help on finding kernel32.dll


dacid
July 22nd, 2008, 03:39
hi,

You may probably know this piece of code, mostly used in packers/protectors or even viruses...

Code:

                 mov ecx,[esp]            ; Return address of the call from CreateProcess
GetKrnlBaseLoop:                          ; Get Kernel32 module base address
                 xor edx,edx              ;
                 dec ecx                  ; Scan backward
                 mov dx,[ecx+03ch]        ; Take beginning of PE header (e_lfanew)
                 test dx,0f800h           ; Is it a PE header?
                 jnz GetKrnlBaseLoop      ; No, forget about it
                 cmp ecx,[ecx+edx+34h]    ; Compare current address with the address
                                          ; that the PE should be loaded at (ImageBase)
                 jnz GetKrnlBaseLoop      ; Different? Search again
                 mov [KernelAdress+ebp],ecx ; ecx holds KernelBase... Store it

I use this code and it works OK on a 32-bit OS but fails on 64-bit (Vista). While searching a little I found that the imagebase is at 30h and it is a qword, so I tried:

cmp ecx,[ecx+edx+30h]
and
cmp ecx,[ecx+edx+34h]

but it didn't work. Maybe I'm missing something.

I would appreciate any ideas, suggestions, etc...

P.S. (excuse my poor English)
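Since the question turns on which header field the scan compares, here is an added Python example (my own code, not dacid's or anything from the thread) that implements the scan's acceptance test over constructed PE32 and PE32+ headers: it reads the optional header's Magic field to pick the ImageBase offset and width (0x34, 4 bytes for PE32; 0x30, 8 bytes for PE32+), and the pointer_bits parameter shows what a 32-bit compare loses on a 64-bit address. The function and constant names are my own assumptions.

```python
import struct
# Field layout the scan relies on (PE/COFF spec): e_lfanew is at DOS offset 0x3C,
# the optional header starts 0x18 into the NT headers, and ImageBase sits at
# 0x34 (4 bytes) in a PE32 optional header but at 0x30 (8 bytes) in PE32+.
E_LFANEW_OFF, OPT_HDR_OFF = 0x3C, 0x18
PE32, PE32PLUS = 0x10B, 0x20B
IMAGEBASE = {PE32: (0x34, "<I"), PE32PLUS: (0x30, "<Q")}


def read_image_base(mem: bytes):
    """ImageBase recorded in the headers at mem[0], or None if this is no PE image."""
    if len(mem) < E_LFANEW_OFF + 4 or mem[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", mem, E_LFANEW_OFF)[0]
    # Same sanity bound as the scan's "test dx,0F800h", plus a length check.
    if e_lfanew & 0xFFFFF800 or e_lfanew + OPT_HDR_OFF + 2 > len(mem):
        return None
    if mem[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", mem, e_lfanew + OPT_HDR_OFF)[0]
    if magic not in IMAGEBASE:
        return None
    off, fmt = IMAGEBASE[magic]  # position and width depend on the Magic field
    if e_lfanew + off + struct.calcsize(fmt) > len(mem):
        return None
    return struct.unpack_from(fmt, mem, e_lfanew + off)[0]


def is_module_base(mem: bytes, addr: int, pointer_bits: int = 64) -> bool:
    """The scan's acceptance test: header ImageBase equals the address it sits at.
    pointer_bits=32 models 32-bit registers, which truncate both sides."""
    base = read_image_base(mem)
    if base is None:
        return False
    mask = (1 << pointer_bits) - 1
    return (base & mask) == (addr & mask)


def build_header(magic: int, image_base: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal DOS+NT header carrying only the fields read above."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFF, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + OPT_HDR_OFF, magic)
    off, fmt = IMAGEBASE[magic]
    struct.pack_into(fmt, hdr, e_lfanew + off, image_base)
    return bytes(hdr)


# Constructed sample modules; the addresses are made up, not real load addresses.
K32_X86 = build_header(PE32, 0x7C800000)
K32_X64 = build_header(PE32PLUS, 0x7FF91A200000)
```

With a 32-bit compare the PE32+ header at 0x7FF91A200000 also "matches" 0x1A200000, which is the ambiguity of keeping only the low dword.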

deroko
July 22nd, 2008, 10:15
Use the PEB, it's much faster to locate the kernel32.dll base that way (here is how I locate ntdll, kernel32 and the imagebase using the PEB on x64 Windows):

Code:

getkernel32:  mov rax, gs:[60h]      ; PEB (TEB+60h on x64)
              mov rax, [rax+18h]     ; PEB.Ldr
              mov rax, [rax+30h]     ; Ldr.InInitializationOrderModuleList.Flink -> first entry (ntdll)
              mov rax, [rax]         ; next entry in initialization order (kernel32)
              mov rax, [rax+10h]     ; LDR_DATA_TABLE_ENTRY.DllBase, relative to the init-order links
              ret
getntdll:     mov rax, gs:[60h]      ; PEB
              mov rax, [rax+18h]     ; PEB.Ldr
              mov rax, [rax+30h]     ; first entry in initialization order (ntdll)
              mov rax, [rax+10h]     ; DllBase
              ret

getimagebase: mov rax, gs:[60h]      ; PEB
              mov rax, [rax+10h]     ; PEB.ImageBaseAddress
              ret


Also, if you prefer a backward scan, it would be smart to AND the ret address with 0FFFFF000h and decrease by PAGE_SIZE, faster and accurate. So you would only check for the MZ string, as I doubt there will be numerous occurrences of MZ at a page boundary.

naides
July 22nd, 2008, 10:20
Dacid: You are using 32-bit registers to handle 64-bit pointers. If an address is above 00000000FFFFFFFF, which I think system .dlls are, you lose the information contained in the upper bytes.

dacid
August 15th, 2008, 10:40
n00b question: how can I access 64-bit pointers under 32 bits without losing anything?