____________________________________________________________________________________________

                 ...:: Get da Kernel Base via Hardcoding in Win32 ::..

                            - by DiA /auXnet - [GermanY]
____________________________________________________________________________________________

+++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+I am NOT responsible for any damage that you do! You can use the code however you want...+
+My mother tongue is not English, I hope you understand what I mean.                      +
+Feel FREE to write any comments to                                                       +
+                             DiA_hates_machine@gmx.de                                    +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.............................................
.                                           .
.  Index:  _1_ : What the fuck is Hardcoded .
.          _2_ : Some Kernel Bases          .
.          _3_ : How to check Kernel Bases  .
.          _4_ : Some Example Code          .
.          _5_ : The End                    .
.                                           .
.............................................


*** _1_ : What the fuck is Hardcoded ***

Hardcoding is the simplest way to get the kernel base, i.e. the address at which
KERNEL32.DLL is mapped in the process. Every Windows version (9x, ME, ...) has its own
kernel base in memory, but on a given version it is the same in every process, because
on 9x/ME kernel32 is loaded in the shared system arena above 80000000h. So we check all
the known bases one after another, and when one matches we have the kernel. Simple...


*** _2_ : Some Kernel Bases ***

As said above, every Windows version has a different kernel base. Here are the bases for
Win9x (Win95 & Win98) and WinME (Millennium Edition):

    Win9x : 0BFF70000h
    WinME : 0BFF60000h      (in memory, i.e. the image base of kernel32.dll)

Caveat: these addresses only make sense on 9x/ME. On the NT family (NT4, 2000, XP)
kernel32 is mapped somewhere in the 77xxxxxxh range, and everything above 80000000h is
kernel space, so a user-mode read from 0BFF70000h raises an access violation and the
process is killed before it ever gets to "check the next base". If the code may run
there, guard the reads with SEH or check the Windows version first.


*** _3_ : How to check Kernel Bases ***

- Put the base in ESI (or whatever register you want).
- First check for the 'MZ' signature at the very start of the base (the DOS header).
  If it is not there, check the next base or exit.
- At offset 3Ch from the base sits e_lfanew, the offset of the PE header relative to the
  base. Add it to the base and check for the 'PE' signature at that address. If it is not
  there, check the next base or exit.
- Save the base in a variable or register.

Byte order note: "MZ" in memory is the bytes 4Dh 5Ah, which read as a little-endian word
is 5A4Dh, and TASM spells that word constant 'ZM'. Likewise "PE",0,0 is the dword
00004550h, written 'EP'.


*** _4_ : Some Example Code ***

;-----Example Code-----Cut------------------------------------------------------------------
;-----------------------------------------------------------------hard.asm------------------
;by DiA /auXnet (c)02

.386                                    ;386 or later
.model flat
jumps                                   ;TASM: widen out-of-range short jumps automatically

;-----Needed API's--------------------------------------------------------------------------
extrn MessageBoxA:PROC                  ;to show whether we have a kernel (or not)
extrn ExitProcess:PROC                  ;to return to the system
;-------------------------------------------------------------------------------------------

;-----Define some Kernel Bases--------------------------------------------------------------
Win9x   equ 0BFF70000h                  ;Win95 & Win98
WinME   equ 0BFF60000h                  ;Windows ME
;-------------------------------------------------------------------------------------------

;-----Some Data's---------------------------------------------------------------------------
.data                                   ;needed by TASM
oTitle   db 'Get Kernel Base by DiA /auXnet',0
oMsgGood db 'We got the Kernel Base',0
oMsgBad  db 'No Kernel Found',0
Kernel   dd 0                           ;here we save the kernel base
;-------------------------------------------------------------------------------------------

;-----Here Startz the Code------------------------------------------------------------------
.code
start:                                  ;Rock 'n Roll
;-------------------------------------------------------------------------------------------

;-----Check Win95 & Win98 Base--------------------------------------------------------------
        mov     esi,Win9x               ;candidate base, see above
        call    CheckBase               ;ZF set on return = 'MZ' and 'PE' found
        jz      GoodMessage
;-------------------------------------------------------------------------------------------

;-----Check WinME Base----------------------------------------------------------------------
        mov     esi,WinME
        call    CheckBase
        jz      GoodMessage
;-------------------------------------------------------------------------------------------

;-----Show a BAD Message--------------------------------------------------------------------
        mov     edx,offset oMsgBad      ;if we are here we have no kernel (BAD!)
        call    Message
        jmp     exit                    ;go home
;-------------------------------------------------------------------------------------------

;-----Save Base and Show a GOOD Message-----------------------------------------------------
GoodMessage:
        mov     dword ptr [Kernel],esi  ;save the kernel base
        mov     edx,offset oMsgGood     ;good msg
        call    Message                 ;show it
;-------------------------------------------------------------------------------------------

;-----Exit----------------------------------------------------------------------------------
exit:
        xor     eax,eax
        push    eax                     ;exit code 0
        call    ExitProcess             ;ExitProcess(0)
;-------------------------------------------------------------------------------------------

;-----CheckBase Procedure-------------------------------------------------------------------
; in:  ESI = candidate base
; out: ZF set if ESI points at an 'MZ' header whose e_lfanew points at 'PE'
;      (always returns via ret, so no stale return address is left on the stack)
CheckBase:
        cmp     word ptr [esi],'ZM'     ;'MZ' as little-endian word (5A4Dh)
        jnz     CheckDone               ;no DOS header -> ZF clear, caller tries the next base
        mov     edi,[esi+3Ch]           ;e_lfanew: offset of the PE header
        add     edi,esi                 ;make it an absolute address
        cmp     dword ptr [edi],'EP'    ;'PE',0,0 as little-endian dword (00004550h)
CheckDone:
        ret                             ;ZF tells the caller the result
;-------------------------------------------------------------------------------------------

;-----Message Procedure---------------------------------------------------------------------
; in:  EDX = message text; shows MessageBoxA(NULL, EDX, oTitle, MB_OK)
Message:
        mov     eax,offset oTitle
        xor     ebx,ebx                 ;null
        push    ebx                     ;uType     = MB_OK (0)
        push    eax                     ;lpCaption = title
        push    edx                     ;lpText    = msg
        push    ebx                     ;hWnd      = NULL
        call    MessageBoxA
        ret                             ;return
;-------------------------------------------------------------------------------------------

;-----Here it Ends--------------------------------------------------------------------------
end start
;-------------------------------------------------------------------------------------------
;----------------------Cut------------------------------------------------------------------

To compile it:

    TASM32 /z /ml /m3 hard,,;
    TLINK32 -Tpe -c hard,hard,, import32.lib

Run it. When you see the message 'We got the Kernel Base', the base is saved in the
variable 'Kernel' (to use it: e.g. mov esi,dword ptr [Kernel]). When you see the message
'No Kernel Found', that is not good ;) Without a base you can't search for APIs
(no kernel -> no APIs -> no virus -> fuck), but that's another story...


*** _5_ : The End ***

I hope you understood this shit! Another (better) way to get the kernel base is via the
return address of the API 'CreateProcessA'. Maybe I'll describe that method in another
tutorial...

If you have any questions or comments, FEEL FREE to send me a mail:

    DiA_hates_machine@gmx.de

That's it... cya

-DiA-
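The 'MZ' / 'PE' check from sections 3 and 4, written out in C as an added example (this is
not DiA's code and not part of the original text). Instead of dereferencing the raw
addresses, which would fault on an NT-family Windows or on any non-Windows host, each
candidate base is paired with a constructed in-memory image standing in for the bytes that
would live there, so the whole thing runs offline. It also bounds-checks e_lfanew before
following it, a check the TASM version does not have; the image contents, lengths and the
`img_*` / `struct candidate` names are all assumptions made for this example.

```c
/* Added example (not DiA's code): the hardcoded-base check in C, run against
 * constructed in-memory images instead of raw addresses, so it runs offline
 * and never faults the way a blind read of 0BFF70000h would on NT. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MZ_SIG       0x5A4Du      /* bytes "MZ" as a little-endian word; TASM writes 'ZM'     */
#define PE_SIG       0x00004550u  /* bytes "PE\0\0" as a little-endian dword; TASM writes 'EP' */
#define E_LFANEW_OFF 0x3Cu        /* offset of e_lfanew in the DOS header                      */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if [img, img+len) starts with a DOS header whose e_lfanew points, inside
 * the region, at a PE signature; 0 otherwise. */
int looks_like_pe(const uint8_t *img, size_t len)
{
    if (len < E_LFANEW_OFF + 4)
        return 0;
    if (rd16(img) != MZ_SIG)                        /* cmp word ptr [esi],'ZM'   */
        return 0;
    uint32_t e_lfanew = rd32(img + E_LFANEW_OFF);   /* mov edi,[esi+3Ch]         */
    if (e_lfanew > len - 4)                         /* extra: the asm derefs blindly */
        return 0;
    return rd32(img + e_lfanew) == PE_SIG;          /* cmp dword ptr [edi],'EP'  */
}

/* One entry of the hardcoded table: the address we would try on a real 9x box
 * and the (constructed) bytes standing in for what lives there. */
struct candidate {
    uint32_t       address;
    const uint8_t *image;
    size_t         len;
};

/* Mirrors the main loop of hard.asm: try each base in order and return the
 * first one that passes; 0 means "No Kernel Found". */
uint32_t find_kernel_base(const struct candidate *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (looks_like_pe(tab[i].image, tab[i].len))
            return tab[i].address;
    return 0;
}

/* Constructed sample images (assumed for this example, not real kernel32 dumps). */
#define IMG_LEN 0x80u
uint8_t img_good[IMG_LEN], img_no_mz[IMG_LEN], img_no_pe[IMG_LEN], img_bad_lfanew[IMG_LEN];

static void build_image(uint8_t *img, int with_mz, uint32_t lfanew, int with_pe)
{
    memset(img, 0xCC, IMG_LEN);                     /* filler that matches neither signature */
    if (with_mz) { img[0] = 'M'; img[1] = 'Z'; }
    img[E_LFANEW_OFF + 0] = (uint8_t)(lfanew);
    img[E_LFANEW_OFF + 1] = (uint8_t)(lfanew >> 8);
    img[E_LFANEW_OFF + 2] = (uint8_t)(lfanew >> 16);
    img[E_LFANEW_OFF + 3] = (uint8_t)(lfanew >> 24);
    if (with_pe && lfanew <= IMG_LEN - 4) {         /* only write "PE\0\0" if it fits */
        img[lfanew] = 'P'; img[lfanew + 1] = 'E';
        img[lfanew + 2] = 0; img[lfanew + 3] = 0;
    }
}

void setup_images(void)
{
    build_image(img_good,       1, 0x40,        1);  /* DOS header + PE header: accepted     */
    build_image(img_no_mz,      0, 0x40,        1);  /* 'PE' present but no 'MZ': rejected   */
    build_image(img_no_pe,      1, 0x40,        0);  /* 'MZ' but e_lfanew points at junk     */
    build_image(img_bad_lfanew, 1, 0xFFFFFFF0u, 1);  /* 'MZ' but e_lfanew runs off the end   */
}

/* Scenario: the Win9x slot holds junk, the WinME slot holds a valid header. */
uint32_t demo(void)
{
    setup_images();
    struct candidate tab[] = {
        { 0xBFF70000u, img_no_mz, IMG_LEN },   /* Win9x */
        { 0xBFF60000u, img_good,  IMG_LEN },   /* WinME */
    };
    return find_kernel_base(tab, sizeof tab / sizeof tab[0]);
}

int main(void)
{
    uint32_t base = demo();
    if (base)
        printf("We got the Kernel Base: %08Xh\n", (unsigned)base);
    else
        printf("No Kernel Found\n");
    return 0;
}
```

The `img_bad_lfanew` case is the one the asm gets wrong: an 'MZ' at the base is enough for
it to add e_lfanew to ESI and read from wherever that lands, so a page that merely starts
with 4Dh 5Ah can send the read far outside the image. Clamping e_lfanew to the mapped region
first costs one compare.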