Re: Getting Base Address using the Structured Exception Handler
From: Gerardo Richarte (gera_at_corest.com)
Date: Thu, 26 Jun 2003 12:24:45 -0300 To: firstname.lastname@example.org
Gerardo Richarte wrote:
> 2nd trick:
> I think I like it, if it works...
> to know the address of ntdll.dll may be easy using SEH:
> ntdll.dll calls the exception handler, and as call "is synonim" for push eip/jmp,
> ntdll.dll is pushing its own address in the stack before execution the exception
> handler. Now, if the exception handler you install, gets the return address from
> the stack (pop eax), and uses compares to a list of known ntdll.dll addresses,
> it will be easy to find out the version of ntdll.dll. Then, if you can, somehow,
> infer the version of kernel32.dll from the version of ntdll.dll, well... Bingo!
Yeah, I know this is about to become insane (answering myself so many times I mean),
I think it'll be easier to learn to use
and probably LdrUnloadDll()
(use The Oracle [google] to find out info about them)
They look pretty promising.
And then, once again as hernan told me, it may be enough to mask out the least
significant bits of the return address (address after the call in ntdll.dll:KiUserExceptionDispatcher())
to get ntdll.dll's base address. Then with that, we could walk the PE header and get
the address of LdrGetProcedureAddress (if that's enough), or use a table stored
in our code, as used in the first example (in a previous email)...