 eXeL@B —› WorldWide —› Image base address of foreign exe/dll or WTF?

#1 · tguglanaklona · Rank: 1.6 (guest) · Status: Member · Posted: 19 September 2012 15:39

I have a foreign process (the exe file DllProj.exe is running) that has SampleDll.dll linked to it (implicit linking). I can find the base address of the linked DLL with the help of my function imageBase(), but not the base address of the process itself! What is the difference, and why isn't it working as is?

I mean, this code returns pBase with correct DOS/NT headers:
Code:
    LPVOID pBase = imageBase("DllProj.exe", "SampleDll.dll");
    if (!pBase) return false;
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase; // dereferenced in the calling process's own address space
    if (::IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ||
        IMAGE_DOS_SIGNATURE != pDosHeader->e_magic)
        return false;

but with this code the return is false:
Code:
    LPVOID pBase = imageBase("DllProj.exe", "DllProj.exe");
    // and so on...

Here is my procedure:
Code:
  1.     LPVOID imageBase(LPSTR szVictimProcess, LPSTR szVictim)
  2.     {
  3.         // find the process szVictimProcess
  4.         DWORD aProcesses[1024], cbNeeded, nProcesses;
  5.         unsigned int i;
  6.         void shortName(LPSTR); // poster's helper (shown later in the thread): strips the directory from a path
  7.         if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
  8.             return NULL;
  9.         nProcesses = cbNeeded / sizeof(DWORD);
  10.  
  11.         HANDLE ProcHandle = 0;
  12.         char szProcessName[MAX_PATH] = "<unknown>"; // ANSI buffer, to match lstrcmpiA below
  13.         for (i = 0; i < nProcesses; i++)
  14.         {
  15.             ProcHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
  16.  
  17.             if (NULL != ProcHandle) 
  18.             {
  19.                 HMODULE hMod[1024];
  20.                 if ( EnumProcessModules(ProcHandle, hMod, sizeof(hMod), &cbNeeded) )
  21.                 {
  22.                     GetModuleBaseNameA(ProcHandle, hMod[0], szProcessName, sizeof(szProcessName)); // hMod[0] is the main executable: get the process name
  23.                     if (0 == lstrcmpiA(szVictimProcess, szProcessName))
  24.                     {
  25.                         // find the module szVictim
  26.                         DWORD nModules = cbNeeded / sizeof(HMODULE);
  27.                         char szModName[MAX_PATH];
  28.                         for (unsigned int j = 0; j < nModules; j++)
  29.                         {
  30.                             if (GetModuleFileNameExA(ProcHandle, hMod[j], szModName, sizeof(szModName))) // Get the module's full path
  31.                             {
  32.                                 shortName(szModName);
  33.                                 if (0 == lstrcmpiA(szModName, szVictim)) 
  34.                                 {
  35.                                     MODULEINFO info;
  36.                                     GetModuleInformation(ProcHandle, hMod[j], &info, sizeof(info));
  37.                                     LPVOID base = info.lpBaseOfDll; // an address in the victim's address space, not ours
  38.                                     //Equal To: hMod[j]
  39.                                     CloseHandle(ProcHandle);        // don't leak the handle on the early return
  40.                                     return base;
  41.  
  42.                                     //Debug:
  43.                                     //LPSTR string = new char[256];
  44.                                     //wsprintf(string,"\t%s (0x%08X)\n", szModName, hMod[j]);
  45.                                 }
  46.                             }
  47.                         }
  48.                         CloseHandle(ProcHandle); return NULL; // process found, but the module is not loaded in it
  49.                     }
  50.                 }
  51.             }
  52.  
  53.             if (ProcHandle) CloseHandle(ProcHandle);
  54.         }
  55.  
  56.         return NULL;
  57.     }

P.S.: My next goal is to get the import table of DllProj.exe (where SampleDll.dll is) and hijack the DLL's function call.


#2 · HandMill · Rank: 222.3 (mentor) · Status: Member · Posted: 19 September 2012 15:49

You can find the base address of a loaded module more easily:

GetModuleHandle(TEXT("SampleDll.dll")) - you will find the base of loaded DLL file
GetModuleHandle(NULL) - you will find the base of main executable file


#3 · ajax (born to be evil) · Rank: 327.6 (sage) · Status: Member · Posted: 19 September 2012 16:03

HandMill
tguglanaklona writes:
I have a foreign process

#4 · tomac · Rank: 65.3 (regular) · Status: Member · Posted: 19 September 2012 19:25

Isn't the process started as suspended and scanned before resuming?
If not, try to debug this line:
32. shortName(szModName);
and look at which modules it actually enumerates. Maybe shortName does not handle exe files properly.
Basically, the function is not intended to find the process base address; it uses APIs that are designed to enumerate DLLs. For instance, MSDN claims that you should pass NULL as the module handle to GetModuleFileNameEx in order to obtain the main executable's file name.
You can modify the function to try sending NULL as the module handle.

#6 · tguglanaklona · Rank: 1.6 (guest) · Status: Member · Posted: 19 September 2012 20:06

HandMill writes:
You can more easy find base address of loaded module:

GetModuleHandle(TEXT("SampleDll.dll")) - you will find the base of loaded DLL file
GetModuleHandle(NULL) - you will find the base of main executable file


No, it's not my process, but another program's (the victim's) process. And it states that GetModuleHandle(NULL) returns a handle to the file used to create the calling process... Or there's something I can't understand.

ajax writes:
HandMill
tguglanaklona writes:
I have a foreign process


Yyyyyyes))

tomac writes:
32. shortName(szModName);


short name - it's my function, its return is OK:

#include <string>

void shortName(LPSTR strToChange)
{
    std::string path(strToChange);
    std::string filename;

    size_t pos = path.find_last_of("\\"); // last backslash: everything after it is the file name
    if (pos != std::string::npos)
        filename.assign(path.begin() + pos + 1, path.end());
    else
        filename = path;

    lstrcpyA(strToChange, filename.c_str()); // c_str() guarantees NUL termination
}

Also (see the program listing)

GetModuleFileNameEx(ProcHandle, hMod[j], szModName, sizeof(szModName))) // Get the module name

returns the correct name of the victim exe file. Perhaps some shifting inside??? I understand nothing - there is nothing left in my head. Please help me: what should I do? Must it work as an idea, or is something wrong 'ideologically'?

#7 · tguglanaklona · Rank: 1.6 (guest) · Status: Member · Posted: 19 September 2012 20:08

tomac writes:
You can modify the function to try and send NULL as the module handle.


If I send NULL, and use not the victim but my own process, everything is OK!


#8 · HandMill · Rank: 222.3 (mentor) · Status: Member · Posted: 19 September 2012 20:25

So, maybe this example will help you: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686701(v=vs.85).aspx
Look at MODULEENTRY32.modBaseAddr.
When you list all the modules, you will also list the main process module (the exe).

#9 · tomac · Rank: 65.3 (regular) · Status: Member · Posted: 20 September 2012 00:36

HandMill
EnumProcessModules effectively uses CreateToolhelp32Snapshot. I do not think it will be much different from the solution used.

tguglanaklona
What if you send NULL as the module handle for the foreign process? Does it work?

A few days ago I was solving a similar problem: I needed to inject a library into another process. But I created the process suspended, and it was impossible to get module info using CreateToolhelp32Snapshot for this process. You did not reply whether you create the process suspended and do not resume it before analyzing.


tguglanaklona writes:
short name - it's my function, its return is OK:


I advised you to debug this line, not the function. Toggle a breakpoint at this line and look at what names the program iterates through. If the exe file name is not there, something's wrong with EnumProcessModules; consider using CreateToolhelp32Snapshot. If the exe file name is there, something is wrong elsewhere, maybe in GetModuleInformation. Consider using CreateToolhelp32Snapshot, again.


#10 · ajax (born to be evil) · Rank: 327.6 (sage) · Status: Member · Posted: 20 September 2012 11:28 · edited by ajax

tguglanaklona
Check --> Link <--. Delphi code, but easy to port to C:
function LoadedModulesList(const List: TStrings; ProcessID: DWORD; HandlesOnly: Boolean): Boolean;

#11 · tguglanaklona · Rank: 1.6 (guest) · Status: Member · Posted: 22 September 2012 18:20

tomac writes:
A few days ago I was solving a similar problem, I needed to inject a library into another process. But I created the process as suspended, and it was impossible to get modules info using CreateToolhelp32Snapshot for this process. You did not reply whether you create the process suspended and do not resume it before analyzing.


I think that is the reason; I had already come to the same thought. And the exe file name and the image base address are really correct (I've caught it with a NULL handle), but this
tguglanaklona writes:
::IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ||
        IMAGE_DOS_SIGNATURE != pDosHeader->e_magic

is not.

Perhaps the real possibility for the running exe process is to make an assembler insertion, isn't it?

Anyway, I'll go on analysing it further.
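The last observation above (the base address is right, yet the DOS-header check fails) and the "next goal" from the first post (walking DllProj.exe's import table to hijack a SampleDll.dll call) come down to the same point: the value that EnumProcessModules / GetModuleInformation (or MODULEENTRY32.modBaseAddr from the Toolhelp example linked in #8) reports is an address inside the target process. IsBadReadPtr and pDosHeader->e_magic evaluated in the caller inspect the caller's own address space at that number, so the headers first have to be copied out with ReadProcessMemory and validated on the copy. The C below is an added example, not code from this thread or from its participants: it parses a mapped PE image from a byte buffer with bounds checks on every untrusted offset, handles PE32 and PE32+ and ordinal imports (more than the 32-bit by-name case the thread discusses), and returns the RVA of the IAT slot through which the image calls dll!func. The in-memory sample image, the names SampleDll.dll/Foo/Bar, and the functions pe_parse, pe_find_iat_slot, build_sample_image and read_remote_image are all mine; the Windows reader compiles only under _WIN32.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked little-endian read of n bytes at `off`. The image was
 * copied out of another process, so every offset inside it is untrusted. */
static int rdn(const uint8_t *img, size_t len, uint64_t off, unsigned n, uint64_t *out) {
    if (off > len || len - off < n) return 0;          /* overflow-safe: no off + n */
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v |= (uint64_t)img[off + i] << (8 * i);
    *out = v;
    return 1;
}

/* NUL-terminated string that lies fully inside the buffer, or NULL. */
static const char *str_at(const uint8_t *img, size_t len, uint64_t off) {
    if (off >= len || !memchr(img + off, 0, len - (size_t)off)) return NULL;
    return (const char *)img + off;
}

static int ieq(const char *a, const char *b) {        /* case-insensitive, like lstrcmpi */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

typedef struct { int is64; uint32_t size_of_image, import_rva, import_size; } pe_info;

/* Validate the DOS/NT headers of a *mapped* image (RVA == offset from base,
 * which is how the module sits in the target process) and locate the import
 * directory. Accepts PE32 (0x10B) and PE32+ (0x20B). */
int pe_parse(const uint8_t *img, size_t len, pe_info *pi) {
    uint64_t mz, lfanew, sig, magic, v;
    if (!rdn(img, len, 0, 2, &mz) || mz != 0x5A4D) return 0;              /* "MZ" */
    if (!rdn(img, len, 60, 4, &lfanew)) return 0;                          /* e_lfanew */
    if (!rdn(img, len, lfanew, 4, &sig) || sig != 0x00004550) return 0;   /* "PE\0\0" */
    uint64_t opt = lfanew + 4 + 20;                                        /* skip IMAGE_FILE_HEADER */
    if (!rdn(img, len, opt, 2, &magic)) return 0;
    if (magic == 0x10B) pi->is64 = 0; else if (magic == 0x20B) pi->is64 = 1; else return 0;
    if (!rdn(img, len, opt + 56, 4, &v)) return 0;  pi->size_of_image = (uint32_t)v;
    if (!rdn(img, len, opt + (pi->is64 ? 108 : 92), 4, &v) || v < 2) return 0; /* NumberOfRvaAndSizes */
    uint64_t dir = opt + (pi->is64 ? 112 : 96) + 8;                        /* DataDirectory[IMPORT] */
    if (!rdn(img, len, dir, 4, &v)) return 0;      pi->import_rva = (uint32_t)v;
    if (!rdn(img, len, dir + 4, 4, &v)) return 0;  pi->import_size = (uint32_t)v;
    return 1;
}

/* RVA of the IAT slot through which the image calls dll!func, or 0 if func is
 * not imported by name. base + RVA in the target process holds the pointer the
 * loader resolved, i.e. the word an IAT hook overwrites. */
uint32_t pe_find_iat_slot(const uint8_t *img, size_t len, const char *dll, const char *func) {
    pe_info pi;
    if (!pe_parse(img, len, &pi) || pi.import_rva == 0) return 0;
    unsigned tsz = pi.is64 ? 8 : 4;
    uint64_t ord_flag = pi.is64 ? (1ULL << 63) : (1ULL << 31);
    for (uint64_t d = pi.import_rva; ; d += 20) {      /* IMAGE_IMPORT_DESCRIPTOR is 20 bytes */
        uint64_t oft, name_rva, ft;
        if (!rdn(img, len, d, 4, &oft) || !rdn(img, len, d + 12, 4, &name_rva) ||
            !rdn(img, len, d + 16, 4, &ft)) return 0;
        if (name_rva == 0 && ft == 0) return 0;          /* all-zero terminator: DLL not imported */
        const char *name = str_at(img, len, name_rva);
        if (!name || !ieq(name, dll)) continue;
        uint64_t int_rva = oft ? oft : ft;               /* no INT: names live in the IAT (old linkers) */
        for (uint64_t i = 0; ; i++) {
            uint64_t thunk;
            if (!rdn(img, len, int_rva + i * tsz, tsz, &thunk) || thunk == 0) return 0;
            if (thunk & ord_flag) continue;              /* import by ordinal: no name to match */
            const char *fn = str_at(img, len, thunk + 2); /* IMAGE_IMPORT_BY_NAME: Hint, then Name */
            if (fn && strcmp(fn, func) == 0) return (uint32_t)(ft + i * tsz);
        }
    }
}

static void put(uint8_t *b, size_t off, uint64_t v, unsigned n) {
    for (unsigned i = 0; i < n; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed fixture, not a real binary: a 1 KiB PE32 image whose import
 * table names SampleDll.dll with Foo, Bar and ordinal #5, as the loader would
 * have mapped it. Returns the image length. */
#define SAMPLE_LEN 0x400
size_t build_sample_image(uint8_t *b) {
    memset(b, 0, SAMPLE_LEN);
    memcpy(b, "MZ", 2);  put(b, 60, 0x40, 4);                          /* e_lfanew -> NT headers at 0x40 */
    memcpy(b + 0x40, "PE\0\0", 4);
    put(b, 0x44, 0x14C, 2); put(b, 0x54, 0xE0, 2);                     /* Machine i386, SizeOfOptionalHeader */
    put(b, 0x58, 0x10B, 2);                                            /* optional header: PE32 */
    put(b, 0x58 + 56, SAMPLE_LEN, 4);                                  /* SizeOfImage */
    put(b, 0x58 + 92, 16, 4);                                          /* NumberOfRvaAndSizes */
    put(b, 0x58 + 96 + 8, 0x200, 4); put(b, 0x58 + 96 + 12, 40, 4);    /* import directory RVA/size */
    put(b, 0x200, 0x280, 4); put(b, 0x20C, 0x240, 4); put(b, 0x210, 0x300, 4); /* OFT, Name, FirstThunk */
    memcpy(b + 0x240, "SampleDll.dll", 14);
    put(b, 0x280, 0x2A0, 4); put(b, 0x284, 0x2A8, 4); put(b, 0x288, 0x80000005u, 4); /* INT, then 0 */
    memcpy(b + 0x2A2, "Foo", 4); memcpy(b + 0x2AA, "Bar", 4);          /* 2-byte Hint precedes each name */
    put(b, 0x300, 0x10001000, 4); put(b, 0x304, 0x10002000, 4); put(b, 0x308, 0x10003000, 4); /* IAT */
    return SAMPLE_LEN;
}

#ifdef _WIN32
#include <windows.h>
/* Copy a module's mapped image out of another process. `base` is what
 * EnumProcessModules / GetModuleInformation reported for that process; it is
 * only meaningful in *that* address space, hence ReadProcessMemory. */
uint8_t *read_remote_image(HANDLE proc, const void *base, size_t *out_len) {
    uint8_t hdr[0x1000]; SIZE_T n; pe_info pi;
    if (!ReadProcessMemory(proc, base, hdr, sizeof hdr, &n) || !pe_parse(hdr, (size_t)n, &pi)) return NULL;
    if (pi.size_of_image < sizeof hdr) return NULL;
    uint8_t *img = (uint8_t *)malloc(pi.size_of_image);
    if (!img || !ReadProcessMemory(proc, base, img, pi.size_of_image, &n)) { free(img); return NULL; }
    *out_len = (size_t)n;
    return img;
}
#endif
```

On Windows the flow is: OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, take the base from imageBase() above (or the first MODULEENTRY32.modBaseAddr, which is the exe), call read_remote_image, then pe_find_iat_slot(img, len, "SampleDll.dll", "Foo"). The DOS-header check from the first post belongs on that copied buffer, which is exactly what pe_parse does. The hook itself is a VirtualProtectEx plus a WriteProcessMemory of one pointer-sized value at base + RVA; the example stops short of that step.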