These two instructions give us the base address of the module currently executing:
Hex code        Instruction
64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
To understand this properly we would need to know what the TIB (Thread Information Block) table is, but to keep it short I will show an excerpt of a process's memory, in particular its TIB:
TIB
Dump - 7FFDF000..7FFDFFFF
Address  Hex code  Decoded hex  Comments
7FFDF000 98FF1200 DD 0012FF98 ; SEH chain = 12FF98 -> {Next=0012FFB4,Handler=004091E5}
7FFDF004 00001300 DD 00130000 ; Thread's stack base = 130000
7FFDF008 00C01200 DD 0012C000 ; Thread's stack limit = 12C000
7FFDF00C 00000000 DD 00000000 ; TIB of OS/2 Subsystem = NULL
7FFDF010 001E0000 DD 00001E00 ; Fiber data = 00001E00
7FFDF014 00000000 DD 00000000 ; Arbitrary user data = 0
7FFDF018 00F0FD7F DD 7FFDF000 ; TIB linear address = 7FFDF000
7FFDF01C 00000000 DD 00000000 ; 00000000
7FFDF020 D40B0000 DD 00000BD4 ; Process ID = 00000BD4
7FFDF024 8C0F0000 DD 00000F8C ; Thread ID = 00000F8C
7FFDF028 00000000 DD 00000000 ; 00000000
7FFDF02C 482A1400 DD 00142A48 ; TLS array = 00142A48
7FFDF030 0070FD7F DD 7FFD7000 ; Process database = 7FFD7000
7FFDF034 00000000 DD 00000000 ; Thread's last error = ERROR_SUCCESS
The FS register points to the current thread's TIB; the entry at offset 30h of the table holds the linear address of the "process database" (PEB), so with
MOV EAX,DWORD PTR FS:[30]
we are storing the address of the PEB in the EAX register.
With the second instruction we instead fetch the DWORD at offset 8 of the PEB:
PEB
Dump - 7FFD7000..7FFD7FFF
Address  Hex code  Decoded hex  Comments
7FFD7000 00 DB 00 ; InheritedAddressSpace = 0
7FFD7001 00 DB 00 ; ReadImageFileExecOptions = 0
7FFD7002 01 DB 01 ; BeingDebugged = TRUE
7FFD7003 00 DB 00 ; SpareBool = FALSE
7FFD7004 FFFFFFFF DD FFFFFFFF ; Mutant = INVALID_HANDLE_VALUE
7FFD7008 00004000 DD OFFSET test1.<STRUCT ; ImageBaseAddress = 00400000
7FFD700C A01E2400 DD 00241EA0 ; LoaderData = 241EA0
7FFD7010 00000200 DD 00020000 ; ProcessParameters = 20000
7FFD7014 00000000 DD 00000000 ; SubSystemData = NULL
7FFD7018 00001400 DD 00140000 ; ProcessHeap = 00140000
7FFD701C C0E4987C DD OFFSET ntdll.7C98E4C0 ; FastPebLock = ntdll.7C98E4C0
7FFD7020 0510917C DD ntdll.RtlEnterCritica ; FastPebLockRoutine = 7C911005
7FFD7024 ED10917C DD ntdll.RtlLeaveCritica ; FastPebUnlockRoutine = 7C9110ED
7FFD7028 01000000 DD 00000001 ; EnvironmentUpdateCount = 1
7FFD702C 8029D177 DD USER32.77D12980 ; KernelCallbackTable = 77D12980
7FFD7030 00000000 DD 00000000 ; Reserved = 0
7FFD7034 00000000 DD 00000000 ; ThunksOrOptions = 0
7FFD7038 00000000 DD 00000000 ; FreeList = 0
7FFD703C 00000000 DD 00000000 ; TlsExpansionCounter = 0
7FFD7040 80E4987C DD OFFSET ntdll.7C98E480 ; TlsBitmap = ntdll.7C98E480
7FFD7044 1F000000 DD 0000001F ; TlsBitmapBits[2] = 1F
7FFD7048 00000000 DD 00000000
7FFD704C 00006F7F DD 7F6F0000 ; ReadOnlySharedMemoryBase = 7F6F0000
7FFD7050 00006F7F DD 7F6F0000 ; ReadOnlySharedMemoryHeap = 7F6F0000
7FFD7054 88066F7F DD 7F6F0688 ; ReadOnlyStaticServerData = 7F6F0688
7FFD7058 0000FB7F DD 7FFB0000 ; AnsiCodePageData = 7FFB0000
7FFD705C 0010FC7F DD 7FFC1000 ; OemCodePageData = 7FFC1000
7FFD7060 0020FD7F DD 7FFD2000 ; UnicodeCaseTableData = 7FFD2000
7FFD7064 02000000 DD 00000002 ; NumberOfProcessors = 2
7FFD7068 70000000 DD 00000070 ; NtGlobalFlag = 112.
7FFD706C 00000000 DD 00000000 ; Reserved = 0
7FFD7070 00809B07 DD 079B8000 ; CriticalSectionTimeout_Lo = 79B8000
7FFD7074 6DE8FFFF DD FFFFE86D ; CriticalSectionTimeout_Hi = -1793
7FFD7078 00001000 DD 00100000 ; HeapSegmentReserve = 1048576.
7FFD707C 00200000 DD 00002000 ; HeapSegmentCommit = 8192.
7FFD7080 00000100 DD 00010000 ; HeapDeCommitTotalFreeThreshold = 65536.
7FFD7084 00100000 DD 00001000 ; HeapDeCommitFreeBlockThreshold = 4096.
7FFD7088 04000000 DD 00000004 ; NumberOfHeaps = 4
7FFD708C 10000000 DD 00000010 ; MaximumNumberOfHeaps = 16.
7FFD7090 80DE987C DD OFFSET ntdll.7C98DE80 ; ProcessHeaps = 7C98DE80
7FFD7094 00004F00 DD 004F0000 ; GdiSharedHandleTable = 004F0000
7FFD7098 00000000 DD 00000000 ; ProcessStarterHelper = NULL
7FFD709C 14000000 DD 00000014 ; GdiDCAttributeList = 14
7FFD70A0 D8C0987C DD OFFSET ntdll.7C98C0D8 ; LoaderLock = 7C98C0D8
7FFD70A4 05000000 DD 00000005 ; OSMajorVersion = 5
7FFD70A8 01000000 DD 00000001 ; OSMinorVersion = 1
7FFD70AC 280A DW 0A28 ; OSBuildNumber = 2600.
7FFD70AE 0002 DW 200 ; OSCSDVersion = 512.
7FFD70B0 02000000 DD 00000002 ; OSPlatformId = 2
7FFD70B4 03000000 DD 00000003 ; ImageSubsystem = 3
7FFD70B8 04000000 DD 00000004 ; ImageSubsystemMajorVersion = 4
7FFD70BC 00000000 DD 00000000 ; ImageSubsystemMinorVersion = 0
7FFD70C0 00000000 DD 00000000 ; ImageProcessAffinityMask = 0
7FFD70C4 00000000 DD 00000000 ; GdiHandleBuffer[34.] = 0
In this way we have retrieved the program's ImageBaseAddress (in the dump above, the DWORD at 7FFD7008 decodes to 00400000).
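To make the walk concrete, here is an added Python example (not part of the original post) that replays the two instructions against the dump rows shown above: it parses "address raw-bytes" lines into a byte map, performs the little-endian DWORD reads for FS:[30] and [EAX+8], and returns the ImageBaseAddress. The rows are copied from the page's dumps; the FS base 7FFDF000 is the TIB address from the TIB dump.

```python
import struct

# Constructed excerpt of the two dumps shown above: "ADDRESS RAWHEXBYTES",
# exactly as they appear in the debugger's "Hex code" column. Only the rows
# needed for the walk (plus a few neighbours) are kept.
TIB_DUMP = """
7FFDF000 98FF1200
7FFDF018 00F0FD7F
7FFDF030 0070FD7F
"""
PEB_DUMP = """
7FFD7000 00
7FFD7001 00
7FFD7002 01
7FFD7003 00
7FFD7004 FFFFFFFF
7FFD7008 00004000
7FFD700C A01E2400
"""


def parse_dump(text):
    """Build a byte-addressed memory image from 'ADDRESS HEXBYTES' lines."""
    mem = {}
    for line in text.strip().splitlines():
        addr_s, raw = line.split()[:2]
        addr = int(addr_s, 16)
        for i, b in enumerate(bytes.fromhex(raw)):
            mem[addr + i] = b
    return mem


def read_dword(mem, addr):
    """DWORD PTR read: four bytes, little-endian, as the CPU decodes them."""
    try:
        raw = bytes(mem[addr + i] for i in range(4))
    except KeyError:
        raise ValueError("address %08X not present in the dump" % addr)
    return struct.unpack("<I", raw)[0]


def image_base_via_peb(mem, fs_base):
    """Emulate MOV EAX,FS:[30] ; MOV EAX,[EAX+8] against the dump."""
    peb = read_dword(mem, fs_base + 0x30)   # TIB+30h -> process database (PEB)
    return read_dword(mem, peb + 0x08)      # PEB+08h -> ImageBaseAddress


MEM = {**parse_dump(TIB_DUMP), **parse_dump(PEB_DUMP)}

if __name__ == "__main__":
    print("ImageBaseAddress = %08X" % image_base_via_peb(MEM, 0x7FFDF000))
```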