Get kernel32.dll imagebase in Windows 7

This one is taken from skypher's blog. It is a shellcode stub for finding the base address of kernel32.dll by walking the loader data the PEB points to (PEB->Ldr.InInitializationOrderModuleList). Before Windows 7, kernel32.dll was the second entry in that list (after ntdll.dll). Windows 7 initializes KernelBase.dll before kernel32.dll, so kernel32.dll is now the third entry. A universal way to find it regardless of its position is to walk the list and check each entry's BaseDllName for a null terminator after the 12th Unicode character (byte offset 12*2 = 24): "kernel32.dll" is exactly 12 characters long, while "ntdll.dll" (9) and "KernelBase.dll" (14) are not. Here is the code for getting kernel32.dll before Windows 7.

    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder.flink (first entry: ntdll.dll)
    LODSD                               ; EAX = [ESI] = ntdll.dll entry's flink (second entry: kernel32.dll)
    MOV     EBP, [EAX + 0x08]           ; EBP = second entry's base_address (DllBase) = kernel32.dll

And the universal one

    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address (DllBase)
    MOV     EDI, [ESI + 0x20]           ; EDI = InInitOrder[X].module_name (BaseDllName.Buffer, unicode)
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
    CMP     [EDI + 12*2], CL            ; Check modulename[12] == 0x??00 // for Win2k the register has to be CX
    JNE     next_module                 ; No: try next module.
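
To see why the 12-character check picks kernel32.dll on both orderings while the "take the Nth entry" shortcuts do not, here is an added example (my own model, not skypher's code) that replays the walk above on a fake 32-bit process image held in a byte array. The entry offsets it uses (DllBase at +0x08 and BaseDllName.Buffer at +0x20 from the InInitializationOrderLinks pointer, the list head at PEB_LDR_DATA+0x1C) are the real x86 layout the shellcode relies on; every address, module base and list position is made up for the example, and the memory is pre-filled with a nonzero pattern to stand in for the heap data that follows a shorter name's terminator in a real process (the check only looks at the position of the terminator, so it assumes that data is nonzero).

```c
/* Added example: host-side model of the PEB InInitOrder walk.
 * Does not touch a real Windows process; 32-bit "pointers" are offsets
 * into the byte array `mem`. Addresses and bases are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE        0x4000u
#define LDR_ADDR        0x1000u   /* fake PEB_LDR_DATA (normally read via PEB+0x0C) */
#define LDR_INIT_ORDER  0x1Cu     /* PEB_LDR_DATA.InInitializationOrderModuleList */
#define ENT_FLINK       0x00u     /* offsets seen from InInitializationOrderLinks: */
#define ENT_DLLBASE     0x08u     /*   LDR_DATA_TABLE_ENTRY.DllBase              */
#define ENT_BASENAME    0x20u     /*   LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer   */

static uint8_t mem[MEM_SIZE];

static uint32_t rd32(const uint8_t *m, uint32_t a) {
    return (uint32_t)m[a] | (uint32_t)m[a + 1] << 8 |
           (uint32_t)m[a + 2] << 16 | (uint32_t)m[a + 3] << 24;
}
static void wr32(uint8_t *m, uint32_t a, uint32_t v) {
    m[a] = (uint8_t)v;         m[a + 1] = (uint8_t)(v >> 8);
    m[a + 2] = (uint8_t)(v >> 16); m[a + 3] = (uint8_t)(v >> 24);
}
/* Store an ASCII name as NUL-terminated UTF-16LE, as BaseDllName.Buffer holds it. */
static void wr_utf16(uint8_t *m, uint32_t a, const char *s) {
    for (; *s; s++, a += 2) { m[a] = (uint8_t)*s; m[a + 1] = 0; }
    m[a] = 0; m[a + 1] = 0;
}
/* Link one module entry into the InInitOrder list. */
static void add_module(uint8_t *m, uint32_t entry, uint32_t base,
                       uint32_t name_addr, const char *name, uint32_t next) {
    wr32(m, entry + ENT_FLINK, next);
    wr32(m, entry + ENT_DLLBASE, base);
    wr32(m, entry + ENT_BASENAME, name_addr);
    wr_utf16(m, name_addr, name);
}

/* Build the two load orders the text describes. 0xCC pre-fill models the
 * nonzero heap bytes that follow a short name's terminator in a real process. */
static void build_image(int win7) {
    uint32_t head = LDR_ADDR + LDR_INIT_ORDER;
    memset(mem, 0xCC, sizeof mem);
    if (win7) {   /* ntdll -> KERNELBASE -> kernel32 -> user32 */
        add_module(mem, 0x2000, 0x77F00000u, 0x3000, "ntdll.dll",      0x2100);
        add_module(mem, 0x2100, 0x75A00000u, 0x3040, "KERNELBASE.dll", 0x2200);
        add_module(mem, 0x2200, 0x76000000u, 0x3080, "kernel32.dll",   0x2300);
    } else {      /* ntdll -> kernel32 -> user32 */
        add_module(mem, 0x2000, 0x7C900000u, 0x3000, "ntdll.dll",      0x2200);
        add_module(mem, 0x2200, 0x7C800000u, 0x3080, "kernel32.dll",   0x2300);
    }
    add_module(mem, 0x2300, 0x7E400000u, 0x30C0, "user32.dll", head); /* last -> head */
    wr32(mem, head, 0x2000);                                          /* head.flink = ntdll */
}

/* The universal loop: walk until BaseDllName[12] == 0. Returns 0 if the list
 * wraps to its head without a match (the shellcode has no such guard). */
static uint32_t find_kernel32(const uint8_t *m, uint32_t ldr) {
    uint32_t head = ldr + LDR_INIT_ORDER;
    uint32_t esi = rd32(m, head);                      /* MOV ESI,[ESI+0x1C] */
    while (esi != head) {
        uint32_t ebp = rd32(m, esi + ENT_DLLBASE);     /* MOV EBP,[ESI+0x08] */
        uint32_t edi = rd32(m, esi + ENT_BASENAME);    /* MOV EDI,[ESI+0x20] */
        esi = rd32(m, esi + ENT_FLINK);                /* MOV ESI,[ESI]      */
        if (m[edi + 12 * 2] == 0)                      /* CMP [EDI+12*2],CL  */
            return ebp;                                /* JE: found          */
    }
    return 0;
}

uint32_t kernel32_base(int win7) {
    build_image(win7);
    return find_kernel32(mem, LDR_ADDR);
}

/* The position-based shortcuts (second entry pre-Win7, "third record" on
 * Win7): DllBase of InInitOrder[n], counting from 1. */
uint32_t nth_module_base(int win7, int n) {
    build_image(win7);
    uint32_t esi = rd32(mem, LDR_ADDR + LDR_INIT_ORDER);
    for (int i = 1; i < n; i++) esi = rd32(mem, esi + ENT_FLINK);   /* n-1 x LODSD */
    return rd32(mem, esi + ENT_DLLBASE);
}

int main(void) {
    printf("pre-Win7: universal=%08x second=%08x third=%08x\n",
           kernel32_base(0), nth_module_base(0, 2), nth_module_base(0, 3));
    printf("Win7:     universal=%08x second=%08x third=%08x\n",
           kernel32_base(1), nth_module_base(1, 2), nth_module_base(1, 3));
    return 0;
}
```

On the pre-Win7 image the universal walk and the "second entry" shortcut agree, and "third entry" hands back user32.dll; on the Win7 image "second entry" returns KernelBase.dll and only the name check and the "third entry" shortcut find kernel32.dll. The name check is the only one of the three that is right on both.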

I've seen one other alternative, iterating the module list until the third record, but they say that it does not work well for Win2k, so I prefer skypher's method.
