2 楼
0.你确定Win10的_PEB结构跟win7一样吗?
1.GetModuleHandle("kernel32.dll")
2.用CE
3.不用api的话,不能。用api的话,见1。基址不一样。
3 楼
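/* Bounds for reading a target process's loader state. The wait count is the
 * original 500 polls of 250 ms; the list cap is well above any realistic
 * module count and exists so a cyclic (corrupted or hostile) user-mode list
 * cannot pin this kernel thread in an endless walk. */
enum
{
    BB_LDR_WAIT_ITERATIONS = 500,
    BB_LDR_MAX_ENTRIES = 4096
};

/* Search the WoW64 (32-bit) PEB's InLoadOrderModuleList for ModuleName.
 * Returns the entry's DllBase, or NULL when the name is not found or the list
 * is longer than BB_LDR_MAX_ENTRIES. Must be called inside the caller's __try
 * block: every dereference here touches user-mode memory of the target. */
static PVOID BBFindModule32(PPEB32 pPeb32, PUNICODE_STRING ModuleName)
{
    PPEB_LDR_DATA32 pLdr = (PPEB_LDR_DATA32)(pPeb32->Ldr);
    PLIST_ENTRY32 pHead = &pLdr->InLoadOrderModuleList;
    PLIST_ENTRY32 pListEntry32;
    INT visited = 0;

    for (pListEntry32 = (PLIST_ENTRY32)pHead->Flink;
         pListEntry32 != pHead;
         pListEntry32 = (PLIST_ENTRY32)pListEntry32->Flink)
    {
        PLDR_DATA_TABLE_ENTRY32 pEntry32 = CONTAINING_RECORD(pListEntry32, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
        UNICODE_STRING ustr;

        if (++visited > BB_LDR_MAX_ENTRIES)
        {
            DPRINT("BlackBone: %s: Loader list longer than %d entries. Aborting\n", __FUNCTION__, BB_LDR_MAX_ENTRIES);
            return NULL;
        }

        // Describe the name with the lengths the loader recorded instead of
        // RtlUnicodeStringInit, which would wcslen() user memory and so depend
        // on a NUL terminator the target process controls.
        ustr.Length = pEntry32->BaseDllName.Length;
        ustr.MaximumLength = pEntry32->BaseDllName.MaximumLength;
        ustr.Buffer = (PWCH)pEntry32->BaseDllName.Buffer;

        // Case-insensitive, same as the native path
        if (RtlCompareUnicodeString(&ustr, ModuleName, TRUE) == 0)
            return (PVOID)pEntry32->DllBase;
    }

    return NULL;
}

/* Search the native PEB's InLoadOrderModuleList for ModuleName. Same contract
 * as BBFindModule32, for the full-size loader structures. */
static PVOID BBFindModule(PPEB pPeb, PUNICODE_STRING ModuleName)
{
    PLIST_ENTRY pHead = &pPeb->Ldr->InLoadOrderModuleList;
    PLIST_ENTRY pListEntry;
    INT visited = 0;

    for (pListEntry = pHead->Flink; pListEntry != pHead; pListEntry = pListEntry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        if (++visited > BB_LDR_MAX_ENTRIES)
        {
            DPRINT("BlackBone: %s: Loader list longer than %d entries. Aborting\n", __FUNCTION__, BB_LDR_MAX_ENTRIES);
            return NULL;
        }

        if (RtlCompareUnicodeString(&pEntry->BaseDllName, ModuleName, TRUE) == 0)
            return pEntry->DllBase;
    }

    return NULL;
}

/*
 * BBGetUserModule - Look up a loaded user-mode module by base name and return
 * its DllBase, by walking the target process's PEB loader list.
 *
 * pProcess   - target process; NULL yields NULL. The PEB and loader lists are
 *              user-mode memory of that process. This function does not attach
 *              to the process itself; presumably the caller is already in the
 *              target's address space (e.g. KeStackAttachProcess) - confirm at
 *              call sites.
 * ModuleName - base DLL name to match, compared case-insensitively.
 * isWow64    - TRUE to read the 32-bit (WoW64) PEB, FALSE for the native PEB.
 * isWait     - TRUE to poll up to BB_LDR_WAIT_ITERATIONS times, 250 ms apart,
 *              for PEB->Ldr to become non-NULL before giving up.
 *
 * Returns the module's DllBase, or NULL when the process has no PEB, the
 * loader did not initialise in time, the module is not found, the loader list
 * is implausibly long, or an exception was raised while reading user memory.
 *
 * NOTE(review): everything reached through the PEB is writable by the target
 * process. The SEH block only converts an access violation into NULL; the
 * list may change between this read and the caller's use of the result, so
 * the returned base is untrusted input.
 */
PVOID BBGetUserModule(IN PEPROCESS pProcess, IN PUNICODE_STRING ModuleName, IN BOOLEAN isWow64, IN BOOLEAN isWait)
{
    LARGE_INTEGER time = { 0 };
    PVOID base = NULL;

    if (pProcess == NULL)
        return NULL;

    // Negative QuadPart = relative interval: 250 msec in 100-ns units
    time.QuadPart = -250ll * 10 * 1000;

    // Protect from UserMode AV
    __try
    {
        if (isWow64)
        {
            // Wow64 process. On a 32-bit kernel the native PEB already is the
            // 32-bit layout, so the same pointer serves as PPEB32.
#ifdef _WIN64
            PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(pProcess);
#else
            PPEB32 pPeb32 = (PPEB32)PsGetProcessPeb(pProcess);
#endif
            if (pPeb32 == NULL)
            {
                DPRINT("BlackBone: %s: No PEB present. Aborting\n", __FUNCTION__);
                return NULL;
            }

            if (isWait)
            {
                INT i;

                // Wait for loader a bit
                for (i = 0; !pPeb32->Ldr && i < BB_LDR_WAIT_ITERATIONS; i++)
                {
                    DPRINT("BlackBone: %s: Loader not intialiezd, waiting\n", __FUNCTION__);
                    KeDelayExecutionThread(KernelMode, TRUE, &time);
                }
            }

            // Still no loader
            if (!pPeb32->Ldr)
            {
                DPRINT("BlackBone: %s: Loader was not intialiezd in time. Aborting\n", __FUNCTION__);
                return NULL;
            }

            base = BBFindModule32(pPeb32, ModuleName);
        }
        else
        {
            // Native process
            PPEB pPeb = PsGetProcessPeb(pProcess);

            if (!pPeb)
            {
                DPRINT("BlackBone: %s: No PEB present. Aborting\n", __FUNCTION__);
                return NULL;
            }

            if (isWait)
            {
                INT i;

                // Wait for loader a bit
                for (i = 0; !pPeb->Ldr && i < BB_LDR_WAIT_ITERATIONS; i++)
                {
                    DPRINT("BlackBone: %s: Loader not intialiezd, waiting\n", __FUNCTION__);
                    KeDelayExecutionThread(KernelMode, TRUE, &time);
                }
            }

            // Still no loader
            if (!pPeb->Ldr)
            {
                DPRINT("BlackBone: %s: Loader was not intialiezd in time. Aborting\n", __FUNCTION__);
                return NULL;
            }

            base = BBFindModule(pPeb, ModuleName);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Any fault while touching the target's memory is reported as "not found"
        DPRINT("BlackBone: %s: Exception, Code: 0x%X\n", __FUNCTION__, GetExceptionCode());
        base = NULL;
    }

    return base;
}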
4 楼
/// Works on XP/Vista/Win7 and on both x86 and x64 (original author's claim).
/// Every offset below is hard-coded and the result is simply the third entry
/// of a loader list - no module name is ever checked - so this only holds
/// where the target's PEB layout and module load order match the systems the
/// author tested on.
function Kernel32Handle(): HMODULE;
{$IFDEF CPUX64}
asm
  mov rbx,$60        // NOTE(review): rbx is non-volatile in the Win64 ABI and is not saved/restored here - confirm Delphi's x64 inline-asm rules
  mov rax,[gs:rbx]   // PEB (gs:[$60])
  mov rax,[rax+$18]  // PEB.Ldr
  mov rax,[rax+$30]  // first entry of the list head at Ldr+$30 (original comment: InLoadOrderModuleList.Blink; by the commonly published x64 _PEB_LDR_DATA layout this is the InInitializationOrderModuleList head - verify with dt _PEB_LDR_DATA)
  mov rax,[rax]      // next entry (original comment: kernelbase.dll)
  mov rax,[rax]      // next entry (original comment: kernel32.dll) - nothing verifies the name
  mov rax,[rax+$10]  // DllBase of that entry, offset relative to the link field this list threads through
end;
{$ELSE}
asm
  mov eax,[fs:$30]   // PEB
  mov eax,[eax+$C]   // PEB.Ldr
  mov eax,[eax+$C]   // Ldr.InLoadOrderModuleList.Flink (first entry)
  mov eax,[eax]      // next entry (original comment: kernelbase.dll; in load order this is presumably ntdll.dll - verify)
  mov eax,[eax]      // next entry (original comment: kernel32.dll) - nothing verifies the name
  mov eax,[eax+$18]  // DllBase, $18 past the entry's InLoadOrderLinks
end;
{$ENDIF}
一段在百度上找到的 Delphi 内嵌汇编代码
5 楼
非常感谢你的指点,刚才试了下,GetModulehandle得到的结果和那段汇编得到的基址是相同的,谢谢
6 楼
非常感谢大神的指点,按照你说的方法,GetModuleHandle获取到的结果跟我之前写的那个汇编获取到的基址是一致的!
7 楼
非常感谢大大神指点
8 楼
Win10 64 位下用上图的汇编获取地址，只能获取到后八位，前八位怎么获得？