How to locate the kernel32 base address on Windows 7 [overflow research]

Source: Internet
Author: User

On earlier Windows versions the kernel32 base address was located by going through the fs segment register, which addresses the TEB (thread environment block): the pointer to the PEB (process environment block) sits at offset 0x30 of the TEB, the pointer to the PEB_LDR_DATA structure sits at offset 0x0C of the PEB, and that structure holds the linked lists of loaded modules. In the initialization-order list, ntdll.dll was the first entry and kernel32.dll the second, so the base address of kernel32.dll was simply read from the second entry. The corresponding code is as follows:

xor ecx, ecx              ; ecx = 0
mov esi, [fs:ecx + 0x30]  ; esi = &PEB  (fs:[0x30])
mov esi, [esi + 0x0C]     ; esi = PEB->Ldr
mov esi, [esi + 0x1C]     ; esi = PEB->Ldr.InInitializationOrderModuleList.Flink (ntdll.dll entry)
lodsd                     ; eax = entry.Flink, i.e. the second entry (assumed to be kernel32.dll)
mov ebp, [eax + 0x08]     ; ebp = entry.DllBase (offset 0x08 from InInitializationOrderLinks)

For details, refer to the PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY structure layouts (the structure listing originally shown at this point is not reproduced on this page).

On Windows 7, however, kernel32.dll is no longer the second entry of the initialization-order list but the third: Windows 7 introduced KERNELBASE.dll, on which kernel32.dll depends, so KERNELBASE.dll is initialized (and therefore listed) before it. See the following analysis:

0:000> !peb
PEB at 7ffd8000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         002f0000
    Ldr                       772b7880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 006f2068 . 006f34c8
    Ldr.InLoadOrderModuleList:           006f1fc8 . 006f38f8
    Ldr.InMemoryOrderModuleList:         006f1fd0 . 006f3900
            Base TimeStamp                     Module
          2f0000 49a5f6b3 Feb 26 09:56:03 2009 C:\Program Files\Debugging Tools for Windows (x86)\1_kill.exe
        771e0000 4a5bdadb Jul 14 09:09:47 2009 C:\Windows\SYSTEM32\ntdll.dll
        757c0000 4b1e3897 Dec 08 19:29:27 2009 C:\Windows\system32\kernel32.dll
        75500000 4a5bdaae Jul 14 09:09:02 2009 C:\Windows\system32\KERNELBASE.dll
        75630000 4a5bda6f Jul 14 09:07:59 2009 C:\Windows\system32\msvcrt.dll
        758b0000 4a5bd97e Jul 14 09:03:58 2009 C:\Windows\system32\ADVAPI32.dll
        fc760000 4a5bdb04 Jul 14 09:10:28 2009 C:\Windows\SYSTEM32\sechost.dll
        76850000 4a5bdade Jul 14 09:09:50 2009 C:\Windows\system32\RPCRT4.dll
        77320000 4a5bdb2f Jul 14 09:11:11 2009 C:\Windows\system32\USER32.dll
        76900000 4a5bd9dd Jul 14 09:05:33 2009 C:\Windows\system32\GDI32.dll
        756e0000 4a5bda19 Jul 14 09:06:33 2009 C:\Windows\system32\LPK.dll
        75980000 4a5bdb32 Jul 14 09:11:14 2009 C:\Windows\system32\USP10.dll
        ......

View Ldr.InInitializationOrderModuleList (its Flink, 006f2068, points at the InInitializationOrderLinks field of the first entry, so all offsets below are relative to that field, not to the start of LDR_DATA_TABLE_ENTRY):

0:000> dd 006f2068
006f2068  006f24a8 772b789c 771e0000 00000000  // Flink, Blink, DllBase, EntryPoint: ntdll.dll
006f2078  0013c000 003c003a 006f1f28 00140012  // SizeOfImage, FullDllName (Length/MaximumLength, Buffer), BaseDllName Length/MaximumLength
006f2088  7724d4cc 00004004 0000ffff 772ba680  // BaseDllName.Buffer (+0x20), Flags, LoadCount/TlsIndex, HashLinks
006f2098  772ba680 4a5bdadb 00000000 00000000  // HashLinks, TimeDateStamp

View the next module entry:

0:000> dd 006f24a8
006f24a8  006f2390 006f24a8 75500000 75507a9d  // DllBase 75500000: KERNELBASE.dll, no longer kernel32.dll
006f24b8  0004a000 00460044 006f2438 001e001c  // BaseDllName.Length 0x1c = 14 characters
006f24c8  006f2460 00084004 0000ffff 772ba690
006f24d8  772ba690 4a5bdaae 00000000 00000000

View the next module entry:

0:000> dd 006f2390
006f2390  006f2dc8 006f24a8 757c0000 758110e5  // DllBase 757c0000: kernel32.dll, now the third entry
006f23a0  000d4000 00420040 006f2320 001a0018  // BaseDllName.Length 0x18 = 12 characters
006f23b0  006f2348 00084004 0000ffff 772ba640
006f23c0  772ba640 4b1e3897 00000000 00000000

To locate the kernel32.dll base address regardless of its position, we can walk the InInitializationOrderModuleList with the same offsets as above and, for each entry, test whether the 13th character (index 12, i.e. byte offset 24, the 25th byte) of the module's UNICODE base name is the NUL terminator: "kernel32.dll" is exactly 12 characters long, whereas ntdll.dll (9) and KERNELBASE.dll (14) are not. The DllBase of the first entry that passes the test is the base address of kernel32.dll. One caveat: for a name shorter than 12 characters the test reads past the string's terminator, so its result depends on whatever bytes happen to follow the string in memory; comparing (or hashing) the full name is the more robust check if shellcode size allows. The code is as follows:

xor ecx, ecx              ; ecx = 0
mov esi, [fs:ecx + 0x30]  ; esi = &PEB  (fs:[0x30])
mov esi, [esi + 0x0C]     ; esi = PEB->Ldr
mov esi, [esi + 0x1C]     ; esi = PEB->Ldr.InInitializationOrderModuleList.Flink (first entry)
next_module:
mov ebp, [esi + 0x08]     ; ebp = InInitOrder[X].DllBase
mov edi, [esi + 0x20]     ; edi = InInitOrder[X].BaseDllName.Buffer (UNICODE)
mov esi, [esi]            ; esi = InInitOrder[X].Flink (next module)
cmp [edi + 12*2], cl      ; BaseDllName[12] == 0 ?  ("kernel32.dll" is 12 characters)
jne next_module           ; no: check the next entry
                          ; yes: ebp holds the base address of kernel32.dll
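The walk above can be exercised outside a debugger. The following C program is an added example and not code from the original article: it models the Windows 7 x86 list layout in a small emulated 32-bit memory window (the three entry addresses and DllBase values are taken from the dd output above; the PEB address, the Ldr address and the location of the name strings are constructed placeholders) and runs three finders over it: the pre-Windows 7 "second entry" read, the article's 13th-character check, and a case-insensitive comparison of the full base name. Building the list a second time with zero-filled gaps after each name shows the failure mode of the length heuristic: ntdll.dll's name is only 9 characters, so the 13th unit is read from beyond its terminator.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulated 32-bit address window (constructed; stands in for the target's
 * user-mode heap). Every read below goes through it instead of real memory. */
#define MEM_BASE 0x006f0000u
#define MEM_SIZE 0x00004000u
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a - MEM_BASE], 4); return v; }
static uint16_t rd16(uint32_t a) { uint16_t v; memcpy(&v, &mem[a - MEM_BASE], 2); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(&mem[a - MEM_BASE], &v, 4); }
static void wr16(uint32_t a, uint16_t v) { memcpy(&mem[a - MEM_BASE], &v, 2); }

/* Offsets the shellcode relies on. Entry offsets are relative to
 * InInitializationOrderLinks (+0x10 in LDR_DATA_TABLE_ENTRY), so DllBase
 * (+0x18) becomes +0x08 and BaseDllName (+0x2C) becomes +0x1C/+0x20. */
enum { PEB_LDR = 0x0C, LDR_INITORDER = 0x1C };
enum { E_FLINK = 0x00, E_DLLBASE = 0x08, E_BASENAME_LEN = 0x1C, E_BASENAME_BUF = 0x20 };

/* Constructed placement: PEB, Ldr and name-area addresses are placeholders;
 * entry addresses and DllBase values come from the article's dd output. */
#define PEB_ADDR  0x006f0000u
#define LDR_ADDR  0x006f0200u
#define NAME_AREA 0x006f3000u
static const struct { uint32_t entry, base; const char *name; } mods[] = {
    { 0x006f2068u, 0x771e0000u, "ntdll.dll"      },
    { 0x006f24a8u, 0x75500000u, "KERNELBASE.dll" },
    { 0x006f2390u, 0x757c0000u, "kernel32.dll"   },
};
#define NMODS (sizeof mods / sizeof mods[0])

/* Stores an ASCII name as NUL-terminated UTF-16LE; returns bytes written. */
static uint32_t put_wide(uint32_t a, const char *s) {
    uint32_t i = 0;
    for (; s[i]; i++) wr16(a + 2 * i, (uint8_t)s[i]);
    wr16(a + 2 * i, 0);
    return 2 * i + 2;
}

/* Builds PEB -> Ldr -> circular InInitializationOrderModuleList.
 * zero_padded=1: each name in its own zero-filled 64-byte slot.
 * zero_padded=0: names packed back to back, as a base name that points
 * into a longer string (e.g. the tail of a full path) would be. */
static uint32_t build_win7_layout(int zero_padded) {
    uint32_t head = LDR_ADDR + LDR_INITORDER, name = NAME_AREA, prev = head;
    memset(mem, 0, sizeof mem);
    wr32(PEB_ADDR + PEB_LDR, LDR_ADDR);
    for (size_t i = 0; i < NMODS; i++) {
        uint32_t e = mods[i].entry, used;
        wr32(prev, e);                       /* previous entry's Flink */
        wr32(e + 4, prev);                   /* this entry's Blink     */
        wr32(e + E_DLLBASE, mods[i].base);
        wr16(e + E_BASENAME_LEN, (uint16_t)(2 * strlen(mods[i].name)));
        wr32(e + E_BASENAME_BUF, name);
        used = put_wide(name, mods[i].name);
        name += zero_padded ? 64 : used;
        prev = e;
    }
    wr32(prev, head);                        /* last Flink back to the head */
    wr32(head + 4, prev);
    return PEB_ADDR;
}

/* Pre-Windows 7 shellcode: DllBase of the second entry. On the Windows 7
 * list that entry is KERNELBASE.dll. */
static uint32_t second_entry_base(uint32_t peb) {
    uint32_t first  = rd32(rd32(peb + PEB_LDR) + LDR_INITORDER);  /* ntdll.dll */
    uint32_t second = rd32(first + E_FLINK);                       /* lodsd     */
    return rd32(second + E_DLLBASE);
}

/* The article's heuristic: first entry whose BaseDllName[12] is NUL. The
 * shellcode compares only the low byte (cl) and has no list-head check;
 * the head check here just keeps the loop finite when nothing matches. */
static uint32_t find_kernel32_by_len(uint32_t peb) {
    uint32_t head = rd32(peb + PEB_LDR) + LDR_INITORDER;
    for (uint32_t e = rd32(head); e != head; ) {
        uint32_t base = rd32(e + E_DLLBASE);
        uint32_t buf  = rd32(e + E_BASENAME_BUF);
        e = rd32(e + E_FLINK);
        if (rd16(buf + 12 * 2) == 0) return base;
    }
    return 0;
}

/* Robust variant: match BaseDllName.Length and every character,
 * case-insensitively (module name casing is not guaranteed). */
static int name_is(uint32_t e, const char *ascii) {
    size_t n = strlen(ascii);
    uint32_t buf = rd32(e + E_BASENAME_BUF);
    if ((size_t)rd16(e + E_BASENAME_LEN) != 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = rd16(buf + 2 * i);
        if (c > 0x7F || tolower(c) != tolower((unsigned char)ascii[i])) return 0;
    }
    return 1;
}

static uint32_t find_kernel32_by_name(uint32_t peb) {
    uint32_t head = rd32(peb + PEB_LDR) + LDR_INITORDER;
    for (uint32_t e = rd32(head); e != head; e = rd32(e + E_FLINK))
        if (name_is(e, "kernel32.dll")) return rd32(e + E_DLLBASE);
    return 0;
}

int main(void) {
    uint32_t peb = build_win7_layout(0);
    printf("second entry    : %08x  (KERNELBASE.dll on Windows 7)\n", second_entry_base(peb));
    printf("BaseDllName[12] : %08x\n", find_kernel32_by_len(peb));
    printf("name compare    : %08x\n", find_kernel32_by_name(peb));
    peb = build_win7_layout(1);
    printf("BaseDllName[12] : %08x  (zero-padded names: ntdll.dll matches first)\n", find_kernel32_by_len(peb));
    printf("name compare    : %08x\n", find_kernel32_by_name(peb));
    return 0;
}
```

In a real process the shellcode obtains the PEB with a single fs:[0x30] read; the emulation replaces that read with a fixed placeholder address and is otherwise the same sequence of dereferences. With packed names the 13th-character check lands on kernel32.dll (757c0000) exactly as the article describes; with zero padding after each string it stops at ntdll.dll (771e0000), which is why the name comparison is preferable when the extra bytes are affordable.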
