Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- DWORD _declspec(naked) PEB_kernel32base()
- {
- __asm
- {
- push ESI
- MOV ESI, [FS:0x30] //PEB base
- MOV ESI, [ESI + 0x0C] //PEB->Ldr
- MOV ESI, [ESI + 0x1C] //PEB->Ldr.InInitOrder
- _kernel32base_next_module:
- CMP [ESI + 0x20 + 0x18], 0 //module_name[12] == 0? (unicode)
- JE _kernel32base_found_module
- MOV ESI, [ESI] //InInitOrder.flink (next module)
- JMP _kernel32base_next_module
- _kernel32base_found_module:
- MOV EAX, [ESI + 0x08] //InInitOrder.base_address
- pop ESI
- RET
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
