Sunday, January 22, 2012
Get Kernel32 Base Address 2.0
[1.0]
xor ebx, ebx // clear ebx
mov ebx, fs:[ 0x30 ] // get a pointer to the PEB
mov ebx, [ ebx + 0x0C ] // get PEB->Ldr
mov ebx, [ ebx + 0x14 ] // get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ ebx ] // get the next entry (2nd entry)
mov ebx, [ ebx ] // get the next entry (3rd entry)
mov ebx, [ ebx + 0x10 ] // get the 3rd entry's base address (kernel32.dll)
From: http://hi.baidu.com/heartdbg/blog/item/c1f16fdd4a7f88e677c63858.html
21 bytes, uses only one register, ebx.
Dump:
Hex dump          Command
---------------------------------------------
33DB              XOR EBX,EBX
64:8B1D 30000000  MOV EBX,DWORD PTR FS:[30]
8B5B 0C           MOV EBX,DWORD PTR DS:[EBX+0C]
8B5B 14           MOV EBX,DWORD PTR DS:[EBX+14]
8B1B              MOV EBX,DWORD PTR DS:[EBX]
8B1B              MOV EBX,DWORD PTR DS:[EBX]
8B5B 10           MOV EBX,DWORD PTR DS:[EBX+10]
[2.0]
xor eax, eax // clear eax (also gives a zero index for the fs: read below)
mov eax, fs:[ eax + 30h ] // get PEB pointer
mov eax, [ eax + 0x0C ] // get PEB->Ldr
mov esi, [ eax + 0x14 ] // get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
lodsd // eax = [esi]: get the next entry (2nd entry); esi += 4
xchg esi, eax // esi now points at the 2nd entry
lodsd // eax = [esi]: get the next entry (3rd entry)
mov eax, [ eax + 0x10 ] // get the 3rd entry's base address (kernel32.dll)
18 bytes, uses two registers (eax, esi), and is null-free.
Dump:
Hex dump     Command
--------------------------------------------
33C0         XOR EAX,EAX
64:8B40 30   MOV EAX,DWORD PTR FS:[EAX+30]
8B40 0C      MOV EAX,DWORD PTR DS:[EAX+0C]
8B70 14      MOV ESI,DWORD PTR DS:[EAX+14]
AD           LODS DWORD PTR DS:[ESI]
96           XCHG EAX,ESI
AD           LODS DWORD PTR DS:[ESI]
8B40 10      MOV EAX,DWORD PTR DS:[EAX+10]
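As an added illustration (not from the original post), the same PEB->Ldr->InMemoryOrderModuleList walk both stubs perform, run over a constructed 32-bit process image rather than a live process, the way a memory-forensics tool enumerates loaded modules from a dump. The structure offsets are the 32-bit ones the stubs assume (PEB.Ldr at 0x0C, InMemoryOrderModuleList at 0x14, DllBase 0x10 past the link); the mapping address, module names and base addresses are constructed, and the full listing shows why the "third entry" shortcut only holds while kernel32.dll really is the third module in memory order.

```python
import struct
# 32-bit structure offsets the page's stubs rely on (constructed model of a process image)
PEB_LDR           = 0x0C  # PEB.Ldr
LDR_INMEMORYORDER = 0x14  # PEB_LDR_DATA.InMemoryOrderModuleList (LIST_ENTRY head)
LINK_TO_DLLBASE   = 0x10  # LDR_DATA_TABLE_ENTRY.DllBase (+0x18) minus InMemoryOrderLinks (+0x08)
LINK_TO_BASENAME  = 0x24  # LDR_DATA_TABLE_ENTRY.BaseDllName (+0x2C) minus 0x08; Buffer ptr at +4
BASE = 0x7FFD0000         # assumed address at which the constructed image is mapped
MEM = bytearray(0x2000)

def rd32(addr): return struct.unpack_from("<I", MEM, addr - BASE)[0]
def wr32(addr, val): struct.pack_into("<I", MEM, addr - BASE, val)
def rd_unicode(addr):  # UNICODE_STRING {USHORT Length, USHORT MaximumLength, PWSTR Buffer}
    length = struct.unpack_from("<H", MEM, addr - BASE)[0]
    buf = rd32(addr + 4)
    return MEM[buf - BASE: buf - BASE + length].decode("utf-16-le")

def build_snapshot():
    """Constructed image: PEB, PEB_LDR_DATA and three loader entries linked in memory order."""
    peb, ldr, names = BASE, BASE + 0x100, BASE + 0x1000
    wr32(peb + PEB_LDR, ldr)
    modules = [("prog.exe", 0x00400000), ("ntdll.dll", 0x77F10000), ("kernel32.dll", 0x7C800000)]
    links = [BASE + 0x200 + i * 0x80 + 0x08 for i in range(3)]  # each entry's InMemoryOrderLinks
    ring = [ldr + LDR_INMEMORYORDER] + links
    for i, link in enumerate(ring):                               # circular Flink chain
        wr32(link, ring[(i + 1) % len(ring)])
    for (name, dll_base), link in zip(modules, links):
        enc = name.encode("utf-16-le")
        wr32(link + LINK_TO_DLLBASE, dll_base)
        wr32(link + LINK_TO_BASENAME, len(enc) | (len(enc) << 16))  # Length, MaximumLength
        wr32(link + LINK_TO_BASENAME + 4, names)                     # Buffer
        MEM[names - BASE: names - BASE + len(enc)] = enc
        names += len(enc) + 2
    return peb

def list_modules(peb):
    """Full walk a memory-forensics tool does: every (name, base) until the head is reached."""
    head = rd32(peb + PEB_LDR) + LDR_INMEMORYORDER
    link, out = rd32(head), []
    while link != head:
        out.append((rd_unicode(link + LINK_TO_BASENAME), rd32(link + LINK_TO_DLLBASE)))
        link = rd32(link)
    return out

def third_entry_base(peb):
    """The 2.0 stub's exact pointer chase: Ldr, Flink x3 (via lodsd/xchg), then +0x10."""
    eax = rd32(peb + PEB_LDR)
    esi = rd32(eax + LDR_INMEMORYORDER)  # 1st entry's links
    eax = rd32(esi)                      # lodsd: 2nd entry
    esi = eax                            # xchg esi, eax
    eax = rd32(esi)                      # lodsd: 3rd entry
    return rd32(eax + 0x10)              # DllBase
```

Because the list is circular, `list_modules` stops when the Flink returns to the head inside PEB_LDR_DATA, whereas the stub simply trusts the third hop; a detection or forensics tool should do the former and match on the name.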