Hello,
I was wondering how I can retrieve the base address of an external process. My need is to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.
I imagine I could always do an OpenProcess on the remote process and then start reading its memory looking for the DOS header structure or any well known sequence of bytes ....
Is there anything better than this approach to find the IAT in a remote/external process?
Thanks.
Regards,
yaa
Humm, it's been a while... toolhelp32 doesn't list the base address?
You could open the file on disk and read the PE header. And there's probably some magic you can do with a CreateRemoteThread.
Or you could just use 0x400000 and hope you won't have to deal with nonstandard PEs.
Now, for the most interesting question: why do you need to get to the IAT of a remote process?
Hello f0dder, I also was suspecting that toolhelp32 might contain something useful for the job ... but I was too lazy to look into it ;)
I'll take a look now.
As for the reason ... I'm working on a very stupid and very useless little application that should redirect GetVersion, GetVersionExA, GetVersionExW APIs to let a process think that the OS is the one that I want ...
Thanks.
Regards,
yaa
Due to the new sub-forum, this thread is re-opened.
As for the reason ... I'm working on a very stupid and very useless little application that should redirect GetVersion, GetVersionExA, GetVersionExW APIs to let a process think that the OS is the one that I want ...
The answer to this question would all depend on if you wish to perform such an action in a legitimate way (i.e. using a pre-existing Windows API) or if you are wishing to go below the OS and access memory directly (as would SoftICE). Which way are you looking for?
Something like Microsoft's Detours could probably be of great help to you, I've used it to instrument applications in the past. As long as you're doing legit no-harm stuff and not dealing with software protection, it works like a charm.
One thing that you could do is to hook the desired APIs and then within your hook examine the (E/K)PROCESS of the thread that made the call into your hooked APIs and if it belongs to the desired remote process then you could perform your action.
Sounds awfully complicated (global API hooking on NT? ick :)) when simple detour'ing of a specific app will (probably) do the trick.
Oh sure, take the easy way out :lol: what fun is that!
Use VirtualAllocEx to allocate memory in the target process.
Use WriteProcessMemoryEx to copy a little 'pc-relative' code snippet into it.
Use CreateRemoteThread to execute the snippet in the context of the remote process.
Your remote thread makes a call to GetProcessHandle, communicates that information to the parent process in some way (I leave this to your imagination), and promptly terminates.
You can use this method to do all kinds of context-sensitive stuff.
Homer: it's still by far easiest to do whatever you need to do in a DLL though :)
And those techniques can be put to good, non-malicious use. And yes, it's my patch that's used in the STEAM re-release of XCOM:TFTD.
Sorry, for the off-topic:
F0dder, do you realize how popular this patch is? ^^ I've seen it on hundreds of sites related to X-COM:TFTD ^^ And a sentence like "Q: I have a problem , A: Download f0dder's patch" can be found on every X-COM forum, or FAQ ^^
( I guess you like X-COM? ^^ Actually, I'm playing TFTD (Sony PSX version) ATM ^^ )
ti_mo_n: yeah, and I've received a lot of (fan :P) mails about the patches too. There's problems for a few people :/, and I never got around to fixing those, since other people started writing patches and I sorta lost interest (my own patch lets me play the game, that was my main goal :)).
It really annoys me that 2K Games didn't even seem to try to contact me before using my patch for their Steam re-release... didn't know they'd done that until I received mail from some random guy. Contacted them and got a bunch of bla-bla, answered back and never got a reply again... think I'll send them a "so, cat got your tongue?" mail now :)
It's claimed that the source code for XCOM was lost, btw :(
Sorry I've not replied in a while, I've been sick with the flu the past few days (damn brother's kids bringing shit home from school). I don't even really think Yaa is paying attention to this thread anymore. When I replied to him to let him know that I unlocked the topic I sent him a bit of pseudo code similar to what Homer posted. He thanked me and I figured he'd probably continue on this discussion from there but I guess he got what he needed based off of that.
f0dder: that detours library looks very interesting. I'm going to have to give it a go over when I get a chance, thanks for the link. (even though it wasn't for me) :p
detours is not interesting.
I don't think you can do it in user mode. You have to have ring0 access, I'm pretty sure. It is a tedious task. I have a driver that can find it by searching memory and doing comparison strings. It will report back the physical address.
Here is how to calculate the base address from descriptor table entries:
    mov GlobalSel,ecx       ; save selector to variable
    push ecx                ; save selector
    push ebp                ; a way of storing information
    push esp                ; on the stack
    pop ebp
    xor ecx,ecx
    xor edx,edx
    push ecx                ; reserve 8 bytes on the stack
    push edx                ; (SGDT writes 6: word limit + dword base)
    sgdt fword ptr ss:[esp] ; store GDT limit and linear base at [esp]
    pop edx                 ; low dword: limit in bits 0-15, base bits 0-15 in bits 16-31
    pop ecx                 ; next dword: base bits 16-31 in its low word
    pop ebp
    mov GDTlimit,edx
    and GDTlimit,0000FFFFh  ; keep the 16-bit limit
    mov eax,edx
    shr eax,010h            ; base bits 0-15
    shl ecx,010h            ; base bits 16-31
    or eax,ecx              ; GDT address now in eax
    mov GDTbase,eax
    pop ecx                 ; restore selector
---------------------------------------------------------------------------
Again, same algorithm:
    push ecx                ; save selector
    push ebp                ; a way of storing information
    push esp                ; on the stack
    pop ebp
    xor ecx,ecx
    xor edx,edx
    push ecx                ; reserve 8 bytes on the stack
    push edx
    sidt fword ptr ss:[esp] ; store IDT limit and linear base at [esp]
    pop edx                 ; low dword: limit in bits 0-15, base bits 0-15 in bits 16-31
    pop ecx                 ; next dword: base bits 16-31 in its low word
    pop ebp
    mov eax,edx
    shr eax,010h            ; base bits 0-15
    shl ecx,010h            ; base bits 16-31
    or eax,ecx              ; IDT address now in eax
    mov IDTbase,eax
    pop ecx                 ; restore selector
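As an added example that is not part of mrgone's post: the same unpacking of the two popped dwords written in C, then the step the listing stops short of, fetching an entry from the table by selector and decoding its base and limit. The descriptor layout follows the Intel manuals (base and limit are scattered over the 8 bytes; with the G bit set the 20-bit limit counts 4 KiB pages). The GDT contents and the register values are constructed, not read from a machine.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct { uint32_t base; uint16_t limit; } table_reg;   /* what SGDT/SIDT store: 16-bit limit, 32-bit linear base */
typedef struct { uint32_t base, limit; int present, dpl, code, granular; } seg_desc;

/* lo and hi are the two dwords popped after "sgdt fword ptr [esp]": the 6-byte pseudo-descriptor
 * straddles them, limit in lo[15:0], base in lo[31:16] (low half) and hi[15:0] (high half). */
table_reg unpack_table_reg(uint32_t lo, uint32_t hi)
{
    table_reg r;
    r.limit = (uint16_t)(lo & 0xFFFF);
    r.base  = (lo >> 16) | (hi << 16);                           /* the shr/shl/or sequence of the listing */
    return r;
}

/* Decode an 8-byte segment descriptor into base, byte limit and the access bits that matter here. */
seg_desc decode_descriptor(uint64_t d)
{
    uint32_t lo = (uint32_t)d, hi = (uint32_t)(d >> 32);
    seg_desc s;
    s.base     = (lo >> 16) | ((hi & 0xFF) << 16) | (hi & 0xFF000000u);
    s.limit    = (lo & 0xFFFF) | (hi & 0x000F0000u);             /* 20-bit raw limit */
    s.granular = (hi >> 23) & 1;                                 /* G: limit counts 4 KiB pages */
    s.present  = (hi >> 15) & 1;
    s.dpl      = (hi >> 13) & 3;
    s.code     = (hi >> 11) & 1;                                 /* type bit 3 for S=1 (code/data) descriptors */
    if (s.granular) s.limit = (s.limit << 12) | 0xFFF;           /* byte limit = pages*4096 + 4095 */
    return s;
}

/* Resolve a selector against a GDT described by gdtr.  gdt is the table's memory (here a constructed
 * array; in a driver it would be the linear address gdtr.base).  Returns 0 for selectors past the
 * limit, LDT selectors (TI bit set) and descriptors that are not present. */
int lookup_selector(const uint64_t *gdt, table_reg gdtr, uint16_t sel, seg_desc *out)
{
    uint32_t index = sel >> 3;
    if (sel & 4) return 0;                                       /* TI=1 selects the LDT, not handled here */
    if (index * 8 + 7 > gdtr.limit) return 0;                    /* limit is the offset of the table's last byte */
    *out = decode_descriptor(gdt[index]);
    return out->present;
}

/* Constructed GDT in the flat-model shape: null, ring0 code/data and ring3 code/data with base 0 and
 * limit 4 GiB, plus one small ring3 data segment with a real base (the shape a TEB segment has). */
const uint64_t sample_gdt[] = {
    0x0000000000000000ull,
    0x00CF9A000000FFFFull,   /* selector 0x08: ring0 code */
    0x00CF92000000FFFFull,   /* selector 0x10: ring0 data */
    0x00CFFA000000FFFFull,   /* selector 0x1B: ring3 code */
    0x00CFF2000000FFFFull,   /* selector 0x23: ring3 data */
    0x7F40F2FDE0000FFFull,   /* selector 0x2B: ring3 data, base 0x7FFDE000, limit 0xFFF, byte granular */
};
/* The two popped dwords as they would look for that table at a made-up linear base of 0x80003000. */
enum { SAMPLE_GDTR_LO = 0x3000002Fu, SAMPLE_GDTR_HI = 0x00008000u };
```

Running lookup_selector over the flat ring3 code and data entries gives base 0 and limit 0xFFFFFFFF, which is why the table base alone says nothing about where a process image lives; only a segment with a non-zero base, like the last entry above, carries a useful address.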
mrgone: poster wanted Process imagebase, not base of selector... and base of selector is pretty much pointless on windows (and linux) since they use FLAT mode :)
I beg to differ with you, but at least Windows most definitely uses paging.
And... that is the base address.... Hello??????
Well, for ring3 apps, code/data/stack selectors are BASE=0 LIMIT=4Gig, at least the last time I looked... so retrieving base/limit of those selectors is pretty useless. The TEB is a different thing, but since the TEB contains a self-pointer, well...
PS: original poster said IAT, not IDT.
That's what I said. It is a driver. I don't think you can do it from user mode. It is pointless to give a base address since they are all virtual addresses anyway. ;)