Exetools

General Discussion > Finding base address in a remote process (https://forum.exetools.com/showthread.php?t=11242)

yaa 11-01-2007 06:23

Finding base address in a remote process
 
Hello,

I was wondering how I can retrieve the base address of an external process. My need is to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

I imagine I could always do an OpenProcess on the remote process and then start reading its memory looking for the dos header structure or any well known sequence of bytes ....

Is there anything better than this approach to find the IAT in a remote/external process?

Thanks.


Regards,

zzsx 11-01-2007 08:02

You can use EnumProcessModules() to retrieve the existing modules in the remote process. The first module is the executable file.

taos 11-01-2007 16:09

Quote:

Originally Posted by yaa
I was wondering how I can retrieve the base address of an external process. My need is to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

Code:

#include <windows.h>

//
// Gets the address of the entry point routine given a
// handle to a process and its primary thread.
//
// 32-bit (x86) targets only: addresses are DWORDs and the TEB is
// located through the FS selector. TEB and PEB are the internal
// definitions (with Peb and ImageBaseAddress members) from an
// undocumented-structures header; the public winternl.h PEB keeps
// ImageBaseAddress in Reserved3[1].
//
DWORD GetProcessEntryPointAddress( HANDLE hProcess, HANDLE hThread )
{
    CONTEXT                 context;
    LDT_ENTRY               entry;
    TEB                     teb;
    PEB                     peb;
    SIZE_T                  read;
    DWORD                   dwFSBase;
    DWORD                   dwImageBase, dwOffset;
    DWORD                   dwOptHeaderOffset;
    IMAGE_OPTIONAL_HEADER32 opt;

    //
    // get the current thread context (the thread must be suspended
    // or stopped in the debugger for SegFs to be meaningful)
    //
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    if ( !GetThreadContext( hThread, &context ) )
        return 0;

    //
    // use the FS segment selector to get the linear base of the TEB
    //
    if ( !GetThreadSelectorEntry( hThread, context.SegFs, &entry ) )
        return 0;
    dwFSBase = ( entry.HighWord.Bits.BaseHi << 24 ) |
               ( entry.HighWord.Bits.BaseMid << 16 ) |
               ( entry.BaseLow );

    //
    // read the TEB, then the PEB from the location the TEB points at
    //
    if ( !ReadProcessMemory( hProcess, (LPCVOID)dwFSBase,
                             &teb, sizeof( TEB ), &read ) ||
         !ReadProcessMemory( hProcess, (LPCVOID)teb.Peb,
                             &peb, sizeof( PEB ), &read ) )
        return 0;

    //
    // figure out where the entry point is located: e_lfanew sits at
    // DOS header offset 0x3c, and the optional header follows the
    // 4-byte "PE\0\0" signature and the COFF file header
    //
    dwImageBase = (DWORD)peb.ImageBaseAddress;
    if ( !ReadProcessMemory( hProcess, (LPCVOID)( dwImageBase + 0x3c ),
                             &dwOffset, sizeof( DWORD ), &read ) )
        return 0;

    dwOptHeaderOffset = dwImageBase + dwOffset + 4 + sizeof( IMAGE_FILE_HEADER );
    if ( !ReadProcessMemory( hProcess, (LPCVOID)dwOptHeaderOffset,
                             &opt, sizeof( IMAGE_OPTIONAL_HEADER32 ), &read ) )
        return 0;

    return ( dwImageBase + opt.AddressOfEntryPoint );
}

More useful information:
http://www.codeproject.com/useritems/selfdel.asp
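Added example (my code, not from this thread): the same header walk taos' routine does with ReadProcessMemory, applied to a byte buffer so it runs anywhere; the buffer stands in for the bytes read from the module base that EnumProcessModules (zzsx) or the PEB gives you. Beyond the entry point it also pulls the import directory RVA, the starting point for the IAT yaa asked about, and it rejects truncated or malformed headers instead of reading past the buffer.

```c
#include <stdint.h>
#include <string.h>

/* What the header walk yields for an image mapped at some base address. */
typedef struct {
    uint32_t entry_rva;    /* AddressOfEntryPoint: base + entry_rva is the entry point */
    uint32_t import_rva;   /* import directory RVA; its descriptors lead to the IAT */
    uint32_t import_size;
    int      is_pe32plus;  /* 1 = PE32+ (64-bit image), 0 = PE32 */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* img/len: the first bytes of the image as copied from the module base
 * (ReadProcessMemory in the remote case).  Returns 0 on success, -1 if the
 * headers are malformed or truncated, so a bogus e_lfanew never reads past len. */
int pe_locate(const uint8_t *img, size_t len, pe_info *out)
{
    size_t e_lfanew, opt, dir;
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                          /* "MZ" */
    e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len - 26 || rd32(img + e_lfanew) != 0x00004550) return -1;  /* "PE\0\0" */
    if (rd16(img + e_lfanew + 20) < 96) return -1;                             /* SizeOfOptionalHeader */
    opt = e_lfanew + 4 + 20;                 /* signature + COFF file header, as in taos' code */
    uint16_t magic = rd16(img + opt);        /* optional header Magic */
    if (magic != 0x10B && magic != 0x20B) return -1;
    out->is_pe32plus = (magic == 0x20B);
    dir = opt + (out->is_pe32plus ? 112 : 96);   /* start of DataDirectory[] */
    if (dir + 16 > len || rd32(img + dir - 4) < 2) return -1;                 /* NumberOfRvaAndSizes */
    out->entry_rva   = rd32(img + opt + 16);
    out->import_rva  = rd32(img + dir + 8);  /* DataDirectory[1] = IMPORT */
    out->import_size = rd32(img + dir + 12);
    return 0;
}

/* Constructed sample: a minimal PE32 header, not taken from any real binary. */
void build_sample(uint8_t img[0x200])
{
    memset(img, 0, 0x200);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80);   /* "MZ", e_lfanew = 0x80 */
    wr32(img + 0x80, 0x00004550);                         /* "PE\0\0" */
    img[0x84] = 0x4C; img[0x85] = 0x01; img[0x94] = 0xE0; /* Machine = i386, SizeOfOptionalHeader = 224 */
    img[0x98] = 0x0B; img[0x99] = 0x01;                   /* Magic = PE32 */
    wr32(img + 0x98 + 16, 0x1000);                        /* AddressOfEntryPoint */
    wr32(img + 0x98 + 92, 16);                            /* NumberOfRvaAndSizes */
    wr32(img + 0x98 + 96 + 8, 0x2000); wr32(img + 0x98 + 96 + 12, 0x28); /* DataDirectory[1] RVA, Size */
}
```

In the remote case the import descriptors at base + import_rva are read the same way, each one naming the module and the FirstThunk RVA of its IAT slice.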

ahmadmansoor 11-02-2007 03:42

Nice one Taos. Is there code in VB6, please?
Many thanks to you ......

ricnar456 11-02-2007 17:46

GetModuleHandleA, I think, will be useful: look at when it is called and see in EAX the value when it returns from the API.

ricnar

yaa 11-03-2007 21:24

ricnar456, your post made me wonder: how can you discover if a routine is a function (thus returns a value) or a procedure (returns nothing)? Is there any way to understand it?

yaa

taos 11-04-2007 01:38

Simple, look at API prototypes. GetModuleHandleA is an API function.

yaa 11-05-2007 02:05

taos :D :D :D

the meaning of my question was, if there is a way, at runtime, to discover if a routine is a function or a procedure. My knowledge of assembly is really lousy but I can't find any clue to answer my question based on registers or flags. I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?


yaa

taos 11-05-2007 04:23

Quote:

Originally Posted by yaa
I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?

Not exactly: any procedure must push all generic registers and pop them before returning, so if they are procedures you must have the same values in the generic registers (EAX, EDX, etc.) but not in the stack register and others.

It's easier to test it: use the Sleep procedure API (Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)) and the MessageBeep API function (Declare Function MessageBeep Lib "user32.dll" (ByVal wType As Long) As Long) in a simple asm program. Debug with Olly and follow the generic registers before and after the Sleep and MessageBeep APIs.

yaa 11-05-2007 06:12

I tested this in a small C app, with a function that returns a value and one that returns void. I can't in any way distinguish the two cases. Btw, EAX is not among the registers whose values a C program expects each routine to maintain, so ...

yaa

Nacho_dj 11-05-2007 07:17

In fact, in assembler instructions it is quite difficult to decide if you are facing a procedure or a function.

But you could follow this approach: if the EAX value after the return of the CALL is used immediately in the code, it should be a function, and if the EAX value is ignored after that return, you could think of it as a procedure...

Normally, this should work if you are reversing code to a higher level of programming.

Cheers

Nacho_dj

yaa 11-05-2007 07:40

Yes, if the application is written in a high level language ... but if it is not ...

yaa

