How to recover the address of the function that loaded my dll or the PE of the thread where it was loaded

Question

How to recover the address of the function that loaded my dll or the PE of the thread where it was loaded

Asked 5 years, 3 months ago

Viewed 32 times

-2

The thread that loads my DLL uses Loadlibrarya , I would like to recover the address (01145EA7) from the instruction that loads it or the PE (01C5B514) from the thread that loads it.

load dll assm:

01145EA2  PUSH 01FDE6B8                             ; /FileName = "psHook.dll"
01145EA7  CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar> ; \LoadLibraryA
01145EAD  MOV DWORD PTR DS:[230E970],EAX

PE assm:
01C5B514 CALL 01C5BA38



My DLL:

BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (VOID)hInstDLL;
    (VOID)lpvReserved;

    switch(fdwReason)
    {
            case DLL_PROCESS_ATTACH:
            hook_func();
            (CreateThread(0,0,(LPTHREAD_START_ROUTINE)&UsedTimer,0,0,NULL));
            break;

        case DLL_PROCESS_DETACH:
            FreeLibrary(hInstDLL);
            break;
    }

    return TRUE;
}

use Getmainthreadid() to indent the IP of the thread I want to recover the PE or Address base.

DWORD GetMainThreadId() {
    HANDLE  hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

    if (hThreadSnapshot == INVALID_HANDLE_VALUE) {
        WriteInConsole("Falha ao criar snapshot");
    }

    THREADENTRY32 tEntry;
    tEntry.dwSize = sizeof(THREADENTRY32);
    DWORD result = 0;
    DWORD currentPID = GetCurrentProcessId();
    for (BOOL success = Thread32First(hThreadSnapshot, &tEntry);
        !result && success && GetLastError() != ERROR_NO_MORE_FILES;
        success = Thread32Next(hThreadSnapshot, &tEntry))
    {
        if (tEntry.th32OwnerProcessID == currentPID) {
            result = tEntry.th32ThreadID;
        }
    }
    return result;
}

This is Assembly?

– Maury Developer

2019/07/26 at 21:12
DLL is in C, the code to which Voce refers yes, the solution is just below.

– Victor Costa

2019/07/26 at 21:56

1 answer

Browser other questions tagged c

You are not signed in. Login or sign up in order to post.

by Victor Costa • 1 point · Answer 1 · 2019-07-26T21:55:32+00:00

I found the solution Getmoduleinformation returns an object with the information(PE, Baseddr, Size) of a module, so just calculate the difference between Address and Addressbase;

#include "wFunc.h"
#include "wAddr.h"
#include "wInline.h"
#include <tlhelp32.h>
#include <psapi.h>

DWORD GetMainThreadId() {
    HANDLE  hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

    if (hThreadSnapshot == INVALID_HANDLE_VALUE) {
        WriteInConsole("Falha ao criar snapshot");
    }

    THREADENTRY32 tEntry;
    tEntry.dwSize = sizeof(THREADENTRY32);
    DWORD result = 0;
    DWORD currentPID = GetCurrentProcessId();
    for (BOOL success = Thread32First(hThreadSnapshot, &tEntry);
        !result && success && GetLastError() != ERROR_NO_MORE_FILES;
        success = Thread32Next(hThreadSnapshot, &tEntry))
    {
        if (tEntry.th32OwnerProcessID == currentPID) {
            result = tEntry.th32ThreadID;
        }
    }
    return result;
}
MODULEINFO GetModuleInfo(char* szModule)
{
    MODULEINFO modinfo = { 0 };
    HMODULE hModule = GetModuleHandle(szModule);
    if (hModule == 0) return modinfo;
    GetModuleInformation(GetCurrentProcess() /*Internal*/, hModule, &modinfo, sizeof(MODULEINFO));
    return modinfo;
}



BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

    (VOID)hInstDLL;
    (VOID)lpvReserved;
    WriteInConsole("PID: %p \n", GetMainThreadId());

    TCHAR szName[MAX_PATH];
    GetModuleBaseName(GetCurrentProcess(), GetModuleHandle(NULL), szName, MAX_PATH);
    WriteInConsole("Handle Name: %s \n\n", szName);

    MODULEINFO mod_Client = GetModuleInfo(szName);

    MainBaseAddr    = mod_Client.lpBaseOfDll;
    MainSizeAddr    = mod_Client.SizeOfImage;
    MainPE          = mod_Client.EntryPoint;

    WriteInConsole("PE: %p \n", MainPE);
    WriteInConsole("BASE ADDRESS: %p \n", MainBaseAddr);
    WriteInConsole("SIZE: %p \n\n", MainSizeAddr);

    WriteInConsole("Called on BETs: %p \n", (((DWORD)MainBaseAddr) + ((DWORD)0x008E8C40)));

    switch(fdwReason)
    {
            case DLL_PROCESS_ATTACH:
            hook_func();
            //(CreateThread(0,0,(LPTHREAD_START_ROUTINE)&UsedTimer,0,0,NULL));
            break;

        case DLL_PROCESS_DETACH:
            FreeLibrary(hInstDLL);
            break;
    }

    return TRUE;
}