Get User32 base via PEB/TEB?
#1
Posted 30 November 2013 - 12:05 PM
I saw some sources which retrieve the kernel32 base address via the PEB/TEB, but I need the user32 base. Is there any way to get this via the PEB/TEB without using APIs?
#2
Posted 30 November 2013 - 01:55 PM
If I recall an old topic from exetools, we had a problem and a question about what to do when we land at ntdll.dll, and the first answer was to do nothing, but someone came up with the idea to reverse it and point the main executable to the reversed one. I am not sure if this still works. So, in this way, you don't use APIs to access it and you access it directly in the main program. I don't have the code from that time to show you how it worked, but I recall that method. I hope that it can help, since both are Windows OS libraries. And be aware, if not done correctly, it can result in a BSOD, so use it with caution and never add it to startup until you are sure that it works 100%.
Meet me here: http://www.voa.mod.gov.rs/en/
#3
Posted 30 November 2013 - 02:12 PM
Hess, your reply is totally useless. What you are saying has really nothing to do with the content of this topic. You are a nice guy, but please stop talking nonsense.
- delphifocus and Hess like this
#4
Posted 30 November 2013 - 02:30 PM
I was unsure what this is about, so that is what came to my head first. I'll look into the matter a little more, since I felt when I was responding that something was not right, but I posted it anyway to find out whether or not I am correct, since I am somehow getting into shape again, but everything is blurred and mixed.
Edit: Can you provide me with sample code, because I think I know what you are talking about.
#5
Posted 30 November 2013 - 02:46 PM
User32 will only be there if it's imported by the file or loaded after execution, so there is no guarantee it will be there, unlike kernel32, which is always loaded.
- Hess and Tony like this
#6
Posted 30 November 2013 - 02:59 PM
The file doesn't have any imports, so is the only way to get the base of user32 to load it dynamically using LoadLibrary?
#7
Posted 30 November 2013 - 02:59 PM
steve10120, on 30 Nov 2013 - 2:46 PM, said:
User32 will only be there if it's imported by the file or loaded after execution, so there is no guarantee it will be there, unlike kernel32, which is always loaded.
Yes, that is what I saw on MSDN, as a reference for when someone who makes drivers makes a mistake and gets a BSOD. And the recommendation is that a dev does it via kernel32 and NOT via User32.
#8
Posted 30 November 2013 - 03:23 PM
Quote
The file doesn't have any imports, so is the only way to get the base of user32 to load it dynamically using LoadLibrary?
yes... user32.dll is not mapped into the process address space by default... generally speaking only ntdll.dll is guaranteed to be loaded; it is mapped by kernel mode code when the process is created... ntdll.dll is required by each process, as the loader's code is situated in it (the code that actually loads PE files, fixes imports and relocations, etc.)... you can use LdrLoadDll to load any additional libraries...
- Jochen, Hess and Tony like this
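The point made in #5 and #8 in working code. This is an added example for this thread, not code from any of the posters: a PEB loader-list walk that returns a module base with no imports at all, and returns NULL when the module simply is not in the list, which is the expected result for user32.dll in an import-free file. The struct definitions are the minimal prefixes of PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY the walk touches (declared by hand because winternl.h does not expose the fields); the TEB/PEB offsets are the documented x86/x64 ones. The fixture list (ntdll and kernel32 only, with made-up base addresses) is constructed here so the walk can be exercised off-Windows; on Windows the same walker runs against the real PEB.

```c
/* Locate a module base by walking PEB->Ldr->InLoadOrderModuleList, no APIs.
 * Added example for this thread, not code from the original posts.
 * Only the struct prefixes the walk needs are declared; their natural
 * alignment matches the real layout on both x86 and x64. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_MSC_VER)
#include <intrin.h>
#endif

typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry;

typedef struct {
    uint16_t  Length;          /* bytes, no terminator */
    uint16_t  MaximumLength;
    uint16_t *Buffer;          /* UTF-16 code units */
} unicode_string;

typedef struct {               /* prefix of PEB_LDR_DATA (PEB->Ldr) */
    uint32_t   Length;
    uint8_t    Initialized;
    void      *SsHandle;
    list_entry InLoadOrderModuleList;
    list_entry InMemoryOrderModuleList;
    list_entry InInitializationOrderModuleList;
} peb_ldr_data;

typedef struct {               /* prefix of LDR_DATA_TABLE_ENTRY */
    list_entry     InLoadOrderLinks;   /* first member: node ptr == entry ptr */
    list_entry     InMemoryOrderLinks;
    list_entry     InInitializationOrderLinks;
    void          *DllBase;
    void          *EntryPoint;
    uint32_t       SizeOfImage;
    unicode_string FullDllName;
    unicode_string BaseDllName;
} ldr_entry;

/* Case-insensitive compare of a UTF-16 BaseDllName against an ASCII name. */
static int name_matches(const unicode_string *u, const char *ascii)
{
    size_t n = u->Length / 2, i;
    if (!u->Buffer) return 0;
    for (i = 0; i < n; i++) {
        uint16_t a = u->Buffer[i];
        unsigned char b = (unsigned char)ascii[i];
        if (b == 0) return 0;                      /* wanted name is shorter */
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return ascii[n] == '\0';
}

/* DllBase of the named module, or NULL if it is not loaded. NULL is the
 * normal answer for user32.dll in a process that never loaded it. */
void *ldr_find_module(const peb_ldr_data *ldr, const char *name)
{
    const list_entry *head = &ldr->InLoadOrderModuleList, *it;
    for (it = head->Flink; it && it != head; it = it->Flink)
        if (name_matches(&((const ldr_entry *)it)->BaseDllName, name))
            return ((const ldr_entry *)it)->DllBase;
    return NULL;
}

#ifdef _WIN32
/* TEB->ProcessEnvironmentBlock: gs:0x60 (x64) / fs:0x30 (x86);
 * PEB->Ldr: +0x18 (x64) / +0x0C (x86). */
static peb_ldr_data *current_ldr(void)
{
    uint8_t *peb;
#if defined(_MSC_VER) && defined(_M_X64)
    peb = (uint8_t *)__readgsqword(0x60);
#elif defined(_MSC_VER)
    peb = (uint8_t *)__readfsdword(0x30);
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#endif
    return *(peb_ldr_data **)(peb + (sizeof(void *) == 8 ? 0x18 : 0x0C));
}
#endif

/* Constructed fixture (not a real process): ntdll + kernel32 only, i.e. the
 * module list of an import-free file as #5 and #8 describe. Bases are fake. */
#define FAKE_NTDLL_BASE    ((void *)(uintptr_t)0x77000000u)
#define FAKE_KERNEL32_BASE ((void *)(uintptr_t)0x76000000u)
static uint16_t g_names[2][16]; static ldr_entry g_ent[2]; static peb_ldr_data g_ldr;

static void set_name(unicode_string *u, uint16_t *buf, const char *ascii)
{
    size_t n = strlen(ascii), i;
    for (i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    u->Buffer = buf; u->Length = u->MaximumLength = (uint16_t)(n * 2);
}

const peb_ldr_data *constructed_ldr(void)
{
    list_entry *head = &g_ldr.InLoadOrderModuleList;
    memset(&g_ldr, 0, sizeof g_ldr); memset(g_ent, 0, sizeof g_ent);
    set_name(&g_ent[0].BaseDllName, g_names[0], "ntdll.dll");
    g_ent[0].DllBase = FAKE_NTDLL_BASE;
    set_name(&g_ent[1].BaseDllName, g_names[1], "KERNEL32.DLL"); /* upper case, as real entries often are */
    g_ent[1].DllBase = FAKE_KERNEL32_BASE;
    head->Flink = &g_ent[0].InLoadOrderLinks;  g_ent[0].InLoadOrderLinks.Blink = head;
    g_ent[0].InLoadOrderLinks.Flink = &g_ent[1].InLoadOrderLinks;
    g_ent[1].InLoadOrderLinks.Blink = &g_ent[0].InLoadOrderLinks;
    g_ent[1].InLoadOrderLinks.Flink = head;     head->Blink = &g_ent[1].InLoadOrderLinks;
    g_ldr.Length = sizeof g_ldr; g_ldr.Initialized = 1;
    return &g_ldr;
}

int main(void)
{
#ifdef _WIN32
    const peb_ldr_data *ldr = current_ldr();     /* real process */
#else
    const peb_ldr_data *ldr = constructed_ldr(); /* fixture */
#endif
    void *k32 = ldr_find_module(ldr, "kernel32.dll");
    void *u32 = ldr_find_module(ldr, "user32.dll");
    printf("kernel32: %p\nuser32:   %p%s\n", k32, u32,
           u32 ? "" : "  (not loaded; load it via LoadLibrary/LdrLoadDll first)");
    return 0;
}
```

Whatever the walker returns for user32 has to be NULL-checked; the thread's answer is that in an import-free file it will be NULL until the code itself loads the DLL, and the only module it can count on finding this way is ntdll (and in practice kernel32). LdrLoadDll, found by walking ntdll's export table from the base this walk gives, is the no-imports route to getting user32 mapped.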
#9
Posted 30 November 2013 - 03:36 PM
Okay, thanks steve10120 & LeFF!