Last active
April 27, 2022 02:17
-
-
Save CCCougar/fb7ce99bede829d1484d0ffc92bd3800 to your computer and use it in GitHub Desktop.
32/64位汇编获取kernel32.dll基址
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; 32位 -- 参考:https://github.com/mai1zhi2/ShellCodeFramework/blob/bb16c47cf6bbc673b80a2743f0841d2b2d86846b/Framework/Shellcode.cpp | |
| GetKernel32Base32 PROC | |
| mov eax, fs:[18h] ; 找到teb | |
| mov eax, [eax + 30h] ; peb | |
| mov eax, [eax + 0ch] ; PEB_LDR_DATA | |
| mov eax, [eax + 0ch] ; LIST_ENTRY 主模块 | |
| mov eax, [eax] ; ntdll | |
| mov eax, [eax] ; kernel32 | |
| mov eax, dword ptr[eax + 18h] ; kernel32基址 | |
| ret | |
| GetKernel32Base32 ENDP | |
| ; 64位 -- 参考:https://blog.xenoscr.net/2019/12/08/Locating-Kernel32-Base-Address.html | |
| GetKernel32Base64 PROC | |
| mov rax, gs:[60h] ; Find the Address of the PEB Structure | |
| mov rax, [rax+18h] ; Find the Address of the PEB_LDR_DATA Structure | |
| mov rax, [rax+20h] ; Find the Address of the InMemoryOrderModuleList list | |
| mov rax, [rax] ; ntdll -- Iterate to the Third InMemoryOrderModuleList Entry | |
| mov rax, [rax] ; kernel32 -- Iterate to the Third InMemoryOrderModuleList Entry | |
| mov r12, [rax+20h] ; kernel32基址 | |
| mov rax, r12 | |
| ret | |
| GetKernel32Base64 ENDP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment