MalwareSourceCode/Win32/Proof of Concepts/GetKernel32Addressx64/ReadMe.txt
vxunderground 900263ea6f updates and moves
n/a
2022-04-11 20:00:13 -05:00

15 lines
343 B
Plaintext

in x64
1.get peb from fs:[0x60] by asm file
2.get Ldr by peb
3.get kernel32 module in the third module
ntdll->kernelbase->kernel32
in x86
1.get peb from fs:[0x30] by inline asm
2.get Ldr by peb
3.get kernel32 module in the second module
ntdll->kernel32
the offset in the PEB is different from x64 and x86
This demo is only Test on Win7 x64