[ASM] Shellcode retrieve Kernel32 Base Address
Well, I’ve noticed that cInvoke, coded by Cobein, isn’t working on Windows 7 because Windows 7 loads NTDLL first and then KERNEL32, so when we read Peb->InInitOrder[0]->BaseAddress it isn’t the KERNEL32 base address… it’s the NTDLL base address….
So I’ve coded this shellcode, which retrieves the K32 base address on any Windows NT system…
If you want to use this shellcode in RunPE/cInvoke/…, you just need to replace the constant called THUNK_KERNELBASE with these ASM opcodes:
8B4C2408565531C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE789295D5EC3
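As an added example (not code from the post or its author), here is a small Python scanner from the defender’s side: it flags the byte pattern of the PEB->Ldr walk that the opcodes above use (fs:[0x30], then [+0x0C] to Ldr, then one of the three list heads) and reports which loader list is walked, while ignoring a lone fs:[0x30] read. The offsets are the documented x86 PEB/PEB_LDR_DATA layout; the control buffers are constructed here.

```python
import re

# Constructed copy of the x86 opcode string published in the post above.
PAGE_SHELLCODE_HEX = (
    "8B4C2408565531C0648B70308B760C8B761C8B6E088B7E20"
    "8B3638471875F3803F6B7407803F4B7402EBE789295D5EC3"
)

# x86 _PEB_LDR_DATA list-head offsets; the third load in the chain picks one.
LDR_LISTS = {0x0C: "InLoadOrderModuleList",
             0x14: "InMemoryOrderModuleList",
             0x1C: "InInitializationOrderModuleList"}

# Two common encodings of reading the PEB pointer from the TEB:
#   64 8B /r 30       -> mov r32, fs:[r32+0x30]  (the post's shellcode uses this)
#   64 A1 30 00 00 00 -> mov eax, fs:[0x30]
PEB_READ = re.compile(rb"\x64(?:\x8B[\x40-\x7F]\x30|\xA1\x30\x00\x00\x00)")

# mov r32, [r32 + disp8]: opcode 8B, ModRM with mod=01, one displacement byte.
LOAD_DISP8 = re.compile(rb"\x8B([\x40-\x7F])(.)", re.DOTALL)


def find_peb_walks(blob: bytes, window: int = 24) -> list[dict]:
    """Report each fs:[0x30] read that is followed, within `window` bytes, by a
    [+0x0C] load (PEB->Ldr) and then a load of one of the Ldr list heads.
    A lone fs:[0x30] read (e.g. an NtGlobalFlag anti-debug check) is not reported."""
    hits = []
    for m in PEB_READ.finditer(blob):
        region = blob[m.end():m.end() + window]
        # Collect disp8 loads, skipping ModRM rm=100 (those carry a SIB byte,
        # so the byte after ModRM is not the displacement).
        disps = [lm.group(2)[0] for lm in LOAD_DISP8.finditer(region)
                 if (lm.group(1)[0] & 7) != 4]
        if 0x0C not in disps:                      # no PEB->Ldr load: not a walk
            continue
        for d in disps[disps.index(0x0C) + 1:]:
            if d in LDR_LISTS:
                hits.append({"offset": m.start(), "list": LDR_LISTS[d]})
                break
    return hits


# Constructed control buffers: a plain stdcall prologue and an anti-debug
# read of PEB->NtGlobalFlag, neither of which walks the loader lists.
BENIGN_PROLOGUE = bytes.fromhex("558BEC8B45088B4D0C03C15DC3")
NTGLOBALFLAG_READ = bytes.fromhex("64A1300000008B4068C3")

if __name__ == "__main__":
    for name, buf in [("page shellcode", bytes.fromhex(PAGE_SHELLCODE_HEX)),
                      ("benign prologue", BENIGN_PROLOGUE),
                      ("NtGlobalFlag read", NTGLOBALFLAG_READ)]:
        print(f"{name}: {find_peb_walks(buf)}")
```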
Good fix, I didn’t try it yet but I’m sure it works perfectly, no more complaints from people for a while. =]
What can I say, :)
Great Work.
Astral.
Great!
No more need to compile in p-code
Uh, spent 2 days, just can’t get it to work :(
What am I doing wrong?
http://i080.radikal.ru/1003/05/2239ad5cf962.jpg
Thanks,
Astral
You must encrypt the OPCODES with the encryption function…
Sorry, forgot to remove the encryption function for the pic; nvm, I got it working.
The problem was that it worked fine on the computer where you compiled it, but would not on other Windows Vista/Windows 7 computers. It was the encrypted strings of APICALL and KERNELBASE; if you put them in unencrypted, the problem gets solved.
So to get rid of AV detections, try some other method of hiding the string, maybe StrReverse….
Thanks again,
Astral.
Yeah, you are a master! All works well for me :D