I just realized that my original post was much too big and complex for what was necessary for my real question, so here is the edited short version instead :):
I have seen some win32 assembly programs that assume that there is a pointer, pointing into the code of a kernel32.dll function, located at the top of the stack (i.e. at ) immediately when any win32 process starts execution.
Does anyone know if this is always the case, in all 32-bit Windows versions?
Which kernel32 function's code is located at this address? Is it always the same function in all 32-bit Windows versions?
Any info regarding this would be very cool.
Thanks!
I have seen some win32 assembly programs that assume that there is a pointer, pointing into the code of a kernel32.dll function, located at the top of the stack (i.e. at ) immediately when any win32 process starts execution.
Does anyone know if this is always the case, in all 32-bit Windows versions?
Which kernel32 function's code is located at this address? Is it always the same function in all 32-bit Windows versions?
Any info regarding this would be very cool.
Thanks!
That address points into CreateProcess inside Kernel32.
dELTA,
Very very very SLOWWWWWW
U can use:
Regards,
Lingo
Very very very SLOWWWWWW
Start:
Call Get_Kernel ; 4 mops-> 2 clocks
... ; and 4 mops-> 2 clocks for Ret
... ; total at least 4 clocks waste Why?
Get_Kernel:
Mov Ecx,[Esp+4] ; get kerneladdr from stack
; wrong- must be get address from stack
Kernel_Loop:
Xor Edx,Edx ; D0 p01-1 mops-> prepare for dx usage - 1Clock
; but why it is in the loop?
Dec Ecx ; D1 p01-1 mops->VERY BAD (see note)
Mov Dx,[Ecx+3Ch] ; D0 p2-1 mops (it is not D2 ->Ecx->dependent)-1Clock
Test Dx,0F800H ; D0 p01-1mops (it is not D1->Edx->dependent)-1Clock
Jnz Kernel_Loop ; D1 p1 - 1 mops
Cmp Ecx,[Ecx+Edx+34H] ; D0 p01,p2-2 mops->1 Clock
Jnz Kernel_Loop ; D1 p1-1 mops
Mov [Ebp+Offset _Kernel],Ecx ; D0 p3,p4 - 2 mops->1 Clock
Mov [Ebp+Offset _Default],Ecx ; D0 p3,p4 - 2 mops->1 Clock
; where is Xor Edx, Edx before return?
Ret ; p1, p01, p2 - 4 mops - 2 Clocks
Note: must be sub ecx, 1000h !!!U can use:
Start:
mov eax, [esp] ; Return address of call from CreateProcess
mov ecx, 0FFFFF800h ; searching mask
and eax, 0FFFF1000h ; the last three are zeros always
KrLoop: ; Get Kernel32 module base address
mov edx, [eax-1000h+3Ch] ;D0 p2 1mops 1 clock; edx->beginning of PE header
sub eax, 1000h ;D1 - p01 1 mops; Scan backward
test edx, ecx ;D0 - p01 1 mops 1 clock ->edx(dep); Is it a PE header?
jnz KrLoop ;D1 - p1 1 mops ; No, search again
cmp eax, [eax+edx+34h] ; compare current address with the
jnz KrLoop ; address that PE should be loaded at
mov KernelBase, eax ;Regards,
Lingo
Ah, thanks David, strange that I didn't find that when looking at the kernel32.dll exports. :confused:
(and thanks for the optimization lingo12, even though it was only a piece of example code :))
(and thanks for the optimization lingo12, even though it was only a piece of example code :))
It's actually called CreateProcessInternalW, that's all I know about it. ( for NT/2k/XP, win9x I don't know )
I guess it's not an application-callable api, as the title suggest.
I guess it's not an application-callable api, as the title suggest.
Faster solution (WinNT,2k,XP) is:
Regards,
Lingo
assume fs:nothing
mov eax, fs:[30h] ; eax->PEB base
mov eax, [eax+0Ch] ; eax->PEB_LDR_DATA
mov eax, [eax+1Ch] ; eax->the first entry in the InitOrderModuleList
mov eax, [eax] ; eax->go forwards
mov eax, [eax+08h] ; eax->Kernel image baseRegards,
Lingo
Not bad guys but here is the world champion in speed and size :)
and ofcourse it all win32 compatabile
mov eax, fs:[30h] ; *PEB
mov eax, [eax+34h]
mov eax, [eax+0b8h] ; now eax should be kernel's imagebase
and ofcourse it all win32 compatabile
Hi Mikky,
Where did you find all the reference for TIB block on segment register fs:xx??? I know there was a thread here posted reference for a first few values of this block but a complete foolproof reference would be really nice and handy..
Thanx,
crUs
Where did you find all the reference for TIB block on segment register fs:xx??? I know there was a thread here posted reference for a first few values of this block but a complete foolproof reference would be really nice and handy..
Thanx,
crUs
Hi crusader,
actually this is not my code and I know just about nothing about TIB, I will learn about it when I get some time, anyway AFAIK there is not much documentation about this topic, so one need to goooooogle very hard to find somthing useful
so currently I cant help you with this, sorry :(
actually this is not my code and I know just about nothing about TIB, I will learn about it when I get some time, anyway AFAIK there is not much documentation about this topic, so one need to goooooogle very hard to find somthing useful
so currently I cant help you with this, sorry :(
Mikky said:
------
Not bad guys but here is the world champion in speed and size
-------
Cool!
Last summer I did torture myself with these kind of PE-related stuff,
and sweated through trying to understand all these sources I collected through the web. (much like Lingo's but uncommented)
I never found something like this though, pity you didn't post this earlier.
Like Crusader said, if somebody has info, please explain... =)
(sorry for useless posting, I just wanted to point out my interest in knowing about this too)
------
Not bad guys but here is the world champion in speed and size
-------
Cool!
Last summer I did torture myself with these kind of PE-related stuff,
and sweated through trying to understand all these sources I collected through the web. (much like Lingo's but uncommented)
I never found something like this though, pity you didn't post this earlier.
Like Crusader said, if somebody has info, please explain... =)
(sorry for useless posting, I just wanted to point out my interest in knowing about this too)
Not bad guys but here is the world champion in speed and size :)
mov eax, fs:[30h] ; *PEB
mov eax, [eax+34h]
mov eax, [eax+0b8h] ; now eax should be kernel's imagebase
and ofcourse it all win32 compatabile
Doesn't work here ( Win XP )
The info and include files in this thread might help in understanding these techniques (read all the posts of the thread first, since some info is updated/corrected during the thread). I myself was unable to determine which of those structs/fields corresponded to the ones used in the code above, but if someone understands it, you are very welcome to explain it here.
Also, david, this stuff is not really "PE-related" per se, it has more to do with internal operating system data structures, and that might be why you did not find anything about it while studying the PE stuff.
And Axial, it is mentioned it that thread that some of the structures are changed in WinXP. If someone can determine the corresponding offsets for XP (e.g. by looking in the XP specific include files in that thread) you are very welcome to explain/post it here too.
Also, david, this stuff is not really "PE-related" per se, it has more to do with internal operating system data structures, and that might be why you did not find anything about it while studying the PE stuff.
And Axial, it is mentioned it that thread that some of the structures are changed in WinXP. If someone can determine the corresponding offsets for XP (e.g. by looking in the XP specific include files in that thread) you are very welcome to explain/post it here too.