Author Topic: [Delphi] ExGetmoduleHandle 32-64 bit  (Read 7439 times)

meong
« on: October 08, 2011, 06:22:04 AM »
Just test-coded a crypter in XE2 (64-bit). Because in 64-bit the PEB location moved and sizeof pointer is 8, some PEB-walking code fails and you will get an error :D.

Btw, here you go: an alternative GetModuleHandle compatible with 32- and 64-bit PE (XE2).

Code:
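// Returns the address of PEB_LDR_DATA for the current process.
function GetLdr:Pointer; stdcall;
asm
{$IFDEF CPUX86}
  xor   eax, eax
  mov   eax, fs:[eax+$18] // TEB (NT_TIB.Self)
  mov   eax, [eax+$30]    // PEB (TEB.ProcessEnvironmentBlock)
  mov   eax, [eax+$0C]    // PEB.Ldr
{$ELSE}
  xor   rax, rax
  mov   rax, gs:[rax+$30] // TEB (NT_TIB.Self)
  mov   rax, [rax+$60]    // PEB (TEB.ProcessEnvironmentBlock)
  mov   rax, [rax+$18]    // PEB.Ldr
{$ENDIF}
end;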

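// Walks InMemoryOrderModuleList and returns DllBase of the entry whose
// BaseDllName equals name, or 0 if none matches. StrComp (SysUtils) is
// case-sensitive, unlike GetModuleHandle.
function ExGetmoduleHandle(name: PWideChar): THANDLE;
var
  x, f, cur  : NativeUint;
begin
  result := 0;
  // Address of PEB_LDR_DATA
  x := NativeUint(GetLdr);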
{$IFDEF CPUX86}
  //InMemoryOrderModuleList
  f := x+$14; 
  //InMemoryOrderModuleList.Flink
  cur := PNativeUint(f)^;
  while (cur <> f) do begin
    x := cur - $8;
    //BaseDllName
    if (StrComp(PWideChar(PNativeUint(x+$30)^), name) = 0) then begin
      //DllBase
      result := PNativeUint(x+$18)^;
      exit;
    end;
    cur := PNativeUint(cur)^;
  end;
{$ELSE}
  //InMemoryOrderModuleList
  f := x+$20;
  //InMemoryOrderModuleList.Flink
  cur := PNativeUint(f)^;
  while (cur <> f) do begin
    x := cur - $10;
    //BaseDllName
    if (StrComp(PWideChar(PNativeUint(x+$60)^), name) = 0) then begin
      //DllBase
      result := PNativeUint(x+$30)^;
      exit;
    end;
    cur := PNativeUint(cur)^;
  end;
{$ENDIF}
end;

Direct link: http://cybercoding.wordpress.com/2011/10/07/delphi-ex-getmodulehandle-32-64-bit/
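
For anyone reading this stub in a disassembler, the hard-coded constants in the post fall straight out of the structure layouts once the pointer size changes from 4 to 8. The following is an added example, not part of the original post: it recomputes every offset used above from field lists, which are an assumption based on the publicly available ntdll type layouts (the `layout` and `page_offsets` helpers and the dictionary keys are hypothetical names).

```python
# Added example. Field lists follow the publicly available layouts of the
# Windows loader structures (assumption, not from the post). "P" = pointer-sized.
LIST_ENTRY = [("Flink", "P"), ("Blink", "P")]
UNICODE_STRING = [("Length", 2), ("MaximumLength", 2), ("Buffer", "P")]
NT_TIB = [("ExceptionList", "P"), ("StackBase", "P"), ("StackLimit", "P"),
          ("SubSystemTib", "P"), ("FiberData", "P"),
          ("ArbitraryUserPointer", "P"), ("Self", "P")]
TEB = [("NtTib", NT_TIB), ("EnvironmentPointer", "P"),
       ("ClientId", [("UniqueProcess", "P"), ("UniqueThread", "P")]),
       ("ActiveRpcHandle", "P"), ("ThreadLocalStoragePointer", "P"),
       ("ProcessEnvironmentBlock", "P")]
PEB = [("InheritedAddressSpace", 1), ("ReadImageFileExecOptions", 1),
       ("BeingDebugged", 1), ("BitField", 1), ("Mutant", "P"),
       ("ImageBaseAddress", "P"), ("Ldr", "P")]
PEB_LDR_DATA = [("Length", 4), ("Initialized", 1), ("SsHandle", "P"),
                ("InLoadOrderModuleList", LIST_ENTRY),
                ("InMemoryOrderModuleList", LIST_ENTRY)]
LDR_DATA_TABLE_ENTRY = [("InLoadOrderLinks", LIST_ENTRY),
                        ("InMemoryOrderLinks", LIST_ENTRY),
                        ("InInitializationOrderLinks", LIST_ENTRY),
                        ("DllBase", "P"), ("EntryPoint", "P"), ("SizeOfImage", 4),
                        ("FullDllName", UNICODE_STRING),
                        ("BaseDllName", UNICODE_STRING)]

def layout(fields, ptr):
    """Return ({dotted field name: offset}, size, alignment), natural alignment."""
    offsets, off, align = {}, 0, 1
    for name, ftype in fields:
        if isinstance(ftype, list):                # nested struct
            sub, fsize, falign = layout(ftype, ptr)
        else:                                      # scalar: alignment == size
            fsize = falign = ptr if ftype == "P" else ftype
            sub = {}
        off = -(-off // falign) * falign           # round up to field alignment
        offsets[name] = off
        offsets.update({f"{name}.{k}": off + v for k, v in sub.items()})
        off += fsize
        align = max(align, falign)
    return offsets, -(-off // align) * align, align

def page_offsets(ptr):
    """Recompute the constants hard-coded in the post for pointer size 4 or 8."""
    teb, peb, ldr, ent = (layout(s, ptr)[0]
                          for s in (TEB, PEB, PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY))
    return {"teb_self": teb["NtTib.Self"], "teb_peb": teb["ProcessEnvironmentBlock"],
            "peb_ldr": peb["Ldr"], "list_head": ldr["InMemoryOrderModuleList"],
            "links": ent["InMemoryOrderLinks"], "dll_base": ent["DllBase"],
            "name_buffer": ent["BaseDllName.Buffer"]}
```

`page_offsets(4)` and `page_offsets(8)` reproduce the `{$IFDEF CPUX86}` and `{$ELSE}` constants respectively; note that on 64-bit the 4-byte `SizeOfImage` is followed by padding, which is why `BaseDllName.Buffer` lands at `$60` rather than at twice `$30` minus a few bytes.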