flat assembler
Message board for the users of flat assembler.
Windows > Printing FullDllName from PEB
revolution 30 Apr 2017, 08:03
watdapho wrote: What am I doing wrong in the code below?

BTW: Which DLL name are you trying to print? There will be more than one DLL loaded into the process.

You can use LoadLibrary to access any DLL you want to query. I think that would be a better option than using those magic numbers pointing blindly into undocumented structures.
watdapho 30 Apr 2017, 16:40
Quote:
I'm trying to print any random DLL name.
Quote:
Thanks for the suggestion, I will keep this in mind for future use. However, I'm experimenting with the PEB. If anyone can post working FASM code using a similar method to mine (accessing PEB->PPEB_LDR_DATA->Ininit.flink and using wprintf to output fulldllname) it would be much appreciated! I've attempted it many times myself but have failed, so I'm resorting to your help, guys! Thank you.
samlaren 23 May 2017, 16:00
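You cannot print a PUNICODE_STRING with wprintf. In LDR_DATA_TABLE_ENTRY, the FullDllName is a UNICODE_STRING. You should use printf with "%wZ" to print out PUNICODE_STRINGs.

Example of getting the Kernel32.dll base and printing out its name:
Code:
mov ebx, [FS:0x30]       ; Get PEB of program
mov ebx, [ebx + 0x0C]    ; Get PPEB_LDR_DATA
mov ebx, [ebx + 0x14]    ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ebx]           ; 2nd entry
mov ebx, [ebx]           ; 3rd entry (kernel32.dll)
pushad                   ; save registers across the call
; ebx points at InMemoryOrderLinks (entry + 0x08), so ebx + 0x24 is
; BaseDllName (entry + 0x2C); FullDllName (entry + 0x24) is at ebx + 0x1C
lea ebx, [ebx + 0x24]
cinvoke printf, uni, ebx ; uni: the "%wZ" format string (its definition is not shown in the post)
popad                    ; restores ebx to the list entry
mov ebx, [ebx + 0x10]    ; Get DllBase (entry + 0x18)
mov [KernelBase], ebx    ; KernelBase: a dword variable (its definition is not shown in the post)

If you want to check for other modules, just walk the InMemoryOrderModuleList.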
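The list walk discussed in this thread, as an added example that is not part of any post: a Python parser that follows InMemoryOrderModuleList through a constructed 32-bit memory image and decodes FullDllName and BaseDllName as length-counted UNICODE_STRINGs. Assumptions: addresses are offsets into one byte buffer, the module paths and bases are made up, the offsets are the x86 LDR_DATA_TABLE_ENTRY ones measured from InMemoryOrderLinks, and the walk starts from the PEB_LDR_DATA address rather than from the PEB.

```python
import struct

# x86 offsets measured from the InMemoryOrderLinks field (entry + 0x08),
# which is what every Flink in InMemoryOrderModuleList points at.
DLLBASE, FULLNAME, BASENAME = 0x10, 0x1C, 0x24
LDR_IN_MEMORY_HEAD = 0x14  # PEB_LDR_DATA.InMemoryOrderModuleList

def u32(mem, va):
    return struct.unpack_from("<I", mem, va)[0]

def unicode_string(mem, va):
    """Decode a 32-bit UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer}."""
    length, _maximum, buf = struct.unpack_from("<HHI", mem, va)
    return bytes(mem[buf:buf + length]).decode("utf-16-le")  # Length is in bytes; no NUL needed

def walk_modules(mem, ldr, limit=512):
    """Return (DllBase, FullDllName, BaseDllName) per entry, in memory order."""
    head = ldr + LDR_IN_MEMORY_HEAD
    link, out = u32(mem, head), []
    while link != head and len(out) < limit:  # circular list; limit guards a corrupted ring
        out.append((u32(mem, link + DLLBASE),
                    unicode_string(mem, link + FULLNAME),
                    unicode_string(mem, link + BASENAME)))
        link = u32(mem, link)  # follow Flink
    return out

def build_sample():
    """Constructed image, filled with 0xCC so the strings are not NUL-terminated."""
    mem, ldr = bytearray(b"\xCC" * 0x1000), 0x100
    mods = [(0x00400000, r"C:\demo\app.exe"), (0x77000000, r"C:\Windows\System32\ntdll.dll"),
            (0x76000000, r"C:\Windows\System32\kernel32.dll")]
    links = [0x200 + i * 0x100 + 0x08 for i in range(len(mods))]
    ring = [ldr + LDR_IN_MEMORY_HEAD] + links
    for i, node in enumerate(ring):  # write Flink/Blink around the ring
        struct.pack_into("<II", mem, node, ring[(i + 1) % len(ring)], ring[i - 1])
    for link, (base, path) in zip(links, mods):
        raw, buf = path.encode("utf-16-le"), link + 0x40
        name = 2 * (path.rfind("\\") + 1)  # byte offset of the file name inside the path
        mem[buf:buf + len(raw)] = raw
        struct.pack_into("<I", mem, link + DLLBASE, base)
        struct.pack_into("<HHI", mem, link + FULLNAME, len(raw), len(raw), buf)
        struct.pack_into("<HHI", mem, link + BASENAME, len(raw) - name, len(raw) - name, buf + name)
    return bytes(mem), ldr

if __name__ == "__main__":
    for base, full, short in walk_modules(*build_sample()):
        print(f"{base:#010x}  {short:<14} {full}")
```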
Copyright © 1999-2024, Tomasz Grysztar.