;----------------------------------------------------------------------------------
;                    Retrieve Kernel32.dll Address
;                   -------------------------------
;
;
;This is the example asm code to retrieve the Kernel32.dll address from the memory.
;It is useful when you code the Win32 virus, :p
;
;
;The code is simple and straightforward, so it should be easy enough to follow
;
;
;
;
;
;Credit goes to Lord Julus, Billy Belcebu.
;Thanks go to F-13 Labs 
;
;
;                    Disclaimer										
;                    ----------
;THIS CODE IS MEANT FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR CANNOT BE HELD
;RESPONSIBLE FOR ANY DAMAGE CAUSED DUE TO USE, MISUSE OR INABILITY TO USE THE
;SAME
;
;
;Author		:	lclee_vx
;Group		:	F-13 Labs
;Web		:	http://f13.host.sk
;Email		:	lclee_vx@yahoo.com
;
;
;


a. Example 1
;-------------------------------------
;Input   	:   esi = begin [esp]
;Output 	:   esi	= Kernel base
;-------------------------------------

;-----------------------------------------------------------------------
; GetK32 (Example 1): find the kernel32.dll image base by stepping
; backwards one byte at a time from an address inside the module until a
; PE32 header is found whose ImageBase field equals its own address.
; Syntax:  MASM, 32-bit x86, Win32 (written for the Windows versions of
;          its era; NOTE(review): on current Windows the return address at
;          process entry is not inside kernel32, so this heuristic is not
;          expected to locate it there -- verify before relying on it).
; In:      esi = address inside kernel32 ("begin [esp]" = the return
;                address read from [esp])
; Out:     esi = image base (address of the MZ header)
; Clobb:   flags; eax is saved/restored around the scan
; Risks:   the scan has no lower bound and installs no SEH frame, so once
;          it walks below the lowest mapped page the read at [esi+3ch]
;          faults and the process is terminated.  It checks neither the
;          "MZ" nor the "PE" signature -- only that e_lfanew is small and
;          that the ImageBase field matches the current address.
;-----------------------------------------------------------------------
GetK32	proc
	push	eax			; eax is scratch for the header-offset load
	
Step1:
	dec	esi			; step back one byte (byte-granular, not per page)
	mov	ax, [esi+3ch]	;ax = low word of e_lfanew (PE header offset) IF esi is an MZ header.
				; Only ax is written: the upper 16 bits of eax keep whatever the
				; caller left there and take part in the [esi+eax+34h] address below.

 	test	ax, 0f000h	; ax	= 0000 xxxx xxxx xxxx
				;      		AND
                                ; f000h	= 1111 0000 0000 0000
				; zero? = 0000 0000 0000 0000
				;
				;so, value ax < 1000h (4096d byte / 1 page) 
				;
  	jnz	Step1			; e_lfanew >= 1000h: not a plausible header, keep scanning
	cmp	esi, [esi+eax+34h]	; PE+34h = OptionalHeader.ImageBase (PE32); a real header
				; matches only when the module sits at its preferred base
	jnz	Step1			; no match: keep scanning (loops forever / faults if never found)
	pop	eax
	ret

GetK32	endp
;-----------------------------------------



b. Example 2
;----------------------------------------------------
;Input		: esi= begin [esp]
;Output		: eax= kernel base
;----------------------------------------------------

;-----------------------------------------------------------------------
; GetK32 (Example 2): find the kernel32.dll image base by stepping down
; one page (1000h) at a time, checking each probed address for an "MZ"
; header whose e_lfanew points at a "PE\0\0" signature, with the number
; of pages probed capped by K32_Limit.
; Syntax:  MASM, 32-bit x86, Win32.
; In:      esi = address inside kernel32 ("begin [esp]")
;          ebp = delta offset: K32_Limit is addressed as [ebp+K32_Limit],
;                the relocatable-code idiom where ebp holds the difference
;                between the run-time and the assembled address.  Nothing
;                here sets ebp -- presumably the caller does; verify.
; Out:     success: eax = image base, CF = 0 (the matching cmp leaves CF
;                   clear and xchg does not touch flags)
;          failure: eax = last probed address, CF = 1 (stc at WeFailed,
;                   then fall-through into the common exit)
; Clobb:   edi, esi, flags, and the K32_Limit byte in memory
; Risks:   the reads at [esi] and [edi] are unguarded (no SEH frame); if a
;          probed page or the e_lfanew target is not mapped the process
;          faults before the budget runs out.  K32_Limit is decremented in
;          place inside the code section (needs a writable code section)
;          and is never reset, so a second call starts with whatever count
;          the first one left -- the routine is not re-entrant.  esi is
;          only ever reduced by whole pages, so [esi] is a page start only
;          if the input address already was one; that is not established
;          here (NOTE(review): "begin [esp]" is a raw return address).
;-----------------------------------------------------------------------
Limit	equ     	(50000h/1000h)	; 50h pages: at most 50000h bytes (320 KiB) are probed

.code
GetK32:

__1: 	cmp	byte ptr [ebp+K32_Limit],00h	; probes left? (only the low byte of the dw counter is used)
        jz	WeFailed

       	cmp	word ptr [esi],"ZM"	; MASM packs "ZM" as 5A4Dh -> bytes 'M','Z' in memory (IMAGE_DOS_SIGNATURE)
       	jz      CheckPE

__2: 	sub     esi,1000h		; previous page
       	dec     byte ptr [ebp+K32_Limit]	; consume one probe (run-time write into the code section)
       	jmp     __1

CheckPE:
	mov	edi,[esi+3Ch]		; edi = e_lfanew
       	add     edi,esi			; edi -> expected PE signature; offset is not range-checked
       	cmp     dword ptr [edi],"EP"	; 00004550h = "PE\0\0" (IMAGE_NT_SIGNATURE)
       	jz      WeGotK32
       	jmp     __2			; "MZ" without "PE" (stub, data, other image): keep scanning

WeFailed:
   	stc				; CF = 1 signals failure; falls into the common exit

WeGotK32:
        xchg    eax,esi			; eax = result (esi receives the caller's eax); flags unchanged
        ret

K32_Limit       dw      limit		; probe budget: declared as a word, decremented as a byte; lives in .code
;-------------------------------------------------------------
;-------------------------------------------------------------




c. Example 3
;-------------------------------------
;Input		: esi= begin [esp]
;Output		: eax= kernel base
;-------------------------------------

;-----------------------------------------------------------------------
; GetK32 (Example 3): the minimal form -- step down one page at a time
; until the probed address begins with "MZ", then return that address.
; Syntax:  MASM, 32-bit x86, Win32.
; In:      esi = address inside kernel32 ("begin [esp]")
; Out:     eax = first probed address found to start with "MZ"
; Clobb:   esi, flags
; Risks:   no probe budget, no PE-signature confirmation and no SEH frame:
;          any "MZ" at a probed address (another module, a DOS stub, plain
;          data) is accepted, and if none is hit before the scan leaves
;          mapped memory the read at [esi] faults and the process dies.
;          As in Example 2, esi only moves in whole pages, so the test
;          reaches a page start only if the input already was one -- not
;          established here.  The “ZM” literal below is printed with
;          typographic (curly) quotes; as shown it will not assemble as a
;          string constant.
;-----------------------------------------------------------------------
GetK32	proc

ScanK32:
	cmp	word ptr [esi], “ZM”	; 5A4Dh -> bytes 'M','Z' (IMAGE_DOS_SIGNATURE)?
	je	K32Found	
	sub	esi, 1000h		; previous page
	jmp	ScanK32			; unbounded: loops until a match or an unmapped read

K32Found:
	mov	eax, esi		; eax = candidate image base (unverified)
	ret

GetK32	endp
;------------------------------------------------------