The operating system allocates a structure, the Process Environment Block (PEB), for every running process. From within a 32-bit process it can always be found at fs:[0x30]: the FS segment selects the current thread's TEB, and the pointer to the PEB sits at offset 0x30 in it. The PEB holds information about the process's heaps, its binary image and, most importantly, three linked lists describing the modules that have been mapped into the process's address space. The lists differ in purpose: one records the order in which the modules were loaded, one the order in which they sit in memory, and one the order in which they were initialized. The initialization-order list is the one of interest, because kernel32.dll is always initialized at a constant position: on Windows 2000, XP and 2003 it is the second module, right after ntdll.dll. By walking the list to its second entry one can therefore deterministically extract the base address of kernel32.dll. (Windows 7 and later initialize KERNELBASE.dll in that slot and kernel32.dll third, so a fixed-position walk breaks there; matching the entry's BaseDllName instead is the portable choice.) Declarations for PEB:
typedef struct _PEB {
    BYTE InheritedAddressSpace;       // 0x00
    BYTE ReadImageFileExecOptions;    // 0x01
    BYTE BeingDebugged;               // 0x02
    BYTE Spare;                       // 0x03
    PVOID Mutant;                     // 0x04
    PVOID ImageBaseAddress;           // 0x08
    PPEB_LDR_DATA LoaderData;         // 0x0c
    /* members after LoaderData omitted; 32-bit offsets */
} PEB, *PPEB;
The LoaderData member of the PEB is a pointer to a PEB_LDR_DATA structure and sits at offset 0x0c from the start of the PEB, after the four flag bytes, Mutant and ImageBaseAddress. PEB_LDR_DATA holds the three module lists as LIST_ENTRY heads: InLoadOrderModuleList at offset 0x0c, InMemoryOrderModuleList at 0x14 and InInitializationOrderModuleList at 0x1c, so the initialization-order list head is read as [LoaderData+0x1c].
Declaration for LIST_ENTRY:
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   // next entry
    struct _LIST_ENTRY *Blink;   // previous entry
} LIST_ENTRY, *PLIST_ENTRY;
All the modules loaded by the process are chained together through the InInitializationOrderModuleList member of their loader entries, and kernel32.dll is always the second item (ntdll.dll is the first; this holds on Windows 2000, XP and 2003, while Windows 7 and later put KERNELBASE.dll second). Note that each Flink points at the LIST_ENTRY embedded inside the next element, not at the element's start, so the element's other fields are reached at a fixed offset from the link: BaseAddress lies at 0x18 in the element and the link at 0x10, hence [link+0x08]. The element type of InInitializationOrderModuleList is defined like this:
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;             // 0x00
    LIST_ENTRY InMemoryOrderModuleList;           // 0x08
    LIST_ENTRY InInitializationOrderModuleList;   // 0x10
    PVOID BaseAddress;                            // 0x18
    PVOID EntryPoint;                             // 0x1c
    ULONG SizeOfImage;                            // 0x20
    UNICODE_STRING FullDllName;                   // 0x24
    UNICODE_STRING BaseDllName;                   // 0x2c
    /* remaining members omitted; 32-bit offsets */
} LDR_MODULE, *PLDR_MODULE;
So, to get the base address of kernel32.dll, you can try this:
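The walk described above, as an added example that is not part of the original page: it declares the structures with the same field order as the Windows layouts (pointer width follows the host, so the raw offsets match the 32-bit numbers only when compiled 32-bit), performs the page's second-entry lookup through CONTAINING_RECORD, and beside it a name-matching walk. Since fs:[0x30] is only meaningful inside a real 32-bit Windows process, the PEB here is a constructed fixture (fake_process, build_fake_process and lookup_in_layout are helpers invented for this example, and the base addresses 0x70000000, 0x70010000, ... are made up) built once in the 2000/XP/2003 order and once in the Windows 7 order, which shows the caveat concretely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Structures trimmed to the members the walk touches, in the real field order.
 * Offsets quoted in the text are the 32-bit ones; pointer width follows the host. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, *PLIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING; /* Length in bytes */
typedef struct {
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA;
typedef struct {
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
    void *BaseAddress, *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
} LDR_MODULE;
typedef struct {
    uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, Spare;
    void *Mutant, *ImageBaseAddress; PEB_LDR_DATA *LoaderData;
} PEB;

/* List links point at the LIST_ENTRY embedded in an element; step back to the element. */
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

/* The page's method: PEB->LoaderData (fs:[0x30], then +0x0c), the init-order list head
 * (+0x1c), its second entry, then BaseAddress relative to the embedded link
 * (0x18 - 0x10 = +0x08 on 32-bit). NULL if the list holds fewer than two modules. */
static void *kernel32_by_position(const PEB *peb)
{
    PLIST_ENTRY head = &peb->LoaderData->InInitializationOrderModuleList;
    PLIST_ENTRY first = head->Flink;                          /* ntdll.dll */
    if (first == head || first->Flink == head) return NULL;
    return CONTAINING_RECORD(first->Flink, LDR_MODULE, InInitializationOrderModuleList)->BaseAddress;
}

/* Case-insensitive compare of a UTF-16 UNICODE_STRING against an ASCII name. */
static int name_equals(const UNICODE_STRING *u, const char *ascii)
{
    if ((size_t)u->Length / 2 != strlen(ascii)) return 0;
    for (size_t i = 0; i < (size_t)u->Length / 2; i++) {
        unsigned c = u->Buffer[i], a = (unsigned char)ascii[i];
        if (c - 'A' < 26u) c += 32;          /* fold A-Z to a-z on both sides */
        if (a - 'A' < 26u) a += 32;
        if (c != a) return 0;
    }
    return 1;
}

/* Version-independent variant: walk the whole list and match BaseDllName. */
static void *kernel32_by_name(const PEB *peb)
{
    PLIST_ENTRY head = &peb->LoaderData->InInitializationOrderModuleList;
    for (PLIST_ENTRY e = head->Flink; e != head; e = e->Flink) {
        LDR_MODULE *m = CONTAINING_RECORD(e, LDR_MODULE, InInitializationOrderModuleList);
        if (name_equals(&m->BaseDllName, "kernel32.dll")) return m->BaseAddress;
    }
    return NULL;
}

/* Constructed fixture, not a real process: a PEB whose init-order list holds the named
 * modules in that order, with made-up base addresses 0x70000000, 0x70010000, ... */
#define MAX_MODS 4
typedef struct { PEB peb; PEB_LDR_DATA ldr; LDR_MODULE mods[MAX_MODS]; uint16_t names[MAX_MODS][32]; } fake_process;

static void build_fake_process(fake_process *p, const char *const *names, size_t count)
{
    memset(p, 0, sizeof *p);
    p->peb.LoaderData = &p->ldr;
    PLIST_ENTRY head = &p->ldr.InInitializationOrderModuleList;
    head->Flink = head->Blink = head;
    for (size_t i = 0; i < count && i < MAX_MODS; i++) {
        LDR_MODULE *m = &p->mods[i];
        size_t len = strlen(names[i]) < 31 ? strlen(names[i]) : 31;
        for (size_t j = 0; j < len; j++) p->names[i][j] = (uint16_t)names[i][j];
        m->BaseDllName.Buffer = p->names[i];
        m->BaseDllName.Length = (uint16_t)(len * 2); m->BaseDllName.MaximumLength = (uint16_t)(len * 2 + 2);
        m->BaseAddress = (void *)(uintptr_t)(0x70000000u + 0x10000u * (uint32_t)i);
        PLIST_ENTRY e = &m->InInitializationOrderModuleList;   /* append at the tail */
        e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;
    }
}

/* Build the 2000/XP/2003-style ("xp") or Windows 7-style ("win7") init order and resolve
 * kernel32.dll by position (by_name == 0) or by name; returns the base as an integer. */
static uintptr_t lookup_in_layout(const char *layout, int by_name)
{
    static const char *const xp[]   = { "ntdll.dll", "kernel32.dll" };
    static const char *const win7[] = { "ntdll.dll", "KERNELBASE.dll", "kernel32.dll" };
    fake_process p;
    if (strcmp(layout, "win7") == 0) build_fake_process(&p, win7, 3); else build_fake_process(&p, xp, 2);
    return (uintptr_t)(by_name ? kernel32_by_name(&p.peb) : kernel32_by_position(&p.peb));
}

int main(void)
{
    printf("link-to-BaseAddress delta %zu (8 on 32-bit Windows)\n",
           offsetof(LDR_MODULE, BaseAddress) - offsetof(LDR_MODULE, InInitializationOrderModuleList));
    printf("xp: pos 0x%lx name 0x%lx; win7: pos 0x%lx name 0x%lx\n",
           (unsigned long)lookup_in_layout("xp", 0), (unsigned long)lookup_in_layout("xp", 1),
           (unsigned long)lookup_in_layout("win7", 0), (unsigned long)lookup_in_layout("win7", 1));
    return 0;
}
```

In the XP-order fixture both lookups return the same base; in the Windows 7 order the positional walk lands on KERNELBASE.dll while the name walk still finds kernel32.dll. On a real 32-bit Windows process the PEB pointer would come from fs:[0x30] (for instance MSVC's __readfsdword(0x30)) instead of the fixture.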