Tomasz Grysztar.