flat assembler
Message board for the users of flat assembler.

Index > Windows > Kernel32 export addres table

Author
Thread Post new topic Reply to topic
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 09 Jan 2005, 16:29
how to retrive function address without GetProcAddress calling ?

I write the code which found the base of Kernel in PEB
(thanks to http://lsd-pl.net/) and addres of function string name
but do not know how to find it's address to call
Could anybody help ?

Code:
include '%fasminc%/win32ax.inc'


.data
hKer    dd      ?                        ;Kernel baza
hPe     dd      ?                        ;Kernel PE header
hExp    dd      ?                        ;Kernel Export addres
hEt     dd      ?                        ;Kernel Export name
hPEB    dd      ?                        ;PEB
hLDR    dd      ?                        ; ????
bufor   rb      100h                     ;bufor for Msg's
kl      db      10,13,0                  ;end of line
numberF dd      ?                        ; ?????

.code
start:

        mov eax,[fs:30h]                 ;PEB base
        mov [hPEB],eax
        mov eax   ,[eax+0ch]             ;PEB_LDR_DATA
        mov esi   ,[eax+1ch]
        mov eax   ,[esi]
        mov ebx   ,[eax+8h]              ;Base of Kernel
        mov [hKer],ebx                   ;save Base
        mov esi   ,[ebx+3ch]
        add esi   ,ebx
        mov [hPe] ,esi                   ;Kernel PE
        mov esi   ,[esi+78h]
        add esi   ,ebx
        mov [hExp],esi                   ;Export Adress of Kernel functions
        mov edi   ,[esi+20h]
        add edi   ,ebx
        mov [hEt] ,edi                   ;Export Kernel32.dll's table of functions name's strings


cinvoke wsprintf,bufor,"INFORMACJA O PEB %s%s%s%s%x%s%s%x%s%s%x%s%s%x%s%s%x",\
                       kl,\
                       "---------------------------------------",\
                       kl,\
                       "PEB Base: 0x",\
                       [hPEB],\
                       kl,\
                       "Kernel32.dll Base: 0x",\
                       [hKer],\
                       kl,\
                       "Kernel PE Header: 0x",\
                       [hPe],\
                       kl,\
                       "Export Table: 0x",\
                       [hExp],\
                       kl,\
                       "Name Table: 0x",\
                       [hEt]


invoke MessageBox,0,bufor,0,0

        xor ecx,ecx             ;clearing index of serching engine
                                ;ecx is an index
                                ;ebx is a base
                                ;eax is four letters frame window mapper
        mov ebx,[hKer]          ;save handle to Kernel32.dll maped into memory address space at ebx
loopek:
        mov eax,[ebx+ecx]       ;use ecx as a index of KernelBase arrea for searching engine
        cmp eax,'Load'          ;first piece of searching string checking with memory data placed in eax
        je loopek2              ;if found it go forward
        inc ecx                 ;else increase index
        jmp loopek              ;and go to the begining

loopek2:
        mov eax,[ebx+ecx+8]     ;KernelBase+index+4 for second segment of the name checking
        cmp eax,'aryA'          ;second piece of searching string
        je finish               ;if found go to finish
        inc ecx                 ;else increase index
        jmp loopek              ;and go to the begining
finish:
        lea eax,[ebx+ecx]       ;pointer to name string of LL
        mov ecx,eax             ;
        sub ecx,ebx             ;offset to name string of LL


cinvoke wsprintf,bufor,"Kernel:0x%x%s%s:0x%x%sNameOffset:0x%x%sExportNameBase:0x%x%sExportAddresBase:0x%x",ebx,kl,eax,eax,kl,ecx,kl,[hEt],kl,[hExp]
invoke MessageBox,0,bufor,"LoadLibrary Retrival INFORMATOR",0



invoke ExitProcess,0

.end start
    

_________________
Microsoft: brings power of yesterday to computers of today.
Post 09 Jan 2005, 16:29
View user's profile Send private message Reply with quote
comrade



Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 10 Jan 2005, 04:28
Are you from Brazil?

To retrieve address of LoadLibrary(), or other function, you must traverse through kernel32 export table:

Code:
start:  mov     eax, [esp]                      ; eax = some address within kernel32
        and     eax, 0FFFF0000h                 ; assume kernel32 base is aligned on 64kb boundary
@@chk:        cmp     dword ptr [eax], 00905A4Dh      ; compare the address to "MZ" DOS header
  je      @@fnd                           ; if equal, we found it
     sub     eax, 1000h                      ; subtract 64kb
     jmp     @@chk                           ; check again
@@fnd:     push    ebp                             ; save registers
    push    ebx
 push    esi
 push    edi
 mov     ebp, eax                        ; ebp = kernel32 base
       add     eax, [eax][IMAGE_DOS_HEADER.e_lfanew]   ; get PE header
     mov     edi, [eax][IMAGE_NT_HEADERS.OptionalHeader.DataDirectory]       ; get export table from the data directory
  add     edi, ebp
    mov     esi, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNames]       ; get the pointer to names table
    add     esi, ebp

        xor     edx, edx
@@name: mov     eax, [esi]      ; get the pointer to the name
       add     eax, ebp
@@chgp: ; check for GetProcAddress()
        cmp     dword ptr [eax+00h], "PteG"   ; GetP
      jne     @@next
      cmp     dword ptr [eax+04h], "Acor"   ; rocA
      jne     @@next
      cmp     dword ptr [eax+08h], "erdd"   ; ddre
      jne     @@next
      cmp     word ptr [eax+0Ch], "ss"      ; ss
        jne     @@next
      mov     eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
    add     eax, ebp
    movzx   ebx, word ptr [edx*2+eax]       ; get the function ordinal
  mov     eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
       add     eax, ebp
    mov     ebx, [ebx*4+eax]
    add     ebx, ebp                        ; ebx = GetProcAddress()
@@next: add     esi, 4
      inc     edx
 cmp     edx, [edi][IMAGE_EXPORT_DIRECTORY.NumberOfNames]
    jne     @@name

  ; get pointer to LoadLibrary()
      _call   ebx, ebp, OFFSET szProcLoadLib

  ; load user32 library
       _call   eax, OFFSET szLibUser32

 push    eax                     ; save handle for FreeLibrary()

 ; get pointer to MessageBox()
       _call   ebx, eax, OFFSET szProcMsgBox

   ; display the message box
   _call   eax, 0, OFFSET szMsgAbout, OFFSET szAppTitle, MB_OK OR MB_ICONASTERISK OR MB_APPLMODAL

  ; get pointer to FreeLibrary()
      _call   ebx, ebp, OFFSET szProcFreeLib
      call    eax                     ; unload user32 library using handle that's already on stack

   ; get pointer to ExitProcess()
      _call   ebx, ebp, OFFSET szProcExitProc

 pop     edi                     ; restore registers
 pop     esi
 pop     ebx
 pop     ebp

     ; ExitProcess()
     _call   eax, 0    


You can ignore everything until mov ebp, eax instruction, and simply substitute with the kernel32 base you retrieved from PEB.
Post 10 Jan 2005, 04:28
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 10 Jan 2005, 12:54
Code:
 mov     ebp, eax                        ; ebp = kernel32 base
        add     eax, [eax][IMAGE_DOS_HEADER.e_lfanew]   ; get PE header
        mov     edi, [eax][IMAGE_NT_HEADERS.OptionalHeader.DataDirectory]       ; get export table from the data directory
        add     edi, ebp
        mov     esi, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNames]       ; get the pointer to names table
        add     esi, ebp

        xor     edx, edx
@@name: mov     eax, [esi]      ; get the pointer to the name
        add     eax, ebp
@@chgp: ; check for GetProcAddress()
        cmp     dword ptr [eax+00h], "PteG"     ; GetP
        jne     @@next
        cmp     dword ptr [eax+04h], "Acor"     ; rocA
        jne     @@next
        cmp     dword ptr [eax+08h], "erdd"     ; ddre
        jne     @@next
        cmp     word ptr [eax+0Ch], "ss"        ; ss
        jne     @@next
        mov     eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
        add     eax, ebp
        movzx   ebx, word ptr [edx*2+eax]       ; get the function ordinal
        mov     eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
        add     eax, ebp
        mov     ebx, [ebx*4+eax]
        add     ebx, ebp                        ; ebx = GetProcAddress()  
@@next: add     esi, 4 
        inc     edx 
        cmp     edx, [edi][IMAGE_EXPORT_DIRECTORY.NumberOfNames] 
        jne     @@name 
   
    


the piece of your code I cut and placed above will be useful 4 me but I can not understand some details.

Code:
mov eax,[eax] [something.what.here]
    

My brain gave me some errors when I tryed to disasm and understand the code.
Also the structures are enigmatic and no idea what is it:
Code:
mov     esi, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNames]
or
mov     eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
    


thx for the source code but please answer my question:
How the address table and string table are connected?
I'm not so smart in understanding the asm code like you .
Some time I forget what my own code does Sad

THX anyway Smile

_________________
Microsoft: brings power of yesterday to computers of today.
Post 10 Jan 2005, 12:54
View user's profile Send private message Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 10 Jan 2005, 13:01
OK
now PEstudio gave me more of light

but still can't understand construction like:

Code:
 mov eax,[eax][aaa.bb.c]
    

_________________
Microsoft: brings power of yesterday to computers of today.
Post 10 Jan 2005, 13:01
View user's profile Send private message Reply with quote
beppe85



Joined: 23 Oct 2004
Posts: 181
beppe85 10 Jan 2005, 15:32
c is a struct inside bb which is a struct inside aaa.
The instruction fetchs dword at offset eax from c.
e.g.
Code:
mov eax,[aaa.bb.c + eax]    


HarryTuttle wrote:
OK
now PEstudio gave me more of light

but still can't understand construction like:

Code:
 mov eax,[eax][aaa.bb.c]
    
Post 10 Jan 2005, 15:32
View user's profile Send private message Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 10 Jan 2005, 16:07
THX to both of YOU
I'm not from Brasil but Purtuguese is melodic laguage and my favourite actor Robert Deniro plays an important role in Film under the title "Brazil" as a plumber and Techincian-Hacker of air conditions equipment.

His name was HarryTuttle so it's my nickname.

very thank you 4 Comrare for piece of exploit and 4 beppe85 for syntax explanation.

see you next time in IRC /server freenode #flatassembler (just Advert Smile )

_________________
Microsoft: brings power of yesterday to computers of today.
Post 10 Jan 2005, 16:07
View user's profile Send private message Reply with quote
beppe85



Joined: 23 Oct 2004
Posts: 181
beppe85 10 Jan 2005, 16:30
Eu pensei que você fosse brasileiro, como eu...
I guessed you was a brazilian, as me...

Wink
Post 10 Jan 2005, 16:30
View user's profile Send private message Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 10 Jan 2005, 19:06
Haker é programador bom mas não sempre

boa noite

_________________
Microsoft: brings power of yesterday to computers of today.
Post 10 Jan 2005, 19:06
View user's profile Send private message Reply with quote
beppe85



Joined: 23 Oct 2004
Posts: 181
beppe85 10 Jan 2005, 19:13
hehe...not always...google?

Good night for you too!
Post 10 Jan 2005, 19:13
View user's profile Send private message Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 12 Jan 2005, 11:57
yes google but I'm going to study portuguese

best regards
Code:
;                       +++++++++++++++++++++++++
;                       +Harry Tuttle 12.01.2005+
;                       +Kern32 API LISTER v0.1 +
;                       +++++++++++++++++++++++++
;
;This program shows you how to retrive proc's addreses from Kernel32 module and kernel handle.
;The source is total free to change it. I hope it will be helpful for someone.
;                             CONSOLE MODE
;command line :
; AL.exe >> filename.txt

include '%fasminc%/win32ax.inc'


.data
hKer    dd      ?                        ;Kernel baza
hPe     dd      ?                        ;Kernel PE header
hExp    dd      ?                        ;Kernel Export addres
hEt     dd      ?                        ;Kernel Export name
hPEB    dd      ?                        ;PEB
hSCR    dd      ?                        ;Console Handle
kl      db      13,10,0                  ;end of line
NOA     dd      ?                        ;number of Api
hAT     dd      ?                        ;Export table of Pointers to EnryPoint exported functions
LL      dd      ?                        ;LoadLibraryA
GPA     dd      ?                        ;GetProcAddress
AC      dd      ?                        ;AllocConsole
GSH     dd      ?                        ;GetStdHandle
FC      dd      ?                        ;FreeConsole
HCRT    dd      ?                        ;handle to crtdll.dll
PF      dd      ?                        ;printf
SlP     dd      ?                        ;Sleep



.code
start:

        mov eax,[fs:30h]                 ;PEB base
        mov [hPEB],eax
        mov eax   ,[eax+0ch]             ;PEB_LDR_DATA
        mov esi   ,[eax+1ch]
        mov eax   ,[esi]
        mov ebx   ,[eax+8h]              ;Base of Kernel
        mov [hKer],ebx                   ;save Base
        mov esi   ,[ebx+3ch]
        add esi   ,ebx
        mov [hPe] ,esi                   ;Kernel PE
        mov esi   ,[esi+78h]
        add esi   ,ebx
        mov [hExp],esi                   ;Image Export Directory
        mov ecx,esi
        mov edi   ,[esi+20h]
        add edi   ,ebx
        mov [hEt] ,edi                   ;Export table of Pointers to Addreses of StringNameFunctions
        mov esi   ,[ecx+1ch]
        add esi   ,ebx
        mov [hAT] ,esi                   ;Export table of Pointers to EnryPoint of Functions exported
        mov eax   ,[ecx+14h]
        mov [NOA] ,eax                   ;number of ALL THE API's


        xor ecx   ,ecx                   ;set ECX =0 ;ECX hold function index
loopy:
        lea eax   ,[edi+ecx*4]
        mov eax   ,[eax]
        add eax   ,ebx                   ;now EAX holds pointer to stringname
        mov edx   ,[esi+ecx*4]           ;now EDX holds entry point to function represented by string name
        add edx   ,ebx
        inc ecx
        cmp dword ptr eax+0,"GetP"
        jne loopy
        cmp dword ptr eax+4,"rocA"
        jne loopy
        cmp dword ptr eax+8,"ddre"
        jne loopy
        mov [GPA],edx

invoke GPA,[hKer],"LoadLibraryA"
        mov [LL],eax
invoke GPA,[hKer],"AllocConsole"
        mov [AC],eax
invoke GPA,[hKer],"GetStdHandle"
        mov [GSH],eax
invoke GPA,[hKer],"Sleep"
        mov [SlP],eax
invoke GPA,[hKer],"FreeConsole"
        mov [FC],eax
;invoke AC
invoke GSH,STD_OUTPUT_HANDLE
        mov[hSCR],eax
invoke LL,"crtdll.dll"
        mov [HCRT],eax
invoke GPA,eax,"printf"
        mov [PF],eax

        mov ebx,[hKer]
        mov esi,[hAT]
        mov edi,[hEt]
        xor ecx,ecx
loppex:
        lea eax   ,[edi+ecx*4]
        mov eax   ,[eax]
        add eax   ,ebx                   ;now EAX holds pointer to stringname
        mov edx   ,[esi+ecx*4]           ;now EDX holds entry point to function represented by string name
        add edx   ,ebx
        inc ecx
        cmp ecx,[NOA]
        je finish
        pushad
cinvoke PF,"API number %d: %s  EntryPoint : 0x%x%s",ecx,eax,edx,kl
;invoke  SlP,100
        popad
        jmp loppex

finish:

invoke FC
invoke ExitProcess,0

.end start
    


Description:
Download
Filename: ApiLister.zip
Filesize: 700 Bytes
Downloaded: 413 Time(s)


_________________
Microsoft: brings power of yesterday to computers of today.
Post 12 Jan 2005, 11:57
View user's profile Send private message Reply with quote
Opcode



Joined: 07 Jan 2005
Posts: 12
Opcode 13 Jan 2005, 22:01
beppe85 wrote:
Eu pensei que você fosse brasileiro, como eu...
I guessed you was a brazilian, as me...

Wink

Até que enfim achei um brasileiro que não
programe somente em Java e Delphi Laughing
Post 13 Jan 2005, 22:01
View user's profile Send private message Reply with quote
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 13 Jan 2005, 23:12
Opcode do you know only Brasilian who knows java and delphi?
you must be jocking...
are you from Brasil?
I'm from Poland
Small Country in midle Europe.
People are nice but goverment is a pice of shit.
I would like to change it but I'm only little piece of sand.... sound.....
Arrow voice

_________________
Microsoft: brings power of yesterday to computers of today.
Post 13 Jan 2005, 23:12
View user's profile Send private message Reply with quote
Opcode



Joined: 07 Jan 2005
Posts: 12
Opcode 14 Jan 2005, 00:42
Hi HarryTuttle,

Yes, it is a joke... but Java appears like a religion here. Smile
I'm from Brazil and I remember your PM too me in the Win32ASM messageboard.

Regards,
Opcode
Post 14 Jan 2005, 00:42
View user's profile Send private message Reply with quote
beppe85



Joined: 23 Oct 2004
Posts: 181
beppe85 14 Jan 2005, 14:57
Opcode wrote:
Até que enfim achei um brasileiro que não
programe somente em Java e Delphi Laughing

And I tell you the same.... Surprised Very Happy
Actually I'm used to be the best Delphi programmer(read programmer, not developer) here, but Borland was attempting to remove inline assembly...grrrrrrrrr

PS: I know, I do not do the modest kind Smile
Post 14 Jan 2005, 14:57
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.