+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT
+0x04c PatchInformation : Ptr32 Void
After getting a pointer to InLoadOrderModuleList, the function appears
to go after offset +0 in the first module. From looking at this structure, it would
seem that offset +0 is part of the LIST_ENTRY data structure. Let's dump
LIST_ENTRY and see what offset +0 means.
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
Offset +0 is Flink, which probably stands for "forward link". This means
that the function is hard-coded to skip the first entry, regardless of what it is.
This is quite unusual because with a linked list you would expect to see a
loop—no loop, the function is just hard-coded to skip the first entry. After
doing that, the function simply returns the value from offset +18 at the second
entry. Offset +18 in _LDR_DATA_TABLE_ENTRY is DllBase. So, it would
seem that all this function is doing is looking for the base of some DLL. At this
point it would be wise to load Defender.EXE in WinDbg, just to take a look
at the loader information and see what the second module is. For this, you use
the !dlls command, which dumps a (relatively) user-friendly view of the
loader data structures. The -l option makes the command dump modules in
their load order, which is essentially the list you traversed by taking
InLoadOrderModuleList from PEB_LDR_DATA.
0:000> !dlls -l
0x00241ee0: C:\Documents and Settings\Eldad Eilam\Defender.exe
Base 0x00400000 EntryPoint 0x00404232 Size 0x00008000
Flags 0x00005000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
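The two-hop lookup described above, as an added example that is not from the book: a Python model of the 32-bit loader list built from the field offsets in the dt output, run against a constructed memory snapshot. Only Defender.exe at 0x00400000 comes from the !dlls output; the other module names, their bases and all addresses in the snapshot are assumptions, and the block contrasts the hard-coded skip with the loop a reverser would normally expect.

```python
import struct
# Field offsets copied from the dt _LDR_DATA_TABLE_ENTRY / _LIST_ENTRY output (32-bit).
FLINK = 0x000        # _LIST_ENTRY.Flink, also offset +0 of every module entry
DLLBASE = 0x018      # _LDR_DATA_TABLE_ENTRY.DllBase
BASEDLLNAME = 0x02c  # _UNICODE_STRING {Length, MaximumLength, Buffer}
ENTRY_SIZE = 0x050

# Constructed sample: only Defender.exe at 0x00400000 comes from the !dlls output;
# the other names and bases are placeholders, not what the real process loads.
SAMPLE_MODULES = [("Defender.exe", 0x00400000),
                  ("second.dll", 0x7C900000),
                  ("third.dll", 0x7C800000)]

def build_snapshot(modules):
    """Fake 32-bit address space with a circular InLoadOrderModuleList: the
    list head (the LIST_ENTRY in PEB_LDR_DATA) at 0x100, entries from 0x1000."""
    mem, head = bytearray(0x4000), 0x100
    entries = [0x1000 + i * ENTRY_SIZE for i in range(len(modules))]
    ring = [head] + entries
    for i, addr in enumerate(ring):          # Flink/Blink form a ring through the head
        struct.pack_into("<II", mem, addr, ring[(i + 1) % len(ring)], ring[i - 1])
    str_at = 0x3000                          # where the UTF-16 names are stored
    for addr, (name, base) in zip(entries, modules):
        struct.pack_into("<I", mem, addr + DLLBASE, base)
        buf = name.encode("utf-16-le")
        mem[str_at:str_at + len(buf)] = buf
        struct.pack_into("<HHI", mem, addr + BASEDLLNAME, len(buf), len(buf) + 2, str_at)
        str_at += len(buf) + 2
    return mem, head

def u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]

def base_name(mem, entry):
    length, _, buf = struct.unpack_from("<HHI", mem, entry + BASEDLLNAME)
    return mem[buf:buf + length].decode("utf-16-le")

def defender_style_lookup(mem, head):
    # What the disassembly does: no loop, one hop to the first module, a second
    # hop to the next one, then read that entry's DllBase at +0x18.
    first = u32(mem, head + FLINK)
    second = u32(mem, first + FLINK)
    return u32(mem, second + DLLBASE)

def walk_load_order(mem, head):
    # The general traversal a reverser expects: follow Flink until it wraps to the head.
    out, entry = [], u32(mem, head + FLINK)
    while entry != head:
        out.append((base_name(mem, entry), u32(mem, entry + DLLBASE)))
        entry = u32(mem, entry + FLINK)
    return out
```

Running walk_load_order on the snapshot lists Defender.exe first, so the hard-coded second hop lands on whichever module the loader placed right after the executable, which is exactly what the !dlls -l listing lets you check in the real process.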
382 Chapter 11