Locate the kernel32.dll base address by walking the PEB loader list (reproduced from MarsStealer malware)
// This is a reproduction of the kernel32.dll base-address lookup used by the [MarsStealer](https://twitter.com/3xp0rtblog/status/1424638227160473602) malware: a PEB walk that assumes the 32-bit PEB/LDR layouts (FS:[0x30]) and relies on kernel32.dll being the third module in load order, so it is x86-only and position-based rather than name-based.
#include <Windows.h>
#include <stdio.h>
// Native-API counted string, as used by the loader for module names.
// By native-API convention Length and MaximumLength are BYTE counts (not
// character counts) and Buffer is not guaranteed to be NUL-terminated, so
// any comparison must be bounded by Length / sizeof(WCHAR).
typedef struct _UNICODE_STRING
{
USHORT Length;        // bytes in use in Buffer
USHORT MaximumLength; // bytes allocated for Buffer
PWSTR Buffer;         // UTF-16 characters, possibly unterminated
} UNICODE_STRING, * PUNICODE_STRING;
// Loader data reached through PEB->Ldr. Only the 32-bit layout is reproduced
// here: with 4-byte ULONG/BOOLEAN(+padding)/HANDLE, InLoadOrderModuleList
// sits at offset 0x0C, which is what the "[eax+C]" in main() relies on.
// The three LIST_ENTRY fields are the heads of circular lists; each node is
// the matching LIST_ENTRY embedded in an LDR_DATA_TABLE_ENTRY, so a walk that
// comes back to &InLoadOrderModuleList has wrapped around the whole list.
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;           // offset 0x0C (32-bit); head used by main()
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// One loaded module, 32-bit layout. The three LIST_ENTRY fields come first,
// so a Flink taken from PEB_LDR_DATA.InLoadOrderModuleList points at offset 0
// of this struct and can be cast to PLDR_DATA_TABLE_ENTRY directly; the
// three 8-byte LIST_ENTRYs put BaseAddress at offset 0x18, matching the
// "[eax+18]" in main(). The field names below differ from the SDK/ntdll names
// (InLoadOrderLinks, DllBase, ...) but the offsets are what the walk depends
// on. NOTE(review): ntdll declares LoadCount/TlsIndex as USHORT and has a
// union (HashLinks/SectionPointer) where SectionHandle is; the sizes are the
// same so the offsets still line up, and main() only dereferences BaseAddress.
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList;           // offset 0x00: node of PEB_LDR_DATA.InLoadOrderModuleList
LIST_ENTRY InMemoryOrderModuleList;         // offset 0x08
LIST_ENTRY InInitializationOrderModuleList; // offset 0x10
void* BaseAddress;                          // offset 0x18: image base (DllBase in ntdll)
void* EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;                 // full path
UNICODE_STRING BaseDllName;                 // file name only, e.g. kernel32.dll
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
HANDLE SectionHandle;
ULONG CheckSum;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
// Partial Process Environment Block: only the fields up to Ldr are declared,
// which is all main() reads. 32-bit layout: four BOOLEANs (0x00-0x03),
// Mutant (0x04), ImageBaseAddress (0x08), Ldr (0x0C), matching the
// "[eax+C]" in main(). The PEB itself is found at FS:[0x30] on x86; a 64-bit
// process would need GS:[0x60] and 8-byte pointers, so this struct must not
// be used in an x64 build.
typedef struct _PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN SpareBool;
HANDLE Mutant;
PVOID ImageBaseAddress;  // offset 0x08: base of the main executable
PPEB_LDR_DATA Ldr;       // offset 0x0C: loader data, start of the module walk
} PEB, * PPEB;
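// Case-insensitive compare of a loader BaseDllName against "kernel32.dll".
// UNICODE_STRING.Length is a byte count and the buffer need not be
// NUL-terminated, so the compare is bounded by Length, never by a terminator.
// Returns 1 on match, 0 otherwise (including a NULL buffer).
static int is_kernel32_name(const UNICODE_STRING *name)
{
    static const WCHAR want[] = L"kernel32.dll";
    const size_t want_chars = sizeof(want) / sizeof(want[0]) - 1;
    const size_t nchars = name->Length / sizeof(WCHAR);

    if (name->Buffer == NULL || nchars != want_chars) {
        return 0;
    }
    for (size_t i = 0; i < nchars; i++) {
        WCHAR c = name->Buffer[i];
        // Fold ASCII upper case only; module names are ASCII.
        if (c >= L'A' && c <= L'Z') {
            c = (WCHAR)(c + (L'a' - L'A'));
        }
        if (c != want[i]) {
            return 0;
        }
    }
    return 1;
}

// The structs above and __readfsdword(0x30) are the 32-bit PEB/LDR layouts;
// an x64 build would read the wrong offsets, so refuse it at compile time.
#ifdef _WIN64
#error "This reproduction uses 32-bit PEB/LDR layouts and FS:[0x30]; build it for x86."
#endif

// Locate the kernel32.dll image base the way MarsStealer does: read the PEB
// from FS:[0x30], take its loader data, and take the third node of the
// in-load-order module list (conventionally: exe, ntdll.dll, kernel32.dll).
// The walk is positional, so it is a heuristic rather than a guarantee; the
// result is therefore checked against BaseDllName before being printed, and
// the circular list is checked for wrapping back to its head so a short list
// cannot make the code read PEB_LDR_DATA as if it were a module entry.
// Returns 0 on success, 1 if the list is malformed or the node is not kernel32.
int main(void)
{
    PPEB peb = (PPEB)__readfsdword(0x30); // mov eax, fs:[30]
    PPEB_LDR_DATA ldr = peb->Ldr;         // mov eax, [eax+C]
    if (ldr == NULL) {
        fputs("PEB->Ldr is NULL\n", stderr);
        return 1;
    }

    // The list head lives inside PEB_LDR_DATA; seeing it again means the
    // list has fewer entries than the three hops below assume.
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;

    // Each LDR_DATA_TABLE_ENTRY begins with its in-load-order LIST_ENTRY, so
    // a Flink is also a pointer to the entry (no type-punning through a copy).
    PLDR_DATA_TABLE_ENTRY curr_module = (PLDR_DATA_TABLE_ENTRY)head->Flink; // mov eax, [eax+C]
    if ((const LIST_ENTRY *)curr_module == head) {
        fputs("InLoadOrderModuleList is empty\n", stderr);
        return 1;
    }

    curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink; // mov eax, [eax]
    if ((const LIST_ENTRY *)curr_module == head) {
        fputs("InLoadOrderModuleList has fewer than two entries\n", stderr);
        return 1;
    }

    curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink; // mov eax, [eax]
    if ((const LIST_ENTRY *)curr_module == head) {
        fputs("InLoadOrderModuleList has fewer than three entries\n", stderr);
        return 1;
    }

    // The malware trusts the position; confirm it before treating the base
    // as kernel32 (e.g. an injected or shimmed module can change load order).
    if (!is_kernel32_name(&curr_module->BaseDllName)) {
        fputs("third in-load-order module is not kernel32.dll\n", stderr);
        return 1;
    }

    PVOID kernel32_base_addr = curr_module->BaseAddress; // mov eax, [eax+18]
    printf("kernel32_base_addr = %p\n", kernel32_base_addr);
    return 0;
}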