
[help] Problem with offset

assembly, c++



8 replies to this topic

#1 zika (CC Regular, Member, 26 posts)

Posted 12 April 2015 - 07:02 AM

case 1:
typedef struct _PEB_LDR_DATA
{
ULONG Length; // +0x00
BOOLEAN Initialized; // +0x04
PVOID SsHandle; // +0x08
LIST_ENTRY InLoadOrderModuleList; // +0x0c
LIST_ENTRY InMemoryOrderModuleList; // +0x14
LIST_ENTRY InInitializationOrderModuleList; // +0x1c
} PEB_LDR_DATA, *PPEB_LDR_DATA; // sizeof == 0x24

case 2:
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList; // +0x00
LIST_ENTRY InMemoryOrderModuleList; // +0x08
LIST_ENTRY InInitializationOrderModuleList; // +0x10
void* BaseAddress; // +0x18
void* EntryPoint; // +0x1c
ULONG SizeOfImage; // +0x20
UNICODE_STRING FullDllName; // +0x24 (UNICODE_STRING is 8 bytes on 32-bit)
UNICODE_STRING BaseDllName; // +0x2c
ULONG Flags; // +0x34
SHORT LoadCount; // +0x38
SHORT TlsIndex; // +0x3a
HANDLE SectionHandle; // +0x3c
ULONG CheckSum; // +0x40
ULONG TimeDateStamp; // +0x44
} LDR_MODULE, *PLDR_MODULE;

case 3:
mov ebx, [fs:0x30] ; PEB
mov ebx, [ebx + 0x0C] ; PEB->Ldr
mov ebx, [ebx + 0x14] ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ebx] ; 2nd entry
mov ebx, [ebx] ; 3rd entry
mov ebx, [ebx + 0x10] ; third entry's base address (kernel32.dll); the link points into the middle of LDR_MODULE, so +0x10 from it is BaseAddress
mov [ebp+dwKernelBase], ebx

 

Look at the offsets in the code: I don't understand how he calculated them.

I've tried to sum them:

case 1: it's wrong

sizeof(ULONG) + sizeof(BOOLEAN) + sizeof(PVOID) + sizeof(LIST_ENTRY)

4 + 1 + 4 + 8 = 17 = 0x11


Edited by zika, 12 April 2015 - 07:13 AM.


#2 dargueta (I chown trolls., Moderator, 4854 posts)

Posted 12 April 2015 - 07:12 AM

What's your expected sizeof?


sudo rm -rf / && echo $'Sanitize your inputs!'


#3 zika (CC Regular, Member, 26 posts)

Posted 12 April 2015 - 08:11 AM

Hi dargueta,

Look at case 1: there is an element named "LIST_ENTRY InMemoryOrderModuleList" which I need, ok?

So in assembly, to get that element I need its offset.

Look at the code:

mov ebx, [ebx + 0x0C] ; PEB->Ldr ; in C: typedef struct _PEB_LDR_DATA

mov ebx, [ebx + 0x14] ; in C: PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)

Question is: how does he know the offset of Ldr.InMemoryOrderModuleList.Flink = 0x14??

I've tried to calculate it and my result was:

ULONG = 4 bytes

BOOLEAN = 1 byte

PVOID = 4 bytes

LIST_ENTRY = 8 bytes

So to get the 5th element I have to add up the 4 elements before it, and my result was:

1 ULONG Length; // +0x00
2 BOOLEAN Initialized; // +0x04
3 PVOID SsHandle; // +0x08
4 LIST_ENTRY InLoadOrderModuleList; // +0x0c
5 LIST_ENTRY InMemoryOrderModuleList; // +0x14
6 LIST_ENTRY InInitializationOrderModuleList; // +0x1c

so:

ULONG + BOOLEAN + PVOID + LIST_ENTRY = 17, not 20

My question is: how does he get 0x14 instead of 17 decimal??



#4 zika (CC Regular, Member, 26 posts)

Posted 12 April 2015 - 08:56 AM

But when I assume BOOLEAN = 4, everything is correct. I don't know why??



#5 dargueta (I chown trolls., Moderator, 4854 posts)

Posted 12 April 2015 - 10:16 PM   Best Answer

A boolean is usually typedef'ed as an int for performance reasons.

 

You see, memory hardware doesn't like loading from addresses that are not multiples of four. In fact sometimes they can't do it and the processor has to make two memory accesses and combine the data. If Initialized were one byte, then SsHandle would start on an address that isn't a multiple of four and trigger the above scenario I mentioned.

 

Thus, Initialized is four bytes, not one.


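The offset discussion above can be checked with the compiler instead of by hand. The following is an added example, not code from the thread: it models the 32-bit PEB_LDR_DATA with fixed-width stand-in types (ULONG and PVOID as uint32_t, BOOLEAN as uint8_t, LIST_ENTRY as two uint32_t) so the layout is identical on any host, and shows that natural alignment (3 padding bytes after Initialized, so SsHandle lands on a 4-byte boundary) puts InMemoryOrderModuleList at 0x14, while the packed layout behind the "4 + 1 + 4 + 8 = 17" sum gives 0x11. The packed variant uses the GCC/Clang `__attribute__((packed))` extension.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-width stand-ins for the 32-bit Windows types (assumption: we are
 * reproducing the x86 layout, so a pointer is stored as a 4-byte integer). */
typedef uint32_t ULONG32_T;
typedef uint8_t  BOOLEAN8_T;                                  /* 1 byte   */
typedef uint32_t PVOID32_T;                                   /* 4 bytes  */
typedef struct { PVOID32_T Flink, Blink; } LIST_ENTRY32_T;    /* 8 bytes  */

/* Natural alignment: each member starts on a multiple of its own size,
 * so the compiler inserts 3 padding bytes after Initialized. */
typedef struct {
    ULONG32_T      Length;                          /* +0x00 */
    BOOLEAN8_T     Initialized;                     /* +0x04, then 3 pad bytes */
    PVOID32_T      SsHandle;                        /* +0x08 */
    LIST_ENTRY32_T InLoadOrderModuleList;           /* +0x0c */
    LIST_ENTRY32_T InMemoryOrderModuleList;         /* +0x14 */
    LIST_ENTRY32_T InInitializationOrderModuleList; /* +0x1c */
} PEB_LDR_DATA32_T;                                 /* sizeof == 0x24 */

/* Same members, no padding: the layout the byte-by-byte sum assumes.
 * This is NOT how the OS lays the structure out. */
typedef struct __attribute__((packed)) {
    ULONG32_T      Length;
    BOOLEAN8_T     Initialized;
    PVOID32_T      SsHandle;
    LIST_ENTRY32_T InLoadOrderModuleList;
    LIST_ENTRY32_T InMemoryOrderModuleList;
    LIST_ENTRY32_T InInitializationOrderModuleList;
} PEB_LDR_DATA32_PACKED_T;

size_t in_memory_order_offset_natural(void) {
    return offsetof(PEB_LDR_DATA32_T, InMemoryOrderModuleList);        /* 0x14 */
}
size_t in_memory_order_offset_packed(void) {
    return offsetof(PEB_LDR_DATA32_PACKED_T, InMemoryOrderModuleList); /* 0x11 */
}
size_t padding_after_initialized(void) {          /* bytes the compiler inserts */
    return offsetof(PEB_LDR_DATA32_T, SsHandle)
         - offsetof(PEB_LDR_DATA32_T, Initialized) - sizeof(BOOLEAN8_T); /* 3 */
}
size_t natural_size(void) { return sizeof(PEB_LDR_DATA32_T); }          /* 0x24 */

int main(void) {
    printf("natural: InMemoryOrderModuleList at +0x%02zx, sizeof 0x%02zx\n",
           in_memory_order_offset_natural(), natural_size());
    printf("packed:  InMemoryOrderModuleList at +0x%02zx (the hand-summed value)\n",
           in_memory_order_offset_packed());
    return 0;
}
```

The same rule explains why a tool reading these structures from another process must use the compiler's offsets (offsetof, or the debugger's type information) rather than a sum of member sizes.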


#6 zika (CC Regular, Member, 26 posts)

Posted 12 April 2015 - 11:23 PM

Yeah, that's what I think too.

Thanks Mr dargueta, I've spent the whole day trying to work out how he did it, and I think what you said is right, because int = 4, and when boolean = 4 everything works correctly.

Mr dargueta, take this :)



#7 dargueta (I chown trolls., Moderator, 4854 posts)

Posted 12 April 2015 - 11:28 PM

Always happy to help.  :)




#8 zika (CC Regular, Member, 26 posts)

Posted 13 April 2015 - 12:13 AM

Another proof you are right, Mr dargueta.

I've calculated all the struct sizes and guess what?? Look at the picture:

[image: SAk0Wk9.jpg]

Thanks Mr dargueta



#9 dargueta (I chown trolls., Moderator, 4854 posts)

Posted 14 April 2015 - 08:56 AM

You're most welcome.  :)

