flat assembler
Message board for the users of flat assembler.

Printing FullDllName from PEB

watdapho 30 Apr 2017, 07:44
Hey guys, I'm trying to print out the FullDllName from the Process Environment Block (PEB). What am I doing wrong in the code below? I'm using Windows 7 x64.

-----------------------------------------------------
Code:
format PE console
entry main

include 'macro/import32.inc'
include 'win32ax.inc'

section '.data' data readable writeable
p db 'pause',0
s db 'L"%s"',0

section '.code' code readable executable
main:
        push ebp
        mov ebp,esp

        mov eax,[fs:0x30] ;store PEB 
        mov eax,[eax+0x0c] ;store PPEB_LDR_DATA
        mov esi,[eax+0x1c] ; store InInitializationOrderModuleList
        lodsd ; load flink into EAX
        lea edx,[eax+0x28];load fullDllName address

        ;print fullDllname
        push edx 
        push s
        call [wprintf]
        add esp,8

        push p
        call [system]
        add esp,4

        mov esp,ebp
        pop ebp

        push 0
        call [exit]

section '.idata' import data readable writeable
library msvcrt,'msvcrt'

import msvcrt,\
wprintf,'wprintf',\
system,'system',\
exit,'exit'    
Edit by revolution: Added code tags
revolution 30 Apr 2017, 08:03
watdapho wrote:
What am I doing wrong in the code below?
You are using undocumented offsets into undocumented data structures. The reason they are not documented is so that MS can change them when required without having to inform the public of the change. Different OSes will use different versions of the structures, or even completely different structures.

BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.
watdapho 30 Apr 2017, 16:40
Quote:
BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

I'm trying to print any random DLL name.

Quote:
You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.

Thanks for the suggestion, I will keep this in mind for future use. However, I'm experimenting with the PEB.

If anyone can post working FASM code using a similar method to mine (accessing PEB->PPEB_LDR_DATA->Ininit.flink and using wprintf to output fulldllname), it would be much appreciated! I've attempted it many times myself but have failed, so I'm resorting to your help, guys! Thank you.
samlaren 23 May 2017, 16:00
You cannot print a PUNICODE_STRING with wprintf. In LDR_DATA_TABLE_ENTRY, FullDllName is a UNICODE_STRING. You should use printf with "%wZ" to print out PUNICODE_STRINGs.
Example of getting the kernel32.dll base and printing out its name:
Code:
format PE console
entry start
include 'win32ax.inc'
section '.data' data readable writeable
uni        db '%wZ',13,10,0           ; %wZ takes a pointer to a UNICODE_STRING
KernelBase dd ?
section '.code' code readable executable
start:
        mov     ebx, [FS:0x30]        ; Get PEB of program
        mov     ebx, [ebx + 0x0C]     ; Get PPEB_LDR_DATA
        mov     ebx, [ebx + 0x14]     ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
        mov     ebx, [ebx]            ; 2nd entry
        mov     ebx, [ebx]            ; 3rd entry    (kernel32.dll)
        pushad
        lea     ebx, [ebx + 0x24]     ; BaseDllName, measured from InMemoryOrderLinks
        cinvoke printf, uni, ebx
        popad
        mov     ebx, [ebx + 0x10]     ; Get DllBase (entry+0x18, measured from InMemoryOrderLinks)
        mov     [KernelBase], ebx
        cinvoke exit, 0
section '.idata' import data readable writeable
library msvcrt,'msvcrt'
import msvcrt, printf,'printf', exit,'exit'

If you want to check for other modules, just walk the InMemoryOrderModuleList.
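The walk the opening post attempts, done the way that works, as an added example rather than code from any of the posts. It assumes the 32-bit layout the thread relies on (also valid for a 32-bit process under WoW64, where fs:[0x30] is the 32-bit PEB); the names LINK_TO_FULLNAME, fmt and the labels are mine. Compared with the first post it measures FullDllName from the InInitializationOrderLinks pointer the Flink actually points to, hands wprintf the UNICODE_STRING's Buffer with an explicit character count instead of the structure address, uses a genuinely wide format string, and stops when the list wraps back to its head rather than trusting a fixed entry count.

```asm
format PE console
entry main
include 'win32ax.inc'

; 32-bit layout (undocumented and version-specific, as revolution points out):
;   PEB+0x0C                  Ldr (PEB_LDR_DATA*)
;   Ldr+0x1C                  InInitializationOrderModuleList (LIST_ENTRY head)
;   LDR_DATA_TABLE_ENTRY+0x10 InInitializationOrderLinks   <- each Flink points here
;   LDR_DATA_TABLE_ENTRY+0x24 FullDllName (UNICODE_STRING: Length, MaximumLength, Buffer)
LINK_TO_FULLNAME = 0x24 - 0x10        ; FullDllName relative to the link pointer (0x14)

section '.data' data readable writeable
fmt du '%.*s',13,10,0                 ; wide format string: wprintf wants WCHARs, not 'L"%s"'

section '.code' code readable executable
main:
        mov     eax,[fs:0x30]          ; PEB
        mov     eax,[eax+0x0C]         ; PEB->Ldr
        lea     ebx,[eax+0x1C]         ; &Ldr->InInitializationOrderModuleList (list head)
        mov     esi,[ebx]              ; head.Flink -> first entry's InInitializationOrderLinks
.next:
        cmp     esi,ebx                ; Flink back at the head: whole list visited
        je      .done
        test    esi,esi                ; never follow a NULL link
        jz      .done
        movzx   ecx,word [esi+LINK_TO_FULLNAME]   ; FullDllName.Length, in bytes
        shr     ecx,1                             ; -> number of WCHARs for the %.* precision
        mov     edx,[esi+LINK_TO_FULLNAME+4]      ; FullDllName.Buffer (PWSTR)
        cinvoke wprintf,fmt,ecx,edx    ; cdecl callee preserves ebx and esi for us
        mov     esi,[esi]              ; Flink -> next entry
        jmp     .next
.done:
        cinvoke exit,0

section '.idata' import data readable writeable
library msvcrt,'msvcrt'
import msvcrt,\
       wprintf,'wprintf',\
       exit,'exit'
```

Printing exactly Length/2 characters means the output does not depend on the buffer being NUL-terminated; the first line is ntdll.dll, since the executable itself is not on the initialization-order list.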

Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
