In earlier Windows versions, the kernel32.dll base address was located as follows: the fs segment register points to the TEB (Thread Environment Block); at offset 0x30 of the TEB lies a pointer to the PEB (Process Environment Block); the PEB in turn points to the PEB_LDR_DATA structure, which holds the linked lists of loaded modules; finally, the base address of kernel32.dll is read from the second entry of the initialization-order list. The corresponding code is as follows:
xor ecx, ecx             ; ecx = 0
mov esi, [fs:ecx+0x30]   ; esi = &PEB ([fs:0x30])
mov esi, [esi+0x0c]      ; esi = PEB->Ldr
mov esi, [esi+0x1c]      ; esi = PEB->Ldr.InInitOrder (first entry: ntdll.dll)
lodsd                    ; eax = PEB->Ldr.InInitOrder.flink (second entry: kernel32.dll)
mov ebp, [eax+0x08]      ; ebp = PEB->Ldr.InInitOrder.flink.base (kernel32.dll base)
For details, refer to the following structure:
However, on Windows 7, kernel32.dll is no longer the second module in this list but the third. See the following analysis:
0:000> !peb
PEB at 7ffd8000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         002f0000
    Ldr                       772b7880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 006f2068 . 006f34c8
    Ldr.InLoadOrderModuleList:           006f1fc8 . 006f38f8
    Ldr.InMemoryOrderModuleList:         006f1fd0 . 006f3900
            Base TimeStamp                     Module
          2f0000 49a5f6b3 Feb 26 09:56:03 2009 C:\Program Files\Debugging Tools for Windows (x86)\1_kill.exe
        771e0000 4a5bdadb Jul 14 09:09:47 2009 C:\Windows\SYSTEM32\ntdll.dll
        757c0000 4b1e3897 Dec 08 19:29:27 2009 C:\Windows\system32\kernel32.dll
        75500000 4a5bdaae Jul 14 09:09:02 2009 C:\Windows\system32\KERNELBASE.dll
        75630000 4a5bda6f Jul 14 09:07:59 2009 C:\Windows\system32\msvcrt.dll
        758b0000 4a5bd97e Jul 14 09:03:58 2009 C:\Windows\system32\ADVAPI32.dll
        Fc760000 4a5bdb04 Jul 14 09:10:28 2009 C:\Windows\SYSTEM32\sechost.dll
        76850000 4a5bdade Jul 14 09:09:50 2009 C:\Windows\system32\RPCRT4.dll
        77320000 4a5bdb2f Jul 14 09:11:11 2009 C:\Windows\system32\USER32.dll
        76900000 4a5bd9dd Jul 14 09:05:33 2009 C:\Windows\system32\GDI32.dll
        756e0000 4a5bda19 Jul 14 09:06:33 2009 C:\Windows\system32\LPK.dll
        75980000 4a5bdb32 Jul 14 09:11:14 2009 C:\Windows\system32\USP10.dll
        ......
View the first entry of Ldr.InInitializationOrderModuleList:
0:000> dd 006f2068
006f2068  006f24a8 772b789c 771e0000 00000000   // ntdll.dll (DllBase 771e0000)
006f2078  0013c000 003c003a 006f1f28 00140012
006f2088  7724d4cc 00004004 0000ffff 772ba680
006f2098  772ba680 4a5bdadb 00000000 00000000
View the next module entry:
0:000> dd 006f24a8
006f24a8  006f2390 006f2068 75500000 75507a9d   // KERNELBASE.dll (DllBase 75500000), no longer kernel32.dll
006f24b8  0004a000 00460044 006f2438 001e001c
006f24c8  006f2460 00084004 0000ffff 772ba690
006f24d8  772ba690 4a5bdaae 00000000 00000000
View the next module entry:
0:000> dd 006f2390
006f2390  006f2dc8 006f24a8 757c0000 758110e5   // kernel32.dll (DllBase 757c0000), now the third module
006f23a0  000d4000 00420040 006f2320 001a0018
006f23b0  006f2348 00084004 0000ffff 772ba640
006f23c0  772ba640 4b1e3897 00000000 00000000
To locate the kernel32.dll base address reliably, we can traverse the InInitializationOrder list by the same method as above and, for each entry, test whether the 13th character of the module name string (the 25th byte, since the name is stored as a Unicode string) is a NUL character (0). The name "kernel32.dll" is exactly 12 characters long, so its terminator sits at index 12; the base address of the first entry that passes this test is the kernel32.dll base. The code is as follows:
xor ecx, ecx             ; ecx = 0
mov esi, [fs:ecx+0x30]   ; esi = &PEB ([fs:0x30])
mov esi, [esi+0x0c]      ; esi = PEB->Ldr
mov esi, [esi+0x1c]      ; esi = PEB->Ldr.InInitOrder (first entry)
next_module:
mov ebp, [esi+0x08]      ; ebp = InInitOrder[X].base_address
mov edi, [esi+0x20]      ; edi = InInitOrder[X].module_name (Unicode)
mov esi, [esi]           ; esi = InInitOrder[X].flink (next module)
cmp [edi+12*2], cl       ; module_name[12] == 0 ?
jne next_module          ; no: try the next entry; yes: ebp holds the kernel32.dll base
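As an added example (not code from the original article), the following Python rebuilds a small memory image from the three dd dumps above, walks the InInitializationOrderModuleList the way a forensic parser would, and compares the old second-entry assumption with the module_name[12] check. The UTF-16 name strings are constructed at the BaseDllName buffer addresses the dumps give (the dumps themselves contain only the addresses and lengths), and the non-zero filler after "ntdll.dll" is an assumption standing in for whatever image data follows that string: the check reads past the terminator of any name shorter than 12 characters, so it silently depends on that byte being non-zero.

```python
import struct

# Constructed 32-bit memory image: the three 16-dword blocks are this page's `dd`
# dumps (verbatim); the UTF-16 names are constructed at the BaseDllName buffer
# addresses the dumps give, with non-zero filler after "ntdll.dll" (see lead-in).
MEM = {}
def _dd(addr, words):
    MEM[addr] = b"".join(struct.pack("<I", int(w, 16)) for w in words.split())
_dd(0x006f2068, "006f24a8 772b789c 771e0000 00000000 0013c000 003c003a 006f1f28 00140012 "
                "7724d4cc 00004004 0000ffff 772ba680 772ba680 4a5bdadb 00000000 00000000")
_dd(0x006f24a8, "006f2390 006f2068 75500000 75507a9d 0004a000 00460044 006f2438 001e001c "
                "006f2460 00084004 0000ffff 772ba690 772ba690 4a5bdaae 00000000 00000000")
_dd(0x006f2390, "006f2dc8 006f24a8 757c0000 758110e5 000d4000 00420040 006f2320 001a0018 "
                "006f2348 00084004 0000ffff 772ba640 772ba640 4b1e3897 00000000 00000000")
MEM[0x7724d4cc] = "ntdll.dll\0".encode("utf-16-le") + b"\xaa" * 16
MEM[0x006f2460] = "KERNELBASE.dll\0".encode("utf-16-le")
MEM[0x006f2348] = "kernel32.dll\0".encode("utf-16-le")

def read(addr, n):
    """Read n bytes at addr; KeyError if the image does not cover that range."""
    for base, blob in MEM.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    raise KeyError(hex(addr))
def u32(addr):
    return struct.unpack("<I", read(addr, 4))[0]

# Offsets from InInitializationOrderLinks (x86): the 0x08/0x20 the page's asm uses.
FLINK, DLLBASE, NAME_LEN, NAME_BUF = 0x00, 0x08, 0x1C, 0x20

def walk(first, limit=16):
    """Forensic-style listing of (DllBase, BaseDllName) in initialization order."""
    out, entry = [], first
    while entry in MEM and len(out) < limit:
        nbytes = u32(entry + NAME_LEN) & 0xFFFF        # UNICODE_STRING.Length
        name = read(u32(entry + NAME_BUF), nbytes).decode("utf-16-le")
        out.append((u32(entry + DLLBASE), name))
        entry = u32(entry + FLINK)
    return out
def second_entry_base(first):
    """Pre-Windows-7 assumption: the entry after ntdll is kernel32."""
    return u32(u32(first + FLINK) + DLLBASE)
def name12_check_base(first, limit=16):
    """The page's fix: first entry whose name has a zero byte at character 12."""
    entry = first
    for _ in range(limit):
        if read(u32(entry + NAME_BUF) + 12 * 2, 1) == b"\x00":  # cmp [edi+12*2], cl
            return u32(entry + DLLBASE)
        entry = u32(entry + FLINK)
    return None
```

On this image second_entry_base returns the KERNELBASE.dll base (0x75500000) while name12_check_base returns the kernel32.dll base (0x757c0000), reproducing the analysis above.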