Tuts 4 You
h4sh3m

Simple x64 Loader[Delphi SRC]

GautamGreat

Hi,

Instead of using this function, can't we grab the image base from the PEB?

Actually, I don't have an x64 system at this time.

 

// Requires: uses Windows, SysUtils, TlHelp32;
function GetModuleImageBase(PID : NativeUInt; Module : string):NativeUInt;
var
  ModuleSnap: THandle;
  ModuleEntry32: TModuleEntry32;
  More: Boolean;
  ImageBase: Pointer;
  s : string;
begin
  Result := 0;

  // Snapshot the module list of the target process.
  ModuleSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);

  // Checked before the try block so CloseHandle never sees an invalid handle.
  if ModuleSnap = INVALID_HANDLE_VALUE then
  begin
    messagebox(0, 'Can''t Read Process Memory', 'Error', mb_iconerror);
    Exit;
  end;

  try
    ModuleEntry32.dwSize := SizeOf(ModuleEntry32);

    More := Module32First(ModuleSnap, ModuleEntry32);
    while More do
    begin
      ImageBase := ModuleEntry32.modBaseAddr;

      // Compare file names only, case-insensitively.
      s := extractfilename(StrPas(ModuleEntry32.szExePath));
      s := LowerCase(s);
      if s = LowerCase(Module) then
      begin
        // NativeUInt keeps the full 64-bit address; Integer would truncate it.
        Result := NativeUInt(ImageBase);
        break;
      end;

      More := Module32Next(ModuleSnap, ModuleEntry32);
    end;
  finally
    CloseHandle(ModuleSnap);
  end;
end;

h4sh3m

Hi

@GautamGreat, as I said, this is a simple loader. You can do this with the PEB, but I haven't tested it!

 

BR,

h4sh3m

xxx22xxx

@h4sh3m when compiling your loader I get an error
 

du97fyokr9irmo59t.png

If I comment this out, I get the next error

du97g2ays7mi13e0h.png

h4sh3m

Hi

Which compiler are you using? With this code you can't patch an x64 target via an x86 loader?!

After all you can change "CreateProcess" -> "CreateProcessW" and "w : DWORD" -> "w : NativeUInt".

 

 

Best Regards,

h4sh3m

xxx22xxx

@h4sh3m

Thanks, already solved it. I had used Delphi 7 Lite Full Edition;

now I have installed RAD Studio XE2 and it works!

But I have a question: will this loader work, for example, to patch Adobe x64 software?

Or will it not work, like GautamGreat said?

 

h4sh3m

If you patch the right place, it will work :)

It depends on you (and/or your target). If your target is protected, it may fail for several reasons, like: debugger detection (I'm not sure whether the debug flag is used or not, but some protectors (and some handy ways :)) check the parent process to detect it!), memory protection (checksum), ...

You can use the proxy method too for this purpose.

xxx22xxx

Thank you!
