Make a Loader -> How to get the base address of an external DLL


Drigo
July 15th, 2009, 06:01
Hello Guys.

I'm having trouble programming a Loader (coded in VB.net) for a strongly encrypted App.
The Loader works ok, but not all the time.
The protections are in a lot of DLL files, which are loaded from the main EXE.
How can I get the base addresses of the loaded DLL files?

Does somebody have an example, or can give me keywords (of API calls), so that I (and Google) can help myself?


Thanks
Drigo

evaluator
July 15th, 2009, 06:38
You should inject your code into the process & control the DLL loading events. (My guess: a loader-debugger will be hard for you.)

Drigo
July 15th, 2009, 06:58
Now I use this:

Create a list from hex(0001) to hex(5000).
Then I add the 2nd part of the address to it (for example HEX(1234)).
Then I read the whole process memory of the EXE from hex(00011234) to HEX(50001234).
If my "demo byte" occurs at the address I read, I write the address using
WriteprocessA.

This often works, but not always.

So I would like to read the base address of the DLL and calculate the offset to it -> WriteProcessMemory and ready.

But this reads simpler than it is.

Now I have tried to get the DLL handle. This looks good.
Tried it with: GetModuleHandle
How can I resolve the DLL handle into a base address?

WaxfordSqueers
July 15th, 2009, 07:12
Quote (Originally Posted by Drigo): How can I resolve the DLL handle into a base address?


I'm not a programmer but how about GetProcAddress?

http://msdn.microsoft.com/en-us/library/ms683212(VS.85).aspx

It says GetModuleHandle or LoadLibrary gives you a handle for the DLL and the handle can be passed to GetProcAddress to get the DLL address.

BanMe
July 15th, 2009, 07:55
LdrFindEntryForAddress is what you really need to learn..
but GetModuleHandleEx works..
as well as VirtualQuery..

If you use literal function naming theory to come up with the term GetModuleHandleFromAddress() and google it, you get
http://code.google.com/p/omaha/source/browse/trunk/common/app_util.cc
(the GetModuleHandleFromAddress() definition) as an example of using VirtualQuery to do what you need.

Basically you just compact all the details of what a function does into a word and google it.. that's my theory at least.. lol

And if you are already executing in your "target" process you can simply access the PEB and retrieve all the base addresses.

regards BanMe

arc_
July 15th, 2009, 20:18
The functions that you want are CreateToolhelp32Snapshot and Module32First/Next. Create a snapshot, loop over all modules, and check the name of each module.

BanMe
July 15th, 2009, 20:28
Code:

// Fragment from a larger function. Assumed declarations (not part of the original post):
// the Rtl* prototypes and the RTL_DEBUG_INFORMATION / DEBUG_MODULE_INFORMATION structures
// are undocumented ntdll exports and must come from a native-API header (e.g. ntifs.h or
// a third-party ntdll header); the variables used below are assumed to be declared as
//   BOOLEAN Enabled;  UNICODE_STRING Unicode;  NTSTATUS Status;  ULONG Pid, Index;  int Pathtest;
//   PRTL_DEBUG_INFORMATION pDbgbuf;  WCHAR szPathToModule[MAX_PATH], Err[MAX_PATH];
//   char mbPath[MAX_PATH];  PVOID TargetRegion;

//Get Debug Privileges.. (20 == SE_DEBUG_PRIVILEGE)
RtlAdjustPrivilege(20L, true, false, &Enabled);
//Initialize the Unicode string with path to exe
RtlInitUnicodeString(&Unicode, szPathToModule);
//Create the DebugBuffer
pDbgbuf = RtlCreateQueryDebugBuffer(0, 0);
//Query the Modules of the Process Pointed to by Pid
Status = RtlQueryProcessDebugInformation(Pid, PDI_MODULES, pDbgbuf);
if (!NT_SUCCESS(Status))
{
    //on failure: load the message into Unicode and deliberately crash with a NULL write
    RtlInitUnicodeString(&Unicode, L"RtlQueryProcessDebugInformation Status:");
    *(PULONG)0 = 0;
}
//copy the Initialized Unicode to a char string.
wcscpy(Err, Unicode.Buffer);
Index = 0;
//if Pathtest finds "C for C:..that one needs a little work..
//to determine the drive dynamically but for now bleh..
do
{
    Index++;
    Pathtest = wcsncmp(&Err[Index], L"C", 1);
} while (Pathtest != 0);
//convert the path (from the drive letter on) to a NUL-terminated narrow string
memset(mbPath, 0, sizeof(mbPath));
wcstombs(mbPath, &Err[Index], sizeof(mbPath) - 1);
//Count is the number of entries, so the valid indices are 0 .. Count-1
for (Index = 0; Index < pDbgbuf->ModuleInformation->Count; Index++)
{
    Pathtest = strcmp((char*)pDbgbuf->ModuleInformation->DbgModInfo[Index].ImageName, mbPath);
    if (Pathtest == 0)
    {
        //found the module: its base (load) address is what the loader needs
        TargetRegion = pDbgbuf->ModuleInformation->DbgModInfo[Index].Base;
        break;
    }
}
Status = RtlDestroyQueryDebugBuffer(pDbgbuf);
if (!NT_SUCCESS(Status))
{
    RtlInitUnicodeString(&Unicode, L"RtlDestroyQueryDebugBuffer Status:");
    *(PULONG)0 = 0;
}
//disable debug privilege..
RtlAdjustPrivilege(20L, false, false, &Enabled);


this also works

disavowed
July 17th, 2009, 14:51
GetModuleHandle(...)/GetModuleHandleEx(...) won't work since you're not calling it from the context of your target process.
I wouldn't recommend using RtlQueryProcessDebugInformation(...) since it's undocumented and could change.

The best way to do this is what arc_ said above, using CreateToolhelp32Snapshot(...) and Module32First(...)/Next(...).
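The Toolhelp route arc_ and disavowed recommend, written out in the OP's language (VB.NET) as an added example; this is not code from anyone in the thread. The P/Invoke declarations follow the kernel32 signatures, the function name GetRemoteModuleBase is my own, and it assumes the loader and the target have the same bitness (a 32-bit loader cannot snapshot a 64-bit process).

```vbnet
Imports System
Imports System.Runtime.InteropServices
Module ModuleBaseFinder
    Private Const TH32CS_SNAPMODULE As UInteger = &H8UI
    Private Const TH32CS_SNAPMODULE32 As UInteger = &H10UI  ' also list 32-bit modules of a WOW64 target
    Private Const ERROR_BAD_LENGTH As Integer = 24
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)>
    Private Structure MODULEENTRY32
        Public dwSize As UInteger
        Public th32ModuleID As UInteger
        Public th32ProcessID As UInteger
        Public GlblcntUsage As UInteger
        Public ProccntUsage As UInteger
        Public modBaseAddr As IntPtr   ' load address of the module inside the target process
        Public modBaseSize As UInteger
        Public hModule As IntPtr       ' same value: an HMODULE is just the image base address
        <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=256)> Public szModule As String
        <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=260)> Public szExePath As String
    End Structure
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CreateToolhelp32Snapshot(dwFlags As UInteger, th32ProcessID As UInteger) As IntPtr
    End Function
    <DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Function Module32First(hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Function Module32Next(hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(hObject As IntPtr) As Boolean
    End Function
    ' Base address of moduleName in process pid, or IntPtr.Zero if it is not loaded yet / no snapshot.
    Public Function GetRemoteModuleBase(pid As UInteger, moduleName As String) As IntPtr
        Dim snap As IntPtr = New IntPtr(-1)   ' INVALID_HANDLE_VALUE
        ' ERROR_BAD_LENGTH means the target is still loading DLLs; MSDN says to retry (a "not always" case).
        For attempt As Integer = 1 To 5
            snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32, pid)
            If snap <> New IntPtr(-1) OrElse Marshal.GetLastWin32Error() <> ERROR_BAD_LENGTH Then Exit For
        Next
        If snap = New IntPtr(-1) Then Return IntPtr.Zero
        Dim entry As New MODULEENTRY32 With {.dwSize = CUInt(Marshal.SizeOf(GetType(MODULEENTRY32)))}
        Dim found As IntPtr = IntPtr.Zero, more As Boolean = Module32First(snap, entry)
        While more AndAlso found = IntPtr.Zero
            If String.Equals(entry.szModule, moduleName, StringComparison.OrdinalIgnoreCase) Then found = entry.modBaseAddr
            more = Module32Next(snap, entry)
        End While
        CloseHandle(snap)
        Return found
    End Function
End Module
```

The snapshot only lists DLLs the target has already mapped, so a call made before the protected DLL is loaded returns IntPtr.Zero rather than a stale address.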

BanMe
July 17th, 2009, 15:14
Yes yes, my suggestions were based on the OP already executing in the "context of" the target process, i.e. an injected DLL. Sorry for the misunderstanding.

regards BanMe