Name of the current module without the path, in NT (UNICODE):


mov eax, dword ptr fs:[30h]        ; PEB
mov eax, dword ptr [eax + 0Ch]     ; PEB->Ldr
mov eax, dword ptr [eax + 70h]


not 100% sure, because i couldn't test it in win2k. My old Fujitsu said goodbye, although i haven't even used it in months. :mad:
Posted on 2004-07-10 01:28:05 by Petroizki
donkey, :eek:
What OS did you test the current directory stuff on? In XP and 2k it seems to work just fine, that path is changed by SetCurrentDirectory. However you can't change the path directly, you must always use SetCurrentDirectory.

Are you sure the SetCurrentDirectory call didn't fail?
Did you try to enter the same path with different case? Windows is clever enough to think "C:\Winnt" is the same as "c:\winnt", so it won't change the path.
Posted on 2004-07-10 04:51:48 by Petroizki
Actually you're right. I just looked at a debug dump and didn't notice that it had inserted a 00 ...

00020290: 43 00 3A 00-5C 00 00 00-61 00 64 00-41 00 53 00  C.:.\...a.d.A.S.
000202A0: 4D 00 5C 00-47 00 6F 00-41 00 73 00-6D 00 5C 00  M.\.G.o.A.s.m.\.
000202B0: 50 00 72 00-6F 00 6A 00-65 00 63 00-74 00 73 00  P.r.o.j.e.c.t.s.
000202C0: 5C 00 52 00-65 00 61 00-64 00 46 00-69 00 6C 00  \.R.e.a.d.F.i.l.
000202D0: 65 00 4C 00-69 00 6E 00-65 00 73 00-5C 00 00 00  e.L.i.n.e.s.\...
000202E0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
000202F0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00020300: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
Posted on 2004-07-10 06:38:54 by donkey
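The dump above is worth reading closely: the live string is "C:\" plus a terminator, and everything after it is the tail of a longer path that was overwritten in place. The following Python is an added example (not code from the thread) that parses those dump lines back into bytes, walks the UTF-16LE strings in the buffer, and models the in-place overwrite that leaves such a stale tail behind. The overwritten character in the modelled original path is a constructed placeholder, since the dump cannot tell us what it was.

```python
import re

# The eight dump lines quoted in donkey's post (address, 16 bytes, ASCII
# column), with the backslashes the forum software had stripped put back.
DUMP = r"""
00020290: 43 00 3A 00-5C 00 00 00-61 00 64 00-41 00 53 00  C.:.\...a.d.A.S.
000202A0: 4D 00 5C 00-47 00 6F 00-41 00 73 00-6D 00 5C 00  M.\.G.o.A.s.m.\.
000202B0: 50 00 72 00-6F 00 6A 00-65 00 63 00-74 00 73 00  P.r.o.j.e.c.t.s.
000202C0: 5C 00 52 00-65 00 61 00-64 00 46 00-69 00 6C 00  \.R.e.a.d.F.i.l.
000202D0: 65 00 4C 00-69 00 6E 00-65 00 73 00-5C 00 00 00  e.L.i.n.e.s.\...
000202E0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
000202F0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00020300: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
"""


def parse_dump(text: str) -> bytes:
    """Turn 'ADDR: XX XX-XX ... ascii' lines into one contiguous byte buffer.
    Lines must be consecutive 16-byte rows; the ASCII column is ignored."""
    out = bytearray()
    expected = None
    for line in text.splitlines():
        if not line.strip():
            continue
        addr_txt, rest = line.split(":", 1)
        addr = int(addr_txt, 16)
        if expected is not None and addr != expected:
            raise ValueError(f"gap in dump at {addr:08X}")
        # '-' separates groups of four; only the first 16 tokens are data
        tokens = re.findall(r"\b[0-9A-Fa-f]{2}\b", rest.replace("-", " "))[:16]
        if len(tokens) != 16:
            raise ValueError(f"short line at {addr:08X}")
        out += bytes(int(t, 16) for t in tokens)
        expected = addr + 16
    return bytes(out)


def read_wide_cstring(buf: bytes, offset: int) -> tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string at offset.
    Returns the text and the offset just past its 2-byte terminator."""
    end = offset
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le"), end + 2


def stale_strings(buf: bytes) -> list[str]:
    """Every non-empty wide string left after the live one: what a memory
    forensics pass still sees even though the process no longer uses it."""
    _, off = read_wide_cstring(buf, 0)
    found = []
    while off + 1 < len(buf):
        s, off = read_wide_cstring(buf, off)
        if s:
            found.append(s)
    return found


def overwrite_in_place(buf: bytes, new_text: str) -> bytes:
    """Model what the dump shows: the new path and its terminator are written
    over the start of the existing buffer and the old tail is left behind."""
    patch = new_text.encode("utf-16-le") + b"\x00\x00"
    if len(patch) > len(buf):
        raise ValueError("new text does not fit in the buffer")
    return patch + buf[len(patch):]


if __name__ == "__main__":
    buf = parse_dump(DUMP)
    print("live:", read_wide_cstring(buf, 0)[0])
    print("stale:", stale_strings(buf))
```

Running it prints the live directory "C:\" and one stale string, "adASM\GoAsm\Projects\ReadFileLines\", which is exactly why a raw look at the buffer suggests the call had failed when it had not.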
IsDebuggerPresent: (NT) :)


mov eax, dword ptr fs:[30h]        ; PEB
movzx eax, byte ptr [eax + 2]      ; PEB->BeingDebugged


..could someone please see if it works on 9x too?
Posted on 2004-07-24 10:41:02 by Petroizki
In 98SE it returns 4, both standalone and under OllyDbg. Had to put the assume fs:nothing in to get it to assemble, but not sure if that is the right thing to do. Used Masm32 v8.



.386
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
deb     dd 0
szCap   db 'IsDebuggerPresent 9x',0
szFmt   db 'IsDebuggerPresent %lu',0
szBuf   db 64 dup(0)                    ; output buffer for wsprintf; the original
                                        ; ' ',0 (2 bytes) was overflowed by the message

.code
start:
    assume fs:nothing                   ; MASM assumes fs:error by default
    mov eax, dword ptr fs:[30h]         ; PEB (NT only)
    movzx eax, byte ptr [eax + 2]       ; PEB->BeingDebugged (NT only)
    mov deb, eax
    invoke wsprintf, ADDR szBuf, ADDR szFmt, deb
    invoke MessageBox, 0, ADDR szBuf, ADDR szCap, 0
    invoke ExitProcess, 0
end start
Posted on 2004-08-13 05:08:40 by geraldream
regarding evilhomer2k's kernel32 getting code: in that struct that ratter uses there are 3 lists with modules, sorted in LoadOrder, MemoryOrder and InitOrder. he uses the LoadOrder list of course. with these structs you can write your own PSAPI and such :)

regarding the posts about the structures you'll find with this code:

mov eax, dword ptr fs:[30h]        ; PEB
mov eax, dword ptr [eax + 10h]     ; PEB->ProcessParameters

eax points now to a struct named RTL_USER_PROCESS_PARAMETERS. you can find here the current directory (+handle), std i/o handles for console, command line, environment, window title, etc.
Posted on 2004-08-13 06:51:20 by Mbee
dsouza123,
Thanks for testing it. In MASM you must assume fs to nothing, because by default it is assumed as error.

xlifewirex,
that's true, i have the PROCESS_PARAMETERS structure prototype in ntdll.h, but most of that stuff has already been revealed in this thread. ;)

Here are the standard handles (NT):


mov eax, dword ptr fs:[30h]        ; PEB
mov eax, dword ptr [eax + 10h]     ; PEB->ProcessParameters (RTL_USER_PROCESS_PARAMETERS)
; mov eax, dword ptr [eax + 18h]   ; STD_INPUT_HANDLE
; mov eax, dword ptr [eax + 1Ch]   ; STD_OUTPUT_HANDLE
; mov eax, dword ptr [eax + 20h]   ; STD_ERROR_HANDLE
Posted on 2004-08-13 09:08:05 by Petroizki
more fun on NT: at 0x7ffe0000 there is a structure named KUSER_SHARED_DATA. that is a struct that is shared among all user processes and is a mirror of some kernelspace structure. for example, GetTickCount uses the first 2 dwords to calculate the tickcount. it also contains the ntversion, systemroot, systemtime and the processor features.

these processor features start at 0x7ffe0274 and if you check IsProcessorFeaturePresent you'll see that it uses the same structure internally. the argument given to IsProcessorFeaturePresent is added to 0x7ffe0274 and the byte at that address is returned. these are some indices in the byte array at 0x7ffe0274:



PF_FLOATING_POINT_PRECISION_ERRATA = 0,
PF_FLOATING_POINT_EMULATED = 1,
PF_COMPARE_EXCHANGE_DOUBLE = 2,
PF_MMX_INSTRUCTIONS_AVAILABLE = 3,
PF_PPC_MOVEMEM_64BIT_OK = 4,
PF_ALPHA_BYTE_INSTRUCTIONS = 5,
PF_XMMI_INSTRUCTIONS_AVAILABLE = 6,
PF_3DNOW_INSTRUCTIONS_AVAILABLE = 7,
PF_RDTSC_INSTRUCTION_AVAILABLE = 8,
PF_PAE_ENABLED = 9,
Posted on 2004-08-13 14:29:48 by Mbee
and now the shortest way to find the base of kernel32.dll in the world (tested only on xp with SP0, seems very very unreliable but just for fun) :

mov eax, dword ptr ds:[077ED6030h]   ; hModule

or

mov eax, dword ptr ds:[077ED6054h]   ; BaseDllHandle

comments named according to the debugging symbols.
Posted on 2004-08-13 15:16:19 by Mbee
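The snippets in this thread (fs:[30h] followed by a load at +2, +0Ch or +10h, absolute reads into the 0x7ffe0000 page, and the hard-coded kernel32 addresses just above) are also the byte patterns a defender looks for when triaging 32-bit code that avoids the documented API. The Python below is an added example, not code from the thread: a small static scanner that decodes just enough of the `mov`/`movzx` encodings to recognise those accesses and names the PEB field from the offsets given in the posts. The sample bytes are constructed from the thread's own snippets, `PEB_FIELDS` contains only the offsets named here, and `SYSDLL_RANGE` is an assumed heuristic for where XP-era system DLLs were mapped.

```python
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB offsets named in this thread.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters"}

KUSER_BASE = 0x7FFE0000                  # the KUSER_SHARED_DATA page
SYSDLL_RANGE = (0x70000000, 0x7FFE0000)  # assumed: XP-era system DLL mapping range


def decode_load(buf: bytes, i: int):
    """Decode one 32-bit load at buf[i]: 'mov eax, [moffs32]' (A1),
    'mov r32, r/m32' (8B /r) or 'movzx r32, byte [r/m]' (0F B6 /r).
    Returns (dest, base, disp, length); base is None for an absolute address.
    SIB forms and register-to-register moves are not handled (None)."""
    if i >= len(buf):
        return None
    op = buf[i]
    if op == 0xA1 and i + 5 <= len(buf):
        return 0, None, int.from_bytes(buf[i + 1:i + 5], "little"), 5
    if op == 0x8B:
        j = i + 1
    elif op == 0x0F and i + 1 < len(buf) and buf[i + 1] == 0xB6:
        j = i + 2
    else:
        return None
    if j >= len(buf):
        return None
    m = buf[j]
    mod, reg, rm = m >> 6, (m >> 3) & 7, m & 7
    if mod == 3 or rm == 4:
        return None
    if mod == 0 and rm == 5:                       # [disp32] absolute
        if j + 5 > len(buf):
            return None
        return reg, None, int.from_bytes(buf[j + 1:j + 5], "little"), j + 5 - i
    if mod == 0:                                   # [reg]
        return reg, rm, 0, j + 1 - i
    if mod == 1:                                   # [reg + disp8]
        if j + 2 > len(buf):
            return None
        return reg, rm, int.from_bytes(buf[j + 1:j + 2], "little", signed=True), j + 2 - i
    if j + 5 > len(buf):                           # [reg + disp32]
        return None
    return reg, rm, int.from_bytes(buf[j + 1:j + 5], "little", signed=True), j + 5 - i


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for each PEB, KUSER_SHARED_DATA or
    hard-coded system DLL read found by a linear pass over the bytes."""
    hits = []
    i = 0
    while i < len(buf):
        if buf[i] == 0x64:                         # FS segment override
            ld = decode_load(buf, i + 1)
            if ld and ld[2] == 0x30:
                dest, base, _, ln = ld
                how = "fs:[30h]" if base is None else f"fs:[{REG32[base]}+30h]"
                desc = f"PEB read via {how} into {REG32[dest]}"
                nxt = decode_load(buf, i + 1 + ln)  # the dereference that follows
                if nxt and nxt[1] == dest:
                    field = PEB_FIELDS.get(nxt[2], "unknown field")
                    desc += f", then {field} at +0x{nxt[2]:X}"
                hits.append((i, desc))
                i += 1 + ln
                continue
        ld = decode_load(buf, i)
        if ld:
            disp = ld[2]
            if disp & ~0xFFF == KUSER_BASE:        # any access into the shared page
                hits.append((i, f"KUSER_SHARED_DATA read at 0x{disp:08X}"))
                i += ld[3]
                continue
            if ld[1] is None and SYSDLL_RANGE[0] <= disp < SYSDLL_RANGE[1]:
                hits.append((i, f"hard-coded system DLL address 0x{disp:08X} (version-specific)"))
                i += ld[3]
                continue
        i += 1
    return hits


# Constructed sample assembled from the snippets in this thread.
SAMPLE = bytes.fromhex(
    "90 90"
    "64 A1 30 00 00 00"        # mov eax, fs:[30h]
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]      (BeingDebugged)
    "90"
    "64 A1 30 00 00 00"
    "8B 40 0C"                 # mov eax, [eax+0Ch]               (Ldr)
    "8B 40 70"
    "90"
    "31 C0"                    # xor eax, eax
    "64 8B 40 30"              # mov eax, fs:[eax+30h]
    "8B 40 10"                 # mov eax, [eax+10h]               (ProcessParameters)
    "8B 40 18"                 # mov eax, [eax+18h]               (StandardInput)
    "90"
    "A1 00 00 FE 7F"           # mov eax, ds:[7FFE0000h]          (tick count dwords)
    "0F B6 80 74 02 FE 7F"     # movzx eax, byte ptr [eax+7FFE0274h] (processor features)
    "90"
    "A1 30 60 ED 77"           # mov eax, ds:[77ED6030h]          (hard-coded kernel32 global)
    "C3"                       # ret
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:04X}: {what}")
```

Because this is a byte-level pass rather than a real disassembly, it can fire on data that happens to contain these sequences; treat a hit as a reason to look at that location, not as a verdict.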