Post date: Mar 16, 2010 2:46:24 PM
{
Unit: Get/Set PEB - GetModuleFileName
Author: steve10120
Description: Get and/or set the PEB filename value.
Credits: Karcrack
Website: hackhound.org
}
When injected into another process, retrieve the correct GetModuleFileName value, as opposed to that of the process you are injected into.
function AltGetPEBModuleFileName(): WideString;
var
  szBuff: PWideChar;
begin
  asm
    mov eax, [FS:030h]      // PEB of the current process (32-bit)
    mov eax, [DS:eax+010h]  // PEB.ProcessParameters
    mov eax, [DS:eax+03Ch]  // ProcessParameters.ImagePathName.Buffer
    mov szBuff, eax
  end;
  Result := szBuff;
end;

procedure AltSetPEBModuleFileName(szPath: PWideChar);
asm
  mov edx, szPath
  mov eax, [FS:030h]      // PEB of the current process (32-bit)
  mov eax, [DS:eax+010h]  // PEB.ProcessParameters
  mov [DS:eax+03Ch], edx  // replaces only the ImagePathName.Buffer pointer
end;

Usage:
begin
  MessageBoxW(0, PWideChar(AltGetPEBModuleFileName), nil, 0);
  AltSetPEBModuleFileName('C:\test.exe');
  MessageBoxW(0, PWideChar(AltGetPEBModuleFileName), nil, 0);
end.
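The setter above writes only ImagePathName.Buffer (offset 03Ch) and leaves the UNICODE_STRING Length field at 038h untouched, so a 32-bit memory snapshot taken afterwards shows a Length that no longer matches the string. The C check below is an added example, not part of the original unit; the Snap structure, helper names, addresses and sample paths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* x86 offsets used by the unit above; Length is the USHORT 4 bytes below Buffer. */
enum { PEB_PARAMS = 0x10, IPN_LENGTH = 0x38, IPN_BUFFER = 0x3C };
typedef struct { uint32_t base; uint8_t mem[0x200]; } Snap; /* constructed memory image */
static int rd(const Snap *s, uint32_t va, void *out, uint32_t n) {
    if (va < s->base || va - s->base > sizeof s->mem - n) return 0;
    memcpy(out, s->mem + (va - s->base), n);  /* little-endian host assumed */
    return 1;
}
static void wr(Snap *s, uint32_t va, const void *in, uint32_t n) {
    memcpy(s->mem + (va - s->base), in, n);
}
static void put_w(Snap *s, uint32_t va, const char *a) { /* ASCII -> UTF-16LE + NUL */
    for (;; va += 2, a++) { uint16_t ch = (uint8_t)*a; wr(s, va, &ch, 2); if (!*a) break; }
}
/* Byte length of the NUL-terminated UTF-16 string at va, or -1 if unreadable. */
static int wlen(const Snap *s, uint32_t va) {
    uint16_t ch;
    for (int n = 0;; n += 2) {
        if (!rd(s, va + (uint32_t)n, &ch, 2)) return -1;
        if (ch == 0) return n;
    }
}
/* 1 = Length matches the string at Buffer, 0 = mismatch, -1 = unreadable. */
int image_path_consistent(const Snap *s, uint32_t peb) {
    uint32_t params, buf; uint16_t len;
    if (!rd(s, peb + PEB_PARAMS, &params, 4) || !rd(s, params + IPN_LENGTH, &len, 2) ||
        !rd(s, params + IPN_BUFFER, &buf, 4)) return -1;
    int actual = wlen(s, buf);
    return actual < 0 ? -1 : actual == len;
}
/* Constructed sample: PEB at 0x7000; tampered = Buffer repointed, Length untouched. */
void build_sample(Snap *s, int tampered) {
    const char *path = "C:\\Tools\\original.exe";           /* constructed path */
    uint32_t peb = 0x7000, params = 0x7040, orig = 0x7100, fake = 0x7180;
    uint16_t len = (uint16_t)(2 * strlen(path));
    memset(s, 0, sizeof *s); s->base = peb;
    put_w(s, orig, path); put_w(s, fake, "C:\\test.exe");
    wr(s, peb + PEB_PARAMS, &params, 4);
    wr(s, params + IPN_LENGTH, &len, 2);
    wr(s, params + IPN_BUFFER, tampered ? &fake : &orig, 4);
}
int main(void) {
    Snap s;
    build_sample(&s, 0); printf("untouched: %d\n", image_path_consistent(&s, 0x7000));
    build_sample(&s, 1); printf("tampered:  %d\n", image_path_consistent(&s, 0x7000));
}
```

A result of 0 is a heuristic indicator that the pointer was swapped in place; it should be corroborated against the image path reported by the operating system for the same process.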