Monday, January 15, 2018

GetModuleFileName windows api

Here's how I understand the GetModuleFileName Windows API. Its prototype is GetModuleFileName(hModule, lpFilename, nSize): a handle to the module whose path you want, a pointer to the buffer that receives the path, and the size of that buffer in characters (TCHARs, not bytes). The arguments are pushed right to left, so in the disassembly you see the size pushed first, then the buffer pointer, then the handle. In this call, 0x104 (260 decimal, i.e. MAX_PATH) is the size of the buffer, EAX holds the pointer to the buffer, and the argument the debugger labels <&Ordinal958> is the handle to the module we want the file path of.


Before the call, the buffer that EAX points to, at 0x0018FB68, is empty (zero-filled).

The handle argument labelled <&Ordinal958> sits on the stack at 0x0018F858 and, before the call executes, holds the value 0x72940000. An HMODULE is simply the base address at which the module was mapped, so dumping memory at 0x72940000 shows the start of the DLL itself: the MZ magic bytes of its DOS header are visible on the right-hand side of the dump. Once GetModuleFileName has executed, the buffer that EAX pointed to at 0x0018FB68 contains the full path of the file that DLL was loaded from on disk, and EAX holds the return value, the number of characters copied.

Two things worth checking whenever you see this call: nSize is a character count, so 0x104 means 260 WCHARs for the W variant but 260 bytes for the A variant, and if the real path is longer than the buffer the path is silently truncated (the return value equals nSize and GetLastError reports ERROR_INSUFFICIENT_BUFFER). A NULL module handle makes the function return the path of the process's own executable, which is why it so often appears in samples that need to locate themselves on disk.
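The call described above, reproduced from PowerShell with P/Invoke as an added example (this is not code from the original post). It assumes a Windows host; the choice of kernel32.dll as the target module, the 0x104 buffer size and the function name Get-ModulePath are illustrative. It also reads the first two bytes at the module handle to show the MZ magic the memory dump reveals, and calls the API with a deliberately small buffer to show the truncation caveat.

```powershell
# Added example (not from the original post): call GetModuleFileNameW via P/Invoke
# and reproduce what the debugger shows. Assumes Windows PowerShell 5.1 or later;
# "kernel32.dll", the 0x104 size and Get-ModulePath are illustrative choices.

$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetModuleFileNameW(IntPtr hModule, System.Text.StringBuilder lpFilename, uint nSize);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'Demo' -PassThru

function Get-ModulePath {
    param(
        [IntPtr]$Module,         # HMODULE: the module's load address (IntPtr.Zero = this process's .exe)
        [uint32]$Chars = 0x104   # nSize is a count of characters, not bytes; 0x104 = 260 = MAX_PATH
    )
    $buf = New-Object System.Text.StringBuilder ([int]$Chars)
    $len = $k32::GetModuleFileNameW($Module, $buf, $Chars)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($len -eq 0) { throw "GetModuleFileNameW failed, Win32 error $err" }
    # Too-small buffer: the path is truncated, the return value equals nSize and
    # GetLastError is ERROR_INSUFFICIENT_BUFFER (122).
    [pscustomobject]@{
        Path      = $buf.ToString()
        Length    = $len
        Truncated = ($len -eq $Chars -and $err -eq 122)
    }
}

# 1. The handle is the image base: the first two bytes there are the 'MZ' magic (0x5A4D).
$hMod  = $k32::GetModuleHandleW('kernel32.dll')
$magic = [System.Runtime.InteropServices.Marshal]::ReadInt16($hMod)
$text  = -join @([char]($magic -band 0xFF), [char](($magic -shr 8) -band 0xFF))
'kernel32.dll: base 0x{0:X}, magic 0x{1:X4} ({2})' -f $hMod.ToInt64(), $magic, $text

# 2. Same call as in the debugger: a 0x104-character buffer.
Get-ModulePath -Module $hMod

# 3. A NULL handle gives the path of the process executable itself.
Get-ModulePath -Module ([IntPtr]::Zero)

# 4. Deliberately small buffer, to see the truncation described in the text.
Get-ModulePath -Module $hMod -Chars 8
```

Step 4 is the case to keep in mind when the sample passes a hard-coded 0x104: any module living under a path longer than 259 characters comes back truncated, and code that does not compare the return value against nSize will happily use the wrong path.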
