Sunday, January 22, 2012

Get Kernel32 Base Address 2.0


[1.0]

xor ebx, ebx // clear ebx
mov ebx, fs:[ 0x30 ] // get a pointer to the PEB
mov ebx, [ ebx + 0x0C ] // get PEB->Ldr
mov ebx, [ ebx + 0x14 ] // get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ ebx ] // get the next entry (2nd entry)
mov ebx, [ ebx ] // get the next entry (3rd entry)
mov ebx, [ ebx + 0x10 ] // get the 3rd entry's base address (kernel32.dll)


From: http://hi.baidu.com/heartdbg/blog/item/c1f16fdd4a7f88e677c63858.html

21 bytes, uses only one register, ebx.

Dump:

Hex dump       Command
---------------------------------------------
33DB           XOR EBX,EBX
64:8B1D 300000 MOV EBX,DWORD PTR FS:[30]
8B5B 0C        MOV EBX,DWORD PTR DS:[EBX+0C]
8B5B 14        MOV EBX,DWORD PTR DS:[EBX+14]
8B1B           MOV EBX,DWORD PTR DS:[EBX]
8B1B           MOV EBX,DWORD PTR DS:[EBX]
8B5B 10        MOV EBX,DWORD PTR DS:[EBX+10]

[2.0]

xor eax, eax
mov eax, fs:[ eax + 0x30 ] // get PEB pointer
mov eax, [ eax + 0x0C ] // get PEB->Ldr
mov esi, [ eax + 0x14 ] // get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
lodsd // get the next entry (2nd entry)
xchg esi, eax
lodsd // get the next entry (3rd entry)
mov eax, [ eax + 0x10 ] // get the 3rd entry's base address (kernel32.dll)

18 bytes, uses two registers (eax and esi), and is null-free.

Dump:

Hex dump      Command
--------------------------------------------
33C0          XOR EAX,EAX
64:8B40 30    MOV EAX,DWORD PTR FS:[EAX+30]
8B40 0C       MOV EAX,DWORD PTR DS:[EAX+0C]
8B70 14       MOV ESI,DWORD PTR DS:[EAX+14]
AD            LODS DWORD PTR DS:[ESI]
96            XCHG EAX,ESI
AD            LODS DWORD PTR DS:[ESI]
8B40 10       MOV EAX,DWORD PTR DS:[EAX+10]
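From the defender's side, both listings above share one tell: a segment-override `MOV` that reads `FS:[0x30]`, followed a few bytes later by the `+0x0C` load of `PEB->Ldr`. The following is an added example, not code from the original post: a small Python signature scanner of the kind that would otherwise be written as a YARA rule. It decodes the `64 8B modrm disp` and `64 A1 disp32` forms of the PEB read (the `64 A1` form is a standard encoding of `mov eax, fs:[0x30]`, not one shown on the page) and then looks for an `8B ?? 0C` within an 8-byte window, a heuristic threshold chosen here. The sample buffers are constructed from the two hex dumps on this page, with the 1.0 listing's disp32 written out as four bytes.

```python
"""Signature scanner for the x86 FS:[0x30] PEB-access idiom (added example)."""
from typing import List, Tuple

# Constructed sample buffers: the two hex dumps on this page, byte for byte
# (the disp32 operand of 'mov ebx, fs:[30]' written out as four bytes).
LISTING_1_0 = bytes.fromhex("33DB" "648B1D30000000" "8B5B0C" "8B5B14" "8B1B" "8B1B" "8B5B10")
LISTING_2_0 = bytes.fromhex("33C0" "648B4030" "8B400C" "8B7014" "AD" "96" "AD" "8B4010")
# Constructed benign buffer: push ebp / mov ebp,esp / mov eax,[ebp+8] / add eax,1 / pop ebp / ret
BENIGN = bytes.fromhex("5589E5" "8B4508" "83C001" "5D" "C3")


def _fs30_access_len(buf: bytes, i: int) -> int:
    """Length of a MOV that reads FS:[0x30] starting at buf[i], or 0 if none.

    Recognised encodings:
        64 A1 <disp32>              mov eax, fs:[disp32]
        64 8B <modrm> <disp8|32>    mov r32, fs:[base+disp] / fs:[disp32]
    Only displacement 0x30 (the PEB pointer inside the x86 TEB) counts as a hit.
    """
    if buf[i] != 0x64 or i + 1 >= len(buf):
        return 0
    op = buf[i + 1]
    if op == 0xA1:  # mov eax, fs:[moffs32]
        if i + 6 <= len(buf) and int.from_bytes(buf[i + 2:i + 6], "little") == 0x30:
            return 6
        return 0
    if op != 0x8B or i + 2 >= len(buf):
        return 0
    modrm = buf[i + 2]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3 or rm == 4:          # register operand, or SIB form (not decoded here)
        return 0
    if mod == 0 and rm == 5:         # [disp32]
        if i + 7 <= len(buf) and int.from_bytes(buf[i + 3:i + 7], "little") == 0x30:
            return 7
    elif mod == 1:                   # [base + disp8]
        if i + 4 <= len(buf) and buf[i + 3] == 0x30:
            return 4
    elif mod == 2:                   # [base + disp32]
        if i + 7 <= len(buf) and int.from_bytes(buf[i + 3:i + 7], "little") == 0x30:
            return 7
    return 0


def _followed_by_ldr_load(buf: bytes, start: int, window: int = 8) -> bool:
    """True if '8B ?? 0C' (a 'mov r32, [r32+0x0C]', i.e. PEB->Ldr) appears within the window."""
    chunk = buf[start:start + window]
    return any(chunk[k] == 0x8B and chunk[k + 2] == 0x0C for k in range(len(chunk) - 2))


def find_peb_walk(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, confidence) for every FS:[0x30] read found in buf.

    Confidence is 'high' when the PEB->Ldr load follows closely, 'low' otherwise:
    a bare FS:[0x30] read also occurs in legitimate runtime code.
    """
    hits: List[Tuple[int, str]] = []
    i = 0
    while i < len(buf):
        n = _fs30_access_len(buf, i)
        if n:
            confidence = "high" if _followed_by_ldr_load(buf, i + n) else "low"
            hits.append((i, confidence))
            i += n
        else:
            i += 1
    return hits


if __name__ == "__main__":
    for name, sample in (("1.0", LISTING_1_0), ("2.0", LISTING_2_0), ("benign", BENIGN)):
        print(name, find_peb_walk(sample))
```

Both listings report a single high-confidence hit at offset 2 (right after the `xor`), and the benign buffer reports nothing. The two-stage check matters: the `FS:[0x30]` read alone is a weak signal, so a rule keyed on it should be paired with the subsequent `Ldr` dereference or with context such as the memory region's permissions.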

Saturday, January 21, 2012

GetProcAddress

Gets an API address from the given DLL and API name.



Download (with Source)

MASM String Instructions


The x86-64 processor has a number of instructions that let the programmer manipulate strings in units of a byte, word, doubleword or quadword. These instructions are stosx, movsx, cmpsx, lodsx and scasx. They can be combined with the repeat prefixes rep and the conditional forms repe, repne, repz and repnz, which is convenient because it avoids writing many small loops that make the code harder to read. The "x" stands for the size of the basic unit: b for byte, w for word, d for doubleword and q for quadword.

The main goal of this paper is to provide some knowledge about string manipulation without using the common instruction set.
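To make the semantics of these instructions concrete, here is an added example that is not code from the original posts: a small Python model of STOS/MOVS/LODS/SCAS/CMPS with the b/w/d/q widths, ECX counting, the direction flag and ZF. It is used for three things: a C-style strlen with `repne scasb`, a memcpy with `rep movsd` plus a `rep movsb` tail, and the `lodsd / xchg / lodsd` pointer walk from the Kernel32 2.0 listing earlier on this page, run over a constructed three-entry Flink list rather than a real PEB. The register names follow the page's 32-bit listings; `eax` stands in for the accumulator of whatever width the suffix selects, and all memory is a single bytearray addressed from 0.

```python
"""Reference model of the x86 string instructions and REP prefixes (added example)."""
from dataclasses import dataclass

WIDTH = {"b": 1, "w": 2, "d": 4, "q": 8}   # operand size selected by the mnemonic suffix


@dataclass
class Machine:
    mem: bytearray
    eax: int = 0
    esi: int = 0
    edi: int = 0
    ecx: int = 0
    df: int = 0   # direction flag: 0 -> pointers advance, 1 -> pointers move backwards
    zf: int = 0   # zero flag, set by SCAS/CMPS and tested by REPE/REPNE

    def _rd(self, addr, n):
        return int.from_bytes(self.mem[addr:addr + n], "little")

    def _wr(self, addr, n, val):
        self.mem[addr:addr + n] = (val & ((1 << 8 * n) - 1)).to_bytes(n, "little")

    def _step(self, n):
        return -n if self.df else n

    def string_op(self, mnemonic, rep=None):
        """Run one string instruction, e.g. string_op('lodsd') or string_op('scasb', rep='repne')."""
        base, n = mnemonic[:-1], WIDTH[mnemonic[-1]]
        mask = (1 << 8 * n) - 1
        if rep == "rep" and base in ("cmps", "scas"):
            rep = "repe"               # the F3 prefix means REPE on the comparing instructions
        while True:
            if rep is not None:        # any REP form: stop when ECX is 0, else count down first
                if self.ecx == 0:
                    return
                self.ecx -= 1
            if base == "lods":         # eax <- [esi]; esi advances
                self.eax = (self.eax & ~mask & 0xFFFFFFFFFFFFFFFF) | self._rd(self.esi, n)
                self.esi += self._step(n)
            elif base == "stos":       # [edi] <- eax; edi advances
                self._wr(self.edi, n, self.eax)
                self.edi += self._step(n)
            elif base == "movs":       # [edi] <- [esi]; both advance
                self._wr(self.edi, n, self._rd(self.esi, n))
                self.esi += self._step(n)
                self.edi += self._step(n)
            elif base == "scas":       # ZF <- (eax == [edi]); edi advances
                self.zf = int((self.eax & mask) == self._rd(self.edi, n))
                self.edi += self._step(n)
            elif base == "cmps":       # ZF <- ([esi] == [edi]); both advance
                self.zf = int(self._rd(self.esi, n) == self._rd(self.edi, n))
                self.esi += self._step(n)
                self.edi += self._step(n)
            else:
                raise ValueError(f"not a string instruction: {mnemonic}")
            if rep is None:            # no prefix: exactly one iteration
                return
            if rep in ("repe", "repz") and not self.zf:
                return                 # REPE/REPZ keeps going only while the last compare was equal
            if rep in ("repne", "repnz") and self.zf:
                return                 # REPNE/REPNZ keeps going only while it was not equal


def strlen_via_repne_scasb(s: bytes) -> int:
    """C strlen as 'repne scasb': AL = 0, scan forward until the terminator matches."""
    m = Machine(bytearray(s + b"\x00"), eax=0, edi=0, ecx=0xFFFFFFFF)
    m.string_op("scasb", rep="repne")
    return 0xFFFFFFFF - m.ecx - 1      # one decrement per byte examined, terminator included


def memcpy_via_rep_movs(src: bytes) -> bytes:
    """Copy src into a fresh buffer: 'rep movsd' for whole dwords, 'rep movsb' for the tail."""
    mem = bytearray(src) + bytearray(len(src))
    m = Machine(mem, esi=0, edi=len(src), ecx=len(src) // 4)
    m.string_op("movsd", rep="rep")
    m.ecx = len(src) % 4
    m.string_op("movsb", rep="rep")
    return bytes(mem[len(src):])


def constructed_flink_list() -> bytes:
    """Constructed sample: three entries at 0x100, 0x200, 0x300 whose first dword is their Flink."""
    mem = bytearray(0x400)
    for here, nxt in ((0x100, 0x200), (0x200, 0x300), (0x300, 0x100)):
        mem[here:here + 4] = nxt.to_bytes(4, "little")
    return bytes(mem)


def third_entry_via_lodsd(mem: bytes, first_entry: int) -> int:
    """The lodsd / xchg / lodsd sequence of the 2.0 listing, on the constructed list above."""
    m = Machine(bytearray(mem), esi=first_entry)
    m.string_op("lodsd")               # eax = [esi] = 2nd entry; esi += 4 (now stale)
    m.esi, m.eax = m.eax, m.esi        # xchg esi, eax
    m.string_op("lodsd")               # eax = [esi] = 3rd entry
    return m.eax


if __name__ == "__main__":
    print(strlen_via_repne_scasb(b"hello"))                               # 5
    print(memcpy_via_rep_movs(b"ABCDEFGHIJ"))                             # b'ABCDEFGHIJ'
    print(hex(third_entry_via_lodsd(constructed_flink_list(), 0x100)))    # 0x300
```

Two details the model makes visible: the ECX test happens before each iteration while the ZF test happens after it, so a `repne scasb` that finds its terminator has consumed one extra count, which is why the strlen helper subtracts one; and the second `lodsd` in the 2.0 listing works only because `xchg` has moved the freshly loaded Flink into ESI, the single register the instruction will read from.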