flat assembler
Message board for the users of flat assembler.
Index
> Windows > Crypto APIs |
Author |
|
revolution 23 Apr 2016, 05:20
The include file "ADVAPI32.INC" has all the crypto APIs. It works with both 32bit and 64bit.
|
|||
23 Apr 2016, 05:20 |
|
StakFallT 23 Apr 2016, 05:25
Really? So if someone were using, for example, Visual Studio and built an exe under the 64-bit arch config, making it a native 64-bit program (not a 32-bit program running on a 64-bit platform), I could hook those 32-bit function calls and it would hook the very same routines that native 64-bit program were using?
EDIT: Fixed a typo (and -> an) |
|||
23 Apr 2016, 05:25 |
|
revolution 23 Apr 2016, 05:26
StakFallT wrote: Really? So if someone were using, for example, Visual Studio and built and exe under the 64-bit arch config, making it a native 64-bit program (not a 32-bit program running on a 64-bit platform), I could hook those 32-bit function calls and it would hook the very same routines that native 64-bit program were using? |
|||
23 Apr 2016, 05:26 |
|
StakFallT 23 Apr 2016, 05:27
gotcha, thanks!
|
|||
23 Apr 2016, 05:27 |
|
revolution 23 Apr 2016, 05:29
In case you are not aware, Windows loads different DLLs (with the same names) for different programs to support things like 32/64 bitness and also for supporting run-in-XP-mode and other things like that.
|
|||
23 Apr 2016, 05:29 |
|
StakFallT 23 Apr 2016, 05:33
I'm somewhat familiar with the Windows side-by-side system, but I always thought that was basically so each program can have its own set of libraries it loads. Solving the uninstall-breaking-other-programs'-dependencies issue back before the system was put in place. I didn't think it handled address translation as well.
|
|||
23 Apr 2016, 05:33 |
|
revolution 23 Apr 2016, 06:10
StakFallT wrote: I didn't think it handled address translation as well. |
|||
23 Apr 2016, 06:10 |
|
StakFallT 23 Apr 2016, 15:23
Oh. Then it's exactly what I thought it did
I also realized I think we may discussing two slightly different things -- not sure why I didn't catch it sooner; tired I guess... I'm looking to do a global hook as that's the only way it would work. I'm not sure where Windows SxS fits in. Just to kind've make sure we're on the same page, you're saying that fASM can be used to generate a native 64-bit exe that uses the 64-bit versions of those functions? Let me ask this, maybe it'll help; where is the 64-bit version of, for example, CryptAcquireContextW located? Surely not advapi32.dll? the 32-part indicates those are the 32-bit functions or did they roll the 64-bit stuff in with the 32 bit stuff and leave it as one file for some sort of compatibility? The Microsoft CNG (Cryptographic Next Generation) stuff is mostly implemented in bcrypt.dll and ncrypt.dll since Windows Vista. So I dunno, maybe that's what I should be looking into... ::confused:: I'm not actually looking to side-load DLLs, I'm looking to write a native 64-bit exe that performs a global hook (which also raises the question, does the global hook still work if another application has it's own DLLs packaged with it) on a few of the 64-bit cryptographic functions that are loaded in user mode. What I'm thinking is, if anything, Windows SxS will actually cause me headaches. If an application is allowed to use it's own DLLs, all those functions are loaded into the process's memory (detailed, likely, in the PEB) which is not the same area as where advapi32.dll is loaded globally by Windows when it starts. So if anything, Windows SxS will cause headache more than alleviate them. |
|||
23 Apr 2016, 15:23 |
|
revolution 23 Apr 2016, 15:42
StakFallT wrote: ... you're saying that fASM can be used to generate a native 64-bit exe that uses the 64-bit versions of functions? StakFallT wrote: ... does the global hook still work if another application has it's own DLLs packaged with it) StakFallT wrote: ... on a few of the cryptographic functions that are loaded in user mode.... if anything, Windows SxS will actually cause me headaches. If an application is allowed to use it's own DLLs, all those functions are loaded into the process's memory (detailed, likely, in the PEB) which is not the same area as where advapi32.dll is loaded globally by the Windows when it starts. ETA: A program can also have its own crypto functions in the core exe without needing any DLLs, so there is no guarantee that you could ever use a DLL hook to catch all usage of crypto. |
|||
23 Apr 2016, 15:42 |
|
StakFallT 23 Apr 2016, 15:50
Quote:
See I had always believed they were 64-bit programs, but using 32-bit functions, much in the same way that a full 32-bit through-and-through application can be allowed to run on a 64-bit system. Interesting. I'll have to check them out; thanks! Quote:
Yeah, that's kind've what I thought. Unfortunately, that DEFINITELY throws a serious curveball in how I was hoping to solve the problem. Quote:
Well no. I agree. It's just it sounded like, and maybe I interpreted what you were saying incorrectly, that you were implying Windows SxS s what would make what I wanted work. From my idea's standpoint, it creates problems for it. But I agree, it is operating the way intended. Because, basically, even if I were to set up a global hook, if a program loads it's own version of those DLLs, the hook is completely bypassed. I'm going have to go back to the drawing board a little I'm thinking :/ But I'd rather it now then deep into coding and realize it then. Thanks btw! |
|||
23 Apr 2016, 15:50 |
|
revolution 23 Apr 2016, 18:26
It is an unfortunate naming artefact that the file named "kernel32.dll" is actually a 64-bit DLL when linked by a 64-bit program. And, more sensibly, it is a 32-bit DLL when linked by a 32-bit program. Same name, different bitness.
|
|||
23 Apr 2016, 18:26 |
|
StakFallT 23 Apr 2016, 19:19
... *mind kind've blown*... I mean I guess it makes sense in hindsight now. Because if it weren't that way, then there'd have to be a kernel64.dll or something. I guess I just never really thought much about it. OH. That's where the SysWOW64 folder comes into play huh? They are literally the 64-bit versions of the 32-bit files. I never really noticed it because they also had the 32-bit parts in their names. Which you'd think the 64-bit ones would actually be named with the 64 qualifier in it.
What scenario would require a 64-bit program compiled as 64-bit to look for it's 64-bit DLLs to be named the same as the 32 monikers? The only logical explanation I can come up with is the filenames are hardcoded somewhere in the MSVC Runtime Libraries and they can manipulate what bit DLLs get used outside of the compiled DLL by playing the games MS typically does, softlinks (in the case of My Documents and Documents, the library feature, etc.), moving files around various directories, etc. But if they change the filename in the source code of the runtime library, they would then have to go into the code and add conditionals depending on the architecture. |
|||
23 Apr 2016, 19:19 |
|
revolution 24 Apr 2016, 02:35
StakFallT wrote: That's where the SysWOW64 folder comes into play huh? They are literally the 64-bit versions of the 32-bit files. |
|||
24 Apr 2016, 02:35 |
|
StakFallT 24 Apr 2016, 03:12
lol. Can't make this stuff up
Yeah, it probably made sense to Balmer I almost typed I think it's starting to make sense. What I mean to type is, I think I'm starting to understand it. Thanks! |
|||
24 Apr 2016, 03:12 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.