____________________________________________________________________________________________
...:: Get da Kernel Base via Hardcodeing in Win32 ::..
- by DiA /auXnet -
[GermanY]
____________________________________________________________________________________________
+++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+I am NOT responsible for any damage that you do! You can need the code however you want...+
+My motherlanguage is not English, I hope you understand what I mean. +
+Feel FREE to write any Comments to +
+ DiA_hates_machine@gmx.de +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.............................................
. .
. Index: _1_ : What the fuck is Hardcoded .
. .
. _2_ : Some Kernel Bases .
. .
. _3_ : How to check Kernel Bases .
. .
. _4_ : Some Example Code .
. .
. _5_ : The End .
. .
.............................................
*** _1_ : What the fuck is Hardcoded ***
Hardcoding is da simplest way to get da Kernel Base! All WindowZ Versions (9x, ME, ...)
has another Kernel Base in Memory. So we check all known Bases and when we get it we have da
Kernel! Simply...
*** _2_ : Some Kernel Bases ***
See up, I describe that all WindowZ Versions had another Kernel Base. So here are are
the Bases for Win9x (Win95 & Win98), WinME (MelleniumEdition):
Win9x : 0BFF70000h
WinME : 0BFF60000h (in Memory)
*** _3_ : How to check Kernel Bases ***
- mov da Base in ESI (or what you want)
- First we must check 'MZ' sign at first on the Base (if not check next Base oe exit)
- at address 3Ch in Kernel (memory) we must check 'PE' sign (if not check next Base or exit)
- save da Base in a Variable or Register
*** _4_ : Some Example Code ***
;-----Example Code-----Cut------------------------------------------------------------------
;-----------------------------------------------------------------hard.asm------------------
;by DiA /auXnet (c)02
.386 ;386ers +
.model flat
jumps
;-----Needed API's--------------------------------------------------------------------------
extrn MessageBoxA:PROC ;needed API's to show that we have a Kernel (or not)
extrn ExitProcess:PROC ;to return
;-------------------------------------------------------------------------------------------
;-----Define some Kernel Bases--------------------------------------------------------------
Win9x equ 0BFF70000h ;better to understand
WinME equ 0BFF60000h
;-------------------------------------------------------------------------------------------
;-----Some Data's---------------------------------------------------------------------------
.data ;needed by TASM
oTitle db 'Get Kernel Base by DiA /auXnet',0
oMsgGood db 'We got the Kernel Base',0
oMsgBad db 'No Kernel Found',0
Kernel dd 0 ;here we save da Kernel Base
;-------------------------------------------------------------------------------------------
;-----Here Startz the Code------------------------------------------------------------------
.code
start: ;Rock 'n Roll
;-------------------------------------------------------------------------------------------
;-----Check Win95 & Win98 Base--------------------------------------------------------------
mov esi,Win9x ;define, see up
call CheckBase ;call the procedure
;-------------------------------------------------------------------------------------------
;-----Check WinME Base----------------------------------------------------------------------
mov esi,WinME
call CheckBase
;-------------------------------------------------------------------------------------------
;-----Show a BAD Message--------------------------------------------------------------------
mov edx,offset oMsgBad ;if we are here we have no kernel (BAD!)
call Message
jmp exit ;go home
;-------------------------------------------------------------------------------------------
;-----Save Base and Show a GOOD Message-----------------------------------------------------
GoodMessage:
mov dword ptr [Kernel],esi ;save da kernel
mov edx,offset oMsgGood ;good msg
call Message ;show
;-------------------------------------------------------------------------------------------
;-----Exit----------------------------------------------------------------------------------
exit:
xor eax,eax
push eax ;null
call ExitProcess ;exit
;-------------------------------------------------------------------------------------------
;-----CheckBase Procedure-------------------------------------------------------------------
CheckBase: ;procedure
cmp word ptr [esi],'ZM' ;check for MZ sign
jnz NotFound ;if not return and search next
mov edi,[esi+3Ch] ;PE
add edi,esi ;real address
cmp dword ptr [edi],'EP' ;check for PE sign
jz GoodMessage ;found!
NotFound:
ret ;search next
;-------------------------------------------------------------------------------------------
;-----Message Procedure---------------------------------------------------------------------
Message: ;procedure
mov eax,offset oTitle
xor ebx,ebx ;null
push ebx
push eax ;title
push edx ;msg
push ebx
call MessageBoxA
ret ;return
;-------------------------------------------------------------------------------------------
;-----Here it End---------------------------------------------------------------------------
end start
;-------------------------------------------------------------------------------------------
;----------------------Cut------------------------------------------------------------------
To compile it:
TASM32 /z /ml /m3 hard,,;
TLINK32 -Tpe -c hard,hard,, import.lib
Run it, and when you see the Message 'We got the Kernel Base' the Base is saved in da
Variable 'Kernel' (to use: eg mov esi,dword ptr [Kernel] )
When you see the Message 'No Kernel Found', that is not good ;) When you don't have a Base
you can't search API's (No Kernel -> No API's -> No Virus -> Fuck), but that's another story
...
*** _5_ : The End ***
I hope you understand this shit! Another way (better) to get da Kernel Base is via return
address from API 'CreateProcessA'. Maybe I describe this Method in another tuturial...
If you had any questionz or commentz FEEL FREE to send me a mail:
DiA_hates_machine@gmx.de
That's it...
cya -DiA-