flat assembler
Message board for the users of flat assembler.

Windows > thread in dll?
MHajduk 24 Jan 2008, 15:31
Code:
        (...)
        call [MessageBoxA]
        ret
And where is the import section of this DLL?
asmrox 24 Jan 2008, 15:42
ffs
Code:
        format pe dll
        entry start

        section '.code' code readable executable

        start:
                push 0
                push 0
                push 0
                push thread
                push 0
                push 0
                call [CreateThread]
                retn

        thread:
                push 0
                push 0
                push 0
                push 0
                call [MessageBoxA]
                retn

        section '.idata' import data readable

                dd 0,0,0,RVA kernel32_name,RVA kernel32_table
                dd 0,0,0,RVA user32_name,RVA user32_table
                dd 5 dup 0

        kernel32_table:
                CreateThread dd RVA _CreateThread
                dd 0
        user32_table:
                MessageBoxA dd RVA _MessageBoxA
                dd 0

        kernel32_name db 'kernel32.dll',0
        user32_name db 'user32.dll',0

        _MessageBoxA db 0,0,'MessageBoxA',0
        _CreateThread db 0,0,'CreateThread',0

        section '.reloc' fixups data readable discardable
LocoDelAssembly 24 Jan 2008, 15:47
http://msdn2.microsoft.com/en-us/library/ms682583(VS.85).aspx

That function is the entry point of a DLL and it is stdcall, but you implemented it as C (you used a plain ret instead of ret 12).
asmrox 24 Jan 2008, 16:07
Okay, I'll remember that.
But what I don't know is what causes this crash. The thread is being created, but it seems at the wrong address. How should I do that?
OzzY 24 Jan 2008, 16:25
What is RVA?
LocoDelAssembly 24 Jan 2008, 17:06
Quote: What is RVA?
Relative Virtual Address.

Quote: But what I don't know is what causes this crash. The thread is being created, but it seems at the wrong address.
In fact the fault is at the caller of DllMain, since you give it an unbalanced stack, and when it returns the return address will be an unpredictable value (it can be the saved value of EBX, ESI, EDI, or a parameter, or a local variable, etc.). Anyway, have you made the changes already? You have to change:
Code:
        call [CreateThread]
        retn
to:
Code:
        call [CreateThread]
        retn 12
asmrox 25 Jan 2008, 07:12
I've changed this retn, and it worked somehow... It creates threads until it runs out of memory; I had to reset my PC.
LocoDelAssembly 25 Jan 2008, 14:57
Perhaps the thread is created multiple times because your entry point forgets to process PROCESS_ATTACH only?
asmrox 25 Jan 2008, 16:01
Code:
        format pe dll

        section '.code' code readable executable

        entry $
                push 0
                push 0
                push 0
                push thr
                push 0
                push 0
                call [CreateThread]
                push -1
                call [Sleep]

        thr:
                ;jmp $
                push 0
                push 0
                push 0
                push 0
                call [MessageBoxA]

        section '.idata' import data readable

                dd 0,0,0,RVA kernel32_name,RVA kernel32_table
                dd 0,0,0,RVA user32_name,RVA user32_table
                dd 5 dup 0

        kernel32_table:
                CreateThread dd RVA _CreateThread
                Sleep dd RVA _Sleep
                dd 0
        user32_table:
                MessageBoxA dd RVA _MessageBoxA
                dd 0

        kernel32_name db 'kernel32.dll',0
        user32_name db 'user32.dll',0

        _MessageBoxA db 0,0,'MessageBoxA',0
        _Sleep db 0,0,'Sleep',0
        _CreateThread db 0,0,'CreateThread',0

        section '.reloc' fixups data readable discardable
I used jmp $, and checked if it takes 50% of my CPU - no. I used Process Explorer to check if it created a thread - yes. So, it created a thread, but at the wrong address. I even tried to export it - no effect.
LocoDelAssembly 25 Jan 2008, 16:46
The thread cannot start till you return from DllMain, because every DLL must be called with DLL_THREAD_ATTACH before the thread can run.

BTW, you forgot ret 4 after call [MessageBoxA].
Code:
        include 'win32a.inc'

        format pe dll

        section '.code' code readable executable

        entry $
                cmp dword [esp+8], DLL_PROCESS_ATTACH
                jne .exit
                push 0
                push 0
                push 0
                push thr
                push 0
                push 0
                call [CreateThread]
          .exit:
                mov eax, 1
                ret 12

        thr:
                ;jmp $
                push 0
                call @f
                db "Important message", 0
          @@:
                call @f
                db "People can understand things if they begin with simple things first instead of doing unnecessary raw coding", 0
          @@:
                push 0
                call [MessageBoxA]
                ret 4

        section '.idata' import data readable

                dd 0,0,0,RVA kernel32_name,RVA kernel32_table
                dd 0,0,0,RVA user32_name,RVA user32_table
                dd 5 dup 0

        kernel32_table:
                CreateThread dd RVA _CreateThread
                Sleep dd RVA _Sleep
                dd 0
        user32_table:
                MessageBoxA dd RVA _MessageBoxA
                dd 0

        kernel32_name db 'kernel32.dll',0
        user32_name db 'user32.dll',0

        _MessageBoxA db 0,0,'MessageBoxA',0
        _Sleep db 0,0,'Sleep',0
        _CreateThread db 0,0,'CreateThread',0

        section '.reloc' fixups data readable discardable
(Tested on OllyDbg and WORKS)
asmrox 25 Jan 2008, 17:22
Nope, CreateThread is called, but MessageBox is not. I use a simple LoadLibrary to load it.
LocoDelAssembly 25 Jan 2008, 17:42
Quote: CreateThread is called, but MessageBox is not.
Of course it is, but it will remain suspended till all DLLs acknowledge DLL_THREAD_ATTACH, something impossible with your push -1/call [Sleep] at DllMain. Try the code I posted, it works.

[edit] And if still not convinced:
Code:
        include 'win32axp.inc'

        start:
                invoke LoadLibrary, "test2.dll"
                ret
        .end start
test2.dll has the code of my post above, and that shows the MessageBox.
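As an added example (not code from the thread), the same DLL written with the win32a.inc macro set that LocoDelAssembly alludes to, so that the two points raised above are handled by the macros instead of by hand: inside `proc`/`endp` the `ret` expands to the stdcall `leave`/`ret 12` for the three DllMain parameters and `ret 4` for the one ThreadProc parameter, and the entry point acts only on DLL_PROCESS_ATTACH. The section layout, the message strings and the calls to DisableThreadLibraryCalls and CloseHandle are my choices, not something from the thread; it assumes FASM's win32a.inc is on the include path and a host that simply calls LoadLibrary on the resulting DLL, as in the post above.

```asm
; Added example: minimal DLL that starts one worker thread from DllMain.
; Assumes FASM's win32a.inc is reachable via the INCLUDE environment variable.

format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

; BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
proc DllEntryPoint hinstDLL, fdwReason, lpvReserved
        ; The loader calls this once per reason code. Start the worker only on
        ; DLL_PROCESS_ATTACH: DLL_THREAD_ATTACH arrives for every new thread in
        ; the process, including the one created here, so creating a thread on
        ; every call would spawn threads without end (the symptom seen above).
        cmp     [fdwReason], DLL_PROCESS_ATTACH
        jne     .done
        ; No further DLL_THREAD_ATTACH/DETACH notifications for this module.
        invoke  DisableThreadLibraryCalls, [hinstDLL]
        ; CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL)
        invoke  CreateThread, NULL, 0, ThreadProc, NULL, 0, NULL
        test    eax, eax
        jz      .fail
        ; The new thread cannot run until this DllMain has returned (its
        ; start-up needs the loader lock held by the caller of DllMain), so
        ; never wait on it here. Nothing needs the handle: close it.
        invoke  CloseHandle, eax
  .done:
        mov     eax, TRUE
        ret                     ; proc macro: leave / ret 12
  .fail:
        xor     eax, eax        ; FALSE: LoadLibrary fails and the DLL is unloaded
        ret
endp

; DWORD WINAPI ThreadProc(LPVOID lpParameter)
proc ThreadProc lpParameter
        invoke  MessageBox, NULL, szText, szTitle, MB_OK
        xor     eax, eax        ; thread exit code 0
        ret                     ; proc macro: leave / ret 4
endp

section '.data' data readable writeable

  szTitle db 'thread in dll', 0
  szText  db 'Hello from the thread created on DLL_PROCESS_ATTACH', 0

section '.idata' import data readable writeable

  library kernel32, 'KERNEL32.DLL', \
          user32,   'USER32.DLL'

  import  kernel32, \
          CreateThread,              'CreateThread', \
          CloseHandle,               'CloseHandle', \
          DisableThreadLibraryCalls, 'DisableThreadLibraryCalls'

  import  user32, \
          MessageBox, 'MessageBoxA'

section '.reloc' fixups data readable discardable
```

Build with `fasm thread.asm test2.dll` and load it with the LoadLibrary host shown in the post above. Two caveats worth keeping in mind: DllMain runs under the loader lock, so creating the thread is fine but waiting for it (or sleeping forever, as in the earlier attempt) stalls the new thread's start-up; and "LoadLibrary followed by a thread spawned from DllMain" is exactly the pattern DLL injection relies on, so it is worth recognizing when reading unknown code.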
asmrox 25 Jan 2008, 18:08
It works now, thanks!!
eskizo 17 Jun 2009, 21:10
Code:
        push 0
        call @f
        db "Important message", 0
  @@:
        call @f
        db "People can understand things if they begin with simple things first instead of doing unnecessary raw coding", 0
  @@:
        push 0
        call [MessageBoxA]
OK.
        push 0
        call @f          ; current address: "Important message" goes to stack
        call @f          ; current address: "People can..." goes to stack
        push 0
        call [MessageBoxA]
Nicely done!
LocoDelAssembly 17 Jun 2009, 21:53
Oh, it seems I have written that code. Note that it is nice, but I have robbed the idea from Tomasz (the invoke, cinvoke, ccall and stdcall macros do that trick when the parameter is a literal string, provided you have included win32{a|w}x*.inc).
asmcoder 17 Jun 2009, 21:53
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:51; edited 1 time in total
Borsuc 17 Jun 2009, 22:38
asmcoder wrote:
Why do you bump such an idiotic and old thread?
_________________
Previously known as The_Grey_Beast
Copyright © 1999-2025, Tomasz Grysztar.