flat assembler
Message board for the users of flat assembler.

Index > Windows > get base with handle.

Overflowz (Joined: 03 Sep 2010, Posts: 1046)
I know that GetModuleHandle gets the handle of a module loaded in the executable, but how can I find its base? I know it's a really noobish question.
Regards.
Post 26 Jul 2011, 21:32
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17250, Location: In your JS exploiting you and your system)
IIRC GetModuleHandle() == base address.
Post 26 Jul 2011, 21:56
Overflowz (Joined: 03 Sep 2010, Posts: 1046)
http://msdn.microsoft.com/en-us/library/ms683199(v=vs.85).aspx

It says:
Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
Are the handle and the base the same? Or is it possible to obtain the handle from the base address?
Post 26 Jul 2011, 22:00
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
What do you need process base for?
Post 26 Jul 2011, 22:46
Overflowz (Joined: 03 Sep 2010, Posts: 1046)
Hi, I'm trying to hook some API calls in remote processes to filter "bad actions". I've written a DLL to inject into the process that calls GetModuleHandle+GetProcAddress and then hooks the function, but GetProcAddress fails. I'm using user32.dll and the MessageBoxA API, and the detour hooking method from the examples section.
EDIT:
Sorry, I was using bad arguments in the GetProcAddress API. Never mind, I solved it. Thanks!
Post 26 Jul 2011, 23:02
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
Interesting, usually things which do "bad actions" such as hooking don't use GetModuleHandle+GetProcAddress. They usually try to determine the module base address themselves, and then search the export table manually. What process is that, if I may know?

PS: On an unrelated matter, if you are by any chance interested in how to search the export table manually, try Iczelion's old tutorial.
Post 26 Jul 2011, 23:51
Overflowz (Joined: 03 Sep 2010, Posts: 1046)
vid
Hi, I'm trying the easy way with the detour example. Here's the algorithm:

After injecting the DLL, it modifies the first 5 bytes of the API call with a JMP XXXXX instruction that points to a hook procedure which will filter the arguments; if everything is okay, then it will execute normally, else it will modify the arguments.

That's all. I've done it now. Thanks anyway.
If someone wants the source I can post it, but many people could use it only for harm..
Regards.
Post 27 Jul 2011, 00:13
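The thread settles two points that are worth seeing in code: an HMODULE from GetModuleHandle is the module base (the 'MZ' header sits at that address), and vid's alternative to GetProcAddress is to walk the PE export table by hand. The detour the last post describes also leaves a fingerprint a defender can look for: an exported function whose first byte is E9 (JMP rel32) pointing outside the module's own image. The following script is an added example, not code from the thread, from Iczelion's tutorial or from the flat assembler project. It needs no Windows API: the PE image is hand-built inside the script (RVA equals file offset, section headers omitted), the export names MessageBoxA/MessageBoxW and all offsets are constructed test data, and the parser handles both PE32 and PE32+ optional headers, which is more general than the 32-bit case in the thread.

```python
"""Added example: validate a module base, walk its export table, and
flag exports whose prologue has been replaced by a JMP rel32 detour.
The PE image is constructed test data, not a real user32.dll."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_sample_image() -> bytes:
    """Hand-built PE32 image (constructed) with RVA == offset. Exports
    MessageBoxA (RVA 0x400, patched with an E9 detour) and MessageBoxW
    (RVA 0x420, untouched hot-patch prologue)."""
    img = bytearray(0x600)
    img[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = IMAGE_NT_SIGNATURE
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 56, 0x600)             # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96, 0x200, 0x40)      # export dir RVA, size
    # IMAGE_EXPORT_DIRECTORY at 0x200: Name, Base, counts, three table RVAs
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,
                     0x300, 1, 2, 2, 0x240, 0x250, 0x260)
    struct.pack_into("<II", img, 0x240, 0x400, 0x420)        # AddressOfFunctions
    struct.pack_into("<II", img, 0x250, 0x310, 0x320)        # AddressOfNames (sorted)
    struct.pack_into("<HH", img, 0x260, 0, 1)                # AddressOfNameOrdinals
    img[0x300:0x30B] = b"user32.dll\0"
    img[0x310:0x31C] = b"MessageBoxA\0"
    img[0x320:0x32C] = b"MessageBoxW\0"
    # MessageBoxA: first 5 bytes overwritten with JMP rel32 to RVA 0x1000,
    # which lies outside SizeOfImage, as an injected hook stub would
    struct.pack_into("<Bi", img, 0x400, 0xE9, 0x1000 - (0x400 + 5))
    # MessageBoxW: untouched prologue  mov edi,edi / push ebp / mov ebp,esp
    img[0x420:0x425] = bytes.fromhex("8BFF558BEC")
    return bytes(img)


def nt_headers_offset(image: bytes) -> int:
    """The module base (what GetModuleHandle returns) starts with 'MZ';
    e_lfanew at 0x3C points at 'PE\\0\\0'. Return that offset."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature at module base")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew


def export_directory(image: bytes):
    """Return (export_rva, export_size, size_of_image) from the optional
    header; the data directory offset differs between PE32 and PE32+."""
    opt = nt_headers_offset(image) + 4 + 20           # skip signature + COFF header
    magic, = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, = struct.unpack_from("<I", image, opt + 56)   # same offset in both
    num_dirs, = struct.unpack_from("<I", image, opt + count_off)
    if num_dirs < 1:
        raise ValueError("no export data directory")
    export_rva, export_size = struct.unpack_from("<II", image, opt + dirs_off)
    return export_rva, export_size, size_of_image


def c_string(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def walk_exports(image: bytes) -> dict:
    """Manual GetProcAddress: map every named export to its RVA. Entries
    whose RVA falls inside the export directory are forwarder strings."""
    export_rva, export_size, _ = export_directory(image)
    (name_rva, base, n_funcs, n_names, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<IIIIIII", image, export_rva + 12)
    exports = {}
    for i in range(n_names):
        name_ptr, = struct.unpack_from("<I", image, names_rva + 4 * i)
        index, = struct.unpack_from("<H", image, ords_rva + 2 * i)  # unbiased ordinal
        func_rva, = struct.unpack_from("<I", image, funcs_rva + 4 * index)
        if export_rva <= func_rva < export_rva + export_size:
            func_rva = "->" + c_string(image, func_rva)             # forwarder
        exports[c_string(image, name_ptr)] = func_rva
    return exports


def inspect_prologue(image: bytes, func_rva: int) -> dict:
    """Detection check for the thread's detour: an E9 first byte means the
    prologue was patched; resolve the target and note whether it leaves
    the module's own image, the shape an injected hook stub has."""
    _, _, size_of_image = export_directory(image)
    first5 = image[func_rva:func_rva + 5]
    if first5[0] != 0xE9:
        return {"hooked": False, "bytes": first5.hex()}
    rel32, = struct.unpack_from("<i", image, func_rva + 1)
    target = func_rva + 5 + rel32
    return {"hooked": True, "bytes": first5.hex(), "target_rva": target,
            "target_outside_image": not 0 <= target < size_of_image}


def scan_module(image: bytes) -> dict:
    """Run the prologue check over every non-forwarded named export."""
    return {name: inspect_prologue(image, rva)
            for name, rva in walk_exports(image).items() if isinstance(rva, int)}


if __name__ == "__main__":
    for name, verdict in scan_module(build_sample_image()).items():
        print(name, verdict)
```

On a live process the same checks apply to the bytes at the HMODULE address, with one caveat the constructed image sidesteps: a mapped DLL has section alignment, so an RVA is already the offset from the base, whereas parsing a DLL from disk requires translating RVAs through the section table first.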


Copyright © 1999-2020, Tomasz Grysztar.
