  1. #1
    rac1

    About finding and enumerating all the modules and their addresses (Question)

    Hello friends,

    I would like to write a program that detects hooked APIs, but I need to find the in-process addresses of these modules.

    For example this code is useful if i know the module name;
    GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA')
    But I want to search all the APIs inside the exe and, if an API's starting opcodes have been changed (for example, it may have been hooked by an anti-cheat using jmp GameAnticheatadr), detect and list them.

    If I write my program with the GetProcAddress API, I need to know the names of all the modules (APIs) such as 'LoadLibraryA', and there are many of them inside each DLL. Cheat Engine lists these modules and DLLs automatically; I can find and list all the DLLs, but not the modules.


    Here is the Cheat Engine screenshot. Is there a way to list all the APIs like that?



  2. #2
    Alissa
    Okay, let's assume the module has already been checked for substitution and does not contain 'hijacks'.


    Parse the headers:

    hModule is the handle (base address) of a loaded DLL module.

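    // Walk the export table of the PE image mapped at hModule and visit every named export.
    // NOTE(review): e_lfanew and every RVA below are trusted as-is. That is reasonable for a
    // module mapped by the loader in this process; for bytes read from disk or from another
    // process, bounds-check each offset against the image size before dereferencing it.

    // Check the DOS header: a PE image starts with the "MZ" signature.
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) { return NULL; }

    // Check the NT headers, which start e_lfanew bytes past the module base.
    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)hModule + pDosHeader->e_lfanew);
    if(pNtHeader->Signature != IMAGE_NT_SIGNATURE) { return NULL; }

    // A module without exports has an empty export data directory; without this check the
    // image headers themselves would be interpreted as an IMAGE_EXPORT_DIRECTORY.
    PIMAGE_DATA_DIRECTORY pExportDir = &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if(pExportDir->VirtualAddress == 0 || pExportDir->Size == 0) { return NULL; }

    // Every field below is an RVA. Add it to a byte pointer: casting the base to DWORD
    // (as the name/ordinal/address lookups originally did) truncates the pointer in a 64-bit build.
    PBYTE pBase = (PBYTE)hModule;
    PIMAGE_EXPORT_DIRECTORY pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase + pExportDir->VirtualAddress);
    PDWORD FuncNames = (PDWORD)(pBase + pExport->AddressOfNames);
    PDWORD FuncAdr = (PDWORD)(pBase + pExport->AddressOfFunctions);
    PWORD FuncOrd = (PWORD)(pBase + pExport->AddressOfNameOrdinals);

    // CurName holds the name of the export currently being visited.
    LPSTR CurName = NULL;
    for(DWORD t = 0; t < pExport->NumberOfNames; t++)
    {
        CurName = (LPSTR)(pBase + FuncNames[t]);

        // FuncOrd[t] is the index of this name's entry in the address table.
        WORD Index = FuncOrd[t];
        if(Index >= pExport->NumberOfFunctions) { continue; }

        // An RVA that points back inside the export directory is a forwarder string
        // ("OTHERDLL.Function"), not code; its bytes must not be inspected as instructions.
        DWORD FuncRva = FuncAdr[Index];
        BOOL IsForwarder = (FuncRva >= pExportDir->VirtualAddress &&
                            FuncRva < pExportDir->VirtualAddress + pExportDir->Size);
        PVOID CurAddr = IsForwarder ? NULL : (PVOID)(pBase + FuncRva);

        // CurName / CurAddr are now available for listing or comparison.
        (void)CurAddr;
    }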

  3. #3
    Alissa
    You must read the module's DOS/NT headers in memory.

  4. #4
    xbennY
    Try this:

    PHP Code:
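    // Number of rows in each MODls_* table below.
    #define MAX_MODls 256

    // Per-module tables, one row per module. DoModules() writes only column [0] of each row.
    string MODls_name[MAX_MODls][10];          // module file name (last component of the path)
    // NOTE(review): a row holds 256 chars, but MODULEENTRY32::szExePath is MAX_PATH (260) chars,
    // so any copy into a row has to be length-limited.
    char MODls_szExePath[MAX_MODls][256];      // full path of the module
    DWORD MODls_th32ProcessID[MAX_MODls][10];  // me32.th32ProcessID
    DWORD MODls_GlblcntUsage[MAX_MODls][10];   // me32.GlblcntUsage
    DWORD MODls_ProccntUsage[MAX_MODls][10];   // me32.ProccntUsage
    BYTE *MODls_modBaseAddr[MAX_MODls][10];    // me32.modBaseAddr
    DWORD MODls_modBaseSize[MAX_MODls][10];    // me32.modBaseSize
    int t_MODls = 0; // TOT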

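    /*
     * Enumerate the modules of process PID with a Toolhelp snapshot, print each module's
     * fields and record them in column [0] of the MODls_* tables.
     *
     * Rows are filled starting at index 1 (row 0 stays unused), so the return value is both
     * the number of modules recorded and the index of the last row written. Enumeration
     * stops once the tables are full (MAX_MODls - 1 modules).
     *
     * Returns -1 when the snapshot cannot be created or its first entry cannot be read.
     *
     * NOTE(review): the strcpy/"%s" usage in the original implies an ANSI build (szExePath is
     * char); confirm the project is not compiled with UNICODE defined. The snapshot reflects
     * the target's own loader data, so a module that has been unlinked from that list will
     * presumably not appear here.
     */
    int DoModules(int PID)
    {
        HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
        MODULEENTRY32 me32;
        int tot = -1;

        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
        if(hModuleSnap == INVALID_HANDLE_VALUE)
        {
            printf("INVALID_HANDLE_VALUE\n");
            return tot;
        }

        // dwSize must be set before the first call, otherwise Module32First fails.
        me32.dwSize = sizeof(MODULEENTRY32);
        if(!Module32First(hModuleSnap, &me32))
        {
            printf("!Module32First(hModuleSnap, &me32");
            CloseHandle(hModuleSnap);
            return tot;
        }

        tot = 0;
        do
        {
            // Valid row indexes are 0..MAX_MODls-1; stop before writing past the tables.
            if(tot + 1 >= MAX_MODls)
            {
                break;
            }
            tot++;

            // Module file name = everything after the last backslash of the full path.
            const char *pSlash = strrchr(me32.szExePath, '\\');
            MODls_name[tot][0] = pSlash ? pSlash + 1 : me32.szExePath;

            // szExePath can hold MAX_PATH chars but a table row only 256: copy with a limit
            // and terminate explicitly instead of the unbounded strcpy.
            strncpy(MODls_szExePath[tot], me32.szExePath, sizeof(MODls_szExePath[tot]) - 1);
            MODls_szExePath[tot][sizeof(MODls_szExePath[tot]) - 1] = '\0';

            MODls_th32ProcessID[tot][0] = me32.th32ProcessID;
            MODls_GlblcntUsage[tot][0] = me32.GlblcntUsage;
            MODls_ProccntUsage[tot][0] = me32.ProccntUsage;
            MODls_modBaseAddr[tot][0] = me32.modBaseAddr;
            MODls_modBaseSize[tot][0] = me32.modBaseSize;

            printf("\n executable          = %s",        (me32.szExePath));
            printf("\n process ID          = %u",        (me32.th32ProcessID));
            printf("\n ref count (global)  = 0x%04X",    (me32.GlblcntUsage));
            printf("\n ref count (process) = 0x%04X",    (me32.ProccntUsage));
            printf("\n base address        = 0x%p",        (me32.modBaseAddr));
            // modBaseSize is an unsigned DWORD, so it is printed with %u rather than %d.
            printf("\n base size           = %u",        (me32.modBaseSize));

            //printf("==================================\n");
        } while (Module32Next(hModuleSnap, &me32));

        CloseHandle(hModuleSnap);
        return tot;
    }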


  5. #5
    dude719
    Yes of course it's possible. Here is how I do it:

    Code:
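    /// Look up the base address of a module loaded in the target process (m_hProcess) by
    /// walking the load-order module list reachable from the target's PEB.
    ///
    /// Everything read here (PEB, loader data, list links, name length and name buffer) lives
    /// in the target's memory and can be modified by the target, so it is treated as
    /// untrusted: the name read is clamped to the local buffer and the list walk is bounded.
    /// A module that has been unlinked from the loader list will not be found.
    ///
    /// NOTE(review): the PEB / LDR structures are read with this build's layout; confirm the
    /// caller and the target have the same bitness.
    ///
    /// @param Module  Base name of the module, compared case-insensitively.
    /// @return The module's DllBase in the target as an HMODULE, or NULL when the module is
    ///         not listed or a query, allocation or read fails.
    HMODULE CRemoteLoader::GetRemoteModuleHandleA(const char* Module)
    {
    	// _stricmp does not accept a null string.
    	if (!Module)
    		return NULL;

    	void* dwModuleHandle = 0;

    	// Buffer for the basic process information, which carries the PEB address.
    	HANDLE hHeap = GetProcessHeap();
    	DWORD dwSize = sizeof(PROCESS_BASIC_INFORMATION);
    	PPROCESS_BASIC_INFORMATION pbi = (PPROCESS_BASIC_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwSize);
    	if (!pbi)
    	{
    		#ifdef _DEBUG
    		printf("Couldn't allocate heap buffer!\n");
    		#endif
    		return NULL;
    	}

    	ULONG dwSizeNeeded = 0;
    	NTSTATUS dwStatus = fnNTQIP(m_hProcess, ProcessBasicInformation, pbi, dwSize, &dwSizeNeeded);
    	if (dwStatus >= 0 && dwSize < dwSizeNeeded)
    	{
    		// The query reports a larger structure than was supplied: retry with that size.
    		HeapFree(hHeap, 0, pbi);

    		pbi = (PPROCESS_BASIC_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwSizeNeeded);
    		if (!pbi)
    		{
    			#ifdef _DEBUG
    			printf("Couldn't allocate heap buffer!\n");
    			#endif
    			return NULL;
    		}

    		dwStatus = fnNTQIP(m_hProcess, ProcessBasicInformation, pbi, dwSizeNeeded, &dwSizeNeeded);
    	}

    	PEB peb;
    	PEB_LDR_DATA peb_ldr;
    	SIZE_T dwBytesRead = 0;

    	// Basic info -> PEB -> loader data. Any failure leaves dwModuleHandle at 0.
    	if (dwStatus >= 0
    		&& pbi->PebBaseAddress
    		&& ReadProcessMemory(m_hProcess, pbi->PebBaseAddress, &peb, sizeof(peb), &dwBytesRead)
    		&& peb.Ldr
    		&& ReadProcessMemory(m_hProcess, peb.Ldr, &peb_ldr, sizeof(peb_ldr), &dwBytesRead))
    	{
    		// Address, in the target, of the list head embedded in PEB_LDR_DATA. The list is
    		// circular and ends when a Flink points back here; the head is not a module entry
    		// and must not be read as one.
    		LIST_ENTRY *pLdrListHead = (LIST_ENTRY *)((BYTE *)peb.Ldr + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModuleList));
    		LIST_ENTRY *pLdrCurrentNode = peb_ldr.InLoadOrderModuleList.Flink;

    		// Generous, arbitrary cap on visited nodes so that a corrupted or deliberately
    		// circular list in the target cannot keep this loop running forever.
    		const unsigned int kMaxLdrEntries = 4096;

    		for (unsigned int i = 0;
    			pLdrCurrentNode != NULL && pLdrCurrentNode != pLdrListHead && i < kMaxLdrEntries;
    			++i)
    		{
    			// The link is read as the start of the entry, i.e. InLoadOrderLinks is taken
    			// to be the first member of LDR_DATA_TABLE_ENTRY, as the original code did.
    			LDR_DATA_TABLE_ENTRY lstEntry = { 0 };
    			dwBytesRead = 0;
    			if (!ReadProcessMemory(m_hProcess, (void*)pLdrCurrentNode, &lstEntry, sizeof(LDR_DATA_TABLE_ENTRY), &dwBytesRead))
    			{
    				#ifdef _DEBUG
    				char dbgOut[1024];
    				sprintf_s(dbgOut, "CRemoteLoader[GetRemoteModuleHandleA] Could not read list entry from LDR list. Error = %X", GetLastError());
    				MessageBox(0, dbgOut, "Injectora", MB_ICONERROR);
    				#endif

    				// Nothing has been matched yet, so the function returns NULL below.
    				break;
    			}

    			wchar_t wcsBaseDllName[MAX_PATH] = { 0 };
    			char strBaseDllName[MAX_PATH] = { 0 };
    			if (lstEntry.BaseDllName.Length > 0 && lstEntry.BaseDllName.Buffer)
    			{
    				// Length is a byte count supplied by the target and may exceed the local
    				// buffer; clamp it and keep one wchar_t free for the terminator.
    				SIZE_T cbName = lstEntry.BaseDllName.Length;
    				const SIZE_T cbMax = sizeof(wcsBaseDllName) - sizeof(wchar_t);
    				if (cbName > cbMax)
    					cbName = cbMax;

    				dwBytesRead = 0;
    				if (ReadProcessMemory(m_hProcess, (LPCVOID)lstEntry.BaseDllName.Buffer, wcsBaseDllName, cbName, &dwBytesRead))
    				{
    					// _TRUNCATE converts as much as fits rather than treating a name that
    					// fills the buffer as an invalid-parameter error.
    					size_t bytesCopied = 0;
    					wcstombs_s(&bytesCopied, strBaseDllName, sizeof(strBaseDllName), wcsBaseDllName, _TRUNCATE);
    				}
    			}

    			// FullDllName, if ever needed, can be read the same way with the same clamping.

    			if (lstEntry.DllBase != nullptr && lstEntry.SizeOfImage != 0
    				&& _stricmp(strBaseDllName, Module) == 0)
    			{
    				dwModuleHandle = lstEntry.DllBase;
    				break;
    			}

    			pLdrCurrentNode = lstEntry.InLoadOrderLinks.Flink;
    		}
    	}

    	HeapFree(hHeap, 0, pbi);

    	return (HMODULE)dwModuleHandle;
    }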
