flat assembler
Message board for the users of flat assembler.

Strange way of assembling SetUnhandledExceptionFilter

Igor1024 09 Jan 2012, 03:56
Hi.
So, the trick is:
if you import APIs like this:

Code:
section '.import' readable writable
data import
 library kernel32,'KERNEL32.DLL'

 import  kernel32,\
  SetUnhandledExceptionFilter,'SetUnhandledExceptionFilter'
end data

you don't get to this API; you get somewhere at 0x402068 - that's the image's space, really. Anyway, only this API call is assembled so strangely.

But if you write it like this:

Code:
section '.import' readable writable

data import
    dd $0, $0, $0, rva kernel32_name, rva kernel32_table
    dd $0, $0, $0, $0, $0

kernel32_table:
    SetUnhandledExceptionFilter  dd rva _SetUnhandledExceptionFilter
    dd $0

    _SetUnhandledExceptionFilter dw $0
                               db 'SetUnhandledExceptionFilter', $0

    kernel32_name db 'kernel32.dll', $0
end data
    


it works perfectly. What's the matter?

_________________
The God is real,unless he is declared as integer.
LocoDelAssembly 09 Jan 2012, 07:32
Quote:
you get somewhere at 0x402068

How are you checking this?
Code:
format pe gui 4.0
include 'win32a.inc'

section '.code' code readable executable
mov eax, [SetUnhandledExceptionFilter]
int3

section '.import' readable writable
data import
 library kernel32,'KERNEL32.DLL'

 import  kernel32,\
  SetUnhandledExceptionFilter,'SetUnhandledExceptionFilter'
end data

When I check EAX with the debugger (which is opened only when I ask Windows to do so when it shows the "... has stopped working" dialog) I don't see a value in EAX inside the process image space.
Igor1024 09 Jan 2012, 08:33
Because SetUnhandledExceptionFilter doesn't launch under a debugger (that's a trick), I just put a couple of MessageBoxes before and after calling this API, and when I launched the program I saw only the first MB, then (after clicking OK, of course) Olly launched because of an unhandled exception.

LocoDelAssembly 09 Jan 2012, 14:41
Could you provide the complete code you have used to see that SetUnhandledExceptionFilter is resolved as 0x402068?
Igor1024 10 Jan 2012, 04:35
OK, I understood the mistake - I got used to using 'invoke' macros and forgot that call apiname gives control to the place where the address of this API is put; I should use call [apiname], that's right. /facepalm
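The difference between the two call forms from the last post, shown at the byte level as an added example (not code from the thread): it encodes both forms, follows each to the address control reaches, and flags a direct call that lands in import data. 0x402068 is the address reported in the thread, taken here to be the import slot; the call-site address, the API address and the section bounds are constructed values.

```python
import struct

# 0x402068 is the address reported in the thread, assumed to be the import slot.
IAT_SLOT = 0x402068
CALL_SITE = 0x401000                  # constructed: address of the call instruction
API_ADDR = 0x77001234                 # constructed: value the loader put in the slot
IMPORT_RANGE = (0x402000, 0x403000)   # constructed: bounds of the '.import' section


def asm_call_direct(site, target):
    """call label -> E8 rel32, displacement counted from the next instruction."""
    return b"\xE8" + struct.pack("<i", target - (site + 5))


def asm_call_indirect(slot):
    """call [label] -> FF 15 abs32 (32-bit mode); the target is read from memory."""
    return b"\xFF\x15" + struct.pack("<I", slot)


def call_target(code, site, read_dword):
    """Return (form, address that receives control) for either encoding."""
    if code[:1] == b"\xE8":
        rel = struct.unpack_from("<i", code, 1)[0]
        return "direct", (site + 5 + rel) & 0xFFFFFFFF
    if code[:2] == b"\xFF\x15":
        slot = struct.unpack_from("<I", code, 2)[0]
        return "indirect", read_dword(slot)
    raise ValueError("not a CALL rel32 or CALL [abs32] instruction")


def missing_brackets(code, site, read_dword, import_range=IMPORT_RANGE):
    """True when a direct call lands inside the import data instead of code."""
    form, target = call_target(code, site, read_dword)
    return form == "direct" and import_range[0] <= target < import_range[1]


memory = {IAT_SLOT: API_ADDR}         # the slot after the loader has filled it in
read = memory.__getitem__

if __name__ == "__main__":
    for code in (asm_call_direct(CALL_SITE, IAT_SLOT), asm_call_indirect(IAT_SLOT)):
        form, target = call_target(code, CALL_SITE, read)
        flagged = missing_brackets(code, CALL_SITE, read)
        print(f"{code.hex(' '):<18} {form:<8} -> {target:#010x}  flagged: {flagged}")
```

The direct form transfers control to the slot itself, so the CPU executes the stored pointer bytes as instructions; the bracketed form reads the pointer from the slot and calls the API.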
Copyright © 1999-2024, Tomasz Grysztar.