I am trying to implement the known method of "Dynamic Forking of Win32 EXE", which is known as RunPE. My problem is that I can't get the right result for the "base address" as mentioned in the 3rd point at http://www.security.org.sg/code/loadexe.html
This is my code:
DWORD* peb;
DWORD* baseAddress;
...snip...
GetThreadContext(hTarget, &contx);
peb = (DWORD *) contx.Ebx;
baseAddress = (DWORD *) contx.Ebx+8;
_tprintf(_T("The EBX [PEB] is: 0x%08X\nThe base address is: 0x%08X\nThe Entry Point is: 0x%08X\n"), peb, baseAddress, contx.Eax);
and the output is as follows:
The EBX [PEB] is: 0x7FFD4000
The base address is: 0x7FFD4020
The Entry Point is: 0x00401000
I think that my problem is with the implementation of my baseAddress pointer, but I can't figure out exactly what the issue is. Or it could be that I haven't understood the above article correctly and baseAddress isn't ImageBase; if so, what is baseAddress?
I have tried to run it under Win 7 64b and Win-XP and on both I get the same incorrect results.
Note that the instructions say "at [EBX+8]". The brackets mean the value at that address location. There are several problems with
baseAddress = (DWORD *) contx.Ebx+8;
First, the compiler doesn't pay attention to spacing, only to parenthesizing, so this means
baseAddress = ((DWORD *)contx.Ebx) + 8;
which is wrong because the 8 is counting DWORDs, rather than bytes. You want
baseAddress = (DWORD *)(contx.Ebx + 8);
but this just gets you the address where the baseAddress is stored, not the value of the baseAddress. For that you need
baseAddress = *(DWORD *)(contx.Ebx + 8);
However, this only works if contx.Ebx refers to an address in your process, but every process has its own address space, and you need to access the address space of the suspended process; for that you need to use ReadProcessMemory ( http://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx ):
ok = ReadProcessMemory(hTarget, (LPCVOID)(contx.Ebx + 8), (LPVOID)&baseAddress, sizeof baseAddress, NULL);
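A portable stand-in for the answer's fix, added here and not part of the question or the answer: it measures why the cast-first expression lands 32 bytes past EBX (the 0x20 seen in the printed output) and then reads the ImageBase through a ReadProcessMemory-style helper over a constructed PEB buffer. The struct layout, the addresses and the helper are assumptions for illustration, not the real PEB or the Win32 API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;   /* 32-bit target, as in the question's output */

/* Constructed stand-in for the start of a 32-bit PEB; ImageBaseAddress is at
 * offset 8, the "[EBX+8]" of the article. The padding keeps the mistaken
 * "+8 DWORDs" read inside the buffer so it can be measured safely. */
struct fake_peb32 {
    unsigned char InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    DWORD Mutant;
    DWORD ImageBaseAddress;
    DWORD pad[13];
};
static const struct fake_peb32 remote_peb = { 0, 0, 0, 0, 0, 0x00400000u, {0} };
static const DWORD REMOTE_PEB_ADDR = 0x7FFD4000u;   /* the EBX value printed in the question */

/* Stand-in for ReadProcessMemory: copies out of the local stand-in instead of
 * another process's address space. Returns 0 on an out-of-range read, like a
 * failed API call whose return value the caller must check. */
static int fake_read_process_memory(DWORD addr, void *out, size_t n) {
    if (addr < REMOTE_PEB_ADDR || addr + n > REMOTE_PEB_ADDR + sizeof remote_peb) return 0;
    memcpy(out, (const unsigned char *)&remote_peb + (addr - REMOTE_PEB_ADDR), n);
    return 1;
}

/* Byte distance covered by ((DWORD *)peb) + n: the question's expression
 * scales by sizeof(DWORD), so n = 8 gives 32 bytes (0x7FFD4020 - 0x7FFD4000). */
size_t dword_offset_bytes(const void *peb, size_t n) {
    return (size_t)((const unsigned char *)((const DWORD *)peb + n)
                    - (const unsigned char *)peb);
}

/* The corrected sequence: the field address is peb_addr + 8 in bytes, and the
 * ImageBase is the value stored there, fetched with a process-memory read.
 * Returns 0 if the read fails (a real ImageBase is never 0). */
DWORD read_image_base(DWORD peb_addr) {
    DWORD image_base = 0;
    if (!fake_read_process_memory(peb_addr + 8, &image_base, sizeof image_base)) return 0;
    return image_base;
}

int main(void) {
    printf("wrong +8 covers %zu bytes\n", dword_offset_bytes(&remote_peb, 8));
    printf("ImageBase read from PEB: 0x%08X\n", (unsigned)read_image_base(REMOTE_PEB_ADDR));
    return 0;
}
```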