my program as follow:


.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data
szTitle db "Kernel address",0
outputbuffer db 100 dup(?)
.code
start:
      mov eax,
      invoke dw2ah,eax,addr outputbuffer
      invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
      invoke ExitProcess,0

end start
Posted on 2005-08-12 01:17:22 by Abuseyourdna
No.
There's lots of different ways to get the base address of kernel32, but thats not one of them.
What you just got is "some address inside kernel32", but not the base.
One popular way to find the base is to search from that address, backwards, until we find the letters "MZ" (which indicate the beginning of the PE Header).. we could use code similar to the following:


start:
mov eax,
.while word ptr !="ZM"
  dec eax
.endw


Not elegant, but it works...

Care to elaborate on why you are interested in this topic?

Posted on 2005-08-12 01:53:58 by Homer
i am studying some tutorials about virus.

i had checked the "ZM" and "EP" flags
and showed me i got the right base address of kernel.
Posted on 2005-08-12 02:05:43 by Abuseyourdna
I'm not going to attack you for wanting to learn.
Regardless, you will find this forum very hostile towards you, since the users here are a little paranoid when it comes to malicious software. Tread carefully, and don't be suprised if this thread is closed by a moderator very soon. Just be careful how you word your questions and everything is cool.
Posted on 2005-08-12 02:13:14 by Homer
i don't remember full link, but here take the code
this code finds kernel base and ExitProcess addres...
Attachments:
Posted on 2005-08-12 02:24:53 by Criminal2
To evilhomer2k

haha,okey,i get it.

i just want to study something i interest in.

Not really want to destroy.


Posted on 2005-08-12 02:28:13 by Abuseyourdna

.386
.model flat, STDCALL
option casemap :none

include \masm32\include\windows.inc

return macro retval
mov eax, retval
ret
endm

.data
api db 'Beep', 0h
apilen dd 5d
apiaddr dd 0h

.data?
search dd ?
kernel dd ?
expnum dd ?

aTable dd ?
nTable dd ?

.code
Main:

call Delta                  ;Delta-Trick: get current eip
Delta:
pop ebp
sub ebp, offset Delta      ;make all addressings relative to current eip

mov esi, dword ptr
and esi, 0FFFF0000h        ;round esi
call KernelSearch          ;esi holds the jump-back address of the createprocess api

.IF eax == TRUE && apiaddr != 0h
    push 2000d
    push 500d
    mov eax, apiaddr
    call eax                ;call the Beep-API
.ENDIF

;cmp eax, TRUE
;je Unload
;some fix addresses
;mov esi, 0BFF70000h    ;WIN95
;call KernelSearch
;cmp eax, TRUE
;je Unload
;mov esi, 077F00000h    ;WINNT
;call KernelSearch
;cmp eax, TRUE
;je Unload
;mov esi, 077e00000h    ;WIN2K
;call KernelSearch



Unload:
ret



KernelSearch:              ;TRY TO FIND THE KERNEL FROM ESI
mov search, 10d

KernelSearch2:

cmp word ptr , 'ZM'    ;MZ AND PE CHECK
jne NextKernelSearch
mov edi,
add edi, esi
cmp word ptr , 'EP'
jne NextKernelSearch

add edi, 16h                ;DLL FLAG CHECK
mov ax, word ptr
and ax, 02000h
cmp ax, 02000h
jne NextKernelSearch

sub edi, 16h

mov kernel, esi            ;SAVE THE KERNEL ADDRESS

                            ;READ KERNEL DATA
add esi,
add esi, 24d                ;NUMBER OF EXPORTS
lodsd
mov expnum, eax
lodsd                      ;ADDRESS OF ADDRESS TABLE
add eax, kernel            ;MAKE IT ABSOLUTE
mov aTable, eax            ;AND SAVE
lodsd                      ;ADDRESS OF NAME TABLE
add eax, kernel
mov nTable, eax

                            ;START THE API SEARCH
mov esi, eax
SearchAPI:
push esi
mov edx, esi
sub edx, nTable
add edx, aTable
mov edx,               ;READ ADDRESS FROM ADDRESS TABLE
add edx, kernel            ;ABSOLUTE
lodsd
add eax, kernel            ;ABSOLUTE
                            ;EAX POINTS TO THE FOUND EXPORT FUNCTION NAME

mov esi, eax                ;CHECK IF API WAS FOUND
mov edi, offset api
mov ecx, apilen
call CompareAPINames
.IF eax == TRUE
    mov apiaddr, edx
.ENDIF

NextAPISearch:              ;CHECK NEXT EXPORT
pop esi
add esi, 4d
dec expnum
cmp expnum, 0h
jne SearchAPI

return TRUE                ;END OF SEARCH

NextKernelSearch:
sub esi, 10000h
dec search
cmp search, 0h
jne KernelSearch2

return FALSE                ;COULD NOT LOCATE THE KERNEL


CompareAPINames:
cmp ecx, 0h
je FoundAPI
lodsb
cmp byte ptr , al
jne EndComparison
dec ecx
inc edi
jmp CompareAPINames
FoundAPI:
mov eax, TRUE
ret
EndComparison:
mov eax, FALSE
ret

end Main


some time ago i wrote this so probably not the shortest way to get there ... but it works :)
Dominik
Posted on 2005-08-12 03:37:25 by Dom
oh,god!

i think the best way to get the base address of kernel just as follow:


.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data
szTitle db "Base address of Kernel",0
outputbuffer db 10 dup(?)

.code
start:

mov eax,
.while word ptr !="ZM"
  dec eax
.endw
mov esi,eax
invoke dw2ah,esi,addr outputbuffer
invoke MessageBox,NULL,addr outputbuffer,addr szTitle,MB_OK
invoke ExitProcess,0
end start

Posted on 2005-08-13 07:19:47 by Abuseyourdna
You should search the board. There are better methods.
Posted on 2005-08-13 09:38:26 by roticv
Get value from stack (or any entry in kernel32.dll), mask off the lowest 4k (modules are always loaded to a 4k boundary; you *could* mask off the lower 64k, which "should" work, but there's not much reason to do this). Scan backwards by 4k until you find MZ signature. Remember that you must have an import that ends up importing from kernel32, otherwise your application won't work on all win32 versions.
Posted on 2005-08-14 08:29:30 by f0dder
Well,

If you are going to scan around for the MZ by jumping back 4K at a time I guess it would work, however, in Win32 the module handle is actually a pointer to exactly that portion of the module. For example ...

invoke GetModuleHandle,"Kernel32.dll"

Will return the offset of the "MZ" in Kernel32, this was well documented in the original specs for Win32.
Posted on 2005-08-14 11:26:23 by donkey
Donkey, the problem is that when you're tempted to do scan-for-kernel, you usually don't have access to API calls.

This could be because somebody is doing virus or shellcode programming (sigh), or it can be used for software protection as it is slightly harder to break on (and divert to "hijacked" code) than a GetMouldeHandle or LoadLibrary call.
Posted on 2005-08-16 10:15:45 by f0dder