How can I dynamically call LoadLibraryA directly from assembly (x86)? Currently LoadLibraryA is located at 0x76fc57c0 in my process. I could call LoadLibraryA statically using:
mov eax, 76fc57c0h ; absolute address of LoadLibraryA as observed in one process; not stable under ASLR
call eax ; only works while that hard-coded address is still where LoadLibraryA lives
But with ASLR in place that address changes across reboots, so this is not stable. Is there a dynamic way to determine the memory address of LoadLibraryA?
I'm a bit new to Windows assembly programming, but these are the steps I follow to find LoadLibraryA:
1 - Find the base address of kernel32.dll using the PEB
2 - Find GetProcAddress by scanning kernel32's export name table
3 - Finally call GetProcAddress(kernel32_base, "LoadLibraryA"), where kernel32_base is the value found in step 1 (the same value GetModuleHandle(TEXT("kernel32.dll")) would return).
;-----------------------------------------------------------------------
; FindKernel32Base -- locate kernel32.dll through the PEB loader lists.
; Syntax: NASM, 32-bit Windows.
; In:    ebx = 0 (caller zeroes it; [fs:ebx+0x30] is the PEB)
; Out:   eax = base address of the matching module
;        esi = pointer to that module's name (UTF-16)
;        edi = the list entry *after* the match (already advanced)
; Clobb: eax, esi, edi, flags
;
; Walks the module list hanging off Ldr+0x1c (presumably the
; InInitializationOrder list -- verify against the PEB_LDR_DATA layout of
; the target) and accepts the first entry whose name has '3' as its 7th
; UTF-16 code unit (byte offset 12), which is "kernel32.dll"[6].
; NOTE(review): this is a one-character heuristic, not a name compare;
; any module with '3' at that position matches, and the loop does not
; terminate on its own if no entry matches.
;-----------------------------------------------------------------------
%macro FindKernel32Base 0
        mov     edi, [fs:ebx+0x30]      ; edi = PEB (requires ebx == 0)
        mov     edi, [edi+0x0c]         ; edi = PEB->Ldr (loader data)
        mov     edi, [edi+0x1c]         ; edi = first entry of the list at Ldr+0x1c
%%next_entry:
        mov     esi, [edi+0x20]         ; esi = this entry's module name pointer
        mov     eax, [edi+0x08]         ; eax = this entry's module base
        mov     edi, [edi]              ; advance to the next entry before testing
        cmp     byte [esi+12], '3'      ; "kernel32.dll"[6] == '3' ?
        jne     %%next_entry            ; keep walking until the name matches
%endmacro
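;-----------------------------------------------------------------------
; Resolve LoadLibraryA at run time (NASM, x86, Win32 stdcall):
;   1. kernel32 base from the PEB (FindKernel32Base macro)
;   2. GetProcAddress by scanning kernel32's export name table
;   3. GetProcAddress(kernel32_base, "LoadLibraryA")
; Register roles:
;   ebx = 0 throughout (feeds FindKernel32Base and is a zero source)
;   eax = kernel32 base until the final call, then = LoadLibraryA
;   edx = export directory (VA)
;   edi = current export table pointer, then = GetProcAddress
;   ebp = name index, then = index into AddressOfFunctions
; Assumes a PE32 image: DataDirectory[EXPORT] is at PE header + 0x78.
; Review notes:
;   * The name scan has no bound against NumberOfNames (export dir +0x18);
;     if the name is absent it reads past the table. Tolerable for
;     shellcode, not for a general-purpose loader.
;   * The original read the ordinal one slot too far (ebp is already
;     index+1 after the loop) and then subtracted 1 from it, which only
;     gives the right function while kernel32's ordinals run consecutively.
;     Fixed below: read ordinals[index] and use it unbiased, since
;     AddressOfNameOrdinals holds direct indexes into AddressOfFunctions.
;-----------------------------------------------------------------------
        xor     ebx, ebx                ; ebx = 0 (needed by [fs:ebx+0x30])
        FindKernel32Base                ; eax = kernel32 base
        mov     edi, eax
        add     edi, [eax+0x3c]         ; edi = PE header (e_lfanew)
        mov     edx, [edi+0x78]         ; export directory RVA (PE32 layout)
        add     edx, eax                ; edx = export directory VA
        mov     edi, [edx+0x20]         ; AddressOfNames RVA
        add     edi, eax                ; edi = AddressOfNames VA
        mov     ebp, ebx                ; ebp = name index = 0
name_loop:
        mov     esi, [edi+ebp*4]        ; names[ebp] RVA
        add     esi, eax                ; esi = name VA
        inc     ebp                     ; from here on ebp = index + 1
        cmp     dword [esi], 0x50746547 ; "GetP"
        jne     name_loop
        cmp     dword [esi+8], 0x65726464 ; "ddre" -> bytes 8..11 of "GetProcAddress"
        jne     name_loop
        ; ebp = i+1 where names[i] == "GetProcAddress"
        mov     edi, [edx+0x24]         ; AddressOfNameOrdinals RVA
        add     edi, eax
        movzx   ebp, word [edi+ebp*2-2] ; ebp = ordinals[i], an unbiased index into AddressOfFunctions
        mov     edi, [edx+0x1C]         ; AddressOfFunctions RVA
        add     edi, eax
        mov     edi, [edi+ebp*4]        ; functions[ordinals[i]] RVA
        add     edi, eax                ; edi = GetProcAddress VA
        ; eax = kernel32 base, edi = GetProcAddress
        push    ebx                     ; NUL terminator (ebx is still 0; avoids the 00 bytes of push 0)
        push    0x41797261              ; "Arya"
        push    0x7262694C              ; "rbiL"
        push    0x64616F4C              ; "daoL" -> [esp] now reads "LoadLibraryA\0"
        push    esp                     ; lpProcName
        push    eax                     ; hModule = kernel32 base
        xchg    eax, esi                ; park kernel32 base in esi (callee-saved under stdcall)
        call    edi                     ; eax = GetProcAddress(kernel32, "LoadLibraryA")
        add     esp, 16                 ; drop the 16-byte name; stdcall already popped the two args
        ; eax = LoadLibraryA, esi = kernel32 base, edi = GetProcAddress (esi/edi survive the call)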
After the call, EAX holds the address of LoadLibraryA (the return value of GetProcAddress).
I hope it works for you!