locate the base address in a 32-bit process of NTDLL ( Use inline assembly or st
ID: 3883561 • Letter: L
Question
locate the base address in a 32-bit process of NTDLL (Use inline assembly or straight assembly (demod in class), load the value of NTDLL base into memory or a register)
The goal of part 1 is to locate the base address (i.e. image base) of NTDLL. To do this, we will utilize the FS register and a structure called the Process Environment Block (PEB). You can find more information about the PEB structure on MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx.
Use inline assembly or straight assembly (demod in class), load the value of NTDLL base into memory or a register, and print the value as proof that you were successful. For example:
(#] Found NT DLL Base at 0x776b0000Explanation / Answer
PEB structure
Contains process data.
Language structure
C++
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;
Individuals
Reserved1
Held for inward use by the working framework.
BeingDebugged
Demonstrates whether the predetermined procedure is as of now being repaired. The PEB structure, nonetheless, is an inner working framework structure whose format may change later on. It is best to utilize the CheckRemoteDebuggerPresent work.
Reserved2
Held for interior use by the working framework.
Reserved3
Held for interior use by the working framework.
Ldr
A pointer to a PEB_LDR_DATA structure that contains data about the stacked modules for the procedure.
ProcessParameters
A pointer to a RTL_USER_PROCESS_PARAMETERS structure that contains procedure parameter data, for example, the order line.
Reserved4
Held for interior use by the working framework.
Reserved5
Saved for inside use by the working framework.
PostProcessInitRoutine
Not upheld.
Reserved6
Saved for inside use by the working framework.
Reserved7
Saved for inside use by the working framework.
SessionId
The Terminal Services session identifier related with the present procedure.
Comments
The language structure for this structure on 64-bit Windows is as per the following:
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[21];
PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved3[520];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved4[136];
ULONG SessionId;
} PEB;
GCC Inline Assembly Syntax
Low level computing construct shows up in two flavors: Intel Style and AT&T style. GNU C compiler i.e. GCC utilizes AT&T sentence structure and this is the thing that we would utilize. Give us a chance to take a gander at a portion of the real contrasts of this style as against the Intel Style.
On the off chance that you are thinking about how you can utilize GCC on Windows, you can simply download Cygwin from www.cygwin.com.
1. Register Naming: Register names are prefixed with %, so enlists are %eax, %cl and so forth, rather than just eax, cl.
2. Ordering of operands: Unlike Intel tradition (first operand is goal), the request of operands is source(s) to start with, and goal last. For instance, Intel grammar "mov eax, edx" will resemble "mov %edx, %eax" in AT&T gathering.
3. Operand Size: In AT&T language structure, the span of memory operands is resolved from the last character of the operation code name. The addition is b for (8-bit) byte, w for (16-bit) word, and l for (32-bit) long. For instance, the right linguistic structure for the above direction would have been "movl %edx, %eax".
4. Immediate Operand: Immediate operands are set apart with a $ prefix, as in "addl $5, %eax", which implies add prompt long esteem 5 to enroll %eax).
5. Memory Operands: Missing operand prefix shows it is a memory-address; henceforth "movl $bar, %ebx" puts the address of variable bar into enroll %ebx, however "movl bar, %ebx" puts the substance of variable bar into enlist %ebx.
6. Indexing: Indexing or indirection is finished by encasing the file enroll or indirection memory cell address in enclosures. For instance, "movl 8(%ebp), %eax" (moves the substance at balance 8 from the cell indicated by %ebp into enlist %eax).
For all our code, we would be taking a shot at Intel x86 processors. This data is important since all directions might work with different processors.
Fundamental Inline Code
We can utilize both of the accompanying configurations for fundamental inline gathering.
asm("assembly code");
or, then again
__asm__ ("gathering code");
Case:
asm("movl %ebx, %eax");/* moves the substance of ebx enlist to eax */
__asm__("movb %ch, (%ebx)");/* moves the byte from ch to the memory pointed by ebx */
Just in the event that we have more than one get together guideline, utilize semicolon toward the finish of every direction.
It would be ideal if you allude to the case beneath
#include <stdio.h>
int primary() {
/* Add 10 and 20 and store result into enlist %eax */
__asm__ ( "movl $10, %eax;"
"movl $20, %ebx;"
"addl %ebx, %eax;"
);
/* Subtract 20 from 10 and store result into enlist %eax */
__asm__ ( "movl $10, %eax;"
"movl $20, %ebx;"
"subl %ebx, %eax;"
);
/* Multiply 10 and 20 and store result into enlist %eax */
__asm__ ( "movl $10, %eax;"
"movl $20, %ebx;"
"imull %ebx, %eax;"
);
return 0 ;
}
Arrange it utilizing "- g" choice of GNU C compiler "gcc" to continue troubleshooting data with the executable and after that utilizing GNU Debugger "gdb" to review the substance of CPU registers.
Broadened Assembly
In broadened get together, we can likewise determine the operands. It enables us to determine the info registers, yield registers and a rundown of clobbered registers.
asm ( "get together code"
: yield operands/* discretionary */
: input operands/* discretionary */
: rundown of clobbered registers/* discretionary */
);
On the off chance that there are no yield operands however there are input operands, we should put two continuous colons encompassing where the yield operands would go.
It is not required to determine the rundown of clobbered registers to utilize, we can leave that to GCC and GCC's advancement conspire do the needful.
Case
asm ("movl %%eax, %0;" : "=r" ( val ));
In this case, the variable "val" is kept in an enroll, the incentive in enlist eax is replicated onto that enlist, and the estimation of "val" is refreshed into the memory from this enlist.
At the point when the "r" requirement is determined, gcc may keep the variable in any of the accessible General Purpose Registers. We can likewise determine the enroll names specifically by utilizing particular enlist limitations.
The enlist limitations are as per the following :
r Register(s)
--------------------------------
a %eax, %ax, %al
b %ebx, %bx, %bl
c %ecx, %cx, %cl
d %edx, %dx, %dl
S %esi, %si
D %edi, %di
Related Questions
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.