Re: Getting Base Address using the Structured Exception Handler

From: Costin Ionescu (costin.ionescuat_private)
Date: Thu Jun 26 2003 - 04:23:31 PDT


    Nobody Mind wrote:
    
    >I basically am wondering if anyone has links or can
    >post a short explanation of why (not how) using the
    >SEH method works for getting the base
    >address of kernel32.dll and others?
    >Thanks
    
    Because installing a SEH means that you get execution control when your thread causes an exception.
    
    If you want to find the base of kernel32 you just access some pages where you think it is (around 0xBFF70000 on Win9x, around 0x77F0000/0x77E80000 on WinNT/2K/XP). If the kernel isn't there, either those pages are not allocated and accessing them will cause a General Protection Fault, or the pages are allocated but there is something else there, and you can find that out by verifying some info that is specific to kernel32.
    
    So when a GPF is raised the OS will pass the execution control to the SEH handlers. And so you can probe for valid memory pages without terminating the process and having that annoying message box (This application has performed an illegal operation and will be terminated).
    
    ico
    



    This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 08:47:44 PDT