1 vote

I am trying to make a small win32 "Hello, world!" application in pure assembly. Now after looking around on how to even locate the kernel32.dll, I, after some time, found this: http://skypher.com/wiki/index.php/Hacking/Shellcode/kernel32. This technique returns a pointer to where kernel32.dll is located in memory.

Now on a different website where a similar technique was presented, they wrote

Now all you need to do is locate the "LoadLibrary" and "GetProcAddress" functions in there and you're good to go!

Of course, this is true. I could easily write any win32 application if I only had the exact jump location of these two functions.

Does anyone know how to locate the two (or technically, only "GetProcAddress" would do) in that DLL? Or are there any cheap alternatives (besides using a higher-level language)?

Thanks in advance,

-Kierrow

1
Um, why not just import it like a normal program? That way you won't get flagged as malware. Oh wait, the fact that you're looking at shellcode means that you are already writing malware... - Raymond Chen
@RaymondChen True, but how do I do this? - This might sound weird, but I'm not using a compiler/assembler... - Kierrow
You said you're writing it in assembly. So why not use an assembler? Link to the import library. - Raymond Chen
@RaymondChen This is something for my advanced computer sciences class. I don't want to get into detail about the "why", but I have studied and tried to understand machine code instructions and the most basic low-level programming for the past weeks. The main problem I am at right now is this... I have tried to do what some already recommended me to do: Look into a very simple, compiled C/C++ program, but I was not able to find out what I asked about in this question, hence me asking. - Kierrow
Read up on the Portable Executable (PE) file format. - Raymond Chen

1 Answer

4 votes

Since you found how to retrieve a pointer to kernel32.dll, you could just traverse the Export Table of kernel32 and look for "GetProcAddress". Once you get the pointer to the function, just invoke it. As Raymond Chen mentioned, to do this, just have a look at the Portable Executable Format specification.
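The export-table walk the answer describes, written out as an added C example (it is not code from the question, the answer, or the linked wiki): it follows the PE headers from the module base to IMAGE_EXPORT_DIRECTORY, matches a name, maps it through the name-ordinal table to a function RVA, and treats forwarders as non-code. The struct definition, the header-only PE32 buffer it searches and its two exports are constructed for the example so it runs anywhere without kernel32.dll.

```c
#include <stdint.h>
#include <string.h>
/* IMAGE_EXPORT_DIRECTORY (40 bytes), redefined so this builds without windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp; uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
/* Walk from a mapped image base through the PE headers to the export
 * directory; return the RVA of the export named `wanted`, or 0 if absent. */
uint32_t find_export_rva(const uint8_t *base, const char *wanted)
{
    if (rd16(base) != 0x5A4D) return 0;                               /* "MZ" */
    uint32_t nt = rd32(base + 0x3C);                                  /* e_lfanew */
    if (rd32(base + nt) != 0x4550) return 0;                          /* "PE\0\0" */
    /* OptionalHeader starts at nt+24; DataDirectory[0] (exports) is at +96 for PE32, +112 for PE32+ */
    uint32_t dd = nt + 24 + (rd16(base + nt + 24) == 0x20B ? 112 : 96);
    uint32_t exp_rva = rd32(base + dd), exp_size = rd32(base + dd + 4);
    if (exp_rva == 0) return 0;                                       /* no export table */
    ExportDir ed; memcpy(&ed, base + exp_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        if (strcmp((const char *)base + rd32(base + ed.AddressOfNames + 4 * i), wanted)) continue;
        uint16_t idx = rd16(base + ed.AddressOfNameOrdinals + 2 * i); /* table index, not biased ordinal */
        uint32_t rva = rd32(base + ed.AddressOfFunctions + 4 * idx);
        /* An RVA inside the export directory is a forwarder string ("NTDLL.Func"), not code. */
        return (rva >= exp_rva && rva < exp_rva + exp_size) ? 0 : rva;
    }
    return 0;
}
/* Constructed minimal PE32 image (headers + export tables only; offsets chosen
 * for this example) with two exports, so the walk can be exercised offline. */
uint32_t demo_lookup(const char *name)
{
    static uint8_t img[0x400]; memset(img, 0, sizeof img);
    wr16(img, 0x5A4D); wr32(img + 0x3C, 0x80);                /* MZ, e_lfanew = 0x80 */
    wr32(img + 0x80, 0x4550); wr16(img + 0x98, 0x10B);        /* PE, PE32 magic */
    wr32(img + 0xF8, 0x200); wr32(img + 0xFC, 0x60);          /* export dir RVA, size */
    ExportDir ed = { .Base = 1, .NumberOfFunctions = 2, .NumberOfNames = 2,
        .AddressOfFunctions = 0x230, .AddressOfNames = 0x240, .AddressOfNameOrdinals = 0x250 };
    memcpy(img + 0x200, &ed, sizeof ed);
    wr32(img + 0x230, 0x1000); wr32(img + 0x234, 0x2000);     /* function RVAs */
    wr32(img + 0x240, 0x300);  wr32(img + 0x244, 0x310);      /* name string RVAs */
    wr16(img + 0x250, 0);      wr16(img + 0x252, 1);          /* name i -> function index */
    strcpy((char *)img + 0x300, "GetProcAddress"); strcpy((char *)img + 0x310, "LoadLibraryA");
    return find_export_rva(img, name);
}
```

On a real module the returned RVA is added to the load address to get the callable pointer; a zero result means the name is missing or is forwarded to another DLL.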