Question
From the base of NTDLL - the address that you printed - you are now at the base of the PE file. Use your knowledge of the PE file format to walk the structure and identify the number of exports. For this part, all we want to do is print that value. There are a variety of resources in the project folder. In addition, you can use PE parsing utilities such as PE Studio and the 010 Editor to help understand the data/file format itself.
I am lost with this C program... I need to do something in the bold below
int main(void){
    DWORD numExports = 0;
    DWORD dwNtdllBase = 0;
    _asm{
        xor ebx, ebx ; //clear ebx
        mov ebx, fs:[ 0x30 ] ; //get a pointer to the PEB
        mov ebx, [ebx + 0x0C ] ; //get PEB->Ldr
        mov ebx, [ebx + 0x1C ] ; //get PEB->Ldr InitializationOrder
        mov ebx, [ebx + 0x08 ] ; //get entries base address
        //mov dwNtdllBase, ebx
        // find exports via PE file
        //xor eax, ebx
        //xor eax, ebx //Start with image base
        mov eax, [ebx + 0x10 ]
        add ebx, edx
        mov numExports, esi
    }
    printf("NTDLL number of exports: %d\n", numExports);
}
Explanation / Answer
I have changed but the code is correct.
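#include <stdio.h>
#include <windows.h>

/* 32-bit (x86) MSVC build only: uses fs:[0x30] and PE32 header offsets. */
int main(void){
    DWORD numExports = 0;
    DWORD dwNtdllBase = 0;
    _asm{
        xor ebx, ebx ; //clear ebx
        mov ebx, fs:[ 0x30 ] ; //get a pointer to the PEB
        mov ebx, [ebx + 0x0C ] ; //get PEB->Ldr
        mov ebx, [ebx + 0x1C ] ; //get PEB->Ldr InInitializationOrderModuleList (first entry)
        mov ebx, [ebx + 0x08 ] ; //get the entry's base address (ntdll)
        mov dwNtdllBase, ebx ; //keep the image base for reference
        // find exports via PE file, starting with the image base in ebx
        mov eax, [ebx + 0x3C ] ; //IMAGE_DOS_HEADER.e_lfanew (offset of the NT headers)
        mov eax, [ebx + eax + 0x78 ] ; //DataDirectory[0].VirtualAddress (export directory RVA)
        mov eax, [ebx + eax + 0x14 ] ; //IMAGE_EXPORT_DIRECTORY.NumberOfFunctions
        mov numExports, eax
    }
    printf("NTDLL number of exports: %lu\n", numExports);
    return 0;
}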
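The same header walk in portable C, as an added example that is not part of the original question or answer: it bounds-checks every read and goes beyond the 32-bit case above by also handling PE32+ images, where the export data directory sits at NT headers + 0x88 instead of + 0x78. The names `count_exports` and `build_sample`, and the sample image with its count of 2400, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked little-endian read of n bytes; clears *ok on overrun. */
static uint32_t rd(const uint8_t *p, size_t len, size_t off, size_t n, int *ok) {
    uint32_t v = 0;
    if (off > len || len - off < n) { *ok = 0; return 0; }
    for (size_t i = 0; i < n; i++) v |= (uint32_t)p[off + i] << (8 * i);
    return v;
}

/* Export count of a mapped image (RVA == offset): -1 malformed, 0 no export directory. */
int64_t count_exports(const uint8_t *img, size_t len) {
    int ok = 1;
    if (rd(img, len, 0, 2, &ok) != 0x5A4D) return -1;          /* "MZ" */
    size_t nt = rd(img, len, 0x3C, 4, &ok);                    /* e_lfanew */
    if (rd(img, len, nt, 4, &ok) != 0x00004550) return -1;     /* "PE\0\0" */
    uint32_t magic = rd(img, len, nt + 24, 2, &ok);            /* optional header magic */
    if (magic != 0x10B && magic != 0x20B) return -1;
    size_t dd = nt + (magic == 0x10B ? 0x78 : 0x88);           /* DataDirectory[0]: PE32 / PE32+ */
    if (rd(img, len, dd - 4, 4, &ok) == 0) return ok ? 0 : -1; /* NumberOfRvaAndSizes */
    uint32_t exp_rva = rd(img, len, dd, 4, &ok);
    if (!ok || exp_rva == 0) return ok ? 0 : -1;
    uint32_t n = rd(img, len, (size_t)exp_rva + 0x14, 4, &ok); /* NumberOfFunctions */
    return ok ? (int64_t)n : -1;
}

/* Constructed sample: a minimal mapped image holding only the fields read above. */
enum { PE_OFF = 0x80, EXP_RVA = 0x200, SAMPLE_LEN = EXP_RVA + 0x28 };
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}
void build_sample(uint8_t buf[SAMPLE_LEN], uint16_t magic, uint32_t nfuncs) {
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "MZ", 2);
    wr32(buf, 0x3C, PE_OFF);
    wr32(buf, PE_OFF, 0x00004550);
    wr32(buf, PE_OFF + 24, magic);               /* linker version bytes stay zero */
    size_t dd = PE_OFF + (magic == 0x20B ? 0x88 : 0x78);
    wr32(buf, dd - 4, 16);                       /* NumberOfRvaAndSizes */
    wr32(buf, dd, EXP_RVA);                      /* export directory RVA */
    wr32(buf, EXP_RVA + 0x14, nfuncs);           /* NumberOfFunctions */
}

int main(void) {
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, 0x10B, 2400);
    printf("exports: %lld\n", (long long)count_exports(buf, SAMPLE_LEN));
}
```

The parser assumes the loader's mapped layout, as the inline assembly does; for a file read from disk the export RVA would first have to be translated to a file offset through the section table.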