flat assembler
Message board for the users of flat assembler.

Need structure translation..
Overflowz 07 May 2011, 19:50
Hello everyone.. :) I'm a noob about structures; could anybody translate this structure into fasm format for me? Thanks.
http://msdn.microsoft.com/en-us/library/ms679284(v=vs.85).aspx
P.S. only for 32 bits.


Last edited by Overflowz on 10 May 2011, 06:54; edited 2 times in total
cod3b453 08 May 2011, 00:30
I think it's this
Code:
CONTEXT_X86                     equ 0x10000

CONTEXT_DEBUG_REGISTERS         equ 0x10
CONTEXT_FLOATING_POINT          equ 0x08
CONTEXT_SEGMENTS                equ 0x04
CONTEXT_INTEGER                 equ 0x02
CONTEXT_CONTROL                 equ 0x01
CONTEXT_EXTENDED_REGISTERS      equ 0x20

MAXIMUM_SUPPORTED_EXTENSION     equ 512


struct FLOATING_SAVE_AREA
        ControlWord             dd ?
        StatusWord              dd ?
        TagWord                 dd ?
        ErrorOffset             dd ?
        ErrorSelector           dd ?
        DataOffset              dd ?
        DataSelector            dd ?
        RegisterArea            rb 80
        Cr0NpxState             dd ?
ends

struct CONTEXT ; _X86_ layout, 0x2CC bytes in total

        ContextFlags            dd ?

        Dr0                     dd ?
        Dr1                     dd ?
        Dr2                     dd ?
        Dr3                     dd ?
        Dr6                     dd ?
        Dr7                     dd ?

        FloatSave               FLOATING_SAVE_AREA

        SegGs                   dd ?
        SegFs                   dd ?
        SegEs                   dd ?
        SegDs                   dd ?

        Edi                     dd ?
        Esi                     dd ?
        Ebx                     dd ?
        Edx                     dd ?
        Ecx                     dd ?
        Eax                     dd ?

        Ebp                     dd ?
        Eip                     dd ?
        SegCs                   dd ?
        EFlags                  dd ?
        Esp                     dd ?
        SegSs                   dd ?

        ExtendedRegisters       rb MAXIMUM_SUPPORTED_EXTENSION
ends    
typedef 08 May 2011, 00:52
fasm will raise an error for using reserved symbols
LocoDelAssembly 08 May 2011, 05:40
No, it won't. In order to be compilable it will need win{32|64}*.inc to be included (or at least macro\struct.inc), though.
Overflowz 08 May 2011, 09:55
cod3b453
Thank you very much. ;)
Overflowz 08 May 2011, 14:52
I think it doesn't work.. This structure is not being filled :(
Code:
section '.data' data readable writeable
nBuffer rb 0x100
sinfo STARTUPINFO
pinfo PROCESS_INFORMATION
cText CONTEXT
section '.text' code readable executable
proc main
     invoke GetModuleFileName,0,nBuffer,0x100
     invoke CreateProcess,nBuffer,0,0,0,1,CREATE_SUSPENDED,0,0,sinfo,pinfo ;SUSPENDED
     invoke GetThreadContext,[pinfo.hThread],cText
     mov eax,[cText.Ebx] ;EAX should hold EBX address of another created process. But it fails.
     mov eax,[eax+0x8] ;PEB
  ret
endp    

But it fails. EAX = 0 and nothing changes there except ContextFlags.. Any help?
ProphetOfDoom 09 May 2011, 01:08
Hi OverFlowz

I *think* you need to set the value of ContextFlags in your context structure to tell it which registers you want (before you pass the structure to GetThreadContext). For example if you set ContextFlags to CONTEXT_INTEGER (which is 0x00010000 | 2) it will return the general purpose registers. I got this from here:

http://msdn.microsoft.com/en-us/library/ms679284%28v=vs.85%29.aspx

and here:

http://source.winehq.org/source/include/winnt.h
Overflowz 09 May 2011, 08:11
ProphetOfDoom
Yes, you're right. I found that information somewhere. So,
Quote:
CONTEXT_X86 equ 0x10000

CONTEXT_DEBUG_REGISTERS equ 0x10
CONTEXT_FLOATING_POINT equ 0x08
CONTEXT_SEGMENTS equ 0x04
CONTEXT_INTEGER equ 0x02
CONTEXT_CONTROL equ 0x01
CONTEXT_EXTENDED_REGISTERS equ 0x20

MAXIMUM_SUPPORTED_EXTENSION equ 512

CONTEXT_INTEGER should be CONTEXT_X86 OR 0x02, right? And not only 0x02, am I right?
I wrote it like this; let me know if this is true.. :)
Code:
CONTEXT_X86                     EQU 0x10000

CONTEXT_CONTROL                 EQU CONTEXT_X86 OR 0x0001
CONTEXT_INTEGER                 EQU CONTEXT_X86 OR 0x0002
CONTEXT_SEGMENTS                EQU CONTEXT_X86 OR 0x0004
CONTEXT_FLOATING_POINT          EQU CONTEXT_X86 OR 0x0008
CONTEXT_DEBUG_REGISTERS         EQU CONTEXT_X86 OR 0x0010
CONTEXT_EXTENDED_REGISTERS      EQU CONTEXT_X86 OR 0x0020
CONTEXT_FULL                    EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS
CONTEXT_ALL                     EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS OR CONTEXT_FLOATING_POINT OR CONTEXT_DEBUG_REGISTERS OR CONTEXT_EXTENDED_REGISTERS
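Added example, not code from this thread or from fasm's includes: a Python decoder for the 32-bit CONTEXT layout and flag constants discussed in the two posts above. It derives each field's offset from the struct, checks that the total is 0x2CC (sizeof(CONTEXT) on x86), and reports which register groups a ContextFlags value requests from GetThreadContext or marks as valid in a captured record (a debugger or crash-dump thread context). The sample record and its register values are constructed.

```python
"""Decode a raw 32-bit Windows CONTEXT record using the layout posted in this thread."""
import struct
CONTEXT_X86 = 0x10000          # CONTEXT_i386 in winnt.h; ORed into every group flag
CONTEXT_GROUPS = {             # flag bit -> register group it covers
    0x01: "CONTROL",           # Ebp, Eip, SegCs, EFlags, Esp, SegSs
    0x02: "INTEGER",           # Edi, Esi, Ebx, Edx, Ecx, Eax
    0x04: "SEGMENTS",          # SegGs, SegFs, SegEs, SegDs
    0x08: "FLOATING_POINT",    # FloatSave
    0x10: "DEBUG_REGISTERS",   # Dr0, Dr1, Dr2, Dr3, Dr6, Dr7
    0x20: "EXTENDED_REGISTERS",
}
CONTEXT_FULL = CONTEXT_X86 | 0x07   # CONTROL | INTEGER | SEGMENTS
CONTEXT_ALL = CONTEXT_X86 | 0x3F
# (field, byte size) in struct order; FLOATING_SAVE_AREA is 7 dwords + 80 bytes + 1 dword = 112.
LAYOUT = [("ContextFlags", 4)] + [(f"Dr{i}", 4) for i in (0, 1, 2, 3, 6, 7)] + \
    [("FloatSave", 112)] + [(n, 4) for n in (
        "SegGs", "SegFs", "SegEs", "SegDs", "Edi", "Esi", "Ebx", "Edx", "Ecx", "Eax",
        "Ebp", "Eip", "SegCs", "EFlags", "Esp", "SegSs")] + [("ExtendedRegisters", 512)]

def offsets():
    """Byte offset of every field plus 'sizeof'; the total is 0x2CC, sizeof(CONTEXT) on x86."""
    table, off = {}, 0
    for name, size in LAYOUT:
        table[name] = off
        off += size
    table["sizeof"] = off
    return table

def decode_flags(flags):
    """Names of the register groups a ContextFlags value requests (or marks as valid)."""
    if (flags & CONTEXT_X86) != CONTEXT_X86:
        raise ValueError("CONTEXT_X86 bit missing: 0x02 alone is not CONTEXT_INTEGER")
    return [name for bit, name in CONTEXT_GROUPS.items() if flags & bit]

def parse_context(blob):
    """Read every dword field of a raw little-endian CONTEXT blob into a dict."""
    table = offsets()
    if len(blob) < table["sizeof"]:
        raise ValueError("blob shorter than sizeof(CONTEXT)")
    regs = {n: struct.unpack_from("<I", blob, table[n])[0] for n, s in LAYOUT if s == 4}
    regs["groups"] = decode_flags(regs["ContextFlags"])
    return regs

def make_sample():
    """Constructed sample record (not captured data): CONTEXT_FULL with three registers set."""
    table, blob = offsets(), bytearray(offsets()["sizeof"])
    for name, value in (("ContextFlags", CONTEXT_FULL), ("Ebx", 0x7FFD3000),
                        ("Eax", 0x00401000), ("Eip", 0x77760000)):
        struct.pack_into("<I", blob, table[name], value)
    return bytes(blob)
```

The offsets it derives (Ebx at 0xA4, Eip at 0xB8, Esp at 0xC4) are the ones that have to match the fasm struct for `[ctx.Ebx]` to read the right dword.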
ProphetOfDoom 09 May 2011, 08:47
Yes, I think that's correct - I can't test it as I don't have a Windows PC in front of me. Why don't you try it? :)
Overflowz 09 May 2011, 08:57
ProphetOfDoom
Trying, but I don't know if I'm getting the true result ^^ I'm creating a process with the CREATE_SUSPENDED flag, and EBX should point to the PEB structure. After that, I'm trying to get the Image Base and it doesn't work.
Code:
mov ebx,[ctx.Ebx]
mov ebx,[ebx+0x08] ;ImageBase but it fails.    

That's my problem here.
ProphetOfDoom 09 May 2011, 09:26
Hi,

The method I've given you should definitely work - I used it in a C program (a debugger I'm writing) with no problems. But my program retrieves the context when the program is suspended due to a debug exception (breakpoint) - I've never tried it with a process that was started suspended. Maybe someone else can help? I'm out of ideas already.
Overflowz 09 May 2011, 09:41
I made a mistake, sorry.. I should call ZwUnmapViewOfSection first and then the code I wrote below. Solved, and thanks :)
ProphetOfDoom 09 May 2011, 09:45
Actually, I was just thinking... I've never needed to hack around with PE image bases, but aren't you looking for the data in the parent (creating) process rather than in the child (created) process? If the info you want is in the child process, you'll need to use the Windows ReadProcessMemory function to get at it.
ProphetOfDoom 09 May 2011, 09:47
Oh okay lol. As long as you got it working.
Overflowz 09 May 2011, 09:50
Never mind, sometimes it works, sometimes it doesn't. I'll try to figure out what's going on there >.<
Overflowz 10 May 2011, 06:59
Heh, I have a question.. Is this a bug?? I've tried to open the program in Olly, and sometimes it works and sometimes it doesn't. I just need to open it several times, and this value is confusing me! It changes every time I open it at a different time.. Check these pictures. Also, here's the source and the declaration of the context structure:
Source:
Code:
     invoke GetModuleFileName,0,nBuffer,0x100
     invoke CreateProcess,nBuffer,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
     mov [ctx.ContextFlags],CONTEXT_INTEGER
     invoke GetThreadContext,[pinfo.hThread],ctx
     invoke GetModuleHandle,0
     invoke ZwUnmapViewOfSection,[pinfo.hThread],eax
     mov ebx,[ctx.Ebx]
     mov ebx,[ebx+0x08]  ;EBX = Base
     mov eax,[ctx.Eax]   ;EAX = EP
     mov esi,hfile
     add esi,[esi+0x3c]
     mov edi,nthdr
     mov ecx,sizeof.IMAGE_NT_HEADERS32
     cld
     rep movsb
     mov eax,[nthdr.OptionalHeader.SizeOfImage]
  ret    

Context Structure:
Code:
CONTEXT_X86                     EQU 0x10000

CONTEXT_CONTROL                 EQU CONTEXT_X86 OR 0x0001
CONTEXT_INTEGER                 EQU CONTEXT_X86 OR 0x0002
CONTEXT_SEGMENTS                EQU CONTEXT_X86 OR 0x0004
CONTEXT_FLOATING_POINT          EQU CONTEXT_X86 OR 0x0008
CONTEXT_DEBUG_REGISTERS         EQU CONTEXT_X86 OR 0x0010
CONTEXT_EXTENDED_REGISTERS      EQU CONTEXT_X86 OR 0x0020
CONTEXT_FULL                    EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS
CONTEXT_ALL                     EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS OR CONTEXT_FLOATING_POINT OR CONTEXT_DEBUG_REGISTERS OR CONTEXT_EXTENDED_REGISTERS

MAXIMUM_SUPPORTED_EXTENSION     equ 512

struct FLOATING_SAVE_AREA 
        ControlWord             dd ? 
        StatusWord              dd ? 
        TagWord                 dd ? 
        ErrorOffset             dd ? 
        ErrorSelector           dd ? 
        DataOffset              dd ? 
        DataSelector            dd ? 
        RegisterArea            rb 80 
        Cr0NpxState             dd ? 
ends 

struct CONTEXT
        ContextFlags            dd ? 
        Dr0                     dd ? 
        Dr1                     dd ? 
        Dr2                     dd ? 
        Dr3                     dd ? 
        Dr6                     dd ? 
        Dr7                     dd ? 
        FloatSave               FLOATING_SAVE_AREA 
        SegGs                   dd ? 
        SegFs                   dd ? 
        SegEs                   dd ? 
        SegDs                   dd ? 
        Edi                     dd ? 
        Esi                     dd ? 
        Ebx                     dd ? 
        Edx                     dd ? 
        Ecx                     dd ? 
        Eax                     dd ? 
        Ebp                     dd ? 
        Eip                     dd ? 
        SegCs                   dd ? 
        EFlags                  dd ? 
        Esp                     dd ? 
        SegSs                   dd ? 
        ExtendedRegisters       rb MAXIMUM_SUPPORTED_EXTENSION 
ends    

Any help? :)

[Attachments: olly2.jpg (478.55 KB), olly1.jpg (498.45 KB)]
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.