flat assembler
Message board for the users of flat assembler.
Windows > Process Environment Block
asmhack 24 Nov 2010, 14:10
Yes. Google knows (at least if you specify the correct keywords to search for).
Wrong: peb in assembly etc. etc.. Correct: "process environment block" asm
Overflowz 24 Nov 2010, 19:17
asmhack
Hmm, didn't try that. Thanks, I'll check it out and will reply if there are some problems.
Overflowz 25 Nov 2010, 23:13
Well, I've searched, but everywhere it is "how to get the base address of kernel32.dll".. But what's the point of getting its base? How can I use that base address then? I'm interested in how to get some function's address, for example where the MessageBox API's address is located. I've written a simple program without using user32.dll which shows a messagebox, but I'm interested in how to do that without importing kernel32.dll too! Can anyone explain to me what to do? I've just understood these:
fs:0x30 = PEB
fs:0x30+0xC = PEB_LDR_DATA
fs:0x30+0xC+0x1C = InitOrderModuleList
first module = ntdll.dll
second module = kernel32.dll
and saving it somewhere, and that's the base of kernel32.dll. What's next? :/ Here's a small example of what I've done with just GetProcAddress and LoadLibrary. I have a lot of mistakes, I know, but I tried.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.text' code readable executable

proc main
        ; one stack frame with two string buffers:
        ; [ebp-32] = "user32.dll", [ebp-16] = "MessageBoxA"
        push    ebp
        mov     ebp,esp
        sub     esp,32
        ; "user32.dll",0 stored as little-endian dwords
        mov     dword [ebp-32],0x72657375      ; "user"
        mov     dword [ebp-28],0x642e3233      ; "32.d"
        mov     word  [ebp-24],0x6c6c          ; "ll"
        mov     byte  [ebp-22],0               ; terminator
        lea     edi,[ebp-32]
        invoke  LoadLibrary,edi                ; eax = HMODULE of user32.dll
        mov     ebx,eax
        ; "MessageBoxA",0
        mov     dword [ebp-16],0x7373654d      ; "Mess"
        mov     dword [ebp-12],0x42656761      ; "ageB"
        mov     dword [ebp-8],0x0041786f       ; "oxA",0
        lea     esi,[ebp-16]
        invoke  GetProcAddress,ebx,esi         ; eax = address of MessageBoxA
        ; MessageBoxA(0,esi,edi,0): stdcall, arguments pushed right to left
        push    0
        push    edi
        push    esi
        push    0
        call    eax
        invoke  ExitProcess,0
endp

section '.idata' import data readable
library kernel32,'kernel32.dll'
include 'API\KERNEL32.INC'
Thanks.
bitRAKE 26 Nov 2010, 03:35
Overflowz 26 Nov 2010, 10:14
I don't understand, isn't the PEB at fs:0x30?
Code:
xor edx, edx            ; Zero EDX
mov edx, [fs:edx+48]    ; Get a pointer to the PEB
mov edx, [edx+12]       ; Get PEB->Ldr
mov edx, [edx+20]       ; Get the first module from the InMemoryOrder module list
Can someone write a simple example? For example, get the proc address of LoadLibrary. And tell me what or how I should do things? Before writing those things, I should look at the PEB struct things, right? Thanks.
revolution 26 Nov 2010, 10:24
48 == 0x30
Overflowz 26 Nov 2010, 10:46
revolution
Right.. I thought it was in 16-bit numbers.. and can you write what I've asked for? ty.
revolution 26 Nov 2010, 10:49
Overflowz wrote: ... and can you write what I've asked for?
Overflowz 26 Nov 2010, 11:58
revolution
Well, when you have time then, please. Cause I've tried a lot of times but I fail every time. If I write it, I'll post it here. Thanks.
asmhack 29 Nov 2010, 00:57
Overflowz, if you are interested in studying shellcodes, have a look below.
http://phrack.org/search.html?key=shellcode
Overflowz 29 Nov 2010, 09:12
asmhack
No, I'm not. I'll explain why I'm interested in it. First of all, I started assembler because it's not dependent on the OS and has the same syntax everywhere; it only depends on the processor, I guess. Second, I've stopped learning C, because it depends on msvcrt.dll and I hate that. I've started assembly language (Fasm) because it's easy and can be coded on various OSes. I'm interested in that because I don't want to use libraries. I don't like it when a program depends on something. Thank you for the reply, I'll look at that.
comrade 29 Nov 2010, 16:28
Overflowz wrote: asmhack
To do anything useful, you need to interface with the OS. At that point you are dependent on the OS.
Quote: Second, I've stopped learning C, because it depends on msvcrt.dll and I hate that.
A compiler doesn't force you to link with the CRT. In fact, there are some impressive works that either don't use the CRT or link with some tiny implementation of it - check matja's entry ('hashasmtro') in compo #6 here: http://www.haxor.me.uk/asmcompo/ It's a 4KB intro coded in C.
Quote: I don't like it when a program depends on something.
You'll need to get over that fear of commitment some day...
Overflowz 29 Nov 2010, 18:24
comrade
Thanks for the reply, I knew some of the things you wrote. But Assembly is the best anyway :p I like it!
Overflowz 30 Nov 2010, 19:44
Ok, I have some questions now. First of all, I don't understand why Ldr is located at PEB:[0x30]+0x0c(12)? I saw the structure and everything is bytes except one; before Ldr is a PVOID, and I don't understand how people are counting that. For example, I want to go to PEB_LDR_DATA and then get FullDllName. I've tried so much and fail and fail. My brain has crashed now, I can't think of anything.. Here's the code I'm trying; can anyone tell me how I should count from the structures to get there, and some little fix here? Thank you.
Code:
mov eax,[fs:0x30]       ; PEB
mov eax,[eax+0x0c]      ; PEB->Ldr
mov eax,[eax+0x1c]      ; Ldr->InitOrderModuleList.Flink (first entry)
mov eax,[eax]           ; Flink again: second entry
mov eax,[eax+0xC]       ; I don't know what I should write here.
Overflowz 02 Dec 2010, 20:14
Nobody has time? I've tried more and more till today but with the same result. I also don't know what to search for in Google. Anyone suggest me something, please.
baldr 03 Dec 2010, 11:08
Overflowz 03 Dec 2010, 11:40
baldr
I think you don't understand me. I know everything, but I don't know how people are counting where PPEB_LDR_DATA is. I'll write what I'm thinking. This is the PEB struct:
Code:
typedef struct _PEB {
  BYTE Reserved1[2];
  BYTE BeingDebugged;
  BYTE Reserved2[1];
  PVOID Reserved3[2];
  PPEB_LDR_DATA Ldr;
  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
  BYTE Reserved4[104];
  PVOID Reserved5[52];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE Reserved6[128];
  PVOID Reserved7[1];
  ULONG SessionId;
} PEB, *PPEB;
PPEB_LDR_DATA is located at fs:0x30+0x0c.. WHY? I'm counting like this:
BYTE Reserved[2] = 2 BYTE
BYTE BeingDebugged = 1 BYTE
BYTE Reserved2[1] = 1 BYTE
PVOID Reserved3[2] = 2 BYTE
PPEB_LDR_DATA = 2+1+1+2 = fs:0x30+6.
How should I count? I'm asking that. And when I am at PPEB_LDR_DATA, when adding like fs:0x30+0x0c+0x1c (InitOrderModuleList), why am I not going on from the PEB structure? And how should I get into ProcessParameters? I don't know how to write it, I'm speaking like an idiot in English.. If someone understands what I mean then reply.. Thank you.
sinsi 03 Dec 2010, 11:54
PVOID would be a dword (hint: P=pointer) so Reserved3[2] is 8 bytes.
Overflowz 03 Dec 2010, 12:41
sinsi
Exactly what I asked for! Can you write more examples of what type means what? For example BYTE = 1, PVOID = DWORD, ULONG = ? and PPEB_LDR_DATA = ? How can I find how much size they have? PPEB_LDR_DATA = sizeof.PEB structure, right? Thank you!
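The offset arithmetic this thread keeps coming back to (why Ldr is at PEB+0x0C, why the InMemoryOrder list is at Ldr+20 and the InitOrder list at Ldr+0x1C, how far FullDllName is from a list link, and what size each type has) can be checked mechanically instead of counted by hand. The program below is an added example, not code from the thread or from fasm: it rebuilds the 32-bit layouts of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY with fixed-width types so that offsetof() and sizeof() give the 32-bit numbers on any host compiler, 64-bit included. Field names follow winternl.h and ntdll's public symbols; the fields beyond the documented winternl.h prefix (InInitializationOrderModuleList and the link/DllBase/EntryPoint fields of the table entry) are taken from that symbol layout and are an assumption of this example rather than something the thread states.

```c
/* Added example (not from the thread): 32-bit PEB layouts modelled with
 * fixed-width types so offsetof()/sizeof() reproduce the offsets discussed
 * above on any host.  Field names follow winternl.h / ntdll symbols; the
 * fields past the documented prefix are assumed from that symbol layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  BYTE;     /* 1 byte */
typedef uint16_t USHORT;   /* 2 bytes */
typedef uint32_t ULONG;    /* 4 bytes */
typedef uint32_t PVOID32;  /* any P* typedef is a pointer: 4 bytes in a 32-bit process */

typedef struct { PVOID32 Flink, Blink; } LIST_ENTRY32;                             /* 8 bytes */
typedef struct { USHORT Length, MaximumLength; PVOID32 Buffer; } UNICODE_STRING32; /* 8 bytes */

typedef struct {                 /* PEB, leading fields as in winternl.h */
    BYTE    Reserved1[2];        /* 0x00 */
    BYTE    BeingDebugged;       /* 0x02 */
    BYTE    Reserved2[1];        /* 0x03 */
    PVOID32 Reserved3[2];        /* 0x04: two pointers are 8 bytes, not 2 */
    PVOID32 Ldr;                 /* 0x0C: PPEB_LDR_DATA */
    PVOID32 ProcessParameters;   /* 0x10 */
} PEB32;

typedef struct {                                  /* PEB_LDR_DATA */
    ULONG        Length;                          /* 0x00 */
    BYTE         Initialized;                     /* 0x04, padded up to the next dword */
    PVOID32      SsHandle;                        /* 0x08 */
    LIST_ENTRY32 InLoadOrderModuleList;           /* 0x0C */
    LIST_ENTRY32 InMemoryOrderModuleList;         /* 0x14: the "+20" in the snippet above */
    LIST_ENTRY32 InInitializationOrderModuleList; /* 0x1C: the "+0x1c" in Overflowz's code (assumed layout) */
} PEB_LDR_DATA32;

typedef struct {                                  /* LDR_DATA_TABLE_ENTRY (assumed layout) */
    LIST_ENTRY32     InLoadOrderLinks;            /* 0x00 */
    LIST_ENTRY32     InMemoryOrderLinks;          /* 0x08 */
    LIST_ENTRY32     InInitializationOrderLinks;  /* 0x10 */
    PVOID32          DllBase;                     /* 0x18 */
    PVOID32          EntryPoint;                  /* 0x1C */
    ULONG            SizeOfImage;                 /* 0x20 */
    UNICODE_STRING32 FullDllName;                 /* 0x24 */
    UNICODE_STRING32 BaseDllName;                 /* 0x2C */
} LDR_DATA_TABLE_ENTRY32;

/* The numbers the thread adds up by hand. */
size_t peb_ldr_offset(void)           { return offsetof(PEB32, Ldr); }
size_t ldr_inmemory_offset(void)      { return offsetof(PEB_LDR_DATA32, InMemoryOrderModuleList); }
size_t ldr_ininit_offset(void)        { return offsetof(PEB_LDR_DATA32, InInitializationOrderModuleList); }
size_t entry_dllbase_offset(void)     { return offsetof(LDR_DATA_TABLE_ENTRY32, DllBase); }
size_t entry_fulldllname_offset(void) { return offsetof(LDR_DATA_TABLE_ENTRY32, FullDllName); }

/* A list's Flink points at the LIST_ENTRY embedded *inside* the next entry,
 * not at the entry's first byte.  After "mov eax,[ldr+0x1C]" eax therefore
 * holds entry+0x10, and a field is reached at (field offset - link offset);
 * the kernel headers' CONTAINING_RECORD macro is the same subtraction. */
long field_from_link(size_t link_offset, size_t field_offset)
{
    return (long)field_offset - (long)link_offset;
}

/* Size of a type by name: the "BYTE = 1, PVOID = DWORD, ULONG = ?" question. */
size_t type_size(const char *name)
{
    if (strcmp(name, "BYTE") == 0)         return sizeof(BYTE);
    if (strcmp(name, "USHORT") == 0)       return sizeof(USHORT);
    if (strcmp(name, "ULONG") == 0)        return sizeof(ULONG);
    if (strcmp(name, "PEB_LDR_DATA") == 0) return sizeof(PEB_LDR_DATA32);
    if (strcmp(name, "PEB") == 0)          return 0;  /* only the leading PEB fields are modelled here */
    if (name[0] == 'P')                    return sizeof(PVOID32); /* PVOID, PPEB, PPEB_LDR_DATA, ... */
    return 0;                                                      /* unknown name */
}

int main(void)
{
    size_t init_link = offsetof(LDR_DATA_TABLE_ENTRY32, InInitializationOrderLinks);
    printf("PEB.Ldr                              = 0x%02zX\n", peb_ldr_offset());
    printf("Ldr.InMemoryOrderModuleList          = 0x%02zX\n", ldr_inmemory_offset());
    printf("Ldr.InInitializationOrderModuleList  = 0x%02zX\n", ldr_ininit_offset());
    printf("entry.DllBase                        = 0x%02zX\n", entry_dllbase_offset());
    printf("entry.FullDllName                    = 0x%02zX\n", entry_fulldllname_offset());
    printf("DllBase from an InInit link          = 0x%02lX\n", (unsigned long)field_from_link(init_link, entry_dllbase_offset()));
    printf("FullDllName from an InInit link      = 0x%02lX\n", (unsigned long)field_from_link(init_link, entry_fulldllname_offset()));
    printf("sizeof(PPEB_LDR_DATA)                = %zu\n", type_size("PPEB_LDR_DATA"));
    return 0;
}
```

The two things the program makes visible are the ones the hand count above misses: a P-prefixed typedef is a pointer and occupies four bytes in a 32-bit process whatever it points to (so Reserved3[2] is 8 bytes and Ldr lands at 0x0C), and a list pointer lands on the LIST_ENTRY inside the next module record rather than on its start, which is why a field offset read from the structure definition has to have the link's own offset subtracted before it is used relative to eax.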
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.