DLL functions access

DLL functions access

Post by » Sat, 01 May 2004 23:56:11


Here is the next part about my "accessing to DLLs functions in no
conventional way" texts.

http://www.yqcomputer.com/

Feedback and English corrections are welcome.

--
AMcD
http://www.yqcomputer.com/

DLL functions access

Post by Alex Iones » Mon, 03 May 2004 09:59:08

Good for research stuff, I love doing this kind of thing too...but some
warnings:

1) EPROCESS changes almost every single new build of Windows.
2) The PEB is now dynamic in SP2/Win2K3 and Longhorn, which means you will
have to read it by using
mov ebx, fs:30h

(I've used EBX because it is the register which *usually* receives the PEB).
Anyway, it's much safer than reading from EPROCESS because that offset will
always change. In kernel mode you can always use the API to retrieve the
PEB...(don't know the name by heart)
3) Once again, all the loader structures are subject to change (and HAVE
changed between 2K and XP)
4) Some APIs are not exported by name, only by ordinal, keep that in mind.

Otherwise, a good article, although I'm afraid that some of the content is
quite advanced for the regular user (I mean, it looks to me like it's
targeted to the average Joe, because you are explaining things like
Little/Big Endian, which anyone that programmed in anything other than
VBScript should be aware of, and yet you're talking about stuff like
EPROCESS...)

Best regards,
Alex Ionescu

>> Here is the next part about my "accessing to DLLs functions in no
>> conventional way" texts.
>>
>> http://www.yqcomputer.com/
>>
>> Feedback and English corrections are welcome.
>>
>> --
>> AMcD
>> http://www.yqcomputer.com/


DLL functions access

Post by » Mon, 03 May 2004 10:42:46


I know...


Yep. Using TLS, it's the classic way.


I know, I know...


Good point. Actually, a next article is following soon, as other guys said,
some stuff is lacking, bound exports, forwarding and so on. I did not forget
to mention that, it's just because I intended to talk about that elsewhere
;o). In fact, these are only short texts, nothing exhaustive. See these
articles as introductory texts. The aim is to interest people in debugging,
"white" hacking, etc. Hence, it's somehow incomplete. If I had to be very
very accurate, texts would be too long and only a few "hackers" would be
interested. Well, it's a step-by-step trap :o).


Lol, good point. As I said above, these are my first attempts to "teach"
something useful to others. I'm still looking for the good balance. It's not
that easy to decide where to give a figure, where not, what to detail, etc.
Furthermore I want a kind of gradual set of texts. So, posts like yours
are very helpful to me because I can improve all that stuff. You know, I got
6.5K page views since the beginning of the site 3 months ago... but only 2
mails!!! People are used to taking, not to helping. Well, when you have got no
feedback, it's pretty hard to improve :o).

So, great thanks.

CU.

--
AMcD
http://www.yqcomputer.com/

DLL functions access

Post by Jochen Kal » Mon, 03 May 2004 14:55:33


Why not use NtCurrentPeb() !?

--
Greetings
Jochen

Do you need a memory-leak finder ?
http://www.yqcomputer.com/

Do you need daily reports from your server?
http://www.yqcomputer.com/

DLL functions access

Post by Alex Iones » Tue, 04 May 2004 00:15:37

To be really picky about it, because NtCurrentPeb is a CALL Opcode (5 bytes)
to a jump opcode ( 6 bytes) to an IAT entry (4 bytes for the pointer, 4
bytes for the ordinal, and 13 bytes for the Name).

mov ebx, fs:30h is 5 bytes, and works even on Win9X.

Best regards,
Alex Ionescu