flat assembler
Message board for the users of flat assembler.

Native application win32 win64
Feryno 13 Mar 2006, 15:08
Native application.

First of all, a warning for all lamaz: at first, try to boot from the install CD into the recovery console and try to delete a file. After you succeed, continue with the next experiments! You will need to delete a file if it causes system reboot cycles. Maybe you can bypass a native api with a bug causing a reboot by booting into safe mode, but I haven't tried it.
If you have two or more operating systems on your PC able to access the filesystem (most of you have NTFS as the system drive), there is no problem: you boot the second OS, replace the bad native app with a good one (e.g. from this sample) or just delete it.
--end of prologue--

FASM is able to produce various kind of apps:
format PE gui
format PE console
format PE NATIVE

Everybody knows GUI as well as CONSOLE apps. A GUI app can have its own window design (main window, buttons, menus...), a console app writes some text output to the console. The NATIVE directive is used to build system drivers, but it can be used to produce a NATIVE application too.
The kind of app is specified in IMAGE_OPTIONAL_HEADER.Subsystem:
IMAGE_SUBSYSTEM_NATIVE = 1 ; Image doesn't require a subsystem.
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2 ; Image runs in the Windows GUI subsystem.
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3 ; Image runs in the Windows character subsystem.

It isn't possible to run a native application by simply executing it as a GUI or console app. System drivers can be loaded and unloaded by the Service Control Manager (SCM). A native app can be run by the Session Manager before winlogon. An example of a native app is autochk.exe - in old NT 4.0 it displayed something like "Checking drive..." after an incorrect system reboot.
Look into
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

Although it is impossible to run a native app from user mode (and thus impossible to debug it as a user mode program), there is a limited way to test some parts and APIs:
change the first line of the asm source
format PE native at 10000h
to:
format PE
then recompile the app and now you are able to debug some parts with a user mode debugger.

In conclusion: user mode apps are good gifts to your friends who send you thousands of mails with big attachments and don't stop sending after several warnings from you that their mails exhaust you and your mailbox space. Especially when you add an instruction like jmp $ into the native app, the sending of unwanted mails stops until he/she restores the OS.

You use APIs from NTDLL.DLL; most of them are undocumented (except the Rtl APIs, which are documented in MSDN very well).

some links:
http://www.sysinternals.com/Information/NativeApplications.html
http://undocumented.ntinternals.net/ntundoc.chm
http://undocumented.ntinternals.net/UserMode/
http://msdn.microsoft.com/library/en-us/IFSK_r/hh/IFSK_r/rtlref_852a2232-bc46-42fd-9eb8-3faa018614d2.xml.asp Runtime Library Routines

Sources are for win32 as well as win64.
native.exe prints something on the startup screen;
32\native0.exe and 64\native_command_line.exe display their command line parameter
(HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute).

There is one problem in win64 when copying a file using a 32-bit app (like Total Commander): you don't see the real 64-bit content of the system32 directory, but the shadowed SysWOW64 directory, so use the included 64-bit application to copy native.exe into system32.
After you copy it into system32, you won't see it from 32-bit apps (totalcmd) - it's hidden for 32-bit apps. Now I know why my drivers worked only if copied into the SysWOW64 directory: because I used 32-bit totalcmd, which ran 32-bit cmd.exe instead of 64-bit cmd.exe, and the content of system32 is a shadow of SysWOW64 (= 32-bit content), not truly a directory with 64-bit content.
I got the win64 command line displayed by dirty tricks; this is maybe a wrong way, but it works. Most native app structures are undocumented.


Description: Samples of native application for win32 and win64
Filename: native.zip
Filesize: 14.19 KB
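A quick way to check what an image's header actually declares, as an added example in Python (not code from the thread or from the native.zip samples): it parses the DOS, COFF and optional headers far enough to read ImageBase and Subsystem, which are the fields that fasm's `at 10000h` and `native` keywords set, and classifies the image the way the post above describes (native = started by the Session Manager or loaded as a driver, not by normal execution). It is handy when reviewing the BootExecute value mentioned above: every image listed there should really be a native-subsystem program, not a GUI or console executable that someone dropped in. The `build_sample_pe` helper only constructs a header-only image for the demonstration; the subsystem constants beyond 1..3 are further values defined in winnt.h.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000            # Characteristics flag: image is a DLL

# Subsystem values from IMAGE_OPTIONAL_HEADER; 1..3 are the ones discussed
# in the thread, the others are further values defined in winnt.h.
SUBSYSTEM_NAMES = {
    0: "IMAGE_SUBSYSTEM_UNKNOWN",
    1: "IMAGE_SUBSYSTEM_NATIVE",
    2: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
    3: "IMAGE_SUBSYSTEM_WINDOWS_CUI",
    9: "IMAGE_SUBSYSTEM_WINDOWS_CE_GUI",
    10: "IMAGE_SUBSYSTEM_EFI_APPLICATION",
    11: "IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER",
    12: "IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER",
    16: "IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION",
}


def pe_header_info(data: bytes) -> dict:
    """Read ImageBase, Subsystem and the DLL flag from a PE image in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsym, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                 # IMAGE_FILE_HEADER is 20 bytes
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header too short or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:         # 32-bit: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:   # 64-bit: no BaseOfData, QWORD ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem is a WORD at +68 in both the PE32 and the PE32+ layout.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "unknown"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def describe_launch(info: dict) -> str:
    """Say how an image with these header fields is normally started."""
    if info["is_dll"]:
        return "dll: mapped into another process, subsystem value is not decisive"
    return {
        1: "native: no Win32 subsystem; started by the Session Manager "
           "(BootExecute) or loaded as a driver, not by plain execution",
        2: "gui: normal Windows application, launched by CreateProcess",
        3: "console: like gui, but Windows creates or inherits a console",
    }.get(info["subsystem"], "other subsystem: not a regular Windows program")


def build_sample_pe(subsystem: int, image_base: int, pe32plus: bool = False,
                    dll: bool = False) -> bytes:
    """Constructed header-only image for testing; it is not a loadable file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: right after the stub
    opt_size = 0xF0 if pe32plus else 0xE0           # standard optional header sizes
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "native32 (format PE native at 10000h)": build_sample_pe(1, 0x10000),
        "gui64": build_sample_pe(2, 0x140000000, pe32plus=True),
    }
    for name, image in samples.items():
        info = pe_header_info(image)
        print("%-40s base=%#x %s -> %s" % (name, info["image_base"],
              info["subsystem_name"], describe_launch(info)))
```

To inspect a real file, pass `open(path, "rb").read()` to `pe_header_info`; for a 64-bit system, read the file from the real system32 directory with a 64-bit process, since the SysWOW64 redirection described above applies to 32-bit Python too.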
okasvi 13 Mar 2006, 15:52
really nice :)


I tested this and it worked:

Code:
format PE native 5.02 at 10000h
entry start

include '%fasminc%\win32a.inc'

section '.text' code readable executable

start:

        push    UNICODE_STRING          ; PUNICODE_STRING with the message
        call    dword [NtDisplayString]

        xor     eax,eax                 ; busy-wait so the text stays on screen
delay_loop:
        dec     eax
        jnz     delay_loop

        push    0                       ; ExitStatus
        push    -1                      ; ProcessHandle = current process
        call    dword [NtTerminateProcess]


align 16
UNICODE_STRING  dw      MsgW_0_size     ; Length
                dw      MsgW_0_size + 2 ; MaximumLength
                dd      MsgW_0          ; Buffer

align 16
MsgW_0          du      'Fatal system error! Cannot continue.',0Ah
                du      'formatting system partition... 100%',0
MsgW_0_size     =       $ - MsgW_0

section '.rdata' import readable notpageable

        library ntdll,'ntdll.dll'

        import  ntdll,\
                NtDisplayString,'NtDisplayString',\
                NtTerminateProcess,'NtTerminateProcess'

section '.reloc' data fixups readable discardable

Not sure if reloc is even needed, but that's what was in the KMD example I've been playing around with...

I wonder when I missed the info that library/import works for PE natives, as it didn't on older versions of fasm :|

RedGhost 13 Mar 2006, 16:51
very cool, nice contribution
Feryno 14 Mar 2006, 06:27
I'm happy that we can code some funny stuff now!

NtDelayExecution http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtDelayExecution.html can be used for the delay loop instead of wasting CPU with:
xor eax,eax
L0:
dec eax
jnz L0

I forgot to tell you that the samples work on the NT platform only, but I hope everybody knows that NTDLL.DLL is part of the NT OS and isn't in w95, w98, winme.
There is a small mistake that doesn't matter, but please correct the string size computation:
Code:
align 16
UNICODE_STRING  dw      MsgW_0_size     ; Length: unicode string size in bytes without zero-terminator
                dw      MsgW_0_size_ZT  ; MaximumLength: size in bytes including zero-terminator
                dd      MsgW_0          ; Buffer

align 16
MsgW_0          du      'Fatal system error! Cannot continue.',0Ah
                du      'formatting system partition... 100%',0
MsgW_0_size_ZT  =       $ - MsgW_0      ; whole buffer including the terminator
MsgW_0_size     =       MsgW_0_size_ZT - 2

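The Length/MaximumLength distinction behind this correction, as an added example in Python (not code from the thread or from the samples): it builds the UNICODE_STRING header for both the 32-bit and the 64-bit layout, once the corrected way and once the way the first posted sample computed it, and a small checker reports why the first layout is inconsistent with the buffer it points at. The function names, the message text and the pointer value 0x10400 are constructed for the demonstration.

```python
import struct


def make_unicode_string(text: str, buffer_address: int, pe32plus: bool = False):
    """Return (struct_bytes, buffer_bytes) for a correctly filled UNICODE_STRING.

    Length is the byte count of the UTF-16 text WITHOUT the terminator
    (MsgW_0_size in the thread); MaximumLength is the size of the backing
    buffer INCLUDING the terminator (MsgW_0_size_ZT)."""
    buffer = text.encode("utf-16-le") + b"\x00\x00"
    length, maximum_length = len(buffer) - 2, len(buffer)
    # 32-bit: WORD, WORD, DWORD pointer (8 bytes).
    # 64-bit: WORD, WORD, 4 bytes padding, QWORD pointer (16 bytes).
    fmt = "<HH4xQ" if pe32plus else "<HHI"
    return struct.pack(fmt, length, maximum_length, buffer_address), buffer


def first_post_layout(text: str, buffer_address: int, pe32plus: bool = False):
    """Reproduce the size computation of the first posted sample: Length taken
    after the terminator, MaximumLength = Length + 2 (constructed here to show
    what the correction fixes)."""
    buffer = text.encode("utf-16-le") + b"\x00\x00"
    length, maximum_length = len(buffer), len(buffer) + 2
    fmt = "<HH4xQ" if pe32plus else "<HHI"
    return struct.pack(fmt, length, maximum_length, buffer_address), buffer


def parse_unicode_string(raw: bytes, pe32plus: bool = False) -> dict:
    """Decode the three fields of a UNICODE_STRING from its raw bytes."""
    fmt = "<HH4xQ" if pe32plus else "<HHI"
    length, maximum_length, buffer_address = struct.unpack_from(fmt, raw)
    return {"Length": length, "MaximumLength": maximum_length,
            "Buffer": buffer_address}


def check_unicode_string(fields: dict, buffer: bytes) -> list:
    """Return the consistency problems between a UNICODE_STRING header and
    the buffer it describes; an empty list means the pair is well-formed."""
    issues = []
    length, maximum_length = fields["Length"], fields["MaximumLength"]
    if length % 2:
        issues.append("Length is odd; it must be a byte count of UTF-16 units")
    if length > maximum_length:
        issues.append("Length exceeds MaximumLength")
    if maximum_length > len(buffer):
        issues.append("MaximumLength claims more bytes than the buffer holds")
    if 2 <= length <= len(buffer) and buffer[length - 2:length] == b"\x00\x00":
        issues.append("Length counts the zero terminator")
    return issues


def audit(text: str, pe32plus: bool = False) -> dict:
    """Build both layouts for one message and return the issues of each."""
    address = 0x10400                # constructed sample pointer value
    result = {}
    for name, maker in (("corrected", make_unicode_string),
                        ("first_post", first_post_layout)):
        raw, buffer = maker(text, address, pe32plus)
        result[name] = check_unicode_string(parse_unicode_string(raw, pe32plus),
                                            buffer)
    return result


if __name__ == "__main__":
    for layout, issues in audit("Native app started").items():
        print(layout, "->", issues or "ok")
```

The two findings the checker raises for the first layout are exactly the two lines the correction changes: Length was counting the terminator, and MaximumLength claimed two bytes past the end of the `du` buffer.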
chris 15 Mar 2006, 03:19
Interesting stuff! I have tried your example, and it works well. One thing I want to point out is that native applications are still running in user mode or, from the CPU's point of view, ring 3, as you can attach a kernel debugger like SoftICE and check that the code segment register cs=1b, which is the ring 3 code segment. So if your native application crashes, Windows terminates it and continues loading, just like when a GUI or console app crashes. :)
Feryno 16 Mar 2006, 10:08
Here is Microsoft's method of getting command line parameters; I got it by playing with autochk.exe from winnt_40 and w2k3_x64. It can be simplified, but I didn't have enough time to do it myself (especially the unnecessary unicode->ansi->unicode for NtDisplayString). You can optimize it (a lot of code may be removed).
I didn't have time (coding in the night) to implement Okasvi's optimization into the samples, do it yourself.
Chris, thanks for your help with the method of debugging a native app. Every exception in native.exe causes a system reboot of my PC, maybe because I don't have SoftICE installed, so no debugger catches the exception... Fortunately I have 3 OSes on 1 HD (win32, win64, Linux64) so I was able to delete the file using another OS and then boot.
I'm not an expert; coding is for me only something like playing for children. I just tried to port to asm something presented in C by Mark Russinovich; I succeeded thanks to the great FASM, and then I decided that native apps can be funny stuff for other people, so I posted the samples here. Enjoy them!


Description: ms method of get command line parameters in native app
Filename: native_command_line.zip
Filesize: 5.46 KB
questlima 27 Aug 2014, 10:59
Hi, I am new to FASM and ASM. I was wondering if the *format PE NATIVE* instruction means that it is a *system file .sys* and can only be executed at OS boot time. Btw, if I add the *add.reg*, will this be enough to execute the one I have written, or do I need to edit the *add.reg*? Sorry for my English, it's not my native language. Anyway, thank you.
l_inc 27 Aug 2014, 12:32
questlima
Even though fasm assigns the extension "sys" to the files with the native option, there is no 100% correlation between having the "sys" extension, having the "native" option, and especially not with being loaded at boot time.

The option native merely means that the produced executable will have IMAGE_NT_HEADERS->OptionalHeader->Subsystem set to 1 (IMAGE_SUBSYSTEM_NATIVE). This value is set for kernel-mode drivers (mostly having the sys extension), for kernel-mode libraries (hal.dll, kdcom.dll, framebuf.dll) and also for user-mode native applications (csrss.exe, smss.exe) that do not require an initialized Win32 subsystem when they start.

"Native" also does not mean that the executable should be loaded at boot time. Many drivers are loaded on demand by the PnP manager during normal OS operation or on request of an application.

If you wrote a driver that is specifically designed to be loaded at boot time, then direct manipulation of the registry is not the proper way to register the driver. A proper way could be to register it as a service using the service control manager API or using the setup API and an inf-file. If you have an inf-file you could also install it using the device manager or the redistributable application drvinst.exe.

questlima 27 Aug 2014, 13:04
Thanks. Btw, I am a bit confused; this is my first time trying to understand FASM, so it is a system file .sys, am I right? What I have learned so far on FASM :LOL

format PE GUI 4.0 DLL << this one will produce a DLL file
format PE gui << dialog, menus, list box, etc
format PE console << command line applications
format PE NATIVE << so this one will be a system file, drivers

Sorry for my English and for being such a noob, yes I am :) Anyway, thank you for your time, appreciated.
l_inc 27 Aug 2014, 13:52
questlima
Quote:
format PE GUI 4.0 DLL << this one will produce a DLL file

Yes, but you don't actually have to specify "GUI 4.0". fasm would then default to subsystem console, but it's actually not that relevant for dlls.
Quote:
format PE gui << dialog, menus, list box, etc

Not necessarily. An application with subsystem gui may or may not have any windows at all. Moreover it could create a console as well and look and behave exactly like a console application.
Quote:
format PE console << command line applications

Yes. The only difference to the format PE GUI is that Windows automatically creates a console window during application initialization or assigns an existing console if it's inherited from the parent application.
Quote:
format PE NATIVE << so this one will be a system file, drivers

As I already said, it's not necessarily drivers. If you read the first post of this topic, you'll find that the topic is actually about user-mode applications having the native subsystem.

Quote:
sorry for my English

Disregard the following suggestion if I'm mistaken, and you don't natively speak Russian. If you're too concerned about your English skills you may wanna visit this forum. I would recommend you to stay at board.flatassembler.net for fasm related questions, but you can get many of them answered on wasm as well.

catafest 26 Aug 2015, 10:36
Very useful!
One single question about: format PE native at 10000h

About the rules to set this: at 10000h
can we set any: format PE native at XXXXXh?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
