Over Open Sights: PEB

PEB analysis is the most popular of all methods of determining the base load address. As you recall, the PEB (Process Environment Block) is an auxiliary data structure that, along with other useful information, contains the base addresses of all loaded modules.

This popularity is undeserved and hard to explain. After all, the PEB belongs to the internals of the Windows NT family, for which neither documentation nor include files are available; only the Microsoft kernel debugger reveals scattered pieces of information about it. This lack of documentation should make hackers prick up their ears: because the PEB is undocumented, its layout can change in any future Windows version, and such changes have already taken place multiple times. If it happens again, the example shown in Listing 11.8 will cease to work (incidentally, it works only under the Windows NT line and does not work under Windows 9x).

Listing 11.8: Determining the base address of kernel32.dll by analyzing PEB
 00000000: 33C0     XOR   EAX, EAX          ; EAX := 0
 00000002: B030     MOV   AL, 030           ; EAX := 30h
 00000004: 648B00   MOV   EAX, fs:[EAX]     ; PEB base
 00000007: 8B400C   MOV   EAX, [EAX][0000C] ; PEB_LDR_DATA
 0000000A: 8B401C   MOV   EAX, [EAX][0001C] ; First element of
                                            ; InInitOrderModuleList
 0000000D: AD       LODSD                   ; Next element
 0000000E: 8B4008   MOV   EAX, [EAX][00008] ; Base address of kernel32.dll

So decide whether you really need the PEB. Its only advantage is that it yields extremely compact code.
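The same fixed offsets that make the PEB walk so compact (fs:[30h], then +0Ch for PEB_LDR_DATA, then +1Ch for the module list) also make it easy to recognise in a byte stream, which is how scanners and memory-forensics tools flag position-independent code of this kind. The following Python example is added here and is not code from the book: it parses the opcode bytes out of a listing in the format of Listing 11.8, then scans a buffer for the FS-relative PEB read and for the two follow-up loads from the Ldr structure. The pattern set, the 32-byte look-ahead window and the sample buffers are constructed for the illustration and are not exhaustive.

```python
"""Signature-style detection of x86 code that walks the PEB to locate modules."""
import re

# Listing 11.8 as it appears on the page (constructed copy of its text).
LISTING_TEXT = """
 00000000: 33C0     XOR   EAX, EAX          ; EAX := 0
 00000002: B030     MOV   AL, 030           ; EAX := 30h
 00000004: 648B00   MOV   EAX, fs:[EAX]     ; PEB base
 00000007: 8B400C   MOV   EAX, [EAX][0000C] ; PEB_LDR_DATA
 0000000A: 8B401C   MOV   EAX, [EAX][0001C] ; First element of
                                            ; InInitOrderModuleList
 0000000D: AD       LODSD                   ; Next element
 0000000E: 8B4008   MOV   EAX, [EAX][00008] ; Base address of kernel32.dll
"""

# "<8-digit offset>: <hex bytes>" at the start of a line; continuation lines
# that only carry a comment have no offset and are skipped.
_LISTING_LINE = re.compile(r"(?im)^\s*[0-9A-F]{8}:\s+([0-9A-F]+)")


def bytes_from_listing(text: str) -> bytes:
    """Concatenate the opcode bytes of a disassembly listing into raw code."""
    return b"".join(bytes.fromhex(m.group(1)) for m in _LISTING_LINE.finditer(text))


# Ways of reading fs:[30h] (the PEB pointer in the TEB). Assumption: these three
# encodings are enough for the demonstration; real rule sets carry many more.
PEB_READ_PATTERNS = {
    # xor eax,eax / mov al,30h / mov eax,fs:[eax]  (the page's listing)
    "fs:[eax] with al=30h": re.compile(rb"\x33\xC0\xB0\x30\x64\x8B\x00", re.DOTALL),
    # mov eax, fs:[30h]  (moffs32 form)
    "mov eax,fs:[30h]": re.compile(rb"\x64\xA1\x30\x00\x00\x00", re.DOTALL),
    # mov r32, fs:[30h]  (ModRM mod=00 rm=101 disp32; any destination register)
    "mov r32,fs:[30h]": re.compile(
        rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00", re.DOTALL
    ),
}

# Loads that follow a PEB read when the code descends into the loader data.
LDR_FOLLOW_UPS = [
    (b"\x8B\x40\x0C", "mov eax,[eax+0Ch]  ; PEB.Ldr"),
    (b"\x8B\x40\x1C", "mov eax,[eax+1Ch]  ; Ldr.InInitializationOrderModuleList"),
]


def scan(buf: bytes, window: int = 32) -> list[dict]:
    """Return every PEB read in buf, with the Ldr loads seen shortly after it."""
    hits = []
    for name, pattern in PEB_READ_PATTERNS.items():
        for m in pattern.finditer(buf):
            tail = buf[m.end() : m.end() + window]
            follow = [desc for seq, desc in LDR_FOLLOW_UPS if seq in tail]
            hits.append({"offset": m.start(), "pattern": name, "ldr_walk": follow})
    return sorted(hits, key=lambda h: h["offset"])


def verdict(buf: bytes) -> str:
    """Collapse scan results into one label for triage."""
    hits = scan(buf)
    if not hits:
        return "clean"
    if any(h["ldr_walk"] for h in hits):
        return "peb-ldr-walk"   # PEB read followed by loader-list traversal
    return "peb-access"         # PEB read alone (also common in benign runtimes)


if __name__ == "__main__":
    code = bytes_from_listing(LISTING_TEXT)
    print(code.hex(" "))
    for hit in scan(code):
        print(hit)
    print("verdict:", verdict(code))
```

A bare fs:[30h] read is not suspicious by itself (language runtimes and anti-debug checks read the PEB too), so the verdict only escalates when the loader-list offsets appear close behind it; the offsets are those of the page's 32-bit listing and would need updating for other PEB layouts, which is exactly the fragility the text warns about.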



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164
