Image base address of foreign exe/dll or WTF?

Сейчас на форуме: (+5 невидимых)

Посл.ответ	Сообщение
tguglanaklona Ранг: 1.6 (гость) Активность: 0=0 Статус: Участник	Создано: 19 сентября 2012 15:39 · Личное сообщение · #1 I have a foreign process (exe-file DllProj.exe is running), that has SampleDll.dll linked to it (implicit linking). I can find the base address of the linked dll with the help of my function imageBase(), but not the base address of the process itself! What is the difference and why it's not working as is? I mean, this code returns pBase with correct DOS/NT-headers: Code: LPVOID pBase = imageBase("DllProj.exe", "SampleDll.dll"); if (!pBase) return false; PIMAGE_DOS_HEADER pDosHeader = PIMAGE_DOS_HEADER((HMODULE)pBase); if (::IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) \|\| IMAGE_DOS_SIGNATURE != pDosHeader->e_magic) return false; but this code return is FALSE: Code: LPVOID pBase = imageBase("DllProj.exe", "DllProj.exe"); //and so on... Here is my procedure: Code: LPVOID imageBase(LPSTR szVictimProcess, LPSTR szVictim) { //находим процесс szVictimProcess DWORD aProcesses[1024], cbNeeded, nProcesses; unsigned int i; if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) return NULL; nProcesses = cbNeeded / sizeof(DWORD); HANDLE ProcHandle = 0; TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>"); for (i = 0; i < nProcesses; i++) { ProcHandle = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, false, aProcesses[i]); if (NULL != ProcHandle) { HMODULE hMod[1024]; if ( EnumProcessModules(ProcHandle, hMod, sizeof(hMod), &cbNeeded) ) { GetModuleBaseName(ProcHandle, hMod[0], szProcessName, sizeof(szProcessName)/sizeof(TCHAR)); // Get the process name if (0 == lstrcmpiA(szVictimProcess, szProcessName)) { //находим модуль szVictim DWORD nModules = cbNeeded / sizeof(HMODULE); char szModName[MAX_PATH]; for (unsigned int j = 0; j < nModules; j++) { if (GetModuleFileNameEx(ProcHandle, hMod[j], szModName, sizeof(szModName))) // Get the module name { shortName(szModName); if (0 == lstrcmpiA(szModName, szVictim)) { MODULEINFO info; GetModuleInformation(ProcHandle, hMod[j], &info, sizeof(info)); return info.lpBaseOfDll; //Equal To: //return hMod[j]; //Debug: //LPSTR string = new char[256]; //wsprintf(string,"\t%s (0x%08X)\n", szModName, hMod[j]); } } } break; } } } CloseHandle(ProcHandle); } return NULL; } P.S.: My next goal is to get import-table of DllProj.exe (where Sample.dll is) and hiijack dll's function call

HandMill Ранг: 222.2 (наставник), 115thx Активность: 0.14↘0.01 Статус: Участник	Создано: 19 сентября 2012 15:49 · Личное сообщение · #2 You can more easy find base address of loaded module: GetModuleHandle(TEXT("SampleDll.dll")) - you will find the base of loaded DLL file GetModuleHandle(NULL) - you will find the base of main executable file ----- все багрепорты - в личные сообщения
ajax Ранг: 337.6 (мудрец), 224thx Активность: 0.21↘0.1 Статус: Участник born to be evil	Создано: 19 сентября 2012 16:03 · Личное сообщение · #3 HandMill tguglanaklona пишет: I have a foreign process ----- От многой мудрости много скорби, и умножающий знание умножает печаль
tomac Ранг: 65.3 (постоянный), 10thx Активность: 0.02↘0 Статус: Участник	Создано: 19 сентября 2012 19:25 · Личное сообщение · #4 Isn't the process started as suspended and scanned before resuming? If not, try to debug this line: 32. shortName(szModName); And look which modules it actually enumerates. Maybe shortName does not handle exe files properly. Basically, the function is not intended to find process base address, it uses APIs that are designed to enumerate DLLs. For instance, msdn claims that you should pass NULL as module handle to GetModuleFileNameEx in order to obtain main executable file name. You can modify the function to try and send NULL as the module handle.
tguglanaklona Ранг: 1.6 (гость) Активность: 0=0 Статус: Участник	Создано: 19 сентября 2012 19:54 · Личное сообщение · #5 HandMill writes: You can more easy find base address of loaded module: GetModuleHandle(TEXT("SampleDll.dll")) - you will find the base of loaded DLL file GetModuleHandle(NULL) - you will find the base of main executable file ?? ??? ?? ????? ?? ??? ??????? main, ? ?????, ??????????? ? ???????. ??? ? ???-?? ?? ??????? ? ?????? GetModuleHandle.. ajax writes: HandMill tguglanaklona ?????: I have a foreign process ?? ??-?? ??)) tomac writes: 32. shortName(szModName); short name - ??? ???????, ?????????? ??? ????? (??????, ?????? ????????): void shortName(LPSTR strToChange) { std::string path(strToChange); std::string filename; size_t pos = path.find_last_of("\"); if (pos != std::string::npos) filename.assign(path.begin() + pos + 1, path.end()); else filename = path; lstrcpy(strToChange, filename.data()); } ? ????????? GetModuleFileNameEx(ProcHandle, hMod[j], szModName, sizeof(szModName))) // Get the module name ?????????? ?????? ??? exe-????????, ? DOS-????? ??? ????? ? ?????????? ????????????. ????? ??? ???????? ??? ?????? ?????? ??-???????? ?? ???????.
tguglanaklona Ранг: 1.6 (гость) Активность: 0=0 Статус: Участник	Создано: 19 сентября 2012 20:06 · Личное сообщение · #6 HandMill writes: You can more easy find base address of loaded module: GetModuleHandle(TEXT("SampleDll.dll")) - you will find the base of loaded DLL file GetModuleHandle(NULL) - you will find the base of main executable file No it's not my process, but another program (victim) process. And it states that GetModuleHandle(NULL) returns a handle to the file used to create the calling process... Or there s something I can't understand ajax writes: HandMill tguglanaklona ?????: I have a foreign process Yyyyyyes)) tomac writes: 32. shortName(szModName); short name - its my function, its return is OK: void shortName(LPSTR strToChange) { std::string path(strToChange); std::string filename; size_t pos = path.find_last_of("\"); if (pos != std::string::npos) filename.assign(path.begin() + pos + 1, path.end()); else filename = path; lstrcpy(strToChange, filename.data()); } Also (see prog listing) GetModuleFileNameEx(ProcHandle, hMod[j], szModName, sizeof(szModName))) // Get the module name returns correct name of the victim exe-file. Perhaps some shifting inside ??? Understand nothing - nothing already in my head Please, help me, what to do Must it works as an idea, or something wrong 'ideologically'?
tguglanaklona Ранг: 1.6 (гость) Активность: 0=0 Статус: Участник	Создано: 19 сентября 2012 20:08 · Личное сообщение · #7 tomac writes: You can modify the function to try and send NULL as the module handle. If I sent NULL and for not victim but my procwss - everything is OK!
HandMill Ранг: 222.2 (наставник), 115thx Активность: 0.14↘0.01 Статус: Участник	Создано: 19 сентября 2012 20:25 · Личное сообщение · #8 So, may be this example will help you: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686701(v=vs.85).aspx Look to the MODULEENTRY32.modBaseAddr when you will list all modules you will also list main process module(exe) ----- все багрепорты - в личные сообщения
tomac Ранг: 65.3 (постоянный), 10thx Активность: 0.02↘0 Статус: Участник	Создано: 20 сентября 2012 00:36 · Личное сообщение · #9 HandMill EnumProcessModules effectively uses CreateToolhelp32Snapshot. I do not think it will be much different from the used solution. tguglanaklona What if you send NULL as module handle for the foreign process? Does it work? A few days ago I was solving a similar problem, I needed to inject a library into another process. But I created the process as suspended, and it was impossible to get modules info using CreateToolhelp32Snapshot for this process. You did not reply whether you create the process suspended and do not resume it before analyzing. tguglanaklona writes: short name - its my function, its return is OK: I advised you to debug this line, not the function. Toggle a breakpoint at this line and look what names the program iterates through. If there is no exe file name, something's wrong with EnumProcessModules, consider using CreateToolhelp32Snapshot. If there is the exe file name, something wrong elsewhere. Maybe in GetModuleInformation. Consider using CreateToolhelp32Snapshot, again.
ajax Ранг: 337.6 (мудрец), 224thx Активность: 0.21↘0.1 Статус: Участник born to be evil	Создано: 20 сентября 2012 11:28 · Поправил: ajax · Личное сообщение · #10 tguglanaklona Check --> Link <--. Delphi code, but easy to port to C function LoadedModulesList(const List: TStrings; ProcessID: DWORD; HandlesOnly: Boolean): Boolean; ----- От многой мудрости много скорби, и умножающий знание умножает печаль
tguglanaklona Ранг: 1.6 (гость) Активность: 0=0 Статус: Участник	Создано: 22 сентября 2012 18:20 · Личное сообщение · #11 tomac writes: A few days ago I was solving a similar problem, I needed to inject a library into another process. But I created the process as suspended, and it was impossible to get modules info using CreateToolhelp32Snapshot for this process. You did not reply whether you create the process suspended and do not resume it before analyzing. I think it is the reason. I already come to the same thought. And exe file name and the image base address is really correct (I've catched it with NULL handle), but this tguglanaklona writes: ::IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) \|\| IMAGE_DOS_SIGNATURE != pDosHeader->e_magic is not. Perhaps, the real possibility for the running exe-process is to make an assembler insertion, isn't it Anyway I'll go to analyse it further

Для печати