flat assembler
Message board for the users of flat assembler.

Getting Kernel Base and GetProcAddress

Nameless
Joined: 30 Apr 2010
Posts: 95
I found this code, I'm trying to study it. But the thing is it works on XP SP2 only! No Vista or 7, I can't see why?? Any help?


Attachment: kernel_base.ASM (2.91 KB, downloaded 149 times)

Post 15 Sep 2010, 23:09
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
Your code relies on undocumented behaviour. So you should expect it to break whenever MS release a new patch or version.
Post 16 Sep 2010, 00:20
Alphonso
Joined: 16 Jan 2007
Posts: 294
Post 16 Sep 2010, 03:08
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Where does it fail? I assume you have traced the code with a debugger? (OK, actually no, I don't - I expect that you expect us to do it for you).
Post 22 Sep 2010, 20:59
Nameless
Joined: 30 Apr 2010
Posts: 95
lol, I'm still brand new to this world.
I don't even know how to use a debugger or hex-editor.

Still reading about coding, next stage is debugging, then hex-editors, then taking over the world. Wanna join? I'll offer you total health insurance and a chair next to the window in my castle???
Post 22 Sep 2010, 21:23
bitRAKE
Joined: 21 Jul 2003
Posts: 3043
Location: vpcmipstrm
Nameless wrote:
Still reading about coding, next stage is debugging, then hex-editors, then taking over the world. Wanna join? I'll offer you total health insurance and a chair next to the window in my castle???
I'm in and you can keep the window seat.

_________________
¯\(°_o)/¯ unlicense.org
Post 23 Sep 2010, 02:29
ziral2088
Joined: 16 Aug 2009
Posts: 15
Location: Ukraine
Code:
;Get base of ntdll into register.
macro GetBaseOfNtdllInto.x64 reg
{
    mov  reg , [gs:dword 30h]                                    ;TEB
    mov  reg , [reg + 60h]                                       ;PEB
    mov  reg , [reg + 24]                                        ;PEB->Ldr
    mov  reg , [reg + 32]                                        ;first module(InMemoryOrder module list)
    mov  reg , [reg]                                             ;assume that ntdll will be second in module list.
    mov  reg , [reg + 32]                                        ;LDR_MODULE64.BaseAddress
}

macro GetBaseOfNtdllInto.x86 reg
{
    mov  reg , [fs:dword 18h]                                    ;TEB
    mov  reg , [reg + 30h]                                       ;PEB
    mov  reg , [reg + 0Ch]                                       ;PEB->Ldr
    mov  reg , [reg + 20]                                        ;first module(InMemoryOrder module list)
    mov  reg , [reg]                                             ;assume that ntdll will be second in module list.
    mov  reg , [reg + 16]                                        ;LDR_MODULE.BaseAddress
}


After that you need to use LdrGetDllHandle\LdrLoadDll to get the base of kernel32.dll.
That's the only documented method I know.
Works fine on XP-Win7 x86-x64.
Post 24 Sep 2010, 06:10
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
Windows has the fully documented LoadLibrary and GetProcAddress functions. Works on ALL versions of Windows. Problem solved.

No need for all this undocumented, pray it works, hope MS don't change anything, stuff.
Post 24 Sep 2010, 06:50
Nameless
Joined: 30 Apr 2010
Posts: 95
Where is the fun in LoadLibrary and GetProcAddress???
Normal APIs that can be used in any high level language, so why bother and go low level asm if I'm gonna do the same thing???!!!!!!!!
Post 24 Sep 2010, 11:54
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Nameless wrote:
Where is the fun in LoadLibrary and GetProcAddress???
Normal APIs that can be used in any high level language, so why bother and go low level asm if I'm gonna do the same thing???!!!!!!!!
Because it sucks when software suddenly starts crashing for no good reason. Unless you're writing malware (and thus deserve a hard kick in the nuts), you shouldn't use these methods.

It's fun poking around in the system for sure, just don't rely on undocumented stuff in released software.

_________________
carpe noctem
Post 24 Sep 2010, 12:55
ziral2088
Joined: 16 Aug 2009
Posts: 15
Location: Ukraine
LdrLoadDll and LdrGetDllHandle are not undocumented stuff. Microsoft uses them.
If you want to write a native application you will use only the native API.
Post 24 Sep 2010, 18:10
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
ziral2088 wrote:
LdrLoadDll and LdrGetDllHandle are not undocumented stuff. Microsoft uses them.
If you want to write a native application you will use only the native API.
They're not officially documented - just because you get google results for something doesn't mean it's not undocumented.

Besides, I was referring to the "reading from magic memory locations" part of your code.

_________________
carpe noctem
Post 25 Sep 2010, 13:14
Nameless
Joined: 30 Apr 2010
Posts: 95
@f0dder: I'm just having fun, I'm not coding anything for real yet, trying to learn as much as possible first.

@ziral2088: I like that example, I'm going nerd-shit on it right now to understand it.
Can you just tell me what this line means?
Code:
mov  reg , [gs:dword 30h]
; or even
mov  reg , [fs:dword 18h]
; any of them will be fine, just to know what's going on here


I don't know what gs is, nor what operation this is supposed to be.
No super duper n00b style commenting???
Post 25 Sep 2010, 13:15
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
Nameless: fs is the fifth segment register, and gs the sixth. The AMD or Intel manuals will show you this. In some versions of Windows the fs segment is set to point to some process specific buffers. And the reason you have no idea what is happening is because these are not officially documented anywhere.
Post 25 Sep 2010, 13:22
baldr
Joined: 19 Mar 2008
Posts: 1651
revolution,

Exactly those are well-documented, they're .Self fields of NT_TIB32/NT_TIB64. Yes, I'm nit-picking — I'm against this undocumented stuff too (it's useful in hacking, not in production codebase). And there was an error already: NT_TIB64.Self is 64-bit, as one may expect.
Post 25 Sep 2010, 13:50
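To make the two points above concrete, here is an added example that is not code from the thread or from any poster: a 32-bit fasm console program that resolves a kernel32 export the documented way revolution recommends (GetModuleHandle + GetProcAddress), and then checks baldr's point at runtime, that fs:[18h] is the NT_TIB.Self field declared in winnt.h, by reading Self once through the segment and once through the flat address it yields. The program assumes fasm's bundled win32a.inc, a 32-bit Windows process, msvcrt's printf for output, and GetTickCount as an arbitrary export to resolve; all data label names are my own.

```asm
; Added example (not from the thread). Assumes fasm with win32a.inc, 32-bit Windows.
format PE console 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  kernel32_name db 'kernel32.dll',0
  tick_name     db 'GetTickCount',0                 ; arbitrary export to resolve (assumption)
  fmt_base      db 'kernel32 base (GetModuleHandle): %08X',13,10,0
  fmt_proc      db 'GetTickCount (GetProcAddress):   %08X',13,10,0
  fmt_tick      db 'GetTickCount() returned:         %u',13,10,0
  fmt_self_ok   db 'fs:[18h] = %08X and [%08X+18h] = %08X: NT_TIB.Self points at the TIB itself',13,10,0
  fmt_self_bad  db 'fs:[18h] = %08X but [%08X+18h] = %08X: TIB layout assumption does not hold here',13,10,0
  fmt_fail      db 'documented lookup failed, GetLastError = %u',13,10,0

section '.text' code readable executable

start:
        ; 1. Documented path. kernel32.dll is already mapped into every Win32
        ;    process, so GetModuleHandle returns its base without loading anything,
        ;    and the result does not depend on the order of any loader list.
        invoke  GetModuleHandle, kernel32_name
        test    eax, eax
        jz      .fail
        mov     esi, eax                           ; esi = kernel32 base
        cinvoke printf, fmt_base, esi

        ;    GetProcAddress resolves the export by name: no hand parsing of the
        ;    export directory, and the call is stable across Windows versions.
        invoke  GetProcAddress, esi, tick_name
        test    eax, eax
        jz      .fail
        mov     edi, eax                           ; edi = address of GetTickCount
        cinvoke printf, fmt_proc, edi

        call    edi                                ; GetTickCount takes no arguments (stdcall)
        cinvoke printf, fmt_tick, eax

        ; 2. baldr's point: fs:[18h] is NT_TIB.Self (winnt.h), the flat address of
        ;    the TIB. Reading the Self field again through that flat address must
        ;    give the same value; a mismatch means the layout assumption is broken
        ;    on this system, which is the check to make before relying on offsets.
        mov     eax, [fs:18h]                      ; NT_TIB.Self via the segment
        mov     ebx, [eax+18h]                     ; NT_TIB.Self via the flat address
        cmp     eax, ebx
        jne     .self_mismatch
        cinvoke printf, fmt_self_ok, eax, eax, ebx
        jmp     .done
.self_mismatch:
        cinvoke printf, fmt_self_bad, eax, eax, ebx
        jmp     .done

.fail:
        invoke  GetLastError
        cinvoke printf, fmt_fail, eax
.done:
        invoke  ExitProcess, 0

section '.idata' import data readable writeable

  library kernel32, 'KERNEL32.DLL', \
          msvcrt,   'MSVCRT.DLL'

  import  kernel32, \
          GetModuleHandle, 'GetModuleHandleA', \
          GetProcAddress,  'GetProcAddress', \
          GetLastError,    'GetLastError', \
          ExitProcess,     'ExitProcess'

  import  msvcrt, \
          printf, 'printf'
```

Assemble with `fasm` and run on a 32-bit Windows process. The first block is the whole of what production code needs; the second block shows the shape of check f0dder is asking for: when a value comes from an undocumented or implementation-defined location, compare it against something documented at runtime and fail loudly on disagreement instead of dereferencing it and crashing later.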
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
baldr: take heed of the word officially in revolution's post. Yes, there's plenty of well-documented info, but it's not official from Microsoft, so we have no Code Contract, no guarantee it won't suddenly change on some new OS or even a service pack. Unlikely to happen? Yes. Guarantees it won't? No.

(I know you know this, so the comment is really directed at other people who're following the thread, not you.)
Post 25 Sep 2010, 15:26
Nameless
Joined: 30 Apr 2010
Posts: 95

revolution,

I searched the 5 manuals for this and I couldn't find it. Can you tell me which one exactly I should look in, or a keyword I should look for?
None says what gs holds (maybe I was searching wrong).

ty,
Post 25 Sep 2010, 16:38
baldr
Joined: 19 Mar 2008
Posts: 1651
f0dder,

Does WinNT.H from MS VS 2008 qualify as "officially documented"? Windows Research Kernel probably doesn't.

----8<----
Nameless,

Intel manuals won't tell you this, it's Microsoft-specific. x86-64 Windows uses gs to hold the selector for the segment containing the TEB of the current thread (in user mode; in kernel mode it contains the KPCR).
Post 25 Sep 2010, 17:53
Nameless
Joined: 30 Apr 2010
Posts: 95
OK, and how did you find that out? What document do I need to know these things?
Post 25 Sep 2010, 18:22
baldr
Joined: 19 Mar 2008
Posts: 1651
Nameless,

Can't remember that. Probably some weird mix of Google, IDA disassembly of various Windows x86-64 .DLLs and "* Internals" books.

Do you really need to know this kind of thing right now?
Post 25 Sep 2010, 18:36
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.