Custom Shellcode x86
Finding Kernel32.dll base address using the PEB method
Attach WinDbg or any other debugger to a running process such as BlazeDVD

Dump the TEB structure using the following command:
dt nt!_TEB @$teb
For 32-bit processes, the pointer to the PEB data structure is found at offset 0x30 of the TEB.

The PEB can then be dumped with the following command (replace the address with the PEB address shown in the TEB output above):
dt nt!_PEB 0x0020e000

From here the next important field is the Ldr pointer at offset 0x00c of the PEB. It points to three doubly-linked lists that contain the modules loaded in the process.
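The debugger steps above can be followed in code. The following is an added example (not part of the original notes, and not tied to BlazeDVD) written in portable C: it lays out the 32-bit TEB, PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY structures with explicit-width fields, so offsetof() reports the same 0x30 and 0x0c offsets the notes quote, builds a small constructed 32-bit memory image with three invented module entries, and walks TEB -> PEB -> Ldr -> InMemoryOrderModuleList to find a module base by name. Field names follow winternl.h; the module names, base addresses and image layout are sample data made up for the example.

```c
/* Added example, not from the original notes: portable C model of the 32-bit
 * TEB -> PEB -> Ldr -> module-list chain. Fields have explicit widths so the
 * 32-bit offsets hold on any host; "memory" is a constructed byte image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;
typedef struct {                              /* _TEB (32-bit) */
    uint8_t  NtTib[0x1c];
    uint32_t EnvironmentPointer, ClientId[2], ActiveRpcHandle, ThreadLocalStoragePointer;
    uint32_t ProcessEnvironmentBlock;         /* 0x30, read as fs:[0x30] */
} TEB32;
typedef struct {                              /* _PEB (32-bit), first 0x10 bytes */
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    uint32_t Mutant, ImageBaseAddress;        /* 0x04, 0x08 */
    uint32_t Ldr;                             /* 0x0c -> _PEB_LDR_DATA */
} PEB32;
typedef struct {                              /* _PEB_LDR_DATA (32-bit) */
    uint32_t Length; uint8_t Initialized, Pad[3]; uint32_t SsHandle;
    LIST_ENTRY32 InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList; /* 0x0c, 0x14, 0x1c */
} PEB_LDR_DATA32;
typedef struct {                              /* _LDR_DATA_TABLE_ENTRY (32-bit) */
    LIST_ENTRY32 InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    uint32_t DllBase, EntryPoint, SizeOfImage; /* 0x18, 0x1c, 0x20 */
    UNICODE_STRING32 FullDllName, BaseDllName; /* 0x24, 0x2c */
} LDR_DATA_TABLE_ENTRY32;

/* Constructed 32-bit address space: an address is simply an index into image.b. */
static union { uint8_t b[0x1000]; uint32_t align; } image;
enum { TEB_ADDR = 0x000, PEB_ADDR = 0x100, LDR_ADDR = 0x200, ENTRY_ADDR = 0x300, NAME_ADDR = 0x600 };
#define AT(type, addr) ((type *)(image.b + (addr)))

/* Case-insensitive compare of a UTF-16 UNICODE_STRING against an ASCII name. */
static int name_equals(UNICODE_STRING32 s, const char *ascii)
{
    const uint16_t *w = AT(uint16_t, s.Buffer);
    if (s.Length / 2 != strlen(ascii)) return 0;  /* Length is in bytes, no terminator */
    for (size_t i = 0; i < s.Length / 2; i++) {
        unsigned c = w[i], a = (unsigned char)ascii[i];
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (c != a) return 0;
    }
    return 1;
}

/* Walk TEB -> PEB -> Ldr -> InMemoryOrderModuleList; return DllBase of `name`, or 0. */
uint32_t find_module_base(uint32_t teb, const char *name)
{
    uint32_t peb  = AT(TEB32, teb)->ProcessEnvironmentBlock;      /* [teb+0x30] */
    uint32_t ldr  = AT(PEB32, peb)->Ldr;                           /* [peb+0x0c] */
    uint32_t head = ldr + offsetof(PEB_LDR_DATA32, InMemoryOrderModuleList);
    for (uint32_t link = AT(LIST_ENTRY32, head)->Flink; link != head;
         link = AT(LIST_ENTRY32, link)->Flink) {
        /* CONTAINING_RECORD: this link sits 8 bytes into its LDR_DATA_TABLE_ENTRY */
        uint32_t entry = link - offsetof(LDR_DATA_TABLE_ENTRY32, InMemoryOrderLinks);
        const LDR_DATA_TABLE_ENTRY32 *e = AT(LDR_DATA_TABLE_ENTRY32, entry);
        if (name_equals(e->BaseDllName, name)) return e->DllBase;
    }
    return 0;
}

/* Populate the image with three invented modules on a circular doubly-linked list. */
void build_image(void)
{
    static const struct { const char *name; uint32_t base; } mods[] = {
        { "BlazeDVD.exe", 0x00400000 }, { "ntdll.dll", 0x77a00000 }, { "KERNEL32.DLL", 0x75c00000 } };
    uint32_t head = LDR_ADDR + offsetof(PEB_LDR_DATA32, InMemoryOrderModuleList), prev = head;
    memset(image.b, 0, sizeof image.b);
    AT(TEB32, TEB_ADDR)->ProcessEnvironmentBlock = PEB_ADDR;
    AT(PEB32, PEB_ADDR)->Ldr = LDR_ADDR;
    for (uint32_t i = 0; i < 3; i++) {
        uint32_t entry = ENTRY_ADDR + i * 0x100, link = entry + offsetof(LDR_DATA_TABLE_ENTRY32, InMemoryOrderLinks);
        LDR_DATA_TABLE_ENTRY32 *e = AT(LDR_DATA_TABLE_ENTRY32, entry);
        uint16_t *w = AT(uint16_t, NAME_ADDR + i * 0x40);     /* name stored as UTF-16LE */
        size_t n = strlen(mods[i].name);
        for (size_t k = 0; k <= n; k++) w[k] = (uint16_t)(unsigned char)mods[i].name[k];
        e->DllBase = mods[i].base;
        e->BaseDllName.Buffer = NAME_ADDR + i * 0x40;
        e->BaseDllName.Length = (uint16_t)(n * 2);
        e->BaseDllName.MaximumLength = (uint16_t)(n * 2 + 2);
        AT(LIST_ENTRY32, prev)->Flink = link;     /* append behind the previous link */
        e->InMemoryOrderLinks.Blink = prev;
        prev = link;
    }
    AT(LIST_ENTRY32, prev)->Flink = head;         /* close the ring back to the list head */
    AT(LIST_ENTRY32, head)->Blink = prev;
}
int main(void)
{
    build_image();
    unsigned base = find_module_base(TEB_ADDR, "kernel32.dll");
    printf("kernel32.dll base in the constructed image: 0x%08x\n", base);
    return base == 0;
}
```

The walk mirrors the two dt commands above: the first dereference is the field at TEB+0x30, the second is the field at PEB+0x0c, and from there the loop follows Flink around the InMemoryOrderModuleList ring. Because that link is embedded 8 bytes into each LDR_DATA_TABLE_ENTRY, DllBase is 0x10 bytes past the link address, which is what the offsetof() arithmetic in find_module_base encodes. The same three lists are what the debugger's module list (lm) enumerates, so comparing their contents against what the loader reports is a quick consistency check when analysing a process.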