
Vortex

  • Member
  • *****
  • Posts: 1692
Retrieving the module handle to kernel32.dll
« on: April 17, 2017, 03:52:29 AM »
OPTION DOTNAME
option casemap:none

include     GetKern32.inc

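.data

; Module name passed to GetModuleHandle, NUL-terminated.
kernel32    db 'kernel32.dll',0

; printf format for the two module bases. Both values are 64-bit, so they
; need a 64-bit conversion: %X consumes a 32-bit unsigned int and would drop
; the upper half of an x64 image base (normally above 4 GB, e.g. 00007FFx...).
; %llX is the C99 spelling; use %I64X if the CRT being linked rejects 'll'.
str1        db 'GetModuleHandle = %llX',13,10
            db 'GetKern32Base   = %llX',0

.data?

; Base of kernel32.dll as found by GetKern32Base, parked here so it survives
; the GetModuleHandle call in start.
hKern32     dq ?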

.code

start PROC

    ; Program entry point, Microsoft x64 ABI. On entry rsp is 8 below a
    ; 16-byte boundary (return address pushed): the 8 restores 16-byte
    ; alignment for every call below, and 4*8 is the 32-byte shadow space
    ; the ABI requires the caller to reserve for the four register args.
    ; rsp is never restored; ExitProcess is documented not to return.
    sub     rsp,8+4*8

    invoke  GetKern32Base
    mov     hKern32,rax             ; keep the PEB-derived base for the printf

    ; Reference value from the API, to compare with the PEB walk.
    invoke  GetModuleHandle,ADDR kernel32
    ; NOTE(review): rax is fed straight into the invoke macro as argument 2.
    ; This relies on the macro (from GetKern32.inc) loading rcx without
    ; touching rax - confirm, or move rax into a scratch register first.
    invoke  printf,ADDR str1,rax,hKern32

    invoke  ExitProcess,0

start ENDP

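;-----------------------------------------------------------------------
; HMODULE GetKern32Base(void)
; ABI:   Microsoft x64
; In:    none
; Out:   rax = DllBase of kernel32.dll, read from the loader's
;        InMemoryOrderModuleList in the PEB
; Clobb: rax only; flags untouched (mov instructions only)
; Assumes the first three InMemoryOrderModuleList entries are the
; executable, ntdll.dll and kernel32.dll, in that order. That is the usual
; layout of a normal process but not an API contract, and the result is
; not validated here: callers wanting a guaranteed answer should cross-check
; against GetModuleHandle (as start does) or walk the list comparing
; BaseDllName instead of relying on position.
;-----------------------------------------------------------------------
GetKern32Base PROC

    ; Named offsets instead of magic numbers (x64 layouts).
    TEB_PEB             equ 60h     ; TEB.ProcessEnvironmentBlock
    PEB_LDR             equ 18h     ; PEB.Ldr
    LDR_INMEM_LIST      equ 20h     ; PEB_LDR_DATA.InMemoryOrderModuleList
    INMEM_TO_DLLBASE    equ 20h     ; LDR_DATA_TABLE_ENTRY.DllBase, relative
                                    ; to its InMemoryOrderLinks field

    mov     rax,gs:[TEB_PEB]            ; rax = PEB
    mov     rax,[rax+PEB_LDR]           ; rax = PEB_LDR_DATA *Ldr
    mov     rax,[rax+LDR_INMEM_LIST]    ; rax = 1st entry link (the executable)
    mov     rax,[rax]                   ; rax = 2nd entry link (ntdll.dll)
    mov     rax,[rax]                   ; rax = 3rd entry link (kernel32.dll)
    mov     rax,[rax+INMEM_TO_DLLBASE]  ; rax = kernel32 DllBase
    ret

GetKern32Base ENDP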

END