First, prepare any program, run it, and attach WinDbg to it for debugging. Because every Windows program loads Kernel32.dll, the process of finding its base address is the same whatever program you pick.
Second, view the PEB address. There are several ways to get it:
Method 1: r $peb
Method 2: go through the TEB. First run r $teb to get the TEB address.
After obtaining the TEB address (3ca000 here), parse the _TEB structure with dt _teb 3ca000 and read the PEB address from it.
Method 3: go through the FS register. We know fs:[0] is the start of the TEB structure, but if you run dd fs:[0] in WinDbg, the TEB address itself is not shown directly:
What to do? In fact, it depends on the layout of the TEB structure.
At offset 0x18 of the TEB structure is stored the address of the TEB itself, the same base that fs:[0] refers to;
In addition, at offset 0x30 of the TEB structure is stored the address of the PEB. Let's look:
The result agrees with the two methods above, which also confirms our reasoning;
Third, now that the PEB address is found, parse the PEB:
First find the Ldr field:
Next, parse Ldr:
Here some readers may wonder: the _LIST_ENTRY fields that follow each show two values; what do they mean? Look at the definition of _LIST_ENTRY and you'll see:
    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY *Flink;   // forward link to the next entry
        struct _LIST_ENTRY *Blink;   // backward link to the previous entry
    } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
In fact, this doubly linked list is used very commonly in kernel data structures;
We choose the InLoadOrderModuleList chain and analyze its Flink:
By looking at MSDN, you know that the structure type this Flink points into is _LDR_DATA_TABLE_ENTRY.
Continue traversing through the InLoadOrderLinks Flink field:
This entry is not Kernel32.dll, so keep walking:
At this point, by traversing the InLoadOrderLinks chain, we have found KERNEL32.DLL. Taking out the base address is then easy: it sits at offset 0x18 of the entry;
With this base address, we can parse the PE export table and find the address of the function we need;
Fourth, the code
    int GetKernel32Base()
    {
        int nAddress = 0;
        _asm {
            push eax
            mov eax, fs:[0x30]                  // PEB
            mov eax, [eax + 0xC]                // PEB->Ldr
            mov eax, [eax + 0xC]                // Ldr->InLoadOrderModuleList.Flink: first entry, the EXE
            mov eax, [eax]                      // next entry: ntdll.dll
            mov eax, [eax]                      // next entry: kernel32.dll
            mov eax, dword ptr ds:[eax + 0x18]  // _LDR_DATA_TABLE_ENTRY.DllBase
            mov nAddress, eax
            pop eax
        }
        return nAddress;
    }
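The inline assembly above hard-codes three hops and the 32-bit offsets 0xC, 0xC and 0x18. To make the list walk itself visible, here is an added example in portable C (it is not the post's code): it declares trimmed copies of the documented _PEB, _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY layouts, builds a constructed three-module list in memory (no real process is read), and walks InLoadOrderModuleList both by name and by the fixed three hops the assembly uses. The struct trimming, the narrow-string BaseDllName and the module names and base values are assumptions made for the example.

```c
/* Added example: portable model of the PEB -> Ldr -> InLoadOrderModuleList walk.
 * Assumption: structures keep only their leading fields, and BaseDllName is a
 * plain char* instead of a UNICODE_STRING so the code runs on any platform. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link: next entry in the ring */
    struct _LIST_ENTRY *Blink;   /* backward link: previous entry */
} LIST_ENTRY;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;            /* offset 0: the node we walk */
    LIST_ENTRY  InMemoryOrderLinks;
    LIST_ENTRY  InInitializationOrderLinks;
    void       *DllBase;                     /* 0x18 on 32-bit, 0x30 on 64-bit */
    const char *BaseDllName;                 /* assumption: narrow string */
} LDR_DATA_TABLE_ENTRY;

typedef struct _PEB_LDR_DATA {
    uint32_t    Length;
    uint8_t     Initialized;
    void       *SsHandle;
    LIST_ENTRY  InLoadOrderModuleList;       /* 0x0C on 32-bit, 0x10 on 64-bit */
} PEB_LDR_DATA;

typedef struct _PEB {
    uint8_t       InheritedAddressSpace;
    uint8_t       ReadImageFileExecOptions;
    uint8_t       BeingDebugged;
    uint8_t       BitField;
    void         *Mutant;
    void         *ImageBaseAddress;
    PEB_LDR_DATA *Ldr;                       /* 0x0C on 32-bit, 0x18 on 64-bit */
} PEB;

/* Recover the enclosing structure from a pointer to one of its LIST_ENTRY fields. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static int name_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* General form of the walk: follow Flink until it wraps back to the list head
 * and return DllBase of the first entry whose name matches. */
void *find_module_base(PEB *peb, const char *name)
{
    LIST_ENTRY *head = &peb->Ldr->InLoadOrderModuleList;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (e->BaseDllName && name_equal_nocase(e->BaseDllName, name))
            return e->DllBase;
    }
    return NULL;   /* module not loaded */
}

/* C rendering of the inline assembly: three fixed hops, then DllBase. Because
 * InLoadOrderLinks sits at offset 0, node pointer and entry pointer coincide,
 * which is why the asm can read [eax + 0x18] with no adjustment. */
void *third_entry_base(PEB *peb)
{
    LIST_ENTRY *p = peb->Ldr->InLoadOrderModuleList.Flink;  /* 1st entry: the EXE */
    p = p->Flink;                                           /* 2nd entry: ntdll.dll */
    p = p->Flink;                                           /* 3rd entry: kernel32.dll (assumed order) */
    return CONTAINING_RECORD(p, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks)->DllBase;
}

/* Constructed sample process: three modules linked in load order. */
static LDR_DATA_TABLE_ENTRY g_entries[3];
static PEB_LDR_DATA g_ldr;
static PEB g_peb;

PEB *build_fake_process(void)
{
    const char *names[3] = { "demo.exe", "ntdll.dll", "KERNEL32.DLL" };
    uintptr_t   bases[3] = { 0x00400000u, 0x77d00000u, 0x7c800000u };  /* constructed values */
    LIST_ENTRY *head = &g_ldr.InLoadOrderModuleList;

    head->Flink = head->Blink = head;   /* start from an empty ring */
    for (int i = 0; i < 3; i++) {
        LIST_ENTRY *node = &g_entries[i].InLoadOrderLinks;
        g_entries[i].DllBase     = (void *)bases[i];
        g_entries[i].BaseDllName = names[i];
        node->Flink = head;             /* append at the tail to keep load order */
        node->Blink = head->Blink;
        head->Blink->Flink = node;
        head->Blink = node;
    }
    g_ldr.Length = sizeof g_ldr;
    g_ldr.Initialized = 1;
    g_peb.ImageBaseAddress = (void *)bases[0];
    g_peb.Ldr = &g_ldr;
    return &g_peb;
}

int main(void)
{
    PEB *peb = build_fake_process();
    printf("PEB.Ldr @0x%zx  Ldr.InLoadOrderModuleList @0x%zx  entry.DllBase @0x%zx\n",
           offsetof(PEB, Ldr), offsetof(PEB_LDR_DATA, InLoadOrderModuleList),
           offsetof(LDR_DATA_TABLE_ENTRY, DllBase));
    printf("kernel32 by name: %p, by third hop: %p\n",
           find_module_base(peb, "kernel32.dll"), third_entry_base(peb));
    return 0;
}
```

On a 32-bit build the three offsetof values come out as 0xC, 0xC and 0x18, exactly the constants in the assembly; on a 64-bit build the same structures give 0x18, 0x10 and 0x30, which is why the hard-coded version is tied to one architecture. The name-based walk also does not depend on kernel32.dll being the third module, whereas third_entry_base silently returns whatever happens to be third in load order.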
Appendix:
Reference (MSDN): https://msdn.microsoft.com/en-us/library/windows/desktop/aa813708%28v=vs.85%29.aspx?f=255&mspperror =-2147217396
WinDbg: finding the Kernel32.dll base address