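;'search2' version 28.05.1999 by anarchriz (copyright (c) all rights reserved)
;This test program looks up the base address (or modhandle or hinstance) of
; kernel32.dll without calling any imported function.
;It uses the address of any random from kernel32 imported function to find the
; base address. Because of the possibility of a page fault when searching in
; memory, i had to implement SEH.
;TO DO : implement GetProcAddress
;
;Syntax/target: TASM (MASM-compatible) syntax, 32-bit x86, Win32 flat model.
; Register use inside this file is ad hoc and documented per routine; only
; the two imported Win32 calls use StdCall.
;
;Review notes - fixes relative to the original listing:
; - SearchModuleHandle set DF (std) and never cleared it, and on its
;   not-found path returned with the SEH frame still linked in fs:[0] and
;   8 bytes still on the stack. Both paths now leave through one exit that
;   unlinks the frame and restores DF.
; - ExceptionHandler read EIP through an undocumented offset from the
;   EXCEPTION_RECORD. It now uses the documented handler arguments
;   ([esp+4] = EXCEPTION_RECORD, [esp+12] = CONTEXT, CONTEXT.Eip = 0B8h),
;   ignores unwind passes and only redirects faults raised inside the scan.
; - SearchK32dll compared the DLL name case-sensitively and used
;   OriginalFirstThunk as the terminator; it now folds case and stops on a
;   zero Name RVA.
; - Zero-count guards (HexToAscii with ecx=0, SearchImport with 0 sections,
;   scan count exhausted) and result checks after SearchImport/SearchK32dll,
;   which previously dereferenced a 0 result.
; - msgFoundOffset line break was LF,CR; now CR,LF.

.386P
Locals
jumps
.Model Flat, StdCall

MB_OK                   equ 0                   ;MessageBox style: OK button only
NULL_HWND               equ 0                   ;no owner window

;SEH / CONTEXT constants (Win32 x86)
STATUS_ACCESS_VIOLATION equ 0C0000005h
EXCEPTION_UNWINDING     equ 2                   ;EXCEPTION_RECORD.ExceptionFlags bits
EXCEPTION_EXIT_UNWIND   equ 4
CONTEXT_EIP             equ 0B8h                ;offset of Eip inside an x86 CONTEXT
EXCEPTION_CONTINUE_EXECUTION equ 0              ;EXCEPTION_DISPOSITION values
EXCEPTION_CONTINUE_SEARCH    equ 1

;PE layout constants
MZ_LFANEW               equ 3Ch                 ;IMAGE_DOS_HEADER.e_lfanew
PE_NUM_SECTIONS         equ 6                   ;IMAGE_FILE_HEADER.NumberOfSections (from "PE\0\0")
PE_SIZEOF_OPTHDR        equ 20                  ;IMAGE_FILE_HEADER.SizeOfOptionalHeader
PE_FILE_HEADER_SIZE     equ 24                  ;signature (4) + IMAGE_FILE_HEADER (20)
SECTION_HEADER_SIZE     equ 28h                 ;sizeof IMAGE_SECTION_HEADER
SECTION_VIRTUAL_ADDRESS equ 12                  ;IMAGE_SECTION_HEADER.VirtualAddress
IMPORT_DESC_SIZE        equ 20                  ;sizeof IMAGE_IMPORT_DESCRIPTOR
IMPORT_DESC_FORWARDER   equ 8                   ;IMAGE_IMPORT_DESCRIPTOR.ForwarderChain
IMPORT_DESC_NAME        equ 12                  ;IMAGE_IMPORT_DESCRIPTOR.Name (RVA)
IMPORT_DESC_FIRSTTHUNK  equ 16                  ;IMAGE_IMPORT_DESCRIPTOR.FirstThunk (RVA)
SCAN_MAX_WORDS          equ 40000000h           ;upper bound on words scanned (the original's count)

extrn ExitProcess : PROC                        ;procedure to shut down a process
extrn MessageBoxA : PROC                        ;procedure to show a MessageBox

.Data
msgFound            db 'Kernel32 found at offset: 0x'
msgFoundOffset      db 'xxxxxxxx ', 13, 10      ;8 hex digits patched in by HexToAscii
                    db 'ModHandle in import table: 0x'
msgFoundOffset2     db 'xxxxxxxx ', 0
caption             db 'Kernel32 lookup', 0
asciiHex            db '0123456789ABCDEF'       ;lookup table for HexToAscii (moved out of .Code)

thisModuleHandle    dd ?                        ;base (MZ header) of this executable
thisPEoffset        dd ?                        ;address of this executable's PE header
thisSectionTable    dd ?                        ;address of its section table
thisImportSection   dd ?                        ;VA of its .idata section
thisK32dll          dd ?                        ;IMAGE_IMPORT_DESCRIPTOR for kernel32
kernel32ModHandle   dd ?                        ;base of kernel32.dll found by the scan
kernel32ModHandle2  dd ?                        ;ForwarderChain of that descriptor (see below)

.Code
start:
        ;Pass 1: find this executable's own MZ header, starting the downward
        ; scan from an address inside this code section (the return address
        ; pushed by the call below).
        call    getDelta
getDelta:
        pop     ebp                             ;ebp = address of getDelta
        mov     eax, ebp
        and     eax, not 1                      ;word-align the scan start for scasw
        call    SearchModuleHandle
        test    eax, eax
        jz      nothingFound
        mov     [thisModuleHandle], eax
        mov     [thisPEoffset], edi

        ;Walk the PE header to the section table:
        ; section table = PE + 24 + SizeOfOptionalHeader
        mov     eax, edi
        movzx   ecx, word ptr [eax + PE_NUM_SECTIONS]     ;ecx = number of sections
        movzx   ebx, word ptr [eax + PE_SIZEOF_OPTHDR]
        add     eax, ebx
        add     eax, PE_FILE_HEADER_SIZE        ;eax = section table
        mov     [thisSectionTable], eax
        call    SearchImport
        test    eax, eax                        ;no .idata section -> nothing to do
        jz      nothingFound
        mov     [thisImportSection], eax

        mov     edi, [thisModuleHandle]
        call    SearchK32dll
        test    eax, eax                        ;kernel32 not in the import table
        jz      nothingFound
        mov     [thisK32dll], eax
        ;The original displays ForwarderChain as the "ModHandle in import
        ; table" (the author's own theory). ForwarderChain is documented as
        ; the index of the first forwarder reference (-1 if none); the value
        ; is shown unchanged, but do not rely on it being a module handle.
        mov     esi, [eax + IMPORT_DESC_FORWARDER]
        mov     [kernel32ModHandle2], esi

        ;First IAT slot of the kernel32 descriptor: once the image is loaded
        ; it holds the address of some kernel32 function, i.e. an address
        ; inside kernel32's mapping.
        mov     eax, [eax + IMPORT_DESC_FIRSTTHUNK]
        add     eax, edi
        mov     eax, [eax]
        test    eax, eax
        jz      nothingFound
        and     eax, not 1                      ;word-align the scan start
        call    SearchModuleHandle              ;pass 2: MZ header containing that address
        test    eax, eax
        jz      nothingFound
        mov     [kernel32ModHandle], eax

        ;Patch both hex fields of the message and show it.
        mov     edx, offset msgFoundOffset
        mov     ecx, 8
        call    HexToAscii
        mov     eax, [kernel32ModHandle2]
        mov     edx, offset msgFoundOffset2
        mov     ecx, 8
        call    HexToAscii

        push    MB_OK
        push    offset caption
        push    offset msgFound
        push    NULL_HWND
        call    MessageBoxA
exit:
        push    0
        call    ExitProcess                     ;End (exit) program
nothingFound:
        jmp     exit                            ;silent exit, as in the original

;-----------------------------------------------------------------------
; HexToAscii - write the low ecx hex digits of eax, upper case, most
; significant digit first, into the buffer at ds:edx.
; In:    eax = value to convert
;        ecx = number of characters (1..8)
;        ds:edx = buffer of at least ecx bytes (no terminator is written)
; Out:   nothing
; Clobb: eax, ecx, flags (ebx preserved)
; Note:  ecx = 0 now writes nothing; the original decremented first and
;        would have written below the buffer and looped ~4G times.
;-----------------------------------------------------------------------
HexToAscii proc
        push    ebx
        jecxz   hexToAsciiDone
hexToAsciiLoop:
        dec     ecx                             ;ecx = index of the digit being written
        mov     ebx, eax
        and     ebx, 0Fh                        ;low nibble
        mov     bl, [asciiHex + ebx]
        mov     [edx + ecx], bl
        shr     eax, 4
        test    ecx, ecx
        jnz     hexToAsciiLoop
hexToAsciiDone:
        pop     ebx
        ret
HexToAscii endp

;-----------------------------------------------------------------------
; SearchModuleHandle - scan downward from eax for an "MZ" word whose
; e_lfanew points at a "PE\0\0" signature.
; In:    eax = start address (even)
; Out:   eax = address of the MZ header, 0 when not found
;        edi = address of the PE header (undefined when eax = 0)
; Clobb: eax, edi, flags; DF is cleared on return
; SEH:   a frame is linked for the duration of the scan. ExceptionHandler
;        retries the scan when a header probe (the two labelled loads)
;        faults, and aborts to searchModuleHandleNotFound when the scan
;        itself walks off mapped memory. Both outcomes leave through
;        searchModuleHandleExit, which unlinks the frame; the original's
;        not-found path skipped the unlink and left 8 bytes on the stack.
; Stack: 16 bytes (2 saved registers + 2-dword SEH frame)
;-----------------------------------------------------------------------
SearchModuleHandle proc
        push    ecx
        push    esi
        push    offset ExceptionHandler
        push    dword ptr [fs:0]
        mov     [fs:0], esp                     ;link SEH frame
        mov     edi, eax
        mov     eax, 'ZM'                       ;ax = "MZ" in memory order (full-width mov, no partial write)
        mov     ecx, SCAN_MAX_WORDS
        std                                     ;scan downward
searchModuleHandleLoop:                         ;ExceptionHandler resumes here on a retry
        jecxz   searchModuleHandleNotFound      ;count exhausted (rep with ecx=0 would not touch ZF)
        repne   scasw                           ;stops with edi 2 bytes below a match, or ecx = 0
        jne     searchModuleHandleNotFound      ;ran out of count without a match
searchModuleHandleReadLfanew:
        mov     esi, [edi + 2 + MZ_LFANEW]      ;candidate e_lfanew (may fault -> retry)
searchModuleHandleCmpAddr:
        cmp     dword ptr [edi + esi + 2], 'EP' ;"PE\0\0" at MZ + e_lfanew ? (may fault -> retry)
        jne     searchModuleHandleLoop
        add     edi, 2                          ;edi = MZ header
        mov     eax, edi
        add     edi, esi                        ;edi = PE header
        jmp     searchModuleHandleExit
searchModuleHandleNotFound:                     ;also the abort target set by ExceptionHandler
        xor     eax, eax
searchModuleHandleExit:
        cld                                     ;restore the ABI-expected direction flag
        pop     dword ptr [fs:0]                ;unlink SEH frame
        add     esp, 4                          ;drop handler address
        pop     esi
        pop     ecx
        ret
SearchModuleHandle endp

;-----------------------------------------------------------------------
; ExceptionHandler - SEH handler installed by SearchModuleHandle.
; Args (cdecl, on the stack):
;        [esp+4]  EXCEPTION_RECORD*   (ExceptionCode at +0, ExceptionFlags at +4)
;        [esp+8]  establisher frame
;        [esp+12] CONTEXT*            (Eip at CONTEXT_EIP)
;        [esp+16] dispatcher context
; Out:   eax = EXCEPTION_CONTINUE_EXECUTION after patching CONTEXT.Eip,
;        EXCEPTION_CONTINUE_SEARCH for anything this handler does not own
; Clobb: eax, edx, flags
; Policy: unwind passes and non-access-violation codes are passed on.
;        An access violation at one of the two header probes resumes the
;        scan at searchModuleHandleLoop (ecx/edi in the CONTEXT are left
;        as they were, so the scan simply continues below the candidate).
;        Any other access violation inside SearchModuleHandle (typically
;        repne scasw walking below mapped memory) resumes at
;        searchModuleHandleNotFound, which unlinks the frame and returns 0.
;        Faults whose EIP lies outside SearchModuleHandle are passed on.
;-----------------------------------------------------------------------
ExceptionHandler proc
        mov     eax, [esp + 4]                  ;EXCEPTION_RECORD
        test    dword ptr [eax + 4], EXCEPTION_UNWINDING or EXCEPTION_EXIT_UNWIND
        jnz     continueSearch                  ;unwind pass: nothing to do
        cmp     dword ptr [eax], STATUS_ACCESS_VIOLATION
        jne     continueSearch
        mov     eax, [esp + 12]                 ;CONTEXT
        mov     edx, [eax + CONTEXT_EIP]        ;faulting EIP
        cmp     edx, offset SearchModuleHandle  ;only handle faults raised inside the scan routine
        jb      continueSearch
        cmp     edx, offset searchModuleHandleNotFound
        jae     continueSearch
        cmp     edx, offset searchModuleHandleReadLfanew
        je      exceptionHandlerRetry
        cmp     edx, offset searchModuleHandleCmpAddr
        je      exceptionHandlerRetry
        mov     dword ptr [eax + CONTEXT_EIP], offset searchModuleHandleNotFound
        jmp     continueExecution
exceptionHandlerRetry:
        mov     dword ptr [eax + CONTEXT_EIP], offset searchModuleHandleLoop
continueExecution:
        mov     eax, EXCEPTION_CONTINUE_EXECUTION
        ret
continueSearch:
        mov     eax, EXCEPTION_CONTINUE_SEARCH
        ret
ExceptionHandler endp

;-----------------------------------------------------------------------
; SearchImport - find the section named ".idata" in the section table.
; In:    eax = address of the section table
;        ecx = number of sections
; Out:   eax = VA of the import section (VirtualAddress + thisModuleHandle),
;        0 when no ".idata" section exists
; Clobb: eax, ecx, flags
; Note:  locating the import directory by section name is fragile - the
;        linker may place it in another section (e.g. .rdata). The import
;        data directory in the optional header is the authoritative source;
;        the name search is kept as the original author wrote it.
;-----------------------------------------------------------------------
SearchImport proc
        jecxz   searchImportNotFound            ;0 sections: the original's loop would wrap ecx
searchImportLoop:
        cmp     dword ptr [eax], 'adi.'         ;".ida" in memory order
        jne     searchImportNext
        cmp     word ptr [eax + 4], 'at'        ;"ta"
        je      searchImportFound
searchImportNext:
        add     eax, SECTION_HEADER_SIZE
        dec     ecx
        jnz     searchImportLoop
searchImportNotFound:
        xor     eax, eax
        ret
searchImportFound:
        mov     eax, [eax + SECTION_VIRTUAL_ADDRESS]
        add     eax, [thisModuleHandle]         ;RVA -> VA
        ret
SearchImport endp

;-----------------------------------------------------------------------
; SearchK32dll - find the IMAGE_IMPORT_DESCRIPTOR whose Name starts with
; "KERNEL32" (compared case-insensitively).
; In:    eax = import directory (VA)
;        edi = module base (for RVA -> VA)
; Out:   eax = address of the descriptor, 0 when not found
; Clobb: eax, flags (edx, esi preserved)
; Note:  the table ends with an all-zero descriptor. Name is tested as the
;        terminator rather than OriginalFirstThunk because some linkers
;        emit real descriptors with OriginalFirstThunk = 0.
;-----------------------------------------------------------------------
SearchK32dll proc
        push    esi
        push    edx
searchK32dllLoop:
        mov     esi, [eax + IMPORT_DESC_NAME]   ;RVA of the DLL name
        test    esi, esi
        jz      searchK32dllNotFound            ;terminating descriptor
        mov     edx, [edi + esi]
        or      edx, 20202020h                  ;fold ASCII letters to lower case
        cmp     edx, 'nrek'                     ;"kern" in memory order
        jne     searchK32dllNext
        mov     edx, [edi + esi + 4]
        or      edx, 20202020h
        cmp     edx, '23le'                     ;"el32" (digits are unchanged by the fold)
        je      searchK32dllReturn
searchK32dllNext:
        add     eax, IMPORT_DESC_SIZE           ;next IMAGE_IMPORT_DESCRIPTOR
        jmp     searchK32dllLoop
searchK32dllNotFound:
        xor     eax, eax
searchK32dllReturn:
        pop     edx
        pop     esi
        ret
SearchK32dll endp

;Parameters: eax ModuleHandle
;Returns:    eax addr of edata
GetExportSection proc
        ret                                     ;yet to implement
GetExportSection endp

;Parameters: eax Pointer to name of function
;            ebx ModuleHandle (base addr)
;            ecx addr of edata of module
;Returns:    eax addr of function
GetProcAddress proc
        ret                                     ;yet to implement
GetProcAddress endp

end start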