Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Post subject: Getting the calling modules' names
PostPosted: 14 Apr 2010 02:46 

I'm hooking the sendto function and I would like to log the names of every DLL/program which calls it.

How can I retrieve the names of the DLLs which call the hooked sendto function?


Post subject: Re: Getting the calling modules' names
PostPosted: 14 Apr 2010 10:20 

Location: http://aluigi.org
First you should get the return address, which obviously points into the calling DLL/EXE.
You can do it by getting the 32-bit value pointed to by [esp+4] at the beginning of the hook (first operation), because when you use inline assembly it's executed after the usual "push ebp; mov ebp,esp" sequence.

Then you must obtain the "module" value, which is nothing else than the starting address of the module the address you got belongs to (because I guess that you can't use the retrieved one directly, maybe try), and sincerely at the moment I don't know if an API exists to do it or if you must do a math calculation or a work-around.
For example, the return address is 00b198fc while the module is 00400000.

Now get the process handle.

And finally call GetModuleFileNameEx:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

Note that I have not tested these steps and so I don't have working example code; do it by yourself.


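The procedure from the reply above (return address -> containing module -> module file name) as an added example in C. This is not code from the thread or from aluigi; the names `hooked_sendto`, `module_for_address` and `caller_was_resolved` are mine. Instead of reading [esp+4] by hand it uses the compiler's return-address intrinsic (`_ReturnAddress` on MSVC, `__builtin_return_address(0)` on GCC/Clang), which also works for 64-bit code. On Windows the address-to-module step uses `GetModuleHandleEx` with `GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS` (the API the reply was unsure existed) and `GetModuleFileName`, which for your own process needs no process handle. On other platforms it does the "math calculation" the reply mentions by hand, scanning `/proc/self/maps` for the mapping that contains the address; that branch assumes a Linux-style `/proc` and exists so the example runs outside Windows.

```c
/* Added example (not from the original thread): identify the module that
 * called a hooked function, starting from the hook's return address. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

#if defined(_MSC_VER)
#include <intrin.h>
#define RETURN_ADDRESS() _ReturnAddress()
#define NOINLINE __declspec(noinline)
#else
#define RETURN_ADDRESS() __builtin_return_address(0)
#define NOINLINE __attribute__((noinline))
#endif

#define PATH_MAX_LEN 4096

/* Find the module containing addr. On success writes its path to out and
 * returns the module base; returns 0 (and an empty out) if nothing matches. */
static uintptr_t module_for_address(const void *addr, char *out, size_t outlen)
{
    out[0] = '\0';
#ifdef _WIN32
    HMODULE mod = NULL;
    /* FROM_ADDRESS: treat the "name" argument as an address inside a module.
     * UNCHANGED_REFCOUNT: don't take a reference we would have to free. */
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                            GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                            (LPCSTR)addr, &mod))
        return 0;
    /* An HMODULE is the module's load address (e.g. 00400000 in the reply). */
    if (GetModuleFileNameA(mod, out, (DWORD)outlen) == 0)
        return 0;
    return (uintptr_t)mod;
#else
    /* Assumption: Linux-style /proc. Lines look like
     * "start-end perms offset dev inode [pathname]" in ascending order. */
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[PATH_MAX_LEN + 128], prev_path[PATH_MAX_LEN] = "";
    uintptr_t target = (uintptr_t)addr, base = 0;
    unsigned long first_lo = 0;

    if (!maps)
        return 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[8], path[PATH_MAX_LEN];
        int n = sscanf(line, "%lx-%lx %7s %*s %*s %*s %4095s", &lo, &hi, perms, path);
        if (n < 3)
            continue;
        if (n < 4)
            path[0] = '\0';               /* anonymous mapping */
        /* Mappings of one file are consecutive; the first one is the module
         * base, the counterpart of the HMODULE value on Windows. */
        if (strcmp(path, prev_path) != 0) {
            first_lo = lo;
            snprintf(prev_path, sizeof prev_path, "%s", path);
        }
        if (target >= lo && target < hi && path[0] != '\0') {
            snprintf(out, outlen, "%s", path);
            base = (uintptr_t)first_lo;
            break;
        }
    }
    fclose(maps);
    return base;
#endif
}

/* What the hook last saw: the caller's module path and base. */
static char last_caller_path[PATH_MAX_LEN];
static uintptr_t last_caller_base;

/* Stand-in for the hooked sendto(). A real hook is reached through a
 * trampoline, but the interesting part is identical: the return address
 * points into whoever called us. noinline keeps that return address ours. */
static NOINLINE int hooked_sendto(const char *buf, size_t len)
{
    const void *ret = RETURN_ADDRESS();    /* the value at [esp+4] on 32-bit entry */
    last_caller_base = module_for_address(ret, last_caller_path, sizeof last_caller_path);
    printf("sendto(%u bytes) from %p, module base %#lx: %s\n", (unsigned)len, ret,
           (unsigned long)last_caller_base,
           last_caller_path[0] ? last_caller_path : "<unknown>");
    (void)buf;                             /* a real hook forwards to the original here */
    return (int)len;
}

/* Calls the hook as an application would and verifies the logged caller is
 * the module containing this function. Returns 1 on success. */
static int caller_was_resolved(void)
{
    static const char msg[] = "GET / HTTP/1.0\r\n\r\n";   /* constructed sample payload */
    char self[PATH_MAX_LEN];

    hooked_sendto(msg, sizeof msg - 1);
    if (module_for_address((const void *)&caller_was_resolved, self, sizeof self) == 0)
        return 0;
    return last_caller_base != 0 && last_caller_path[0] != '\0' &&
           strcmp(last_caller_path, self) == 0;
}

int main(void)
{
    return caller_was_resolved() ? 0 : 1;
}
```

Two caveats when using this for logging: the return address only names the module that made the immediate call, so a program that reaches sendto through a wrapper DLL shows up as that wrapper, and code that wants to hide can jump into the API through a gadget in another module, so the logged name is a hint about the caller, not proof.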