flat assembler
Message board for the users of flat assembler.

Need structure translation..
Overflowz 07 May 2011, 19:50
Hello everyone.. I'm a noob about structures, so could anybody translate this structure into fasm format for me? Thanks.
http://msdn.microsoft.com/en-us/library/ms679284(v=vs.85).aspx
P.S. Only for 32 bits.
Last edited by Overflowz on 10 May 2011, 06:54; edited 2 times in total
typedef 08 May 2011, 00:52
fasm will raise an error for using reserved symbols
LocoDelAssembly 08 May 2011, 05:40
No, it won't. In order to be compilable it will need win{32|64}*.inc to be included (or at least macro\struct.inc), though.
Overflowz 08 May 2011, 09:55
cod3b453
Thank you very much.
Overflowz 08 May 2011, 14:52
I think it doesn't work.. This structure is not being filled.
Code:
section '.data' data readable writeable
  nBuffer rb 0x100
  sinfo   STARTUPINFO
  pinfo   PROCESS_INFORMATION
  cText   CONTEXT

section '.text' code readable executable
proc main
  invoke GetModuleFileName,0,nBuffer,0x100
  invoke CreateProcess,nBuffer,0,0,0,1,CREATE_SUSPENDED,0,0,sinfo,pinfo ;SUSPENDED
  ;cText.ContextFlags is left at 0 here
  invoke GetThreadContext,[pinfo.hThread],cText
  mov eax,[cText.Ebx]   ;EAX should hold EBX address of another created process. But it fails.
  mov eax,[eax+0x8]     ;PEB
  ret
endp
But it fails. EAX = 0 and nothing is changing there except ContextFlags.. any help?
ProphetOfDoom 09 May 2011, 01:08
Hi OverFlowz,
I *think* you need to set the value of ContextFlags in your context structure to tell it which registers you want (before you pass the structure to GetThreadContext). For example, if you set ContextFlags to CONTEXT_INTEGER (which is 0x00010000 | 2) it will return the general purpose registers. I got this from here: http://msdn.microsoft.com/en-us/library/ms679284%28v=vs.85%29.aspx and here: http://source.winehq.org/source/include/winnt.h
Overflowz 09 May 2011, 08:11
ProphetOfDoom
Yes, you're right. I found that information somewhere. So,
Quote:
CONTEXT_X86 equ 0x10000
CONTEXT_INTEGER should be CONTEXT_X86 OR 0x02, right? And not only 0x02, am I right? I wrote it like this; let me know if this is true..
Code:
CONTEXT_X86                EQU 0x10000
CONTEXT_CONTROL            EQU CONTEXT_X86 OR 0x0001
CONTEXT_INTEGER            EQU CONTEXT_X86 OR 0x0002
CONTEXT_SEGMENTS           EQU CONTEXT_X86 OR 0x0004
CONTEXT_FLOATING_POINT     EQU CONTEXT_X86 OR 0x0008
CONTEXT_DEBUG_REGISTERS    EQU CONTEXT_X86 OR 0x0010
CONTEXT_EXTENDED_REGISTERS EQU CONTEXT_X86 OR 0x0020
CONTEXT_FULL               EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS
CONTEXT_ALL                EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS OR CONTEXT_FLOATING_POINT OR CONTEXT_DEBUG_REGISTERS OR CONTEXT_EXTENDED_REGISTERS
ProphetOfDoom 09 May 2011, 08:47
Yes I think that's correct - I can't test it as I don't have a Windows PC in front of me. Why don't you try it?
Overflowz 09 May 2011, 08:57
ProphetOfDoom
Trying, but I don't know if I'm getting the true result ^^ I'm creating a process with the CREATE_SUSPENDED flag and EBX should point to the PEB structure. After that, I'm trying to get the Image Base and it doesn't work.
Code:
mov ebx,[ctx.Ebx]
mov ebx,[ebx+0x08]   ;ImageBase
but it fails. That's my problem here.
ProphetOfDoom 09 May 2011, 09:26
Hi,
The method I've given you should definitely work - I used it in a C program (a debugger I'm writing) with no problems. But my program retrieves the context when the program is suspended due to a debug exception (breakpoint) - I've never tried it with a process that was started suspended. Maybe someone else can help? I'm out of ideas already. |
Overflowz 09 May 2011, 09:41
I made a mistake, sorry.. I should call ZwUnmapViewOfSection first and then the code I wrote below. Solved, and thanks.
ProphetOfDoom 09 May 2011, 09:45
Actually was just thinking... I've never needed to hack around with PE image bases, but aren't you looking for the data in the parent (creating) process rather than in the child (created) process? If the info you want is in the child process you'll need to use the Windows ReadProcessMemory function to get at it.
ProphetOfDoom 09 May 2011, 09:47
Oh okay lol. As long as you got it working.
Overflowz 09 May 2011, 09:50
Never mind, sometimes it works, sometimes it doesn't. I'll try to figure out what's going on there >.<
Overflowz 10 May 2011, 06:59
Heh, I have a question.. Is this a bug?? I've tried to open the program in Olly and sometimes it works and sometimes it doesn't. I just need to open it several times, and this value is confusing me! It changes every time I open it at a different time.. Check these pictures. Also, here's the source and the declaration of the context structure:
Source:
Code:
  invoke GetModuleFileName,0,nBuffer,0x100
  invoke CreateProcess,nBuffer,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
  mov [ctx.ContextFlags],CONTEXT_INTEGER
  invoke GetThreadContext,[pinfo.hThread],ctx
  invoke GetModuleHandle,0                          ;EAX = our own image base
  invoke ZwUnmapViewOfSection,[pinfo.hThread],eax   ;passes the thread handle, not [pinfo.hProcess]
  mov ebx,[ctx.Ebx]                                 ;PEB address inside the child
  mov ebx,[ebx+0x08]                                ;EBX = Base (read from this process's memory, not the child's)
  mov eax,[ctx.Eax]                                 ;EAX = EP
  mov esi,hfile
  add esi,[esi+0x3c]                                ;e_lfanew -> NT headers of the file image in hfile
  mov edi,nthdr
  mov ecx,sizeof.IMAGE_NT_HEADERS32
  cld
  rep movsb
  mov eax,[nthdr.OptionalHeader.SizeOfImage]
  ret
Context Structure:
Code:
CONTEXT_X86                EQU 0x10000
CONTEXT_CONTROL            EQU CONTEXT_X86 OR 0x0001
CONTEXT_INTEGER            EQU CONTEXT_X86 OR 0x0002
CONTEXT_SEGMENTS           EQU CONTEXT_X86 OR 0x0004
CONTEXT_FLOATING_POINT     EQU CONTEXT_X86 OR 0x0008
CONTEXT_DEBUG_REGISTERS    EQU CONTEXT_X86 OR 0x0010
CONTEXT_EXTENDED_REGISTERS EQU CONTEXT_X86 OR 0x0020
CONTEXT_FULL               EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS
CONTEXT_ALL                EQU CONTEXT_CONTROL OR CONTEXT_INTEGER OR CONTEXT_SEGMENTS OR CONTEXT_FLOATING_POINT OR CONTEXT_DEBUG_REGISTERS OR CONTEXT_EXTENDED_REGISTERS
MAXIMUM_SUPPORTED_EXTENSION equ 512

struct FLOATING_SAVE_AREA
  ControlWord   dd ?
  StatusWord    dd ?
  TagWord       dd ?
  ErrorOffset   dd ?
  ErrorSelector dd ?
  DataOffset    dd ?
  DataSelector  dd ?
  RegisterArea  rb 80
  Cr0NpxState   dd ?
ends

struct CONTEXT
  ContextFlags dd ?
  Dr0 dd ?
  Dr1 dd ?
  Dr2 dd ?
  Dr3 dd ?
  Dr6 dd ?
  Dr7 dd ?
  FloatSave FLOATING_SAVE_AREA
  SegGs dd ?
  SegFs dd ?
  SegEs dd ?
  SegDs dd ?
  Edi dd ?
  Esi dd ?
  Ebx dd ?
  Edx dd ?
  Ecx dd ?
  Eax dd ?
  Ebp dd ?
  Eip dd ?
  SegCs dd ?
  EFlags dd ?
  Esp dd ?
  SegSs dd ?
  ExtendedRegisters rb MAXIMUM_SUPPORTED_EXTENSION
ends
Any help?
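The three points the thread arrives at or hints at, put together as an added example (this is not the poster's code, nor anything shipped with fasm): ContextFlags has to be set before GetThreadContext (ProphetOfDoom's reply above), the value in ctx.Ebx is an address inside the child and must be fetched with ReadProcessMemory (ProphetOfDoom's later remark), and the unmap call takes the process handle rather than the thread handle that the last source listing passes. The intermittent results reported above are what you get when the child's PEB address is dereferenced in the parent: the two PEBs sometimes happen to sit at the same address and sometimes do not. Assumptions: fasm's win32a.inc supplies STARTUPINFO, PROCESS_INFORMATION, CREATE_SUSPENDED and the invoke/cinvoke macros; the CONTEXT translation and its flags are given this example's own names (CTX32, CTX_*) so they cannot clash with whatever the include files already define; as in the thread, the suspended initial thread's EBX holds the PEB and EAX the entry point on 32-bit Windows; PEB.ImageBaseAddress is at x86 offset 8.

```fasm
; Added example (not the poster's code). Assumes fasm's win32a.inc for
; STARTUPINFO/PROCESS_INFORMATION, CREATE_SUSPENDED and invoke/cinvoke.
; CTX32 and CTX_* are this example's own names for the x86 CONTEXT translation.
format PE console 4.0
entry start
include 'win32a.inc'

CTX_I386    = 0x00010000              ; CONTEXT_i386
CTX_CONTROL = CTX_I386 or 0x01        ; Ebp, Eip, SegCs, EFlags, Esp, SegSs
CTX_INTEGER = CTX_I386 or 0x02        ; Edi, Esi, Ebx, Edx, Ecx, Eax

struct CTX32                          ; x86 CONTEXT in the MSDN field order
  ContextFlags dd ?
  DebugRegs    rd 6                   ; Dr0, Dr1, Dr2, Dr3, Dr6, Dr7
  FloatSave    rb 112                 ; FLOATING_SAVE_AREA, 112 bytes
  SegRegs      rd 4                   ; SegGs, SegFs, SegEs, SegDs
  Edi          dd ?
  Esi          dd ?
  Ebx          dd ?
  Edx          dd ?
  Ecx          dd ?
  Eax          dd ?
  Ebp          dd ?
  Eip          dd ?
  SegCs        dd ?
  EFlags       dd ?
  Esp          dd ?
  SegSs        dd ?
  ExtendedRegisters rb 512            ; MAXIMUM_SUPPORTED_EXTENSION
ends

; Build-time layout check: a drifted translation fails to assemble instead of
; letting GetThreadContext fill the wrong fields (Ebx 0xA4, Eax 0xB0, size 0x2CC).
if CTX32.Ebx <> 0xA4 | CTX32.Eax <> 0xB0 | CTX32.Eip <> 0xB8 | sizeof.CTX32 <> 0x2CC
  err
end if

section '.data' data readable writeable
  szPath    rb 0x104
  sinfo     STARTUPINFO
  pinfo     PROCESS_INFORMATION
  ctx       CTX32
  childBase dd ?                      ; ImageBase read out of the child's PEB
  nBytes    dd ?
  nWritten  dd ?
  szFmt     db 'child PEB %08x  ImageBase %08x  entry point (Eax) %08x',13,10,0
  szOut     rb 128

section '.text' code readable executable
start:
        mov     ebx,1                 ; exit code; cleared on success
        invoke  GetModuleFileName,0,szPath,0x104
        mov     [sinfo.cb],sizeof.STARTUPINFO
        invoke  CreateProcess,szPath,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
        test    eax,eax
        jz      .done
        ; (1) ContextFlags is an input: it selects what GetThreadContext fills.
        mov     [ctx.ContextFlags],CTX_INTEGER
        invoke  GetThreadContext,[pinfo.hThread],ctx
        test    eax,eax
        jz      .done
        ; (2) ctx.Ebx is an address in the CHILD (its PEB). Read
        ;     PEB.ImageBaseAddress (x86 offset 8) from the child; a plain
        ;     [ebx+8] here reads this process and only matches by luck.
        mov     eax,[ctx.Ebx]
        add     eax,8
        invoke  ReadProcessMemory,[pinfo.hProcess],eax,childBase,4,nBytes
        test    eax,eax
        jz      .done
        ; (3) Unmapping is per process: process handle plus the base read above.
        invoke  NtUnmapViewOfSection,[pinfo.hProcess],[childBase]
        test    eax,eax               ; NTSTATUS, 0 = STATUS_SUCCESS
        jnz     .done
        cinvoke wsprintf,szOut,szFmt,[ctx.Ebx],[childBase],[ctx.Eax]
        mov     [nBytes],eax
        invoke  GetStdHandle,-11      ; STD_OUTPUT_HANDLE
        invoke  WriteFile,eax,szOut,[nBytes],nWritten,0
        xor     ebx,ebx
.done:
        ; The child's image is unmapped, so the example ends by removing the
        ; child. With NULL handles (CreateProcess failed) these calls just fail.
        invoke  TerminateProcess,[pinfo.hProcess],0
        invoke  CloseHandle,[pinfo.hThread]
        invoke  CloseHandle,[pinfo.hProcess]
        invoke  ExitProcess,ebx

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL', user32,'USER32.DLL', ntdll,'NTDLL.DLL'
  import  kernel32, GetModuleFileName,'GetModuleFileNameA', CreateProcess,'CreateProcessA',\
          GetThreadContext,'GetThreadContext', ReadProcessMemory,'ReadProcessMemory',\
          GetStdHandle,'GetStdHandle', WriteFile,'WriteFile', TerminateProcess,'TerminateProcess',\
          CloseHandle,'CloseHandle', ExitProcess,'ExitProcess'
  import  user32, wsprintf,'wsprintfA'
  import  ntdll, NtUnmapViewOfSection,'NtUnmapViewOfSection'
```

Assemble with `fasm ctxread.asm` and run the resulting executable on 32-bit Windows; it prints the child's PEB address, the ImageBase read from that PEB and the entry point in Eax, then terminates the suspended child. The `if ... err` block is the check the thread's original question needed: the offsets come from the documented Win32 x86 CONTEXT (Ebx at 0xA4, Eax at 0xB0, Eip at 0xB8, 716 bytes total), so a field dropped or reordered in the translation is caught at assembly time rather than showing up as a register that "never changes".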
Copyright © 1999-2025, Tomasz Grysztar.