flat assembler
Message board for the users of flat assembler.

Index > Windows > Process Environment Block

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 24 Nov 2010, 13:56
Hello everyone! I have questions about PEB. I've tried to find some tutorials about how to use PEB in assembly etc etc.. But can't find any.. Does someone know where to get some tutorials about PEB ? Thanks.
Post 24 Nov 2010, 13:56
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 24 Nov 2010, 14:10
yes. google knows
(at least if you specify correct keywords to search for)

wrong:
peb in assembly etc etc..

correct:
"process environment block" asm
Post 24 Nov 2010, 14:10
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 24 Nov 2010, 19:17
asmhack
Hmm didn't tried that. Thanks I'll check it out and will reply if some problems. Smile
Post 24 Nov 2010, 19:17
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 25 Nov 2010, 23:13
Well, I've searched but everywhere is "how to get base address of kernel32.dll".. But what the point of getting its base ? How can I use that base address then ? I'm interested how to get some functions address for example MessageBox API's Address where it's located. I've wrote simple program without using user32.dll and shows messagebox but I'm interested how to do that without importing kernel32.dll too! Can anyone explain me what to do ? I've just understand those:
fs:0x30 = PEB
fs:0x30+0xC = PEB_LDR_DATA
fs:0x30+0xC+0x1C = InitOrderModuleList
first module = ntdll.dll
second module = kernel32.dll and saving it somewhere and its base of kernel32.dll. whats next ? :/
Here's small example what I've done with just GetProcAddress and LoadLibrary. I have lot of mistakes, I know but I tried.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry main
section '.text' code readable executable
proc main
push ebp
mov ebp,esp
sub esp,16
mov dword [ebp-16],0x72657375
mov dword [ebp-12],0x642e3233
mov word [ebp-8],0x6c6c
mov byte [ebp-6],0
mov edi,esp
invoke LoadLibrary,edi
mov ebx,eax
pop ebp
push ebp
mov ebp,esp
sub esp,16
mov dword [ebp-16],0x7373654d
mov dword [ebp-12],0x42656761
mov dword [ebp-8],0x0041786f
mov byte [ebp-4],0
mov esi,esp
invoke GetProcAddress,ebx,esi
mov ebx,eax
push 0
push edi
push esi
push 0
call eax
invoke ExitProcess,0
endp
section '.idata' import data readable
library kernel32,'kernel32.dll'
include 'API\KERNEL32.INC'    

Thanks.
Post 25 Nov 2010, 23:13
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4079
Location: vpcmpistri
bitRAKE 26 Nov 2010, 03:35
Post 26 Nov 2010, 03:35
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 26 Nov 2010, 10:14
I don't understand, Isn't PEB at fs:0x30 ?
Code:
  xor edx, edx           ; Zero EDX
  mov edx, [fs:edx+48]   ; Get a pointer to the PEB
  mov edx, [edx+12]      ; Get PEB->Ldr
  mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
    

can someone write simple example ? for example Get proc address of LoadLibrary for example. And tell me what or how should I do things ? Before writing those things, I should watch PEB struct things right ? Thanks.
Post 26 Nov 2010, 10:14
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20459
Location: In your JS exploiting you and your system
revolution 26 Nov 2010, 10:24
48 == 0x30
Post 26 Nov 2010, 10:24
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 26 Nov 2010, 10:46
revolution
Right.. I though it were on 16-bit numbers.. and can u write what I've asked for ? ty.
Post 26 Nov 2010, 10:46
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20459
Location: In your JS exploiting you and your system
revolution 26 Nov 2010, 10:49
Overflowz wrote:
... and can u write what I've asked for ?
Yes, but I don't have time. However I am sure you can do it yourself, with a little bit of patience and thought. You should have enough experience by now.
Post 26 Nov 2010, 10:49
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 26 Nov 2010, 11:58
revolution
Well, when you'll have time then please. Cause I've tried a lot of time but I fail every time. If I'll write, I'll post it here. Thanks.
Post 26 Nov 2010, 11:58
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 29 Nov 2010, 00:57
overflowz, if you are interested in studying shellcodes have a look below.

http://phrack.org/search.html?key=shellcode
Post 29 Nov 2010, 00:57
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 29 Nov 2010, 09:12
asmhack
No, I'm not. I'll explain why I'm interested with it. Smile First of all, I've started assembler cause its not depending on OS and has like same syntaxes. only depends on processors I guess. Second, I've stopped learning C, cause it's depending on msvcrt.dll and I hate that. I've started assembly language (Fasm) cause it's easy and can be coded on various OS'es. I'm interested about that cause I don't want to use libraries. I don't like when program is depended on something. Thank you for reply I'll see that. Wink
Post 29 Nov 2010, 09:12
View user's profile Send private message Reply with quote
comrade



Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 29 Nov 2010, 16:28
Overflowz wrote:
asmhack
No, I'm not. I'll explain why I'm interested with it. Smile First of all, I've started assembler cause its not depending on OS and has like same syntaxes. only depends on processors I guess.

To do anything useful, you need to interface with the OS. At that point you are dependent on the OS.

Quote:
Second, I've stopped learning C, cause it's depending on msvcrt.dll and I hate that.

A compiler doesn't force you to link with the CRT. In fact, there are some impressive works that either don't use the CRT or link with some tiny implementation of it - check matja's entry ('hashasmtro') in compo #6 here: http://www.haxor.me.uk/asmcompo/
Its a 4KB intro coded in C.


Quote:
I don't like when program is depended on something.

You'll need to get over that fear of commitment some day... Smile

_________________
comrade (comrade64@live.com; http://comrade.ownz.com/)
Post 29 Nov 2010, 16:28
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 29 Nov 2010, 18:24
comrade
Thanks for reply, I knew some things what you've wrote. But Assembly is the best anyway :p I like it!
Post 29 Nov 2010, 18:24
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 30 Nov 2010, 19:44
Ok I have some questions now. First of all, I don't understand why Ldr is located at PEB:[0x30]+0x0c(12) ? I saw structure and everything is bytes except 1. before Ldr is PVOID and I don't understand how people are counting that. for example I want to go PEB_LDR_DATA then get FullDllName. I've tried so much and fail and fail. My brain is crashed now, I can't think nothing.. Here's code what I'm trying and can any one tell me how I should count from structures to get there and some little fix here ? Thank you.
Code:
mov eax,[fs:0x30]
mov eax,[eax+0x0c]
mov eax,[eax+0x1c]
mov eax,[eax]
mov eax,[eax+0xC] ;I don't know what should I write here.     
Post 30 Nov 2010, 19:44
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 02 Dec 2010, 20:14
nobody have time ? Sad I tried more and more till today but same result. I don't know also what to search in google. Anyone suggest me something please.
Post 02 Dec 2010, 20:14
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 03 Dec 2010, 11:08
Overflowz,

MSDN knows about PEB. Google knows about MSDN. Those offsets can be easily revealed using offsetof() function-like macro.

Everybody have time. Most of them value it enough. Wink
Post 03 Dec 2010, 11:08
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 03 Dec 2010, 11:40
baldr
I think you don't understand me. I know everything but I don't know how people are counting where PPEB_LDR_DATA is. I'll write what I'm thinking.
this is PEB struct:
Code:
typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  BYTE                          Reserved4[104];
  PVOID                         Reserved5[52];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved6[128];
  PVOID                         Reserved7[1];
  ULONG                         SessionId;
} PEB, *PPEB;    

PPEB_LDR_DATA located at fs:0x30+0x0c.. WHY ? I'm counting like this:
BYTE Reserved[2] = 2 BYTE
BYTE BeingDebugged = 1 BYTE
BYTE Reserved2[1] = 1 BYTE
PVOID Reserved3[2] = 2 BYTE
PPEB_LDR_DATA = 2+1+1+2 = fs:0x30+6. How should I count I'm asking that. and when I am at PPEB_LDR_DATA, when adding like fs:0x30+0x0c+0x1c(InitOrderModuleList) why I'm not going next from PEB structure ? and how shoild I go in ProcessParameters ? I don't know how to write I'm speaking like idiot on English.. If someone will understand what I mean then reply.. Thank you.
Post 03 Dec 2010, 11:40
View user's profile Send private message Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 03 Dec 2010, 11:54
PVOID would be a dword (hint: P=pointer) so Reserved3[2] is 8 bytes.
Post 03 Dec 2010, 11:54
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 03 Dec 2010, 12:41
sinsi
Exactly what I've asked for! Can you write more examples what type means what ? for example
BYTE = 1
PVOID = DWORD
ULONG = ?
and PPEB_LDR_DATA = ?
How can I find how much size does they has ? PPEB_LDR_DATA = sizeof.PEB structure right ? Thank you!
Post 03 Dec 2010, 12:41
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.