flat assembler
Message board for the users of flat assembler.

flat assembler > Projects and Ideas > hash importer

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7108
Location: Slovakia
hidden: noticed another thing... you are forgetting to check return values from API calls. You must check description of every API call you use if it can return error, and check that error. In case error is returned, release all resources you have taken (free memory, close files), write error message and quit.
Post 06 Mar 2007, 15:02
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
hidden



Joined: 14 Feb 2007
Posts: 49
vid wrote:
hidden: so, if once there will be some collision, how will your app beheave?
Even if Microsoft will add so many functions to one module and that will bring up one collision, which probability that will you use that collisioned function? There's dword(2^32) of combinations + it checks length of the function, this makes that probability rush to the 0.

vid wrote:
hidden: noticed another thing... you are forgetting to check return values from API calls. You must check description of every API call you use if it can return error, and check that error.
I don't use any resource, memory allocations or Api calls, only call I use that LoadLibraryA, that can be api or user-specified.

vid wrote:
In case error is returned, release all resources you have taken (free memory, close files), write error message and quit.
You saying that if any library wasn't found or any function haven't imported, I should return error message?
It bring up error message only when program calls to not imported function.

_________________
Image Lang: (eng|рус)
Post 06 Mar 2007, 16:05
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7108
Location: Slovakia
hidden wrote:
vid wrote:
hidden: so, if once there will be some collision, how will your app beheave?
Even if Microsoft will add so many functions to one module and that will bring up one collision, which probability that will you use that collisioned function? There's dword(2^32) of combinations + it checks length of the function, this makes that probability rush to the 0.
you didn't answer the question Smile
what happens in case of collision?

Quote:
It bring up error message only when program calls to not imported function.

I think "importer" should return error in this case, and caller should check this error after calling importer. Also you should error some kind of error code, prefereably Windows error codes. Having single error message for any kind of error is not enough.

Is method used in your "GetKernel" procedure documented? Or at least reliably working on all windowses?

Finally, you should add more error checking during findings procs (is it MZ? is it PE? does it have exports? Is ordinal in range? Does RVAs point into file?), and it will be nice project.

PS:
Code:
      virtual at $ 
       proc dd ? 
      end virtual    

this can be better written as
Code:
label proc dword    


PS2:
You should warn users somewhere in docs, that hashes are overwritten to code, so they must be placed in writeable executable segment.
Post 06 Mar 2007, 16:47
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
hidden



Joined: 14 Feb 2007
Posts: 49
Quote:
you didn't answer the question Smile
what happens in case of collision?
It will chose the last function in export table matched hash and length.

Quote:
Is method used in your "GetKernel" procedure documented? Or at least reliably working on all windowses?
This method is not documented, it's not mine, but it works on 9x, 2k and xp, I didn't try it on vista, but it should work. Anyway you can find kernel on return address by BaseByAddr.

Quote:
Is ordinal in range? Does RVAs point into file?
Why?
If I'll check every RVA and every ordinal, how long will it import all the functions?

Quote:
PS2:
You should warn users somewhere in docs, that hashes are overwritten to code, so they must be placed in writeable executable segment.
I can do this, but I think if anybody programming on assembler, he should know, if it's import - it should be writable and if program calls there it should be executable. Smile
Post 06 Mar 2007, 21:14
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7108
Location: Slovakia
Quote:
It will chose the last function in export table matched hash and length
Don't you feel urge to fix it? Maybe it will never happen, but at least you can say that all known problems are fixed, not ignored because of small chance.

Quote:
Why?
If I'll check every RVA and every ordinal, how long will it import all the functions?

Nobody would ever notice few extra cycles per application run, but surely programmer wouldn't be happy to spend hour looking for bug releated to bad DLL. This also helps yourself to track bug in your code.

Quote:
This method is not documented, it's not mine, but it works on 9x, 2k and xp, I didn't try it on vista, but it should work. Anyway you can find kernel on return address by BaseByAddr.
and what's wrong with proper method (the one that is quaranteed to work even in future)?

Quote:
I can do this, but I think if anybody programming on assembler, he should know, if it's import - it should be writable and if program calls there it should be executable.
just for case someone tries to use without understanding how it works (by copypasting code from examples to his source). Such person could place it into read-only code section and have problem with that.
Post 06 Mar 2007, 21:38
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
hidden



Joined: 14 Feb 2007
Posts: 49
Quote:
and what's wrong with proper method
What's proper method?
I don't know any documented method to get kernel addr except using LoadLibrary from import table.

About checking RVA, if I will add this check, this code will be bigger twice or more, I thick is much easily and fester way to add own exception handler, that will show message with address of exception and current element in import table. Program have to shutdown anyway. What do you thick, is it better?
Post 07 Mar 2007, 03:39
View user's profile Send private message Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
As for speed... too bad that hash checking "somewhat complicates" using binary search of exports Smile
Post 07 Mar 2007, 23:26
View user's profile Send private message Visit poster's website Reply with quote
hidden



Joined: 14 Feb 2007
Posts: 49
Updated: Added checking every access to memory, "is it in range of export section?"
Post 08 Mar 2007, 20:43
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7108
Location: Slovakia
f0dder: Laughing
Post 08 Mar 2007, 20:51
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.