Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Modules loaded by a exe
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-14-2004, 17:35
loman
 
Posts: n/a
thanks for the info man!
Reply With Quote
  #2  
Old 05-14-2004, 22:43
volodya
 
Posts: n/a
Sorry, but the method above is suxx. Too easy to fool. If you want to create sth really useful, you stick to NT+ architecture. Go search for "PEB_LDR_DATA". This is what you need.
Reply With Quote
  #3  
Old 05-14-2004, 22:50
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
  
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 971
Rept. Given: 70
Rept. Rcvd 431 Times in 101 Posts
Thanks Given: 83
Thanks Rcvd at 405 Times in 127 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
humm..that undocumented things are supported through different OSs (XP,2003)?
It depends on which level you want to be sure of this..the infos obtained are almost the same, isn't it?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #4  
Old 05-14-2004, 23:34
volodya
 
Posts: n/a
PEB is present starting from NT+.
The exact implementation of the structure is different. You can extract it from PDB-files using pdb-dump by de Quency.
Reply With Quote
  #5  
Old 05-15-2004, 01:04
JMI JMI is offline
Leader
  
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 98 Times in 96 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
Here's a little searching project for you all. The de Quincy article is available on "Searchlore" and his utility is available on "Sourceforge."

Regards,
__________________
JMI
Reply With Quote
  #6  
Old 05-15-2004, 01:17
phax
 
Posts: n/a
PEB detection
As opposed in a concurrent thread (initial register values), the PEB can easily be retrieved with the following (VC) C++ code:
void *PEB = NULL;
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
}
On windows 2000 it is constantly 0x7ffdf000
regards, PHaX
Reply With Quote
  #7  
Old 05-15-2004, 02:53
volodya
 
Posts: n/a
My dear JMI, no need to go to Sourceforge
http://wasm.ru/tools/21/pdbdump.zip
+ DIA SDK:
http://wasm.ru/tools/4/dia.zip
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to Patch (IL Edit) of Assembles loaded from Resource cracki General Discussion 18 01-14-2024 00:26
Olly Crash when this simple app loaded... kunam General Discussion 6 10-10-2023 21:00
Working with multiple modules when reversing maktm General Discussion 2 04-19-2015 06:46
Runtime Error R6002 - Floating point not loaded MrGneissGuy's General Discussion 1 09-14-2009 03:08
Detection/Signature for Corba/Com/Dcom/Activex Modules nulli General Discussion 2 11-27-2005 18:41


All times are GMT +8. The time now is 02:34.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )