Index
> Windows > Getting Kernel Base and GetProcAddressGoto page 1, 2 Next |
| Author |
|
|
Nameless 15 Sep 2010, 23:09
i found this code, im trying to study it. but the thing is it works on xp sp2 only ! no vista or 7, i cant see y?? any help?
|
|||||||||||
15 Sep 2010, 23:09 |
|
|
revolution 16 Sep 2010, 00:20
Your code relies on undocumented behaviour. So you should expect it to break whenever MS release a new patch or version.
|
|||
|
16 Sep 2010, 00:20 |
|
|
Alphonso 16 Sep 2010, 03:08
Does this help. http://board.flatassembler.net/topic.php?p=103427#103427
|
|||
|
16 Sep 2010, 03:08 |
|
|
f0dder 22 Sep 2010, 20:59
Where does it fail? I assume you have traced the code with a debugger? (OK, actually no, I don't - I expect that you expect us to do it for you
 ). |
|||
|
22 Sep 2010, 20:59 |
|
|
bitRAKE 23 Sep 2010, 02:29
Nameless wrote: still reading about coding, next stage is debugging, then hex-editors, then taking over the world, wanna join? ill offer you total health insurance and a chair next to the window in my castle??? |
|||
|
23 Sep 2010, 02:29 |
|
|
ziral2088 24 Sep 2010, 06:10
Code: ;Get base of ntdll into register. macro GetBaseOfNtdllInto.x64 reg { mov reg , [gs:dword 30h] ;TEB mov reg , [reg + 60h] ;PEB mov reg , [reg + 24] ;PEB->Ldr mov reg , [reg + 32] ;first module(InMemoryOrder module list) mov reg , [reg] ;assume that ntdll will be second in module list. mov reg , [reg + 32] ;LDR_MODULE64.BaseAddress } macro GetBaseOfNtdllInto.x86 reg { mov reg , [fs:dword 18h] ;TEB mov reg , [reg + 30h] ;PEB mov reg , [reg + 0Ch] ;PEB->Ldr mov reg , [reg + 20] ;first module(InMemoryOrder module list) mov reg , [reg] ;assume that ntdll will be second in module list. mov reg , [reg + 16] ;LDR_MODULE.BaseAddress } After that u need to use LdrGetDllHandle\LdrLoadDll to get base of kernel32.dll. Thats the only document method i know. Works fine on XP-Win7 x86-x64. |
|||
|
24 Sep 2010, 06:10 |
|
|
revolution 24 Sep 2010, 06:50
Windows has the fully documented LoadLibrary and GetProcAddress functions. Works on ALL versions of Windows. Problem solved.
No need for all this undocumented, pray it works, hope MS don't change anything, stuff  |
|||
|
24 Sep 2010, 06:50 |
|
|
Nameless 24 Sep 2010, 11:54
where is the fun in LoadLibrary and GetProcAddress???
normal APIs that can be used in any high level language, so y bother and go low level asm if im gonna do the same thing ???!!!!!!!! |
|||
|
24 Sep 2010, 11:54 |
|
|
f0dder 24 Sep 2010, 12:55
Nameless wrote: where is the fun in LoadLibrary and GetProcAddress??? It's fun poking around in the system for sure, just don't rely on undocumented stuff in released software. _________________  - carpe noctem |
|||
|
24 Sep 2010, 12:55 |
|
|
ziral2088 24 Sep 2010, 18:10
LdrLoadDll and LdrGetDllHandle are not an undocumented stuff. Microsoft uses them.
If u want to write native application u will use only native API. |
|||
|
24 Sep 2010, 18:10 |
|
|
f0dder 25 Sep 2010, 13:14
ziral2088 wrote: LdrLoadDll and LdrGetDllHandle are not an undocumented stuff. Microsoft uses them. Besides, I was referring to the "reading from magic memory locations" part of your code. _________________ - carpe noctem |
|||
|
25 Sep 2010, 13:14 |
|
|
Nameless 25 Sep 2010, 13:15
@f0dder: im just having fun, im not coding anything for real yet, trying to learn as much as possible first
@ziral2088: i like that example, im going nerd-shit on it right now to understand it 
can u just tell me what this line mean? Code: mov reg , [gs:dword 30h] ; or even mov reg , [fs:dword 18h] ; any of them will be fine, just to know whats going on here i dunno what gs is, neither what operation is this supposed to be no super duper n00b style commenting ??? |
|||
|
25 Sep 2010, 13:15 |
|
|
revolution 25 Sep 2010, 13:22
Nameless: fs is the fifth segment register, and gs the sixth. The AMD or Intel manuals will show you this. In some versions of Windows the fs segment is set to point to some process specific buffers. And the reason you have no idea what is happening is because these are not officially documented anywhere.
|
|||
|
25 Sep 2010, 13:22 |
|
|
baldr 25 Sep 2010, 13:50
revolution,
Exactly those are well-documented, they're .Self fields of NT_TIB32/NT_TIB64. Yes, I'm nit-picking — I'm against this undocumented stuff too (it's useful in hacking, not in production codebase). And there was an error already: NT_TIB64.Self is 64-bit, as one may expect. |
|||
|
25 Sep 2010, 13:50 |
|
|
f0dder 25 Sep 2010, 15:26
baldr: take heed of the word officially in revolution's post
 . Yes, there's plenty of well-documented info, but it's not official from Microsoft, so we have no Code Contract, nu guarantee it won't suddenly change on some new OS or even a service pack. Unlikely to happen? Yes. Guarantees it won't? No.
(I know you know this, so the comment is really directed at other people who're following the thread, not you ). |
|||
|
25 Sep 2010, 15:26 |
|
|
Nameless 25 Sep 2010, 16:38
revolution, i searched the 5 manuals for this and i couldn't find it, can u tell me which one exactly should i look in or a keyword i should look for? none says what gs holds (maybe i was searching wrong) ty, |
|||
|
25 Sep 2010, 16:38 |
|
|
baldr 25 Sep 2010, 17:53
f0dder,
Does WinNT.H from MS VS 2008 qualify as "officially documented"? Windows Research Kernel probably don't.
----8<---- Nameless, Intel manuals won't tell you this, it's Microsoft-specific. x86-64 Windows uses gs to hold selector for segment containing TEB for current thread (in user-mode; for kernel-mode it contains KPCR). |
|||
|
25 Sep 2010, 17:53 |
|
|
Nameless 25 Sep 2010, 18:22
ok, and how did u find that out? what document do i need to know this things?
|
|||
|
25 Sep 2010, 18:22 |
|
|
baldr 25 Sep 2010, 18:36
Nameless,
Can't remember that. Probably some weird mix of Google, IDA disassembly of various Windows x86-64 .DLLs and "* Internals" books. Are you really need to know this kind of things right now? |
|||
|
25 Sep 2010, 18:36 |
|
| Goto page 1, 2 Next < Last Thread | Next Thread > |
Forum Rules:
|