
Get Kernel Base Address

First off, I would like to thank batfitch; he handed me the working ASM to do this and gave me good feedback.
I have had many problems porting other kernel-walking functions to VB, but this one works perfectly.

Tested on Vista and XP SP2.

'---------------------------------------------------------------------------------------
' Module      : cKrnlBase
' DateTime    : 23/04/2009 15:44
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Get Kernel32 Base Address, Tested on XP and Vista
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Credits    :  batfitch sent me the ASM to do this, I just ported it to work in VB.
'
' History     : 23/04/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
'  mov ecx, dword [esp+08h]
'  mov eax,30h
'  mov eax, [fs:eax]
'  mov eax, [eax+0Ch]
'  mov eax, [eax+1Ch]
'  mov eax, [eax]
'  mov eax, [eax+08h]
'  mov dword[ecx],eax
'  xor eax,eax
'  ret 16
'---------------------------------------------------------------------------------------
Option Explicit

' RtlMoveMemory, used both to read raw memory (the object's vtable
' pointer and one of its slots) and to overwrite a vtable slot.
Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)

' Cached kernel32 base address, filled in once by Class_Initialize and
' read back through GetBaseAddress.
Private c_lKrnl     As Long

Public Function DoNotCall() As Long
' Placeholder whose vtable slot (vtable + &H1C) Class_Initialize
' temporarily redirects to the decoded machine-code buffer; calling it
' then runs that code, and its return value becomes the kernel32 base.
' Never call it directly, and keep it the first public procedure in the
' module: the &H1C offset assumes it occupies the first user slot after
' the IUnknown/IDispatch entries (presumably 7 slots - confirm if the
' class layout changes).
End Function

Public Function GetBaseAddress() As Long
' Returns the kernel32 base address that Class_Initialize cached in
' c_lKrnl (the raw Long returned by the machine code, unvalidated).
    Dim lBase As Long
    lBase = c_lKrnl
    GetBaseAddress = lBase
End Function

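Private Sub Class_Initialize()
' Resolves the kernel32 base address at construction time and caches it
' in c_lKrnl for GetBaseAddress.
'
' How it works:
'   1. Read the object's vtable pointer (first 4 bytes of the instance).
'   2. The slot at vtable + &H1C holds the address of the first public
'      method, DoNotCall (the 7 preceding slots are presumably the
'      IUnknown/IDispatch entries - confirm before changing the layout).
'   3. Save that slot, point it at the decoded machine-code buffer, call
'      DoNotCall so the buffer runs in its place, then restore the slot.
'
' The machine code (listed in the module header) appears to read the PEB
' via fs:[30h], follow Ldr (+0Ch) to the initialization-order module list
' (+1Ch) and return the DllBase (+08h) of the second entry. 32-bit x86
' only: the fs:[30h] pointer and the hard-coded offsets are for 32-bit
' processes.
' NOTE(review): the second init-order entry being kernel32 is what the
' author tested on XP and Vista; the order is not guaranteed on other
' Windows versions, so verify the result on each target.
' NOTE(review): bvASM is an ordinary data buffer; executing it relies on
' DEP not being enforced for this process. If the code faults inside
' DoNotCall, the vtable slot is never restored.
    Dim i           As Long
    Dim sCode       As String
    Dim bvASM(&HFF) As Byte
    Dim lVTE        As Long
    Dim lOldVTE     As Long

    ' Address of the vtable slot that dispatches DoNotCall.
    CpyMem lVTE, ByVal ObjPtr(Me), &H4
    lVTE = lVTE + &H1C
    ' Remember the original entry so it can be restored afterwards.
    CpyMem lOldVTE, ByVal lVTE, &H4

    ' Hex encoding of the assembly in the module header (30 bytes).
    sCode = "8B4C2408B830000000648B008B400C8B401C8B008B4008890131C0C21000"

    ' Decode two hex digits per byte. Integer division "\" is used for
    ' the index; "/" yields a Double that is then coerced back to Long.
    For i = 0 To Len(sCode) - 1 Step 2
        bvASM(i \ 2) = CByte("&h" & Mid$(sCode, i + 1, 2))
    Next

    ' Redirect the slot to the buffer, invoke it, and restore the slot.
    CpyMem ByVal lVTE, VarPtr(bvASM(0)), &H4
    c_lKrnl = DoNotCall
    CpyMem ByVal lVTE, lOldVTE, &H4
End Sub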
  1. AdvancedVB01
    July 19th, 2010 at 00:46 | #1

    Why is the kernel base important to get? What do you use it for?
