Is it possible to find API32 functions in memory and use them without having to load any DLL or statically link anything else?
Posted on 2003-09-03 05:05:27 by etn
No, because they are all in libraries, and some process has to load them at some time in order to use them. In the old days the equivalent of today's APIs used to reside in ROM, so they were always loaded, always there. But that was before multitasking hit the desktop PC.
Posted on 2003-09-03 05:31:18 by sluggy
Okay, I understand.

But what happens when one of the system's processes is running and is using a DLL which exists in memory because (the process) has loaded it?

May I take advantage of the loaded DLL?
Posted on 2003-09-03 07:03:04 by etn
If a DLL has already been loaded by your process, calling LoadLibrary will return the handle of the existing DLL; it will not load another one, so use LoadLibrary/GetProcAddress. By using LoadLibrary you increment the reference count on the DLL so it isn't unloaded before you are done. The same thing applies to the PE loader: if your program requires a DLL that is already loaded in your process, it will use the existing DLL and not load another one. Otherwise it would be loading a copy for each different function call.
Posted on 2003-09-03 07:24:22 by donkey
Yes. If I am not wrong, kernel32.dll is always loaded. There are ways to find the base of kernel32.dll, should not be too hard to find it.
Posted on 2003-09-03 07:33:27 by roticv
From another thread, posted by pazuluo:

KernelAdress dd ?

    mov ecx,[esp]              ; return address of the call: on thread entry it
                               ; lies inside kernel32 (called from CreateProcess)
GetKrnlBaseLoop:               ; get the kernel32 module base address
    xor edx,edx
    dec ecx                    ; scan backward one byte at a time
    mov dx,[ecx+03ch]          ; take the would-be e_lfanew (offset of the PE header)
    test dx,0f800h             ; plausible PE header offset (below 800h)?
    jnz GetKrnlBaseLoop        ; no, keep scanning
    cmp ecx,[ecx+edx+34h]      ; compare the current address with ImageBase, the
                               ; address the PE header says it should be loaded at
    jnz GetKrnlBaseLoop        ; different? search again
    mov [KernelAdress+ebp],ecx ; ecx holds the kernel base (ebp = delta offset); store it
                               ; note: every byte walked is dereferenced, so the scan
                               ; faults if it crosses into unmapped memory
Posted on 2003-09-03 07:36:00 by donkey
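The two tests that loop applies (a small e_lfanew at +3Ch, and an ImageBase at PE+34h equal to the candidate address) written out as a PE header parser over a byte buffer. This is an example added here, not code from the thread or from pazuluo; the minimal image it builds, the 0x77E00000 base, the 0x10000000 blob and all helper names are constructed assumptions. It also adds a stricter check that looks for the "MZ" and "PE\0\0" signatures, which the loop never does.

```python
import struct

# Field offsets the backward scan relies on (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 layout)
E_LFANEW = 0x3C     # IMAGE_DOS_HEADER.e_lfanew: offset of the PE header from the image base
IMAGE_BASE = 0x34   # IMAGE_NT_HEADERS32 + 0x34 = OptionalHeader.ImageBase (32-bit)


def looks_like_module_base(image, load_address, candidate):
    """The two tests of the assembly loop at one candidate address.

    image is a byte buffer mapped at load_address; candidate is the virtual address
    under test. Mirrors 'mov dx,[ecx+3Ch]; test dx,0F800h; cmp ecx,[ecx+edx+34h]'.
    """
    off = candidate - load_address
    if off < 0 or off + E_LFANEW + 2 > len(image):
        return False
    e_lfanew = struct.unpack_from("<H", image, off + E_LFANEW)[0]
    if e_lfanew & 0xF800:                     # e_lfanew must be below 0x800
        return False
    ib = off + e_lfanew + IMAGE_BASE
    if ib + 4 > len(image):
        return False
    return struct.unpack_from("<I", image, ib)[0] == candidate


def is_pe_image_base(image, load_address, candidate):
    """Stricter check: the loose test plus the 'MZ' and 'PE\\0\\0' signatures."""
    if not looks_like_module_base(image, load_address, candidate):
        return False
    off = candidate - load_address
    if image[off:off + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<H", image, off + E_LFANEW)[0]
    return image[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"


def scan_backward(image, load_address, start, check=looks_like_module_base):
    """Walk down one byte at a time from start, as the loop does, until check passes."""
    addr = start
    while addr > load_address:
        addr -= 1
        if check(image, load_address, addr):
            return addr
    return None


def build_sample_image(base, size=0x1000, pe_offset=0x80):
    """Constructed minimal image: DOS header with e_lfanew, PE signature, ImageBase."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW, pe_offset)
    buf[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<I", buf, pe_offset + IMAGE_BASE, base)
    return bytes(buf)


SAMPLE_BASE = 0x77E00000                      # assumed load address (constructed)
SAMPLE_IMAGE = build_sample_image(SAMPLE_BASE)

# Constructed data blob that satisfies the loose test although it is not a PE image:
# a dword equal to its own address sits at +34h and the word at +3Ch is zero.
BLOB_BASE = 0x10000000
_blob = bytearray(0x100)
struct.pack_into("<I", _blob, IMAGE_BASE, BLOB_BASE)
FALSE_POSITIVE_BLOB = bytes(_blob)

if __name__ == "__main__":
    ret = SAMPLE_BASE + 0x600                 # stands in for the return address on the stack
    print(hex(scan_backward(SAMPLE_IMAGE, SAMPLE_BASE, ret)))
    print(looks_like_module_base(FALSE_POSITIVE_BLOB, BLOB_BASE, BLOB_BASE),
          is_pe_image_base(FALSE_POSITIVE_BLOB, BLOB_BASE, BLOB_BASE))
```

Running it recovers SAMPLE_BASE from a return address 0x600 bytes inside the image, and the blob shows the limitation of the loose test: it accepts any memory where a self-referencing dword happens to sit 0x34 bytes past a small word, which is why a tool that validates headers (a debugger, a memory scanner) checks the signatures as the strict variant does.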
I personally prefer lingo's code, since there are no loops in it.

    assume fs:nothing
    mov eax,fs:[30h]       ; NT: pointer to the PEB; Win9x: process database (high bit set)
    mov edx,0B8h           ; Win9x: offset of the kernel base inside that structure
    mov ecx,[eax+30h]
    test eax,eax
    jns KI_1               ; user-mode (positive) address: take the NT path
    mov ebx,[eax+34h]      ; Win9x path
    or ecx,ecx
    jnz KI_2
KI_1:                      ; KI_1/KI_2 were not in the posted snippet; placement assumed
    mov eax,[eax+0Ch]      ; PEB.Ldr
    sub edx,0B0h           ; edx = 8: DllBase offset within a list entry
    mov eax,[eax+1Ch]      ; InInitializationOrderModuleList.Flink (first entry: ntdll)
    mov ebx,[eax]          ; next entry: kernel32 (on the Windows versions of the time)
KI_2:
    mov eax,[ebx+edx]      ; eax = kernel base
Posted on 2003-09-03 07:39:29 by roticv
All I needed was the base address of kernel32, because without it I can't use
the LoadLibrary function.

THX for your help!
Posted on 2003-09-03 07:54:03 by etn
:stupid: The two code snippets above find the kernel32 base.
Posted on 2003-09-03 08:12:12 by roticv

I personally prefer lingo's code, since there are no loops in it.

Nice, I hadn't seen that one. Not something I would ever use anyway, so I never put much thought into it other than to keep the snippet; it's a virii and injection thing and those don't really interest me much.
Posted on 2003-09-03 08:14:12 by donkey
Your code is fine and works OK!

I have another question:

Is it hard to get privilege level 0?

I have some programs of my own for transferring binary data from the PC to different machines over the LPT port.
All worked OK before I changed the system.
Now I use W2K; before, I used W95.
Solutions like port-talk are less efficient.
Is it possible to use opcodes like IN and OUT freely under W2K/XP/NT?

;) to roticv: I'm not stupid; all I want to say is: thank you!
Posted on 2003-09-04 01:38:03 by etn
The cleanest way or the best way is to write a kmd. Or perhaps have a look at the following:
Posted on 2003-09-04 06:03:24 by roticv