How to dynamically load address of USER32.DLL in shellcode?

Question

Assuming I'm injecting a shellcode into a Windows GUI application, I know I could:

Gets kernel32.dll base address through the PEB (Process Environment Block);
Finds address of LoadLibrary;
Call LoadLibrary("user32.dll");
Finally call GetProcAddress.

This is the classic way and that's what I would do, however I'd like to know if there's a better/improved/faster/clever/different/smaller or simpler way to do this.

Any ideas?

score 3 · Accepted Answer · edited Apr 13 '17 at 12:49

3

If user32.dll is already loaded in the process's address space (and I assume it is given that you said it's a Windows GUI application), you can walk the PEB_LDR_DATA structure in order to find the base address of user32.dll:

edited Apr 13 '17 at 12:49

Community

1

answered Oct 12 '15 at 16:54

Jason Geffner

20,681
1
36
75

Do you have sample code? I'm not sure I understood know to identify user32.dll base address – jyz Oct 12 '15 at 17:29
http://masm32.com/board/index.php?topic=4479.msg47967#msg47967 – Jason Geffner Oct 12 '15 at 17:46
Excelent code, well documented. Thank you – jyz Oct 12 '15 at 18:36

How to dynamically load address of USER32.DLL in shellcode?

1 Answers1