So I have been working on learning the windows low end side of thing and I created some asm to access the peb without using any library's. This is because my project has /NODEFAULTLIB on and no inputs in Visual Studio
So my project is about using the PEB to import thing dynamically without the need of dependency. thought i needed to get the PEB first without the use of a library but thats were my problem comes in.
this is my code.asm file content
.code
PUBLIC GetPEB
GetPEB PROC
mov rax, gs:[60h]
mov rax, [rax + 60h]
RET
GetPEB ENDP
END
Now i access this function with
extern "C" PPEB GetPEB();
but it just returns null
after debugging for awhile I found that after my asm code gets the TEB address and the next line is run it shows that RAX is null? witch made no sense because the TEB address was in there.
So if you know what could be coursing the problem let me know
this the current project code
Function.h
<pre>#include <Windows.h>
#include <winternl.h>
extern "C" PPEB GetPEB();
namespace Function
{
typedef LPVOID(WINAPI* tVirtualAlloc)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
typedef BOOL(WINAPI* tVirtualProtect)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flNewProtect,
PDWORD lpflOldProtect
);
typedef BOOL(WINAPI* tBeep)(
DWORD dwFreq,
DWORD dwDuration
);
int _strcmp(const char* str1, const char* str2);
int wstrcmp(const wchar_t* str1, const wchar_t* str2);
void* pGetProcAddress(void* moduleHandle, const char* functionName);
void* pGetModuleHandle(const wchar_t* moduleName);
};
and this is the rest just in case you see if something else would course this error
Function.cpp
#include "Function.h"
int Function::_strcmp(const char* str1, const char* str2)
{
while (*str1 && *str2)
{
if (*str1 != *str2)
{
break
}
str1++
str2++
}
return *str1 - *str2
}
int Function::wstrcmp(const wchar_t* str1, const wchar_t* str2)
{
while (*str1 && *str2)
{
if (*str1 != *str2)
{
break
}
str1++
str2++
}
return *str1 - *str2
}
void* Function::pGetProcAddress(void* moduleHandle, const char* functionName)
{
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)moduleHandle
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)((char*)(moduleHandle) + dos_header->e_lfanew)
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
return 0
}
if (nt_header->Signature != IMAGE_NT_SIGNATURE) {
return 0
}
PIMAGE_DATA_DIRECTORY exports = &nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
if (exports->Size) {
PIMAGE_EXPORT_DIRECTORY export_dir = (PIMAGE_EXPORT_DIRECTORY)((char*)(moduleHandle) + exports->VirtualAddress)
DWORD* name_rvas = (DWORD*)((char*)(moduleHandle) + export_dir->AddressOfNames)
DWORD* func_addrs = (DWORD*)((char*)(moduleHandle) + export_dir->AddressOfFunctions)
WORD* ordinals = (WORD*)((char*)(moduleHandle) + export_dir->AddressOfNameOrdinals)
for (DWORD i = 0
{
const char* name = (const char*)((char*)(moduleHandle) + name_rvas[i])
if (Function::_strcmp(name, functionName) == 0)
{
DWORD ordinal = ordinals[i]
DWORD func_addr = func_addrs[ordinal]
return (void*)((char*)moduleHandle + func_addr)
}
}
}
return 0
}
void* Function::pGetModuleHandle(const wchar_t* moduleName)
{
PPEB pebPtr = GetPEB()
PPEB_LDR_DATA ldr = (PPEB_LDR_DATA)pebPtr->Ldr
PLIST_ENTRY list_head = &(ldr->InMemoryOrderModuleList)
PLIST_ENTRY list_entry = list_head->Flink;
while (list_entry != list_head) {
LDR_DATA_TABLE_ENTRY* module_entry = CONTAINING_RECORD(list_entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (!Function::wstrcmp(module_entry->FullDllName.Buffer, moduleName)) {
return module_entry->DllBase;
}
list_entry = list_entry->Flink;
}
return nullptr
}
I welcome any help at all with my problem and thanks you for it too
What I have tried:
I have tried making a function return the TEB witch worked but as soon as i try to access the PEB it goes to NULL, I have been searching the internet for sometime looking for an answer but I can't find any reason this should not work. i have also tried with /NODEFAULTLIB off and with default input setting and the same problem happens. I am not new to C++ but this is part of my learning journey.