flat assembler
Message board for the users of flat assembler.

[SOLVED] Imports customloads algo [UNSOLVED] last example

ProMiNick
Task: realize some kind of delay import (absolutely programmer customizable) viewable through PE exploring tools & making a valid workable PE of course.
Code:
; Example of making 32-bit PE program as raw code and data

format PE GUI
entry start

section '.text' code readable executable

  start:

        push    0
        push    _caption
        push    _message
        push    0
        call    [MessageBoxA]

        ret
        push    0
        call    [ExitProcess]


section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message db 'Hello World!',0

section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd RVA kernel_delay_lookup,0,0,RVA kernel_name,RVA kernel_delay_IAT
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  kernel_delay_lookup:
    dd RVA _ExitProcess
    dd 0
  kernel_delay_IAT:
    ExitProcess dd 0
    dd 0
  kernel_table:
    GetProcAddress dd RVA _GetProcAddress
    LoadLibraryA dd RVA _LoadLibraryA
    dd 0
  user_table:
    MessageBoxA dd RVA _MessageBoxA
    dd 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  _GetProcAddress dw 0
    db 'GetProcAddress',0
  _LoadLibraryA dw 0
    db 'LoadLibraryA',0
  _ExitProcess dw 0
    db 'ExitProcessHAHAHA',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0

section '.reloc' fixups data readable discardable       ; needed for Win32s       


We can see via external tools that the produced PE imports the function "ExitProcessHAHAHA" and the OS signals no errors.

We could assign in code the value at [kernel_delay_lookup+entry_index*4] via LoadLibraryA and GetProcAddress, and in case of failed assignment

Code:
; Example of making 32-bit PE program as raw code and data

format PE GUI
entry start

section '.text' code readable executable

  customloader:
        push    kernel_name
        call    [LoadLibraryA]
        push    eax
        test    eax,eax
        jz      .fail

        mov     edx,[ExitProcess+(kernel_delay_lookup-kernel_delay_IAT)]
        add     edx,2
        push    edx
        push    eax
        call    [GetProcAddress]
        test    eax,eax
        jz      .fail
        mov     [ExitProcess],eax
        pop     eax
        ret
      .fail:
        dec     eax
        mov     [ExitProcess],eax
        ;call    [FreeLibrary]
        ret

  start:

        push    0
        push    _caption
        push    _message
        push    0
        call    [MessageBoxA]

      .testExit:
        cmp     [ExitProcess],0 ; 0 - undefined - needed customloader, -1 - error in loading - use alternative code, any positive - use
        jg      .callExit
        js      .couldntrunExit
        call    customloader
        jmp     .testExit
      .couldntrunExit:
        ret
      .callExit:
        push    0
        call    [ExitProcess]


section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message db 'Hello World!',0

section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd RVA kernel_delay_lookup,0,0,RVA kernel_name,RVA kernel_delay_IAT
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  kernel_delay_lookup:
    dd RVA _ExitProcess
    dd 0
  kernel_delay_IAT:
    ExitProcess dd 0
    dd 0
  kernel_table:
    GetProcAddress dd RVA _GetProcAddress
    FreeLibrary dd RVA _FreeLibrary
    LoadLibraryA dd RVA _LoadLibraryA
    dd 0
  user_table:
    MessageBoxA dd RVA _MessageBoxA
    dd 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  _GetProcAddress dw 0
    db 'GetProcAddress',0
  _FreeLibrary dw 0
    db 'FreeLibrary',0
  _LoadLibraryA dw 0
    db 'LoadLibraryA',0
  _ExitProcess dw 0
    db 'ExitProcessHAHAHA',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0

section '.reloc' fixups data readable discardable       ; needed for Win32s     


For an unknown reason customloader doesn't place -1 when it fails to load ExitProcessHAHAHA.

_________________
I don't like to refer by "you" to one person.
My soul requires the acronym "thou" instead.


Last edited by ProMiNick on 11 Dec 2019, 00:17; edited 2 times in total
Post 09 Dec 2019, 01:32
revolution
These kinds of "tricks" also trigger AVs to complain and quarantine the files. So if you intend to have others run the code, then be prepared to provide support for them when they report that the AV decided to prevent it from running.
Post 09 Dec 2019, 02:26
ProMiNick
Avast doesn't trigger on that as an AV threat; moreover, I am not going to use such names as ExitProcessHAHAHA, I am going to use names from different Win32 versions. I will test it later on Dr Web.

In fasmw, touchscreen functionality is checked via LoadLibrary & GetProcAddress of the gestures stuff; the same way, the functionality of the current Win32 version could be determined - accessibility of some libraries, functions, and their outputs - and alterations of functionality made accordingly.
But none of these are present in the import data directory. I found a way to list them all without causing an error that such libraries & functions don't exist.

As a side effect, we could load a library into the process address space even without needing to use one of its functions (IAT & Lookup are zeroes) - and make this load at OS loader time - and that could look bad to AV.

And moreover, in the latest OS (Win10) most of such functions are present anyway, so AV shouldn't detect them as a threat in old Windows versions.
Post 09 Dec 2019, 05:47
ProMiNick
Patch of import32:
Code:
; Macroinstructions for making import section

macro library [name,string]
 { common
    import.data:
   forward
    if defined name#.address
     if name#.address-name#.lookup
      dd RVA name#.lookup,0,0,RVA name#.%name,RVA name#.address
     end if
    end if
    name#.referred = 1
   common
    dd 0,0,0,0,0
   forward
    if defined name#.address
     if name#.address-name#.lookup
      if string eqtype ''
       name#.%name db string,0
             rb RVA $ and 1
      else
       name#.%name = string#.%name
      end if
     end if
    end if }

macro import name,[label,string] {
 common
        rb (- rva $) and 3
        if defined name#.referred
                name#.lookup:
 forward
                if used label
                        if string eqtype ''
 local _label
                                dd RVA _label
                        else
                                dd 80000000h + string
                        end if
                end if
 common
                if $ > name#.lookup
                        dd 0
                end if
                name#.address:
 forward
                if used label
                        if string eqtype ''
                                label dd RVA _label
                        else
                                label dd 80000000h + string
                        end if
                end if
 common
                if $ > name#.address
                        dd 0
                end if
 forward
                if used label & string eqtype ''
                        _label dw 0
                        db string,0
                        rb RVA $ and 1
                end if
 common
        end if }

macro customimport name,[label,string] {
 common
        rb (- rva $) and 3
        if defined name#.referred
                name#.lookup:
 forward
                if used label
                        if string eqtype ''
 local _label
                                dd RVA _label
                        else
                                dd 80000000h + string
                        end if
                end if
 common
                if $ > name#.lookup
                        dd 0
                end if
                name#.address:
 forward
                if used label
                        label dd 0
                end if
 common
                if $ > name#.address
                        dd 0
                end if
 forward
                if used label & string eqtype ''
                        _label dw 0
                        db string,0
                        rb RVA $ and 1
                end if
 common
        end if }

macro api [name] {}    

Almost everything is left untouched (complete legacy functionality with additions).

Then an example with macro usage:
Code:
format PE GUI
entry start

include 'win32a.inc'

section '.text' code readable executable

customloader:
        invoke  LoadLibrary,delaykernel32.%name
        test    eax,eax
        jz      .fail
        mov     edx,[ExitProcess+(delaykernel32.lookup-delaykernel32.address)]
        add     edx,2+$-rva $
        invoke  GetProcAddress,eax,edx
        test    eax,eax
        jnz     .ret
      .fail:
        dec     eax
      .ret:
        mov     [ExitProcess],eax
        ret


  start:
      .testExit:
        cmp     [ExitProcess],0
        jg      .callExit
        js      .couldntrunExit
        call    customloader
        jmp     .testExit
      .couldntrunExit:
        invoke  MessageBox,0,_message1,_caption,0
        ret
      .callExit:
        invoke  MessageBox,0,_message2,_caption,0
        invoke  ExitProcess,0


section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message1 db 'Inalid kernel32 delay lookup',0
  _message2 db 'Valid kernel32 delay lookup',0

section '.idata' import data readable writeable

        library kernel32,'KERNEL32.DLL',\
                delaykernel32,kernel32,\
                user32,'USER32.DLL'

        import kernel32,GetProcAddress,'GetProcAddress',\
                        LoadLibrary,'LoadLibraryA'

        customimport delaykernel32,ExitProcess,'ExitProcessDD';customimport delaykernel32,ExitProcess,'ExitProcess'

        import user32,MessageBox,'MessageBoxA'

section '.reloc' fixups data readable discardable       ; needed for Win32s      


If the imports have ExitProcessDD, the program will go by the alternate path; if the imports have ExitProcess, the program will go by the ExitProcess-exists path. Only the OS decides whether ExitProcessDD (or ExitProcess) exists or not.


Last edited by ProMiNick on 09 Dec 2019, 15:14; edited 1 time in total
Post 09 Dec 2019, 12:16
ProMiNick
The macros library & import were improved again:
+ added the ability to include predefined imports & customize only the needed ones
Code:
; Macroinstructions for making import section

macro library [name,string]
 { common
    import.data:
   forward
    if defined name#.address
     if name#.address-name#.lookup
      dd RVA name#.lookup,0,0,RVA name#.%name,RVA name#.address
     end if
    end if
    name#.referred = 1
   common
    dd 0,0,0,0,0
   forward
    if defined name#.address
     if name#.address-name#.lookup
      if string eqtype ''
       name#.%name db string,0
             rb RVA $ and 1
      else
       name#.%name = string#.%name
      end if
     end if
    end if }

macro import name,[label,string] {
 common
        rb (- rva $) and 3
        if defined name#.referred
                name#.lookup:
 forward
                if (used label)
                        if ~ defined delayed.#label
                        if string eqtype ''
 local _label
                                dd RVA _label
                        else
                                dd 80000000h + string
                        end if
                        end if
                end if
 common
                if $ > name#.lookup
                        dd 0
                end if
                name#.address:
 forward
                if used label
                        if ~ defined delayed.#label
                        if string eqtype ''
                                label dd RVA _label
                        else
                                label dd 80000000h + string
                        end if
                        end if
                end if
 common
                if $ > name#.address
                        dd 0
                end if
 forward
                if used label & string eqtype ''
                        _label dw 0
                        db string,0
                        rb RVA $ and 1
                end if
 common
        end if }

macro customimport name,[label,string] {
 common
        rb (- rva $) and 3
        if defined name#.referred
                name#.lookup:
 forward
                if used label
                        if string eqtype ''
 local _label
                                dd RVA _label
                        else
                                dd 80000000h + string
                        end if
                end if
 common
                if $ > name#.lookup
                        dd 0
                end if
                name#.address:
 forward
                if used label
                        delayed.#label:
                        if ~definite label
                                label dd 0
                        end if
                end if
 common
                if $ > name#.address
                        dd 0
                end if
 forward
                if used label & string eqtype ''
                        _label dw 0
                        db string,0
                        rb RVA $ and 1
                end if
 common
        end if }

macro api [name] {}    


The logic of the improvement is in https://board.flatassembler.net/topic.php?t=21308
Post 09 Dec 2019, 13:12
ProMiNick
Here is one more interesting example, continuing the playing with imports:
Code:
format PE GUI
entry start

include 'win32a.inc'

section '.text' code readable executable

virtual at 0
        dd custldr
end virtual

customloader:
        invoke  LoadLibrary,delaykernel32.%name
        test    eax,eax
        jz      .fail
        mov     edx,[ExitProcess+(delaykernel32.lookup-delaykernel32.address)]
        add     edx,2+$-rva $
        ;mov     edx,_test
        invoke  GetProcAddress,eax,edx
        test    eax,eax
        jnz     .ret
      .fail:
        dec     eax
      .ret:
        mov     [ExitProcess],eax
        ret


  start:
      .testExit:
        cmp     [ExitProcess],0
        jg      .callExit
        js      .couldntrunExit
        call    customloader
        jmp     .testExit
      .couldntrunExit:
        invoke  MessageBox,0,_message1,_caption,0
        ret
      .callExit:
        invoke  MessageBox,0,_message2,_caption,0
        invoke  ExitProcess,0


section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message1 db 'Inalid kernel32 delay lookup',0
  _message2 db 'Valid kernel32 delay lookup',0

section '.idata' import data readable writeable

        library kernel32,'KERNEL32.DLL',\
                delaykernel32,kernel32,\
                user32,'USER32.DLL',\
                pedemo,''


  include 'os specific/windows/api/x86/kernel32.inc'
  include 'os specific/windows/api/x86/user32.inc'

        customimport delaykernel32,ExitProcess,'ExitProcessDD';customimport delaykernel32,ExitProcess,'ExitProcess'

        customimport  pedemo,custldr,'customloader'

section '.reloc' fixups data readable discardable       ; needed for Win32s    


And what Kaspersky AV thought about it (https://virusdesk.kaspersky.ru/#scanresults):
Scan result: no threats detected
File size: 3.00 KB
File type: PE32/EXE
Scan date: 10 December 2019 14:23:46
Database release date: 10 December 2019 10:36:01 UTC
MD5 d80273043eeb93de34ed981e2ed929d6
SHA1 70c02fbfc35898acd81b0deb3abd18b15bc990cb
SHA256 f1349590eeb1e14273699fb611c2bf77f835ea2f64d92e7f0d03f7074c728b9f
Shortly in English: "It says all ok".

I am sure that other AVs respect such kind of imports too.


[Attachment: unnamed import.png - how the import directory looks via external tools]


Post 10 Dec 2019, 11:49
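As an added illustration (not code from this thread or from fasm), here is a small Python audit over a constructed .idata blob shaped like the examples above: a normal kernel32 descriptor, the "delay" descriptor whose lookup table names ExitProcessHAHAHA above a zeroed IAT, and the nameless pedemo library. It reports the two things a triage script should surface for such files: names that exist only in the lookup table (what PE viewers display) while the IAT is empty, and a descriptor with no DLL name. SECTION_RVA and the label names are assumptions.

```python
import struct
SECTION_RVA = 0x3000   # constructed: RVA at which the sample .idata section is mapped
DESC_SIZE = 20         # IMAGE_IMPORT_DESCRIPTOR: lookup, stamp, forwarder, name, IAT

def build_sample_idata():
    # Constructed blob (not the poster's bytes) shaped like the thread's examples: a normal
    # kernel32 entry, a "delay" entry naming ExitProcessHAHAHA over a zeroed IAT, a nameless DLL.
    tail, off = bytearray(), {}
    def put(key, data): off[key] = len(tail); tail.extend(data)
    for key, name in (("gpa", "GetProcAddress"), ("lla", "LoadLibraryA"),
                      ("exit", "ExitProcessHAHAHA"), ("custom", "customloader")):
        put(key, b"\x00\x00" + name.encode() + b"\x00")   # 2-byte hint, then the name
    put("k32", b"KERNEL32.DLL\x00")
    put("empty", b"\x00")                                 # the pedemo,'' case
    tail.extend(bytes(-len(tail) % 4))                    # align the thunk tables
    rva = lambda key: SECTION_RVA + 4 * DESC_SIZE + off[key]  # tables follow 4 descriptors
    put("k32_iat", struct.pack("<3I", rva("gpa"), rva("lla"), 0))
    put("delay_lookup", struct.pack("<2I", rva("exit"), 0))
    put("custom_lookup", struct.pack("<2I", rva("custom"), 0))
    put("zero_iat", struct.pack("<2I", 0, 0))             # an IAT that binds nothing
    descs = struct.pack("<5I", 0, 0, 0, rva("k32"), rva("k32_iat"))
    descs += struct.pack("<5I", rva("delay_lookup"), 0, 0, rva("k32"), rva("zero_iat"))
    descs += struct.pack("<5I", rva("custom_lookup"), 0, 0, rva("empty"), rva("zero_iat"))
    return descs + bytes(DESC_SIZE) + tail                # all-zero terminator, then tables

def read_cstr(blob, pos):
    return blob[pos:blob.index(b"\x00", pos)].decode("ascii", "replace")

def walk_thunks(blob, table_rva):
    names, pos = [], table_rva - SECTION_RVA
    while (entry := struct.unpack_from("<I", blob, pos)[0]) != 0:   # stop at terminator
        names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000     # import by ordinal
                     else read_cstr(blob, entry - SECTION_RVA + 2))  # skip the hint
        pos += 4
    return names

def parse_import_dir(blob):
    out, pos = [], 0
    while True:
        lookup, _stamp, _fwd, name_rva, iat = struct.unpack_from("<5I", blob, pos)
        if lookup == name_rva == iat == 0:                # all-zero terminator descriptor
            return out
        out.append({"dll": read_cstr(blob, name_rva - SECTION_RVA), "iat": walk_thunks(blob, iat),
                    "lookup": walk_thunks(blob, lookup) if lookup else []})
        pos += DESC_SIZE

def audit_imports(descs):
    # Names only in the lookup table (what viewers show) over an empty IAT, and nameless DLLs.
    findings = []
    for d in descs:
        if not d["dll"]:
            findings.append("descriptor with empty DLL name")
        if d["lookup"] and not d["iat"]:
            findings.append(f"{d['dll'] or '<unnamed>'}: lookup lists {d['lookup']}, IAT empty")
    return findings
```

Against a real file, point SECTION_RVA at the import directory's section and feed it the section's raw bytes; the ordinal and hint handling are the standard 32-bit thunk encoding.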
ProMiNick
What the last example gains: it is some semi-state between open source & closed source.
These unnamed imports could be used in the program internally and could be changed by injection, so the behavior of the program internals could be changed the same way as its interaction with OS APIs could be changed.
Post 10 Dec 2019, 12:06
ProMiNick
I tried to adapt the calendar example from masm32 (it of course was already ported to fasm in FASMW64_4-22-2013.rar, which was shared somewhere on this forum), but I wish to use the features described in this topic and apply them to that example. It is very convenient for such a task.

The import macros are definitely without bugs; tested by launching test.exe from the previous post.

But a bug is somewhere...
(locals in xproc are buggy, so they are completely realized manually) - all the rest (how the source looks) I like.


[Attachment: fasmw17321.zip - minimal context to reproduce the problem. Output calendar planned to be shorter (in size of executed code) and faster than both realizations before]
Post 11 Dec 2019, 00:14
Copyright © 1999-2019, Tomasz Grysztar.