p64kill.exe

Index > Windows > p64kill.exe

Author

Thread

semiono

Joined: 31 Aug 2007
Posts: 198
Location: section '.code' executable

semiono 13 Mar 2010, 02:48

Please, guru, help me?! How to rebuild the source for PE64 ?

Code:

include '%fasm%\win32ax.inc'
entry start

section '.rsrc' resource data executable readable writeable
        directory RT_ICON,icons,RT_GROUP_ICON,group_icons,RT_VERSION,versions

        resource icons,\
        1,LANG_NEUTRAL,icon_data1,\
        2,LANG_NEUTRAL,icon_data2,\
        3,LANG_NEUTRAL,icon_data3,\
        4,LANG_NEUTRAL,icon_data4
        resource group_icons,17,LANG_NEUTRAL,main_icon
        resource versions,1,LANG_NEUTRAL,version

        icon main_icon,\
        icon_data1,'%fasm%\exec1.ico',\
        icon_data2,'%fasm%\exec2.ico',\
        icon_data3,'%fasm%\exec3.ico',\
        icon_data4,'%fasm%\exec4.ico'

        versioninfo version,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ENGLISH+SUBLANG_DEFAULT,0,\
                    'FileDescription','pkill...',\
                    'LegalCopyright','2001-2005 GmbH',\
                    'FileVersion','1.0.0.0',\
                    'ProductVersion','1.0.0.0',\
                    'OriginalFilename','pkill.exe',\
                    'Company','Semiono'

start:  ; l_inc
        invoke GetCommandLine
        invoke CommandLineToArgv,eax,argsNum
        cmp dword[argsNum],1
        push eax
        jbe @F  ; jump_if_below_or_equal
                push dword[eax+4]
                call AdjustMyToken
                stdcall findProcessID
                test eax,eax
                jz @F
                invoke OpenProcess,PROCESS_TERMINATE,FALSE,eax
                push eax
                invoke TerminateProcess,eax,1
                invoke CloseHandle
                jmp start
        @@:
;       invoke LocalFree
        invoke ExitProcess,0
; ret

        argsNum dd ?

section '.idata' import data executable readable writeable
        library advapi32,'ADVAPI32.dll',kernel32,'KERNEL32.DLL',shell32,'SHELL32.DLL'
        include '%fasm%\api\advapi32.inc'
        import kernel32,OpenProcess,'OpenProcess',\
                        TerminateProcess,'TerminateProcess',\
                        CloseHandle,'CloseHandle',\
                        lstrcmpi,'lstrcmpiW',\
                        CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
                        Process32First,'Process32FirstW',\
                        Process32Next,'Process32NextW',\
                        GetCommandLine,'GetCommandLineW',\
                        LocalFree,'LocalFree',ExitProcess,'ExitProcess'
        import shell32,CommandLineToArgv,'CommandLineToArgvW'

        TOKEN_ADJUST_PRIVILEGES equ 20h
        TOKEN_QUERY             equ 8h
        SE_PRIVILEGE_ENABLED    equ 2h

AdjustMyToken:
        invoke LookupPrivilegeValue,emptyStr,privName,tokenPriv.LUID1
        mov dword[tokenPriv.PrivilegeCount],1h
        mov dword[tokenPriv.Attributes],SE_PRIVILEGE_ENABLED
        invoke OpenProcessToken,-1,TOKEN_ADJUST_PRIVILEGES OR TOKEN_QUERY,hToken
        invoke AdjustTokenPrivileges,[hToken],FALSE,tokenPriv,0,0,0
        invoke CloseHandle,[hToken]
ret

        emptyStr                db '',0
        privName                db 'SeDebugPrivilege',0

struct TOKEN_PRIVILEGES
        PrivilegeCount          dd ?
        LUID1                   dd ?
        LUID2                   dd ?
        Attributes              dd ?
ends

        hToken  dd ?

        TH32CS_SNAPPROCESS      equ 2

findProcessID: ; takes one parameter through stack: pointer to the process name
        push ebp
        invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov ebp,eax
        mov dword[procEntry.dwSize],sizeof.PROCESSENTRY32W
        invoke Process32First,eax,procEntry
        @@:
                invoke Process32Next,ebp,procEntry
                test eax,eax
                jz @F
                invoke lstrcmpi,procEntry.szExeFile,dword[esp+8]
                test eax,eax
        jnz @B
        mov eax,dword[procEntry.th32ProcessID]
        @@:
        pop ebp
retn 4

struct PROCESSENTRY32W
        dwSize                  dd ?
        cntUsage                dd ?
        th32ProcessID           dd ?
        th32DefaultHeapID       dd ?
        th32ModuleID            dd ?
        cntThreads              dd ?
        th32ParentProcessID     dd ?
        pcPriClassBase          dd ?
        dwFlags                 dd ?
        szExeFile               dw MAX_PATH dup (?)
ends

        tokenPriv               TOKEN_PRIVILEGES <>
        procEntry               PROCESSENTRY32W <>

        align 4

What you say about this 32bit binary for WinXP x64 platphorm?
It's work normal, but maybe i not see all hiden problems?
I could wish true PE64 binary as well Confused

The import sections is need to be changed or only to replace registers? Please show! Smile

_________________
Windows 9, FL Studio 19

13 Mar 2010, 02:48

a115433

Joined: 05 Mar 2010
Posts: 144

a115433 13 Mar 2010, 13:47

using global varialbes = lame
there is no pe64. or at least i dont know about it. only pe32 and pe32+.

you dont check for errors.
invoke CloseHandle

no argument?

you imports have wrong name, look into manual for correct ones.
use heap functions instead of Local/Global.

13 Mar 2010, 13:47

semiono

Joined: 31 Aug 2007
Posts: 198
Location: section '.code' executable

semiono 13 Mar 2010, 17:07

a115433 wrote:

using global varialbes = lame

yes! ))

Quote:

invoke CloseHandle
no argument?

Ok, sorry!..

_________________
Windows 9, FL Studio 19

13 Mar 2010, 17:07

semiono

Joined: 31 Aug 2007
Posts: 198
Location: section '.code' executable

semiono 13 Mar 2010, 21:48

PE > PE64
win32a.inc > win64a.inc
dword > qword
dd > dq
eax > rax etc...
align 4 > align 8
retn 4 > retn 8
Compiled with no bugs! Smile

Not work!

13 Mar 2010, 21:48

a115433

Joined: 05 Mar 2010
Posts: 144

a115433 13 Mar 2010, 22:08

format pe64

section '' readable executable
jmp $

does it work?

13 Mar 2010, 22:08

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4623
Location: Argentina

LocoDelAssembly 13 Mar 2010, 22:40

If this is a question of whether "format pe64" works or not in Windows 64-bit, all examples in the package work and use "format PE64 GUI 5.0" except for WIN64\PE64DEMO

13 Mar 2010, 22:40

semiono

Joined: 31 Aug 2007
Posts: 198
Location: section '.code' executable

semiono 13 Mar 2010, 22:48

Not work it (kill not work)
# pkill.exe calc.exe

Compilation not say a reports of bug

Code:

format PE64
include '%fasm%\win64ax.inc'
entry start

section '.rsrc' resource data executable readable writeable
; ...

start:
        invoke GetCommandLine
        invoke CommandLineToArgv,rax,argsNum
        cmp qword[argsNum],1
        push rax
        jbe @F  ; jump_if_below_or_equal
                push qword[rax+4]
                call AdjustMyToken
                stdcall findProcessID
                test rax,rax
                jz @F
                invoke OpenProcess,PROCESS_TERMINATE,FALSE,rax
                push rax
                invoke TerminateProcess,rax,1
                invoke CloseHandle,[hToken]
                jmp start
        @@:

        invoke ExitProcess,0

        argsNum dq ?

section '.idata' import data executable readable writeable
        library advapi32,'ADVAPI32.dll',kernel32,'KERNEL32.DLL',shell32,'SHELL32.DLL'
        include '%fasm%\api\advapi32.inc'
        import kernel32,OpenProcess,'OpenProcess',\
                        TerminateProcess,'TerminateProcess',\
                        CloseHandle,'CloseHandle',\
                        lstrcmpi,'lstrcmpiW',\
                        CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
                        Process32First,'Process32FirstW',\
                        Process32Next,'Process32NextW',\
                        GetCommandLine,'GetCommandLineW',\
                        LocalFree,'LocalFree',ExitProcess,'ExitProcess'
        import shell32,CommandLineToArgv,'CommandLineToArgvW'

        TOKEN_ADJUST_PRIVILEGES equ 20h
        TOKEN_QUERY             equ 8h
        SE_PRIVILEGE_ENABLED    equ 2h

AdjustMyToken:
        invoke LookupPrivilegeValue,emptyStr,privName,tokenPriv.LUID1
        mov qword[tokenPriv.PrivilegeCount],1h
        mov qword[tokenPriv.Attributes],SE_PRIVILEGE_ENABLED
        invoke OpenProcessToken,-1,TOKEN_ADJUST_PRIVILEGES OR TOKEN_QUERY,hToken
        invoke AdjustTokenPrivileges,[hToken],FALSE,tokenPriv,0,0,0
        invoke CloseHandle,[hToken]
ret

        emptyStr                db '',0
        privName                db 'SeDebugPrivilege',0

struct TOKEN_PRIVILEGES
        PrivilegeCount          dq ?
        LUID1                   dq ?
        LUID2                   dq ?
        Attributes              dq ?
ends

        hToken  dq ?

        TH32CS_SNAPPROCESS      equ 2

findProcessID: ; takes one parameter through stack: pointer to the process name
        push rbp
        invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov rbp,rax
        mov qword[procEntry.dwSize],sizeof.PROCESSENTRY32W
        invoke Process32First,rax,procEntry
        @@:
                invoke Process32Next,ebp,procEntry
                test rax,rax
                jz @F
                invoke lstrcmpi,procEntry.szExeFile,qword[rsp+16]
                test rax,rax
        jnz @B
        mov rax,qword[procEntry.th32ProcessID]
        @@:
        pop rbp
retn 8

struct PROCESSENTRY32W
        dwSize                  dq ?
        cntUsage                dq ?
        th32ProcessID           dq ?
        th32DefaultHeapID       dq ?
        th32ModuleID            dq ?
        cntThreads              dq ?
        th32ParentProcessID     dq ?
        pcPriClassBase          dq ?
        dwFlags                 dq ?
        szExeFile               dd MAX_PATH dup (?)
ends

        tokenPriv               TOKEN_PRIVILEGES <>
        procEntry               PROCESSENTRY32W <>

        align 8

Code:

push qword[rax+8]

not result the same Cool

13 Mar 2010, 22:48

a115433

Joined: 05 Mar 2010
Posts: 144

a115433 13 Mar 2010, 23:03

push qword[rax+8]
you dont have to write operand size.
push is always 64bit in ia32e.

test rax,rax
jnz @B
also, i suggest using cmovcc's. jnz are dead in ia32e.

13 Mar 2010, 23:03

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4623
Location: Argentina

LocoDelAssembly 13 Mar 2010, 23:05

So, "push [rax+8]" compiles for you? Can you share the "patch"?

13 Mar 2010, 23:05

a115433

Joined: 05 Mar 2010
Posts: 144

a115433 13 Mar 2010, 23:17

hmm, it doesnt.
my mistake, sorry.

but ive read that it can be only 64bit address size, why fasm doesnt compile with qword word? its only possibility, and this is not present in some other instructions.

13 Mar 2010, 23:17

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4623
Location: Argentina

LocoDelAssembly 13 Mar 2010, 23:28

fasm supports "push word [rax+8]". I though for a moment it was a mistake (I was expecting dword allowed), but it is actually supported:

Intel's PUSH documentation wrote:

IF StackAddrSize = 64
THEN
IF OperandSize = 64
THEN
RSP ← (RSP − 8);
IF (SRC is FS or GS)
THEN
TEMP = ZeroExtend64(SRC);
ELSE IF (SRC is IMMEDIATE)
TEMP = SignExtend64(SRC); FI;
ELSE
TEMP = SRC;
FI
RSP ← TEMP; (* Push quadword *)
ELSE (* OperandSize = 16; 66H used *) <<<< HERE
RSP ← (RSP − 2);
RSP ← SRC; (* Push word *)
FI;
ELSE IF StackAddrSize = 32
.
.
.

13 Mar 2010, 23:28

semiono

Joined: 31 Aug 2007
Posts: 198
Location: section '.code' executable

semiono 14 Mar 2010, 00:18

Code:

Can you share the "patch"?

patch > fasm.exe ))) +1

_________________
Windows 9, FL Studio 19

14 Mar 2010, 00:18

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum