dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 06, 2008 9:13 am Post subject: How do you get the injected dll's processID?

If you inject a dll into a process, how would you get the process's id from inside the dll? Is there an easier method?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 06, 2008 9:15 am Post subject:

O.o thanks a lot.
Cx Master Cheater
Reputation: 0
Joined: 27 Jul 2007 Posts: 367
Posted: Wed Aug 06, 2008 11:04 am Post subject:

GetCurrentProcessId:
Code:
7C809920 >/$ 64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
7C809926 |. 8B40 20           MOV EAX,DWORD PTR DS:[EAX+20]
7C809929 \. C3                RETN
Someone explain to me how the hell that works?
_________________
armed with this small butterfly net
i will face the world alone
& never be lonely.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 06, 2008 11:10 am Post subject:

Code:
MOV EAX,DWORD PTR FS:[18]
Obtains the current process TEB block.
Code:
MOV EAX,DWORD PTR DS:[EAX+20]
Obtains the current process ID from the TEB block, stores it into EAX and returns.
Rough copy of the TEB struct:
http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
The 0x20 offset in the struct is the current process id.
_________________
- Retired.
 |
Cx Master Cheater
Reputation: 0
Joined: 27 Jul 2007 Posts: 367
Posted: Wed Aug 06, 2008 11:16 am Post subject:

Ah, cool.
Thanks!
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 06, 2008 11:21 am Post subject:

Just for shits and giggles, you can do the same thing inline like this:
Code:
#include <windows.h>

// MSVC inline asm, 32-bit x86 only. "naked": no prologue/epilogue, so EAX is
// returned exactly as the two loads leave it.
__declspec(naked) DWORD __stdcall GetProcId()
{
    _asm mov eax, dword ptr fs:[0x18]     // EAX = TEB.Self (flat address of this thread's TEB)
    _asm mov eax, dword ptr ds:[eax+0x20] // EAX = TEB.ClientId.UniqueProcess (the process id)
    _asm retn
}
 |
Cx Master Cheater
Reputation: 0
Joined: 27 Jul 2007 Posts: 367
Posted: Wed Aug 06, 2008 11:41 am Post subject:

Yeah. So I would assume GetCurrentThreadId also uses the TIB (TIB+0x24), but does GetLastError also use it (offset 0x34)?
Are there any other blocks with information like this? It's pretty interesting stuff.
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 06, 2008 5:26 pm Post subject:

Another common one would be the PEB block.
Code:
_asm mov eax, dword ptr fs:[0x18]  // EAX = TEB.Self
_asm mov eax, dword ptr [eax+0x30] // EAX = TEB.ProcessEnvironmentBlock
http://en.wikipedia.org/wiki/Process_Environment_Block
Which also has a fair amount of information. This one's commonly used for unlinking your DLL from a process's linked lists to "hide" it.
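Added example, not code from any post in this thread: a C program that pins down the offsets quoted above (TEB.Self at 0x18, process id at 0x20, thread id at 0x24, PEB pointer at 0x30, LastErrorValue at 0x34) with compile-time checks against a 32-bit TEB layout, then steps the two loads from the GetCurrentProcessId disassembly and the PEB snippet over a constructed flat memory image so the indirection through FS:[0x18] can be seen working on any host. The struct field names follow the public NT_TIB/TEB definitions; `x86_teb`, `FAKE_TEB_ADDR`, `demo_memory`, the `emu_*` functions and every value written into the fake TEB are my own, constructed for the example. The live read via `__readfsdword` is only compiled under MSVC targeting 32-bit x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit TEB head, pointers widened to uint32_t so the offsets hold on any
 * host compiler. Field names follow the public NT_TIB/TEB definitions. */
struct x86_teb {
    uint32_t ExceptionList;             /* 0x00  NT_TIB starts here */
    uint32_t StackBase;                 /* 0x04 */
    uint32_t StackLimit;                /* 0x08 */
    uint32_t SubSystemTib;              /* 0x0C */
    uint32_t FiberData;                 /* 0x10  (union with Version) */
    uint32_t ArbitraryUserPointer;      /* 0x14 */
    uint32_t Self;                      /* 0x18  flat address of this TEB */
    uint32_t EnvironmentPointer;        /* 0x1C */
    uint32_t ClientId_UniqueProcess;    /* 0x20  process id */
    uint32_t ClientId_UniqueThread;     /* 0x24  thread id */
    uint32_t ActiveRpcHandle;           /* 0x28 */
    uint32_t ThreadLocalStoragePointer; /* 0x2C */
    uint32_t ProcessEnvironmentBlock;   /* 0x30  PEB pointer */
    uint32_t LastErrorValue;            /* 0x34  what GetLastError returns */
};

/* Compile-time check that the layout reproduces the constants in the asm. */
#define TEB_OFF(f) offsetof(struct x86_teb, f)
_Static_assert(TEB_OFF(Self) == 0x18, "TEB.Self");
_Static_assert(TEB_OFF(ClientId_UniqueProcess) == 0x20, "TEB.ClientId.UniqueProcess");
_Static_assert(TEB_OFF(ClientId_UniqueThread) == 0x24, "TEB.ClientId.UniqueThread");
_Static_assert(TEB_OFF(ProcessEnvironmentBlock) == 0x30, "TEB.ProcessEnvironmentBlock");
_Static_assert(TEB_OFF(LastErrorValue) == 0x34, "TEB.LastErrorValue");

/* Flat model of a 32-bit address space. `fs_base` stands for the FS segment
 * base, which the kernel points at the running thread's TEB. */
#define MEM_SIZE      0x2000u
#define FAKE_TEB_ADDR 0x1000u   /* constructed: where the fake TEB lives */

static uint32_t rd32(const uint8_t *mem, uint32_t addr)
{
    uint32_t v;
    memcpy(&v, mem + addr, sizeof v);
    return v;
}

/* mov eax, fs:[0x18]: the FS-relative load of TEB.Self turns the
 * segment-relative access into a plain flat pointer to the TEB in EAX. */
static uint32_t teb_from_fs(const uint8_t *mem, uint32_t fs_base)
{
    return rd32(mem, fs_base + TEB_OFF(Self));
}

/* mov eax, [eax+0x20]  (GetCurrentProcessId) */
uint32_t emu_get_current_process_id(const uint8_t *mem, uint32_t fs_base)
{ return rd32(mem, teb_from_fs(mem, fs_base) + TEB_OFF(ClientId_UniqueProcess)); }
/* mov eax, [eax+0x24]  (GetCurrentThreadId) */
uint32_t emu_get_current_thread_id(const uint8_t *mem, uint32_t fs_base)
{ return rd32(mem, teb_from_fs(mem, fs_base) + TEB_OFF(ClientId_UniqueThread)); }
/* mov eax, [eax+0x30]  (PEB pointer, the second snippet in the thread) */
uint32_t emu_get_peb(const uint8_t *mem, uint32_t fs_base)
{ return rd32(mem, teb_from_fs(mem, fs_base) + TEB_OFF(ProcessEnvironmentBlock)); }
/* mov eax, [eax+0x34]  (GetLastError) */
uint32_t emu_get_last_error(const uint8_t *mem, uint32_t fs_base)
{ return rd32(mem, teb_from_fs(mem, fs_base) + TEB_OFF(LastErrorValue)); }

/* Writes a constructed TEB image. Self must hold the TEB's own address,
 * exactly as on Windows, or the first load hands back garbage. */
void build_fake_teb(uint8_t *mem, uint32_t pid, uint32_t tid, uint32_t peb, uint32_t err)
{
    struct x86_teb t;
    memset(mem, 0, MEM_SIZE);
    memset(&t, 0, sizeof t);
    t.Self = FAKE_TEB_ADDR;
    t.ClientId_UniqueProcess = pid;
    t.ClientId_UniqueThread = tid;
    t.ProcessEnvironmentBlock = peb;
    t.LastErrorValue = err;
    memcpy(mem + FAKE_TEB_ADDR, &t, sizeof t);
}

/* Sample image with constructed values (pid 0x1234, tid 0xABC, PEB at
 * 0x7FFDE000, last error 5). */
const uint8_t *demo_memory(void)
{
    static uint8_t mem[MEM_SIZE];
    build_fake_teb(mem, 0x1234, 0x0ABC, 0x7FFDE000, 5);
    return mem;
}

#if defined(_WIN32) && defined(_M_IX86) && defined(_MSC_VER)
#include <windows.h>
#include <intrin.h>
/* The real thing on 32-bit Windows: the same two loads as the disassembly. */
static DWORD live_pid_from_teb(void)
{
    const DWORD *teb = (const DWORD *)__readfsdword(0x18);
    return teb[0x20 / sizeof(DWORD)];
}
#endif

int main(void)
{
    const uint8_t *mem = demo_memory();
    printf("emulated: pid=%#x tid=%#x peb=%#x lasterror=%u\n",
           emu_get_current_process_id(mem, FAKE_TEB_ADDR),
           emu_get_current_thread_id(mem, FAKE_TEB_ADDR),
           emu_get_peb(mem, FAKE_TEB_ADDR), emu_get_last_error(mem, FAKE_TEB_ADDR));
#if defined(_WIN32) && defined(_M_IX86) && defined(_MSC_VER)
    printf("live: fs:[18]->[20]=%lu GetCurrentProcessId()=%lu\n",
           live_pid_from_teb(), GetCurrentProcessId());
#endif
    return 0;
}
```

The hard-coded 0x18/0x20/0x30 constants are the 32-bit layout only: a WoW64 process still sees this layout through FS, but a native x64 thread reaches its TEB through GS (Self at 0x30, ClientId at 0x40, the PEB pointer at 0x60, LastErrorValue at 0x68), so inline asm like the posts above must be compiled for x86 or it reads the wrong fields.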