VB 6.0 -GetProcAddress- ON Vista

[ahmadmansoor]

anybody know why GetProcAddress not work on Vista .

I have write this code :

Dim hand,APIAdd as long
hand=GetModuleHandle ("advapi32.dll")
APIAdd=GetProcAddress(hand, "RegDeleteKeyA")

on windows Xp it work very fine and I got the address of the API .
but on Vista .... I got wrong Value ..
anybody have any explanation .
Thanks ....

[Zipdecode]

hxxp://msdn.microsoft.com/en-us/vbrun/ms788708.aspx

[ahmadmansoor]

Thanks I will check it ....

I have post in other site .. and I was note that it happen just with "advapi32.dll" .

this what happen :

00402870 . E8 BFF4FFFF call Project1.00401D34 here to GetProcAddress
then Eax hold the Correct value
00402875 . FF15 28104000 call near dword ptr [<&MSVBVM60.__vbaSetSystemError>] ; MSVBVM60.__vbaSetSystemError here will
then Eax hold the unCorrect value

I have small example

[IWarez]

You can't be sure that your dll is loaded. You can call loadlibrary and it will always work. If it's already loaded nothing will happen, if not it will be. Can't be better

Edit: I noticed in your source you call loadlibrary and then call GetModuleHandle. That's unnessecary as if I remember correctly you can use the handle from loadlibrary for your call to getprocaddress.

[ahmadmansoor]

yes my friend it is unnessecary ... but I was testting both .
because the probelm make me confuse -so I use the both -

[IWarez]

I see. I tried for myself on Vista and had no problem getting the address of the function you specified. I made my own VB6 test and attached it. Your problem might be in not using 'Option Explicit' and thus using undeclared variables and variants. I highly recommend to enable it.

An additional note: You can use Exit For to exit a For..Next loop. GoTo is forbidden, even in VB6

[ahmadmansoor]

Thanks my friend ....and I am sorry for late in replay ( it's my week end ) .
anyway I couldn't stop my self from laugh ..
I have tested ur Project1.exe file and it work very fine ...and I got the right value .
very good at this point . I start the VB 6.0 load the source code and run it inside ,and Ooops i got the wrong value again ...what happen here !!!???
is there a good logical reason for that pls

My friend the best command in basic was GoTo ....
I used it in many ways ...I like this command ,it is the best .

[IWarez]

Have you tried to step through your code from inside the ide? Are you maybe passing filenames with spaces? I don't use a PC with VB6 at the moment but if I find time tomorrow I'll try to tidy up your code and look for the problem.

[IWarez]

I checked your code and made some modifications. You should check your immediate window after you press the 'Ready' button. You will see your IAT.TXT is badly formatted and sometimes your routines choke at that and try to find the wrong function or dll.

Do you have any way to modify the IAT.txt file? I suggest you use a <tab> to separate fields and use the vb command Split to get the fields. That makes your parsing much more readable and easier to debug.

Ps. I must say that when I checked your original code the address of the RegDeleteKeyA api was correct on my Vista system.

Oh
Sorry.

[ahmadmansoor]

I have installed VB6.0 then I have installed VS2008 ....could this affect ???!!!
my friend the problem that I have tested ur code ..that all .
and I have the same result .I will try to compile ur source code ,and try to see the ruselt.

note : my friend can u help me in something else .
I have got this code form my frind Nieylana in accessroot.com
this is a function to Search Memory ...but it not work with some target:
+++++++++++++++++++++++
Public Function SearchMemory(searchString As String, Address As Long, LengthToSearch As Long) As Long
Dim x As Long
Dim y As Long
Dim SearchPointer As Long
Dim NumRead As Long
Dim nextByte As String
Dim isFound As Boolean
ReDim ByteArray((Len(searchString) / 2) - 1)
ReDim ByteMask((Len(searchString) / 2) - 1)

For x = 0 To UBound(ByteArray)
nextByte = Mid(searchString, (x * 2) + 1, 2)
If nextByte <> "??" Then
ByteArray(x) = Val("&H" & nextByte)
ByteMask(x) = 0
Else
ByteMask(x) = 1
End If
Next x
ReDim MemoryArray(LengthToSearch - 1)

Call ReadProcessMemory(ByVal mvarhProc, ByVal Address, MemoryArray(0), LengthToSearch, NumRead)
If NumRead = 0 Then
Call Err.Raise(7, , "Source memory could not be read!")
End If

For SearchPointer = 0 To LengthToSearch - 1
For x = 0 To UBound(ByteArray)
If SearchPointer + x = LengthToSearch Then
isFound = False
GoTo SearchedALL
End If
If MemoryArray(SearchPointer + x) <> ByteArray(x) And ByteMask(x) <> 1 Then
isFound = False
Exit For
End If
isFound = True
Next x
If isFound = True Then Exit For
Next SearchPointer
SearchedALL:
If isFound = True Then
SearchMemory = Address + SearchPointer
Else
SearchMemory = -1
End If
End Function
++++++++++++++++++++++
can u help me to write a function to search all memory in the target ,
like in olly .
and make it search for a pattern like this
"FF15????????90E9"
the function of Nieylana do this very will ..but cann't search all memory .
I think the problem in the size of the search .
I hope u can help me in this .
Many thanks for u .

[IWarez]

Hi Ahmadmansoor,

Have you read my post?

I think I clearly noted that your IAT.Txt file is not in a valid parseable format. It doesn't contain a clear standard for the separation of fields. I also noted you should check the output in the immediate window from VB6. You will see that the dllname and the functionname sometimes are wrong because of the wrong format of the IAT.txt.

About the memory searching problem:
I'm sorry but I'm not in the position to do the coding for you. I can assist you in the VB language and point at bugs but you have to do the majority of the work. That means you have to be specific on what doesn't work.

Questions:
- What error do you get on the search function?
- Are you aware you can step through the code and look at what the value of the variables are? (F8, F9 for breakpoint)
- Do you have complete sourcecode and a target where the function fails on?

IW

Hi Dear Ahmadmansoor
Please Test This Module
Go0d Luck

i don't think that he still wants it
he wrote about it a year ago, but maybe somebody else will be have similar problem

[ahmadmansoor]

Oooo Thanks Sh4DoVV ..nice
about my problem I have solve it .... anyway many thanks for ur replay .
and I will try it on some targets ....
ps: r u the same guy on unpack and SND ?