my program as follow:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
szTitle db "Kernel address",0
outputbuffer db 100 dup(?)
.code
start:
mov eax,
invoke dw2ah,eax,addr outputbuffer
invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
invoke ExitProcess,0
end start
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
szTitle db "Kernel address",0
outputbuffer db 100 dup(?)
.code
start:
mov eax,
invoke dw2ah,eax,addr outputbuffer
invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
invoke ExitProcess,0
end start
No.
There's lots of different ways to get the base address of kernel32, but thats not one of them.
What you just got is "some address inside kernel32", but not the base.
One popular way to find the base is to search from that address, backwards, until we find the letters "MZ" (which indicate the beginning of the PE Header).. we could use code similar to the following:
Not elegant, but it works...
Care to elaborate on why you are interested in this topic?
There's lots of different ways to get the base address of kernel32, but thats not one of them.
What you just got is "some address inside kernel32", but not the base.
One popular way to find the base is to search from that address, backwards, until we find the letters "MZ" (which indicate the beginning of the PE Header).. we could use code similar to the following:
start:
mov eax,
.while word ptr !="ZM"
dec eax
.endw
Not elegant, but it works...
Care to elaborate on why you are interested in this topic?
i am studying some tutorials about virus.
i had checked the "ZM" and "EP" flags
and showed me i got the right base address of kernel.
i had checked the "ZM" and "EP" flags
and showed me i got the right base address of kernel.
I'm not going to attack you for wanting to learn.
Regardless, you will find this forum very hostile towards you, since the users here are a little paranoid when it comes to malicious software. Tread carefully, and don't be suprised if this thread is closed by a moderator very soon. Just be careful how you word your questions and everything is cool.
Regardless, you will find this forum very hostile towards you, since the users here are a little paranoid when it comes to malicious software. Tread carefully, and don't be suprised if this thread is closed by a moderator very soon. Just be careful how you word your questions and everything is cool.
i don't remember full link, but here take the code
this code finds kernel base and ExitProcess addres...
this code finds kernel base and ExitProcess addres...
To evilhomer2k
haha,okey,i get it.
i just want to study something i interest in.
Not really want to destroy.
haha,okey,i get it.
i just want to study something i interest in.
Not really want to destroy.
.386
.model flat, STDCALL
option casemap :none
include \masm32\include\windows.inc
return macro retval
mov eax, retval
ret
endm
.data
api db 'Beep', 0h
apilen dd 5d
apiaddr dd 0h
.data?
search dd ?
kernel dd ?
expnum dd ?
aTable dd ?
nTable dd ?
.code
Main:
call Delta ;Delta-Trick: get current eip
Delta:
pop ebp
sub ebp, offset Delta ;make all addressings relative to current eip
mov esi, dword ptr
and esi, 0FFFF0000h ;round esi
call KernelSearch ;esi holds the jump-back address of the createprocess api
.IF eax == TRUE && apiaddr != 0h
push 2000d
push 500d
mov eax, apiaddr
call eax ;call the Beep-API
.ENDIF
;cmp eax, TRUE
;je Unload
;some fix addresses
;mov esi, 0BFF70000h ;WIN95
;call KernelSearch
;cmp eax, TRUE
;je Unload
;mov esi, 077F00000h ;WINNT
;call KernelSearch
;cmp eax, TRUE
;je Unload
;mov esi, 077e00000h ;WIN2K
;call KernelSearch
Unload:
ret
KernelSearch: ;TRY TO FIND THE KERNEL FROM ESI
mov search, 10d
KernelSearch2:
cmp word ptr , 'ZM' ;MZ AND PE CHECK
jne NextKernelSearch
mov edi,
add edi, esi
cmp word ptr , 'EP'
jne NextKernelSearch
add edi, 16h ;DLL FLAG CHECK
mov ax, word ptr
and ax, 02000h
cmp ax, 02000h
jne NextKernelSearch
sub edi, 16h
mov kernel, esi ;SAVE THE KERNEL ADDRESS
;READ KERNEL DATA
add esi,
add esi, 24d ;NUMBER OF EXPORTS
lodsd
mov expnum, eax
lodsd ;ADDRESS OF ADDRESS TABLE
add eax, kernel ;MAKE IT ABSOLUTE
mov aTable, eax ;AND SAVE
lodsd ;ADDRESS OF NAME TABLE
add eax, kernel
mov nTable, eax
;START THE API SEARCH
mov esi, eax
SearchAPI:
push esi
mov edx, esi
sub edx, nTable
add edx, aTable
mov edx, ;READ ADDRESS FROM ADDRESS TABLE
add edx, kernel ;ABSOLUTE
lodsd
add eax, kernel ;ABSOLUTE
;EAX POINTS TO THE FOUND EXPORT FUNCTION NAME
mov esi, eax ;CHECK IF API WAS FOUND
mov edi, offset api
mov ecx, apilen
call CompareAPINames
.IF eax == TRUE
mov apiaddr, edx
.ENDIF
NextAPISearch: ;CHECK NEXT EXPORT
pop esi
add esi, 4d
dec expnum
cmp expnum, 0h
jne SearchAPI
return TRUE ;END OF SEARCH
NextKernelSearch:
sub esi, 10000h
dec search
cmp search, 0h
jne KernelSearch2
return FALSE ;COULD NOT LOCATE THE KERNEL
CompareAPINames:
cmp ecx, 0h
je FoundAPI
lodsb
cmp byte ptr , al
jne EndComparison
dec ecx
inc edi
jmp CompareAPINames
FoundAPI:
mov eax, TRUE
ret
EndComparison:
mov eax, FALSE
ret
end Main
some time ago i wrote this so probably not the shortest way to get there ... but it works :)
Dominik
oh,god!
i think the best way to get the base address of kernel just as follow:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
szTitle db "Base address of Kernel",0
outputbuffer db 10 dup(?)
.code
start:
mov eax,
.while word ptr !="ZM"
dec eax
.endw
mov esi,eax
invoke dw2ah,esi,addr outputbuffer
invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
invoke ExitProcess,0
end start
i think the best way to get the base address of kernel just as follow:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
szTitle db "Base address of Kernel",0
outputbuffer db 10 dup(?)
.code
start:
mov eax,
.while word ptr !="ZM"
dec eax
.endw
mov esi,eax
invoke dw2ah,esi,addr outputbuffer
invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
invoke ExitProcess,0
end start
You should search the board. There are better methods.
Get value from stack (or any entry in kernel32.dll), mask off the lowest 4k (modules are always loaded to a 4k boundary; you *could* mask off the lower 64k, which "should" work, but there's not much reason to do this). Scan backwards by 4k until you find MZ signature. Remember that you must have an import that ends up importing from kernel32, otherwise your application won't work on all win32 versions.
Well,
If you are going to scan around for the MZ by jumping back 4K at a time I guess it would work, however, in Win32 the module handle is actually a pointer to exactly that portion of the module. For example ...
invoke GetModuleHandle,"Kernel32.dll"
Will return the offset of the "MZ" in Kernel32, this was well documented in the original specs for Win32.
If you are going to scan around for the MZ by jumping back 4K at a time I guess it would work, however, in Win32 the module handle is actually a pointer to exactly that portion of the module. For example ...
invoke GetModuleHandle,"Kernel32.dll"
Will return the offset of the "MZ" in Kernel32, this was well documented in the original specs for Win32.
Donkey, the problem is that when you're tempted to do scan-for-kernel, you usually don't have access to API calls.
This could be because somebody is doing virus or shellcode programming (sigh), or it can be used for software protection as it is slightly harder to break on (and divert to "hijacked" code) than a GetMouldeHandle or LoadLibrary call.
This could be because somebody is doing virus or shellcode programming (sigh), or it can be used for software protection as it is slightly harder to break on (and divert to "hijacked" code) than a GetMouldeHandle or LoadLibrary call.