OSEC

Re: Getting Base Address using the Structured Exception Handler

From: Costin Ionescu (costin.ionescufokus.fraunhofer.de)
Date: Thu Jun 26 2003 - 06:23:31 CDT


Nobody Mind wrote:

> I basically am wondering if anyone has links or can
> post a short explanation of why (not how) using the
> SEH method works for getting the base
> address of kernel32.dll and others?
> Thanks
>
Because installing a SEH means that you get execution control when your
thread causes an exception.

If you want to find the base of kernel32 you just access some pages
where you think it is (around 0xBFF70000 on Win9x, around
0x77F0000/0x77E80000 on WinNT/2K/XP). If the kernel isn't there, either
those pages are not allocated and accessing them will cause a General
Protection Fault, or the pages are allocated but there is something else
there, and you can find that out by verifying some info that is specific
to kernel32.

So when a GPF is raised the OS will pass the execution control to the
SEH handlers. And so you can probe for valid memory pages without
terminating the process and having that annoying message box
(This application has performed an illegal operation and will be
terminated).

ico
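The mechanism the reply describes, shown as an added example that is not part of the original thread: a fault handler that regains control when a probe touches an unmapped page, so the process can test addresses without being terminated. Windows SEH is not available on a POSIX build host, so this example uses the POSIX analogue (a SIGSEGV/SIGBUS handler plus sigsetjmp/siglongjmp), which is the same "handler gets control on the fault" idea. The "MZ" marker written into a constructed page stands in for the kernel32-specific check the reply mentions; the page addresses are allocated at run time rather than guessed.

```c
/* Added example: probing memory under a fault handler (POSIX analogue of SEH). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;

/* The handler plays the role of the SEH frame: the OS hands control here
 * on an access violation, and we jump back to the probe instead of dying. */
static void probe_fault_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the byte at addr can be read, 0 if reading it faults. */
int probe_readable(const void *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int readable;
    /* savemask=1 so the signal mask blocked during the handler is restored
     * when we long-jump out; otherwise a second fault would kill the process. */
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile const unsigned char *p = addr;  /* volatile: the read must happen */
        (void)*p;
        readable = 1;
    } else {
        readable = 0;                            /* we arrived here via the handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return readable;
}

/* Returns 1 if addr is readable and starts with the expected 2-byte signature.
 * This is the "verify some info specific to the module" step: a readable page
 * alone proves nothing about what lives there. */
int probe_has_signature(const void *addr, const char sig[2]) {
    const unsigned char *p = addr;
    if (!probe_readable(p) || !probe_readable(p + 1))
        return 0;
    return memcmp(p, sig, 2) == 0;
}

/* Demo fixture: one readable page carrying a constructed "MZ" marker and one
 * PROT_NONE guard page. Returns 1 when both probes behave as expected. */
int demo_probe(void) {
    long pagesize = sysconf(_SC_PAGESIZE);
    unsigned char *image = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    unsigned char *guard = mmap(NULL, pagesize, PROT_NONE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (image == MAP_FAILED || guard == MAP_FAILED)
        return -1;
    memcpy(image, "MZ", 2);   /* constructed marker, not a real PE header */

    int ok = probe_has_signature(image, "MZ")    /* mapped, right contents */
          && !probe_readable(guard)               /* mapped but inaccessible */
          && !probe_has_signature(guard, "MZ");   /* fault, so no signature */

    munmap(image, pagesize);
    munmap(guard, pagesize);
    return ok;
}

int main(void) {
    printf("probe demo: %s\n", demo_probe() == 1 ? "ok" : "FAILED");
    return 0;
}
```

The probe works because the fault is synchronous: the kernel delivers the signal to the thread that touched the page, and the handler runs before anything else, exactly as an SEH frame does on Windows. Each such fault is also an event a debugger or monitoring tool can observe, so code that probes by faulting is not silent.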