Get/Set PEB - GetModuleFileName

posted 16 Mar 2010, 07:46 by Delphi Basics
{
   Unit: Get/Set PEB - GetModuleFileName
   Author: steve10120
   Description: Get and/or set the PEB filename value.
   Credits: Karcrack
   Website: hackhound.org
}

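When injected into another process, retrieve the correct module file name instead of the file name of the process you are injected into. Both routines work on the image path pointer stored in the PEB (PEB.ProcessParameters.ImagePathName.Buffer); the offsets used are valid for 32-bit processes only.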

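function AltGetPEBModuleFileName():WideString;
var
  szBuff: PWideChar;
begin
  asm
   mov eax, [FS:030h]      // EAX = PEB (32-bit TEB+30h)
   mov eax, [DS:eax+010h]  // EAX = PEB.ProcessParameters
   mov eax, [DS:eax+03Ch]  // EAX = ImagePathName.Buffer
   mov szBuff, eax
  end;
  Result := szBuff;        // copied as a NUL-terminated wide string
end;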

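// Stores the pointer itself, not a copy: szPath must stay valid afterwards.
procedure AltSetPEBModuleFileName(szPath:PWideChar);
asm
  mov edx, szPath
  mov eax, [FS:030h]       // EAX = PEB
  mov eax, [DS:eax+010h]   // EAX = PEB.ProcessParameters
  mov [DS:eax+03Ch], edx   // replaces ImagePathName.Buffer only; Length/MaximumLength stay unchanged
end;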

Usage:
begin
  MessageBoxW(0, PWideChar(AltGetPEBModuleFileName), nil, 0);
  AltSetPEBModuleFileName('C:\test.exe');
  MessageBoxW(0, PWideChar(AltGetPEBModuleFileName), nil, 0);
end.
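
A defender's cross-check, as an added example that is not part of the original unit: the PEB is writable from user mode, so the path stored there can be compared with the path the kernel reports for the process. The names PebImagePath, KernelImagePath and PebPathTampered are hypothetical, and the code assumes a 32-bit build running on Windows Vista or later.

```delphi
program PebPathCheck;
{$APPTYPE CONSOLE}
// Added example; 32-bit only, same offsets as the page (FS:[30h], +10h, +3Ch).
uses Windows, SysUtils;

type
  TUnicodeString32 = packed record   // 32-bit UNICODE_STRING layout
    Length, MaximumLength: Word;     // sizes in bytes, terminator excluded
    Buffer: PWideChar;
  end;
  PUnicodeString32 = ^TUnicodeString32;

// Vista+ export, declared locally because older Windows units lack it.
function QueryFullProcessImageNameW(hProcess: THandle; dwFlags: DWORD;
  lpExeName: PWideChar; var lpdwSize: DWORD): BOOL; stdcall;
  external kernel32 name 'QueryFullProcessImageNameW';

// Hypothetical helper: address of PEB.ProcessParameters.ImagePathName.
function PebImagePath: PUnicodeString32;
asm
  mov eax, fs:[$30]      // PEB
  mov eax, [eax+$10]     // PEB.ProcessParameters
  add eax, $38           // @ImagePathName (Buffer sits at +3Ch)
end;

// Path as reported by the kernel, which user-mode PEB writes do not change.
function KernelImagePath: WideString;
var
  Buf: array[0..1023] of WideChar;
  Len: DWORD;
begin
  Len := Length(Buf);
  if QueryFullProcessImageNameW(GetCurrentProcess, 0, @Buf[0], Len) then
    SetString(Result, PWideChar(@Buf[0]), Len)
  else Result := '';
end;

// True when the PEB path differs from the kernel path, or when the stored
// Length no longer matches the string at Buffer (pointer swapped in place).
function PebPathTampered(out PebPath, KernPath: WideString): Boolean;
var U: PUnicodeString32;
begin
  U := PebImagePath;
  PebPath := U^.Buffer;  // read as NUL-terminated, like the page's getter
  KernPath := KernelImagePath;
  Result := (WideCompareText(PebPath, KernPath) <> 0) or
    (U^.Length <> Length(PebPath) * SizeOf(WideChar));
end;
var P, K: WideString;
begin
  if PebPathTampered(P, K) then Writeln('MISMATCH PEB=', P, ' kernel=', K)
  else Writeln('ok ', K);
end.
```

A mismatch is a signal to investigate rather than proof, since 8.3 short names or substituted drives can also make the two strings differ.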


