module32first/..next don't seem to work on windows7

Technical Discussions not Related Directly to MHS. For Example, Coding, Hex Editing, General Hacking, Etc.

Moderators: g3nuin3, SpeedWing, WhiteHat

module32first/..next don't seem to work on windows7

Postby mikky » Tue Jun 01, 2010 7:06 pm

hi.
i want to make a trainer in masm. i'm stuck retrieving the module base address of a dll. in windows xp all works fine, but in windows7 do not work. i don't know why
here's the routine i use:

GetModuleBaseAddress proc iProcID:DWORD, DLLName:DWORD
LOCAL hSnap:DWORD
LOCAL xModule:MODULEENTRY32
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
mov hSnap,eax
mov xModule.dwSize, sizeof xModule
invoke Module32First, hSnap, addr xModule
test eax, eax
jnz getdll
mov eax, 0
ret
getdll:
invoke Module32Next, hSnap, addr xModule
test eax, eax
jnz checkdll
mov eax, 0
ret
checkdll:
invoke lstrcmpi, DLLName, addr xModule.szModule
test eax, eax
jnz getdll
mov eax, xModule.modBaseAddr
ret
GetModuleBaseAddress endp


i tried to set the SeDebugPrivilege, but still the routine puts 0 in eax(no success). what could be the cause?
mikky
I Have A Few Questions
 
Posts: 2
Joined: Tue Jun 01, 2010 6:59 pm

Re: module32first/..next don't seem to work on windows7

Postby denispn » Wed Jun 09, 2010 8:01 am

Hi, I also need to get the module base address of a dll in memory.

I want to create the pointer bellow, but every time i start the process, Engine.dll is in a different memory address.
[[[[Engine.dll+0x002B1B98]+0xB8]+0x24]+0xDC]+0x3DC

Using (coded in fasm):

Code: Select all
invoke GetModuleHandleA,Name_of_DLL
        mov     [BaseAddress],eax


Does not work. Please, help.

Thanks,
ctl3d32
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am

Re: module32first/..next don't seem to work on windows7

Postby L. Spiro » Wed Jun 09, 2010 1:10 pm

mikky wrote:hi.
i want to make a trainer in masm. i'm stuck retrieving the module base address of a dll. in windows xp all works fine, but in windows7 do not work. i don't know why
here's the routine i use:

GetModuleBaseAddress proc iProcID:DWORD, DLLName:DWORD
LOCAL hSnap:DWORD
LOCAL xModule:MODULEENTRY32
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
mov hSnap,eax
mov xModule.dwSize, sizeof xModule
invoke Module32First, hSnap, addr xModule
test eax, eax
jnz getdll
mov eax, 0
ret
getdll:
invoke Module32Next, hSnap, addr xModule
test eax, eax
jnz checkdll
mov eax, 0
ret
checkdll:
invoke lstrcmpi, DLLName, addr xModule.szModule
test eax, eax
jnz getdll
mov eax, xModule.modBaseAddr
ret
GetModuleBaseAddress endp


i tried to set the SeDebugPrivilege, but still the routine puts 0 in eax(no success). what could be the cause?



#1:
You skipped the very first module, which is always the module of the target process itself. You never compared the string returned by Module32First().

#2:
lstrcmpi() does not accept a DWORD and a TCHAR *. It accepts a TCHAR * and a TCHAR *.
Even if “DWORD” is just to indicate the size of the data, pointers are not sizeof( DWORD ), they are sizeof( UINT_PTR ).
viewtopic.php?f=30&t=5519


denispn, that code would only work if your code is injected into the target process itself.
Assuming it is, there is no problem with the code you posted, except for using GetModuleHandleA() instead of GetModuleHandleW().


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: module32first/..next don't seem to work on windows7

Postby denispn » Wed Jun 09, 2010 11:55 pm

Hi!

Didn't get it.

I'm writting a .dll to inject into a game process, but the .exe of the game calls Engine.dll, and it's address in memory is used in the pointer i wrote before. How do i get the base address of Engine.dll.

When i use "call GetModuleHandle("Engine.dll")", it returns me an address that is not the address of Engine.dll in memory, but of my own .dll.

Thanks
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am

Re: module32first/..next don't seem to work on windows7

Postby L. Spiro » Thu Jun 10, 2010 8:43 am

Walk the modules as shown above in mikky’s code (with corrections).


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan


Return to Technical Unrelated

Who is online

Users browsing this forum: No registered users and 0 guests

cron