XR3X

Jump to content


Photo

Get User32 base via PEB/TEB?


  • You cannot start a new topic
  • Please log in to reply
8 replies to this topic

#1 Tony

Tony

    Intermediate Member

  • Associate
  • Reputation: 145
    Very Good
  • 270 posts
Contributor

Posted 30 November 2013 - 12:05 PM

I saw some sources which retrieves the kernel32 base address via peb/teb, but i need the user32 base. Is there any way to get this via peb/teb without using api's?



#2 Hess

Hess

    Intelligence Service

  • Loyalist
  • Reputation: 766
    Excellent
  • 2,821 posts
  • LocationBelgrade
Contributor

Posted 30 November 2013 - 01:55 PM

If I recall an old topic from exetools , we had a problem and question what to do when we land @ ntdll.dll and , first answer was to do nothing , but someone came to idea to reverse it and point main executable to reversed one. I am not sure if this still works. So , in this way , You don't use API's to access it and You access it directly in main program. I don't have codes from that time to show You how it worked , but I recall that method. I hope that it can help , since both are windows OS libraries. And , be aware , if not done correctly , it can result in BSOD , so , use it with caution and never add startup to it until You are sure that it works 100%.



#3 Tony

Tony

    Intermediate Member

  • Associate
  • Reputation: 145
    Very Good
  • 270 posts
Contributor

Posted 30 November 2013 - 02:12 PM

Hess, your reply is totally useless. What you are saying has really nothing to do with the content of this topic. You are a nice guy but please stop talking nonsense :)


  • delphifocus and Hess like this

#4 Hess

Hess

    Intelligence Service

  • Loyalist
  • Reputation: 766
    Excellent
  • 2,821 posts
  • LocationBelgrade
Contributor

Posted 30 November 2013 - 02:30 PM

I was unsure what is this about , so , that is what came to my head first. :) I'll look into that matter little more , since I felt that when I was responding something is not right , but I posted it anyway , to be sure or not am I correct , since I am somehow getting into shape again , but everything is blured and mixed. :)

Edit: Can You provide me sample codes , because I think I know what are You talking about. :)



#5 steve10120

steve10120

    Member

  • Notorious
  • Reputation: 55
    Good
  • 61 posts
  • Locationic0de.org

Posted 30 November 2013 - 02:46 PM

User32 will only be there if its imported by the file or loaded after execution, so there is no guarantee it will be there, unlike kernel32 which is always loaded.


  • Hess and Tony like this

#6 Tony

Tony

    Intermediate Member

  • Associate
  • Reputation: 145
    Very Good
  • 270 posts
Contributor

Posted 30 November 2013 - 02:59 PM

The file doesn't have any imports, so the only way to get the base of user32 is to load it using LoadLibrary dynamically?



#7 Hess

Hess

    Intelligence Service

  • Loyalist
  • Reputation: 766
    Excellent
  • 2,821 posts
  • LocationBelgrade
Contributor

Posted 30 November 2013 - 02:59 PM

User32 will only be there if its imported by the file or loaded after execution, so there is no guarantee it will be there, unlike kernel32 which is always loaded.

Yes that is what I saw on MSDN , as a reference if someone who mades drivers makes mistake and gets BSOD. And recommendation is that a dev does it via kernel32 and NOT via User32.
 



#8 LeFF

LeFF

    Advanced Member

  • Moderator
  • Reputation: 457
    Very Good
  • 426 posts
Contributor

Posted 30 November 2013 - 03:23 PM

The file doesn't have any imports, so the only way to get the base of user32 is to load it using LoadLibrary dynamically?

yes... user32.dll is not mapped to the process address space by default... generally speaking only ntdll.dll is guarantied to be loaded, it is mapped by kernel mode code, when the process is created... ntdll.dll is required by each process, as the loader's code is situated in it (the code that actually loads PE files, fix imports and relocations and etc)... you can use LdrLoadDll to load any additional libraries...


  • Jochen, Hess and Tony like this

#9 Tony

Tony

    Intermediate Member

  • Associate
  • Reputation: 145
    Very Good
  • 270 posts
Contributor

Posted 30 November 2013 - 03:36 PM

Okay, thanks steven10120 & LeFF ! :wub:   :P‚Äč