ULONG Win32ClientInfo[62]; /* 6CCh */ PVOID glDispatchTable[0xE9]; /* 7C4h */ ULONG glReserved1[0x1D]; /* B68h */ PVOID glReserved2; /* BDCh */ PVOID glSectionInfo; /* BE0h */ PVOID glSection; /* BE4h */ PVOID glTable; /* BE8h */ PVOID glCurrentRC; /* BECh */ PVOID glContext; /* BF0h */ NTSTATUS LastStatusValue; /* BF4h */ UNICODE_STRING StaticUnicodeString; /* BF8h */ WCHAR StaticUnicodeBuffer[0x105]; /* C00h */ PVOID DeallocationStack; /* E0Ch */ PVOID TlsSlots[0x40]; /* E10h */ LIST_ENTRY TlsLinks; /* F10h */ PVOID Vdm; /* F18h */ PVOID ReservedForNtRpc; /* F1Ch */ PVOID DbgSsReserved[0x2]; /* F20h */ ULONG HardErrorDisabled; /* F28h */ PVOID Instrumentation[14]; /* F2Ch */ PVOID SubProcessTag; /* F64h */ PVOID EtwTraceData; /* F68h */ PVOID WinSockData; /* F6Ch */ ULONG GdiBatchCount; /* F70h */ BOOLEAN InDbgPrint; /* F74h */ BOOLEAN FreeStackOnTermination; /* F75h */ BOOLEAN HasFiberData; /* F76h */ UCHAR IdealProcessor; /* F77h */ ULONG GuaranteedStackBytes; /* F78h */ PVOID ReservedForPerf; /* F7Ch */ PVOID ReservedForOle; /* F80h */ ULONG WaitingOnLoaderLock; /* F84h */ ULONG SparePointer1; /* F88h */ ULONG SoftPatchPtr1; /* F8Ch */ ULONG SoftPatchPtr2; /* F90h */ PVOID *TlsExpansionSlots; /* F94h */ ULONG ImpersionationLocale; /* F98h */ ULONG IsImpersonating; /* F9Ch */ PVOID NlsCache; /* FA0h */ PVOID pShimData; /* FA4h */ ULONG HeapVirualAffinity; /* FA8h */ PVOID CurrentTransactionHandle; /* FACh */ PTEB_ACTIVE_FRAME ActiveFrame; /* FB0h */ PVOID FlsData; /* FB4h */ UCHAR SafeThunkCall; /* FB8h */ UCHAR BooleanSpare[3]; /* FB9h */ } TEB, *PTEB;
2 PEB结构
typedef struct _PEB { UCHAR InheritedAddressSpace; // 00h UCHAR ReadImageFileExecOptions; // 01h UCHAR BeingDebugged; // 02h UCHAR Spare; // 03h PVOID Mutant; // 04h
#include
#include
#include
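/*
 * Print the base address of the module that owns the thread's terminal
 * SEH handler, next to the value GetModuleHandle() reports, so the two
 * can be compared.
 *
 * How it works (x86 only):
 *  1. fs:[0] is the head of the SEH chain (TEB NtTib.ExceptionList). Each
 *     record is { prev, handler }; the last record has prev == -1.
 *  2. The handler address of that last record lies inside the module that
 *     installed it. Starting there, scan downward in 64 KiB steps (the
 *     granularity image bases are allocated on) until a block that starts
 *     with "MZ" and whose e_lfanew (offset 0x3C) points at "PE".
 *
 * Assumptions / limits:
 *  - 32-bit build only: the fs: segment and MSVC `__asm` are not available
 *    to x64 MSVC.
 *  - Which module installed the terminal record depends on the Windows
 *    version (the variable name assumes kernel32; on newer releases the
 *    thread-start code that installs it may live in ntdll) — TODO confirm
 *    on the target OS rather than relying on the name.
 *  - Every 64 KiB boundary between the handler and the image base must be
 *    mapped readable; an unmapped gap raises an access violation instead
 *    of being skipped. Only the wrap to address 0 is handled (result 0).
 *  - The `#include` targets above appear to have been lost when this page
 *    was extracted; the code needs the Windows SDK headers that declare
 *    `_tmain`/`_TCHAR`/`TEXT`/`_tprintf` and `GetModuleHandle`
 *    (<windows.h>, <tchar.h>).
 *
 * Differences from the first version of this listing:
 *  - The chain is walked with a read-only `cmp dword ptr [edx], -1` instead
 *    of `inc`/`dec` on the record's prev field, so the SEH chain is never
 *    modified (an exception raised between the inc and the dec would have
 *    dispatched through a corrupted link).
 *  - An "MZ" block without a PE header continues the downward scan; the
 *    original jumped back to `Next`, which then treated the scanned address
 *    as an SEH record.
 *  - The scan terminates with dwKrnlAddr == 0 if it runs out of address
 *    space instead of reading [0].
 *
 * Returns 0 in all cases.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    DWORD dwKrnlAddr = 0;                   // image base found, or 0 if not found

    __asm
    {
        mov     edx, fs:[0]                 // edx = first EXCEPTION_REGISTRATION record
    Next:
        cmp     dword ptr [edx], -1         // rec->prev == -1 marks the terminal record
        jz      Krnl
        mov     edx, [edx]                  // edx = rec->prev
        jmp     Next
    Krnl:
        mov     edx, [edx + 4]              // edx = rec->handler: an address inside the target module

    Looop:
        cmp     word ptr [edx], 'ZM'        // IMAGE_DOS_HEADER.e_magic == "MZ" ?
        jnz     NotPe
        mov     eax, dword ptr [edx + 3ch]  // eax = IMAGE_DOS_HEADER.e_lfanew (offset 0x3C)
        cmp     word ptr [edx + eax], 'EP'  // IMAGE_NT_HEADERS.Signature begins with "PE" ?
        jz      Found
    NotPe:
        dec     edx                         // edx = (edx - 1) & ~0xFFFF:
        xor     dx, dx                      //   previous 64 KiB boundary
        test    edx, edx                    // xor dx,dx always leaves ZF=1, so test explicitly
        jnz     Looop                       // edx == 0 here means nothing found: store the 0 below
    Found:
        mov     dwKrnlAddr, edx             // image base, or 0 when the scan wrapped to address 0
    }

    _tprintf(TEXT(" address: %x\r\n"), dwKrnlAddr);
    // NOTE(review): the module name argument appears to have been lost in
    // extraction; it should name the module whose base the scan is expected
    // to find so the two printed values are comparable.
    _tprintf(TEXT("GetModuleHandle address: %x\r\n"),
             GetModuleHandle(TEXT("")));
    return 0;
}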
五 PEB法代码1 程序1
#include