I was trying to convert this MASM code
.386
.model flat, stdcall
.stack 4096
assume fs:nothing
.code
main proc
mov eax, [fs:30h] ; Pointer to PEB (https://en.wikipedia.org/wiki/Win32_Thread_Information_Block)
mov eax, [eax + 0ch] ; Pointer to Ldr
mov eax, [eax + 14h] ; Pointer to InMemoryOrderModuleList
mov eax, [eax] ; this program's module
mov eax, [eax] ; ntdll module
mov eax, [eax -8h + 18h]; kernel32.DllBase
mov ebx, 0 ; just so we can put a breakpoint on this
int 3
main endp
end main
which finds Kernel32 dll base, into C equivalent. This is my try:
asm("mov %fs:0x30, %eax\n"); // PEB
asm("mov 0x0c(%eax), %eax\n"); // LDR
asm("mov 0x14(%eax), %eax\n"); // InMemoryOrderModuleList
asm("mov %eax, %eax"); // this program's module
asm("mov %eax, %eax"); // ntdll module
asm("mov -0x8(%eax), %eax"); // kernel32.DllBase
asm("mov 0x18(%eax), %eax"); // kernel32.DllBase
asm("mov %%eax, %0 \n" : "=r"(i));
asm("int3");
printf("kernel32.DllBase: %p\n", i);
The compiler I'm using is i686-w64-mingw32-gcc.
For some reason the code I wrote returns wrong address. The address it returns points to ntdll.
