Hello,

I was wondering how I can retrieve the base address of an external process. My need is to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

I imagine I could always do an OpenProcess on the remote process and then start reading its memory looking for the dos header structure or any well known sequence of bytes ....

Is there anything better than this approach to find the IAT in a remote/external process?

Thanks.


Regards,
yaa

Posted on 2007-10-31 17:06:23 by yaa
Hmm, it's been a while... toolhelp32 doesn't list the base address?

You could open the file on disk and read the PE header. And there's probably some magic you can do with a CreateRemoteThread.

Or you could just use 0x400000 and hope you won't have to deal with nonstandard PE's.

Now, for the most interesting question: why do you need to get to the IAT of a remote process?
Posted on 2007-10-31 19:23:58 by f0dder
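What the toolhelp32 plus PE-header route looks like once you have the bytes, as an added example that is not from this thread or from any of its posters. In the real case the image would be read with ReadProcessMemory from the base that Module32First/Next reports in MODULEENTRY32.modBaseAddr; here a minimal PE32 image is constructed inline (its layout and offsets are invented) so the code runs offline. The parser assumes the image is in its mapped layout (RVA equals offset), which holds for a module read out of a running process but not for a file read from disk without section mapping.

```c
/* Added example, not from the thread: given a module's in-memory PE image,
 * walk DOS header -> NT headers -> import directory -> import descriptors and
 * return the IAT slot a named import is called through. The sample image is
 * CONSTRUCTED inline; every offset in it is invented, not a real module. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMG_SIZE 0x500

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)(p[0] | p[1] << 8 | p[2] << 16) | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Case-insensitive compare: import tables spell "KERNEL32.dll" inconsistently. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* DOS header -> e_lfanew -> "PE\0\0" -> optional header -> DataDirectory[1].
 * Every offset is bounds-checked: the bytes come from another process, and a
 * nonstandard PE must fail cleanly rather than read out of bounds. PE32 only. */
int pe_import_dir(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *size)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;          /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                            /* e_lfanew */
    if (nt > len || len - nt < 0x18 + 0x70) return -1;         /* room for dir[1] */
    if (rd32(img + nt) != 0x00004550) return -1;               /* "PE\0\0" */
    const uint8_t *opt = img + nt + 0x18;                      /* optional header */
    if (rd16(opt) != 0x10B || rd32(opt + 0x5C) < 2) return -1; /* PE32, >= 2 dirs */
    *rva = rd32(opt + 0x68);                                   /* import dir VA */
    *size = rd32(opt + 0x6C);
    return (*rva != 0 && *rva < len) ? 0 : -1;
}

/* For the IMAGE_IMPORT_DESCRIPTOR matching `dll`, walk the name table
 * (OriginalFirstThunk, or FirstThunk when no INT exists) in step with the IAT
 * (FirstThunk). On a hit *slot_rva is the IAT cell a hook would overwrite. */
int pe_find_iat_slot(const uint8_t *img, size_t len, const char *dll, const char *func, uint32_t *slot_rva)
{
    uint32_t dir, dsize;
    if (pe_import_dir(img, len, &dir, &dsize) != 0) return -1;
    for (uint32_t d = dir; d + 20 <= len; d += 20) {
        uint32_t names = rd32(img + d), name = rd32(img + d + 12), iat = rd32(img + d + 16);
        if (name == 0 && iat == 0) break;                         /* null terminator */
        if (name >= len || !memchr(img + name, 0, len - name)) return -1;
        if (!ieq((const char *)img + name, dll)) continue;
        if (names == 0) names = iat;
        for (uint32_t i = 0; names + 4 * i + 4 <= len && iat + 4 * i + 4 <= len; i++) {
            uint32_t thunk = rd32(img + names + 4 * i);
            if (thunk == 0) break;
            if (thunk & 0x80000000u) continue;                     /* import by ordinal */
            uint32_t hn = thunk + 2;                               /* skip the 2-byte hint */
            if (hn >= len || !memchr(img + hn, 0, len - hn)) return -1;
            if (strcmp((const char *)img + hn, func) == 0) { *slot_rva = iat + 4 * i; return 0; }
        }
    }
    return -1;
}

/* CONSTRUCTED minimal PE32 importing GetVersion, GetVersionExA and
 * GetVersionExW from KERNEL32.dll. Only the fields the parser reads are set. */
size_t build_sample_image(uint8_t *img)
{
    static const char *fn[] = { "GetVersion", "GetVersionExA", "GetVersionExW" };
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x5A4D);  wr32(img + 0x3C, 0x80);               /* "MZ", e_lfanew */
    wr32(img + 0x80, 0x00004550);                              /* "PE\0\0" */
    wr16(img + 0x84, 0x014C);  wr16(img + 0x86, 1);  wr16(img + 0x94, 0xE0);
    uint8_t *opt = img + 0x98;
    wr16(opt, 0x10B);  wr32(opt + 0x34, 0x00400000);  wr32(opt + 0x5C, 16);
    wr32(opt + 0x68, 0x200);  wr32(opt + 0x6C, 40);           /* DataDirectory[1]: imports */
    wr32(img + 0x200, 0x300);  wr32(img + 0x20C, 0x340);  wr32(img + 0x210, 0x380);
    memcpy(img + 0x340, "KERNEL32.dll", 13);
    for (int i = 0; i < 3; i++) {
        uint32_t hint_name = 0x400 + 0x10 * i;
        wr32(img + 0x300 + 4 * i, hint_name);                   /* INT entry */
        wr32(img + 0x380 + 4 * i, hint_name);                   /* IAT entry, unbound */
        strcpy((char *)img + hint_name + 2, fn[i]);
    }
    return 0x440;
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    size_t len = build_sample_image(img);
    uint32_t slot;
    if (pe_find_iat_slot(img, len, "kernel32.dll", "GetVersionExA", &slot) == 0)
        printf("GetVersionExA IAT slot: RVA 0x%X, VA 0x%X\n", slot, 0x00400000u + slot);
    return 0;
}
```

Against a live target the last step is WriteProcessMemory of the replacement routine's address into base + slot; because a bound import stores real addresses in the IAT rather than mirroring the INT, the lookup above deliberately walks the name table and only uses the IAT for the slot position.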
Hello f0dder, I also was suspecting that toolhelp32 might contain something useful for the job ... but I was too lazy to look into it  ;)

I'll take a look now.

As for the reason ... I'm working on a very stupid and very useless little application that should redirect GetVersion, GetVersionExA, GetVersionExW APIs to let a process think that the OS is the one that I want ...

Thanks.

Regards,
yaa

Posted on 2007-10-31 20:12:35 by yaa
Due to the new sub-forum, this thread is re-opened.
Posted on 2007-10-31 23:33:28 by Synfire

As for the reason ... I'm working on a very stupid and very useless little application that should redirect GetVersion, GetVersionExA, GetVersionExW APIs to let a process think that the OS is the one that I want ...


The answer to this question would all depend on whether you wish to perform such an action in a legitimate way (i.e. using a pre-existing Windows API) or whether you wish to go below the OS and access memory directly (as SoftICE would). Which way are you looking for?



Posted on 2007-11-03 12:52:58 by madprgmr
Something like Microsoft's detours could probably be of great help to you, I've used it to instrument applications in the past. As long as you're doing legit no-harms stuff and not dealing with software protection, it works like a charm.
Posted on 2007-11-04 14:41:11 by f0dder
One thing that you could do is to hook the desired APIs and then within your hook examine the (E/K)Process of the thread that made the call into your hooked APIs and if it belongs to the desired remote process then you could perform your action.

Posted on 2007-11-04 15:45:29 by madprgmr

One thing that you could do is to hook the desired APIs and then within your hook examine the (E/K)Process of the thread that made the call into your hooked APIs and if it belongs to the desired remote process then you could perform your action.

Sounds awfully complicated (global API hooking on NT? ick :)) when simple detour'ing of a specific app will (probably) do the trick.
Posted on 2007-11-04 17:35:14 by f0dder

Sounds awfully complicated (global API hooking on NT? ick :)) when simple detour'ing of a specific app will (probably) do the trick.


Oh sure, take the easy way out  :lol:  what fun is that!

Posted on 2007-11-04 17:48:51 by madprgmr
Use VirtualAllocEx to allocate memory in the target process.
Use WriteProcessMemoryEx to copy a little 'pc-relative' code snippet into it.
Use CreateRemoteThread to execute the snippet in the context of the remote process.

Your remote thread makes a call to GetProcessHandle, communicates that information to the parent process in some way (I leave this to your imagination), and promptly terminates.

You can use this method to do all kinds of context-sensitive stuff.
Posted on 2007-11-05 06:29:04 by Homer
Homer: it's still by far easiest to do whatever you need to do in a DLL though :)

And those techniques can be put to good, non-malicious use. And yes, it's my patch that's used in the STEAM re-release of XCOM:TFTD.
Posted on 2007-11-05 06:52:20 by f0dder
Sorry, for the off-topic:
f0dder, do you realize how popular this patch is? ^^ I've seen it on hundreds of sites related to X-COM:TFTD ^^ And a sentence like "Q: I have a problem, A: Download f0dder's patch" can be found on every X-COM forum or FAQ ^^

( I guess you like X-COM? ^^ Actually, I'm playing TFTD (Sony PSX version) ATM ^^ )
Posted on 2007-11-05 20:30:19 by ti_mo_n
ti_mo_n: yeah, and I've received a lot of (fan :P) mails about the patches too. There's problems for a few people :/, and I never got around to fixing those, since other people started writing patches and I sorta lost interest (my own patch lets me play the game, that was my main goal :)).

It really annoys me that 2k games didn't even seem to try to contact me before using my patch for their steam re-release... didn't know they'd done that until I received mail from some random guy. Contacted them and got a bunch of bla-bla, answered back and never got a reply again... think I'll send them a "so, cat got your tongue?" mail now :)

It's claimed that the source code for XCOM was lost, btw :(
Posted on 2007-11-06 04:32:25 by f0dder
Sorry I've not replied in a while, I've been sick with the flu the past few days (damn brother's kids bringing shit home from school). I don't even really think Yaa is paying attention to this thread anymore. When I replied to him to let him know that I unlocked the topic I sent him a bit of pseudo code similar to what Homer posted. He thanked me and I figured he'd probably continue on this discussion from there but I guess he got what he needed based on that.

f0dder: that detours library looks very interesting. I'm going to have to give it a go over when I get a chance, thanks for the link. (even though it wasn't for me) :p
Posted on 2007-11-06 18:32:18 by Synfire
detours is not interesting.
Posted on 2007-11-08 01:19:33 by Homer
I don't think you can do it in user mode. You have to have ring0 access, I'm pretty sure. It is a tedious task. I have a driver that can find it by searching memory and doing string comparisons. It will report back the physical address.


Here is how to calculate the base address from Descriptor table entries:


        mov   GlobalSel, ecx   ; save the selector to a variable
        push  ecx              ; save selector
        push  ebp              ; A way of storing information
        push  esp              ; on the stack: ebp now points at the saved ebp
        pop   ebp
        xor   ecx, ecx
        xor   edx, edx
        push  ecx              ; reserve 8 zeroed bytes on the stack for the
        push  edx              ; 6-byte pseudo-descriptor (limit:16, base:32)
        sgdt  ss:[esp]         ; store GDTR (GDT base and limit) into them
        pop   edx              ; low dword: limit in bits 0-15, base[15:0] in bits 16-31
        pop   ecx              ; next dword: base[31:16] in bits 0-15
        pop   ebp              ; restore ebp
        mov   GDTlimit, edx
        and   GDTlimit, 0000FFFFh   ; keep only the 16-bit limit
        mov   eax, edx
        shr   eax, 010h        ; base[15:0] down into the low word
        shl   ecx, 010h        ; base[31:16] up into the high word
        or    eax, ecx         ; GDT linear base address now in eax
        mov   GDTbase, eax
        pop   ecx              ; restore selector
---------------------------------------------------------------------------
again, the same algorithm for the IDT:

        push  ecx              ; save selector
        push  ebp              ; A way of storing information
        push  esp              ; on the stack
        pop   ebp
        xor   ecx, ecx
        xor   edx, edx
        push  ecx              ; reserve 8 zeroed bytes for the
        push  edx              ; 6-byte pseudo-descriptor
        sidt  ss:[esp]         ; store IDTR (IDT base and limit) into them
        pop   edx              ; low dword: limit in bits 0-15, base[15:0] in bits 16-31
        pop   ecx              ; next dword: base[31:16] in bits 0-15
        pop   ebp              ; restore ebp
        mov   eax, edx
        shr   eax, 010h        ; base[15:0] down into the low word
        shl   ecx, 010h        ; base[31:16] up into the high word
        or    eax, ecx         ; IDT linear base address now in eax
        mov   IDTbase, eax
        pop   ecx              ; restore selector
Posted on 2007-12-30 14:24:38 by mrgone
mrgone: poster wanted Process imagebase, not base of selector... and base of selector is pretty much pointless on windows (and linux) since they use FLAT mode :)
Posted on 2007-12-30 15:49:14 by f0dder
I beg to differ with you, but at least Windows most definitely uses paging.

And...that is base address....Hello??????
Posted on 2007-12-30 15:52:21 by mrgone
Well, for ring3 apps, code/data/stack selectors are BASE=0 LIMIT=4Gig, at least the last time I looked... so retrieving base/limit of those selectors is pretty useless. The TEB is a different thing, but since the TEB contains a self-pointer, well...

PS: original poster said IAT, not IDT.

Posted on 2007-12-30 15:56:05 by f0dder
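What mrgone's SGDT/SIDT stack sequence computes, and the flat ring-3 descriptor f0dder describes, worked through in C as an added example that is not from either poster. It decodes a constructed 6-byte pseudo-descriptor both directly and the way the two pops in the posted assembly do, then decodes an 8-byte GDT entry into base, limit and DPL, which is what taking a base address from a descriptor table entry actually involves. The pseudo-descriptor bytes and the descriptor words are made up for illustration, not captured from a machine.

```c
/* Added example, not from the thread: decode what SGDT/SIDT store, and what a
 * GDT entry holds. All input values are CONSTRUCTED for illustration. */
#include <stdint.h>
#include <stdio.h>

struct table_reg { uint32_t base; uint16_t limit; };

/* SGDT/SIDT in 32-bit mode write 6 bytes: a 16-bit limit followed by a 32-bit
 * linear base, little-endian. */
struct table_reg decode_pseudo_descriptor(const uint8_t p[6])
{
    struct table_reg r;
    r.limit = (uint16_t)(p[0] | p[1] << 8);
    r.base  = (uint32_t)p[2] | (uint32_t)p[3] << 8 | (uint32_t)p[4] << 16 | (uint32_t)p[5] << 24;
    return r;
}

/* The same result the way the posted assembly gets it: after "sgdt ss:[esp]",
 * "pop edx" yields low = [esp] (limit in bits 0-15, base[15:0] in bits 16-31)
 * and "pop ecx" yields high = [esp+4] (base[31:16] in bits 0-15), so
 * base = (low >> 16) | (high << 16) and limit = low & 0xFFFF. */
struct table_reg decode_from_popped_dwords(uint32_t low /* edx */, uint32_t high /* ecx */)
{
    struct table_reg r;
    r.base  = (low >> 16) | (high << 16);
    r.limit = (uint16_t)(low & 0xFFFF);
    return r;
}

struct seg_desc { uint32_t base; uint32_t limit_bytes; unsigned dpl; int present; int granularity_4k; };

/* Decode one 8-byte 32-bit segment descriptor (a GDT or LDT entry):
 *   bits  0-15 limit[15:0]    bits 16-39 base[23:0]     bits 40-47 access byte
 *   bits 48-51 limit[19:16]   bits 52-55 flags (G=55)   bits 56-63 base[31:24] */
struct seg_desc decode_segment_descriptor(uint64_t d)
{
    struct seg_desc s;
    uint32_t limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    s.base = (uint32_t)((d >> 16) & 0xFFFFFF) | (uint32_t)((d >> 56) & 0xFF) << 24;
    s.dpl = (unsigned)((d >> 45) & 3);
    s.present = (int)((d >> 47) & 1);
    s.granularity_4k = (int)((d >> 55) & 1);
    /* With G=1 the 20-bit limit counts 4 KiB pages and the low 12 bits are all ones. */
    s.limit_bytes = s.granularity_4k ? (limit << 12) | 0xFFF : limit;
    return s;
}

int main(void)
{
    /* CONSTRUCTED bytes as SIDT might leave them: limit 0x7FF (256 gates), base 0x80400000. */
    const uint8_t idtr[6] = { 0xFF, 0x07, 0x00, 0x00, 0x40, 0x80 };
    struct table_reg r = decode_pseudo_descriptor(idtr);
    printf("IDT base %08X limit %04X\n", r.base, r.limit);

    /* Flat 32-bit ring-3 code segment: base 0, limit 4 GiB, DPL 3. It says
       nothing about any process image, which is f0dder's point. */
    struct seg_desc s = decode_segment_descriptor(0x00CFFA000000FFFFULL);
    printf("code seg base %08X limit %08X dpl %u\n", s.base, s.limit_bytes, s.dpl);
    return 0;
}
```

Neither the table register nor the flat selector carries a process image base; the pseudo-descriptor gives the linear address of the table itself, and the entry decodes to base 0 with a 4 GiB limit, so the IAT still has to be found from the module base and its PE headers.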
That's what I said. It is a driver. I don't think you can do it from user mode. It is pointless to give a base address since they are all virtual addresses anyway. ;)
Posted on 2007-12-30 16:05:34 by mrgone