This is my first GetProcAddress-by-hash attempt. The program only creates a text file as a test.
Tested on WinXP, but I don't know about Win7 or so.
Useful comments are welcome...
Posted 17 November 2013 - 01:33 AM
Posted 17 November 2013 - 03:10 AM
Very nice code. I got an Access Violation running on W7 x86 in this code part.
cmp dword [eax+7], 'ileW' ; CreateFileW
Regards
Posted 17 November 2013 - 01:36 PM
Just make sure that getting the kernel base works on all versions of Windows, both x86 and x64.
proc GetKernel32
; kernel32 base via the PEB loader list (x86 only: fs:30h is the 32-bit TEB->PEB slot; x64 needs gs:60h and different offsets)
mov eax, [fs:30h]    ; TEB->ProcessEnvironmentBlock
mov eax, [eax + 0Ch] ; PEB->Ldr
mov eax, [eax + 0Ch] ; Ldr->InLoadOrderModuleList.Flink (1st entry: the exe itself)
mov eax, [eax]       ; 2nd entry: ntdll.dll
mov eax, [eax]       ; 3rd entry: kernel32.dll (relies on the XP/Win7 load order)
mov eax, [eax + 18h] ; LDR_DATA_TABLE_ENTRY.DllBase
ret
endp
Posted 18 November 2013 - 11:57 PM
karcrack, on 17 Nov 2013 - 01:46 AM, said:
Nice code ^^ As I bet you know, it won't be working with ordinals or forwarded exports...
Posted 19 November 2013 - 02:57 PM
ComeBack, on 18 Nov 2013 - 11:57 PM, said:
Thx, but I did find my procaddress, so I think I don't need to do it with ordinals.
And forwarded functions should also work, but I have not tried it. But why did you make a bet?
You need the ordinal to get the correct function address.
Quote
Use the value from the AddressOfNameOrdinals array as the index into the AddressOfFunctions array. Say, if the value is 5, you must extract the value in the 5th element of the AddressOfFunctions array. That value is the RVA of the function.
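The ordinal-table point made above, as an added example that is not code from this thread: a small C resolver that walks a constructed export directory, indexes AddressOfFunctions through AddressOfNameOrdinals rather than through the name index, and reports forwarded exports (whose "RVA" lands inside the export directory) as unresolved. The ROR13 hash, the struct redeclaration, the RVAs and the sample image are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Layout of IMAGE_EXPORT_DIRECTORY (winnt.h), redeclared so this builds without windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;
/* ROR13 name hash (an assumption: the thread does not show its hash function). */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    while (*s) h = ((h >> 13) | (h << 19)) + (uint8_t)*s++;
    return h;
}
/* Resolve an export by name hash. image = module base; exp_rva/exp_size come from the
   export data directory. Returns the function RVA, or 0 when not found or forwarded. */
uint32_t resolve_by_hash(const uint8_t *image, uint32_t exp_rva, uint32_t exp_size, uint32_t hash) {
    const ExportDir *ed = (const ExportDir *)(image + exp_rva);
    const uint32_t *funcs = (const uint32_t *)(image + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(image + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(image + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        if (ror13_hash((const char *)(image + names[i])) != hash) continue;
        /* The point raised in the thread: names[i] pairs with ords[i], and ords[i], not i, indexes
           AddressOfFunctions; funcs[i] only works when the two tables happen to line up. */
        uint32_t rva = funcs[ords[i]];
        /* A forwarder's RVA lands inside the export directory, at a "DLL.Func" string. */
        if (rva >= exp_rva && rva < exp_rva + exp_size) return 0;
        return rva;
    }
    return 0;
}
/* Constructed image fragment (not a real DLL): export directory at RVA 0x100, names in sorted
   order, an ordinal table that is deliberately not the identity, and one forwarded export. */
static union { uint32_t align; uint8_t b[0x200]; } g_img;
const uint8_t *sample_image(void) {
    uint8_t *b = g_img.b;
    memset(b, 0, sizeof g_img.b);
    ExportDir *ed = (ExportDir *)(b + 0x100);
    ed->NumberOfFunctions = 3; ed->NumberOfNames = 3;
    ed->AddressOfFunctions = 0x140; ed->AddressOfNames = 0x150; ed->AddressOfNameOrdinals = 0x160;
    strcpy((char *)b + 0x170, "CreateFileW"); strcpy((char *)b + 0x180, "ExitProcess");
    strcpy((char *)b + 0x190, "HeapAlloc");   strcpy((char *)b + 0x1A0, "NTDLL.RtlAllocateHeap");
    uint32_t names[3] = {0x170, 0x180, 0x190}, funcs[3] = {0x2000, 0x1A0, 0x1000};
    uint16_t ords[3] = {2, 0, 1}; /* CreateFileW->funcs[2], ExitProcess->funcs[0], HeapAlloc->funcs[1] (forwarder) */
    memcpy(b + 0x140, funcs, sizeof funcs); memcpy(b + 0x150, names, sizeof names); memcpy(b + 0x160, ords, sizeof ords);
    return b;
}
```

With this sample, indexing funcs[i] directly would hand back 0x2000 for CreateFileW; going through the ordinal table gives 0x1000, and HeapAlloc is correctly rejected as a forwarder to NTDLL.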
Posted 19 November 2013 - 06:51 PM
Can't edit my post? Ok. This is something I did a long time ago, it explains what I mean.
It doesn't support forwarded exports.