flat assembler
Message board for the users of flat assembler.

Index > Windows > Simple Winprogram without macros

Author
Thread Post new topic Reply to topic
dstyl



Joined: 23 Jul 2015
Posts: 67
dstyl
Has someone a good templeate of a win pe programm with code and data seg without the use of macros for the purpose of learning?
Thx in advance.
Post 17 Jul 2016, 14:26
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17638
Location: In your JS exploiting you and your system
revolution
The fasm download has exactly that, called PEDEMO.ASM:
Code:
; Example of making 32-bit PE program as raw code and data

format PE GUI
entry start

section '.text' code readable executable

  start:

        push    0
        push    _caption
        push    _message
        push    0
        call    [MessageBoxA]

        push    0
        call    [ExitProcess]

section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message db 'Hello World!',0

section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dd RVA _ExitProcess
    dd 0
  user_table:
    MessageBoxA dd RVA _MessageBoxA
    dd 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0

section '.reloc' fixups data readable discardable       ; needed for Win32s    
Post 17 Jul 2016, 23:33
View user's profile Send private message Visit poster's website Reply with quote
patulinu



Joined: 21 Jun 2016
Posts: 15
patulinu
Code:
; Example of making 32-bit PE program as raw code and data
; (no Kernel32.dll)

format PE GUI
entry start

section '.text' code readable executable

  start:

        push    0
        push    _caption
        push    _message
        push    0
        call    [MessageBoxA]

        xor     ax, ax
        ret     ; dismisses Kernel's ExitProcess.

      ; the "ret" above is enough.
      ; push    0
      ; call    [ExitProcess]

section '.data' data readable writeable

  _caption db 'Win32 assembly program',0
  _message db 'Hello World!',0

section '.idata' import data readable writeable

; dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

; kernel_table:
;   ExitProcess dd RVA _ExitProcess
;   dd 0
  user_table:
    MessageBoxA dd RVA _MessageBoxA
    dd 0

; kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

; _ExitProcess dw 0
;   db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0

; NOTE: I didn't see any errors running the app without this section.
; section '.reloc' fixups data readable discardable    
Post 18 Jul 2016, 00:39
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17638
Location: In your JS exploiting you and your system
revolution
Note that using "ret" to exit the program is not guaranteed to work. It is not a documented method so it may break at any time when a new Windows update or version is released.
Post 18 Jul 2016, 00:54
View user's profile Send private message Visit poster's website Reply with quote
Mikl___



Joined: 30 Dec 2014
Posts: 117
Mikl___
Hi, dstyl!
Different ways of creating MessageBox
It would seem that it may be easier function MessageBox? - only function MessageBeepImage Will try to find out what is inside the MessageBox? Maybe this will help make our programs even less. Run the program where MessageBox displayed in the debugger Ollydbg and the moment when the cursor reaches the line call MessageBoxA not push F8 (Step over), and the key F7 (Step into) and end up inside the function MessageBoxA - is going on here recoding ASCII-header rows and text messages in UNICODE and function call MessageBoxW, again click on F7 - is inside MessageBoxW is function MessageBoxExA which has one parameter more than MessageBoxA and MessageBoxW and this parameter (dwLanguageId) is 0 (LANG_NEUTRAL), the rest are parameters coincide completely. Inside there is a function MessageBoxExA is MessageBoxExW. Inside MessageBoxExW is function MessageBoxTimeoutA in which one parameter is more than this parameter and MessageBoxExW (Timeout) -1. Inside MessageBoxTimeoutA, as you might guess MessageBoxTimeoutW. Inside MessageBoxTimeoutW is MessageBoxIndirectA, this feature allows you to change the icon at MessageBox and may cause the Help, but we leave these parameters to zero. Inside MessageBoxIndirectA is exactly the same but with UNICODE strings function MessageBoxIndirectW is SoftModalMessageBox In programm of Indy/Clerk I found a link to NtRaiseHardError - MessageBox call at the kernel level
Code:
; masm windows gui #
.686P
.model flat
include windows.inc
include w2k\native.inc
include w2k\ntstatus.inc
includelib user32.lib
includelib ntdll.lib
extern _imp__MessageBoxA@16:dword
extern _imp__MessageBoxW@16:dword
extern _imp__MessageBoxExA@20:dword
extern _imp__MessageBoxExW@20:dword
extern _imp__MessageBoxTimeoutA@24:dword
extern _imp__MessageBoxTimeoutW@24:dword
extern _imp__SoftModalMessageBox@4:dword
extern _imp__MessageBoxIndirectA@4:dword
extern _imp__MessageBoxIndirectW@4:dword
extern _imp__NtRaiseHardError@24:dword
;extern _imp__KiFastSystemCall@0:dword
.code
start:  xor ebx,ebx
        mov esi,ebx
        push MB_ICONASTERISK or MB_OK
        push offset MsgCaption
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxA@16
;---------------------------------------
        inc esi
        push MB_ICONASTERISK or MB_OK
        push offset TitleText
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxW@16
;----------------------------------------
        inc esi
        push ebx
        push MB_ICONASTERISK or MB_OK
        push offset MsgCaption
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxExA@20
;-----------------------------------------
        inc esi
        push ebx
        push MB_ICONASTERISK or MB_OK
        push offset TitleText
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxExW@20
;-----------------------------------------
        inc esi
        push -1
        push ebx
        push MB_ICONASTERISK or MB_OK
        push offset MsgCaption
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxTimeoutA@24
;------------------------------------------
        inc esi
        push -1
        push ebx
        push MB_ICONASTERISK or MB_OK
        push offset TitleText
        push [Msg+esi*4]
        push ebx
        call _imp__MessageBoxTimeoutW@24
;------------------------------------------
        sub esp,sizeof(MSGBOXPARAMSA);40
        mov edi,esp
        assume edi:ptr MSGBOXPARAMSA
        mov dword ptr [edi].cbSize,sizeof(MSGBOXPARAMSA)
        mov dword ptr [edi].hwndOwner,ebx
        mov dword ptr [edi].hInstance,400000h
        mov dword ptr [edi].lpszText,offset Msg8
        mov dword ptr [edi].lpszCaption,offset MsgCaption
        mov dword ptr [edi].dwStyle,MB_ICONASTERISK or MB_OK
        mov dword ptr [edi].lpszIcon,ebx;:= PCHAR('MYICO');
        mov dword ptr [edi].dwContextHelpId,ebx;:= 0;
        mov dword ptr [edi].lpfnMsgBoxCallback,ebx;:= nil;
        mov dword ptr [edi].dwLanguageId,ebx;:= LANG_NEUTRAL;   
        push edi
        call _imp__MessageBoxIndirectA@4
;--------------------------------------------------------
        mov dword ptr [edi].lpszText,offset Msg9
        mov dword ptr [edi].lpszCaption,offset TitleText
        push edi
        call _imp__MessageBoxIndirectW@4
        add esp,sizeof(MSGBOXPARAMSA)
;-------------------------------------------------------------------------
 MSGBOXDATA struct       
     params              MSGBOXPARAMSA <>
     pwndOwner           DWORD ?
     wLanguageId         DWORD ?
     pidButton           DWORD ?         ; // Array of button IDs
     ppszButtonText      DWORD ?         ; // Array of button text strings
     cButtons            DWORD ?
     DefButton           DWORD ?
     CancelId            DWORD ?
     Timeout             DWORD ?
 MSGBOXDATA ends

        sub esp,sizeof MSGBOXDATA+0Ch
;  local mbd:MSGBOXDATA
;  local bufid[1]:DWORD
;  local bufstr[1]:DWORD
        lea eax,[esp+4];bufid
        mov dword ptr[eax],1
        mov [esp],offset _OK
        lea edi,[esp+8]
        mov [edi].cbSize,sizeof MSGBOXPARAMSA
        mov [edi].hwndOwner,ebx
        mov [edi].lpszText,offset Msg7
        mov [edi].lpszCaption,offset TitleText
        mov [edi].dwStyle,MB_ICONASTERISK or MB_OK
        assume edi:ptr MSGBOXDATA
        mov [edi].pwndOwner,ebx;0
        mov [edi].wLanguageId,ebx;0
        mov [edi].pidButton,eax
        mov [edi].ppszButtonText,esp;offset bufstr
        mov [edi].cButtons,1
        mov [edi].DefButton,ebx;0
        mov [edi].CancelId,1
        mov [edi].Timeout,-1
        push edi
        call _imp__SoftModalMessageBox@4
        assume edi:nothing
        add esp,sizeof MSGBOXDATA+0Ch
;------------------------------------------------------------------
ShowMessage proc
Local MessageBuffer[60h]:WCHAR;2 Num+Num1 in words;push ebp
Local Message[2]:UNICODE_STRING;mov ebp,esp
Local HardErrorPointer[3]:PVOID;sub esp,0DCh
;the first parameter
        lea edi,MessageBuffer;lea edi,[ebp-0C0h]
        mov Message.Buffer+sizeof(UNICODE_STRING)*0,edi;mov [ebp-0CCh],edi
        mov Message.MaximumLength+sizeof(UNICODE_STRING)*0,Num;mov word ptr[ebp-0CEh],22h
        mov Message._Length+sizeof(UNICODE_STRING)*0,Num-2;mov word ptr[ebp-0D0h],20h
        lea edx,Message+sizeof(UNICODE_STRING)*0;lea edx,[ebp-0D0h]
        mov HardErrorPointer+sizeof(PVOID)*0,edx;pwText;mov [ebp-0DCh],edx
        mov esi,offset MessageText
        mov ecx,Num+Num1;mov ecx,62h
        rep movsb
;the second parameter
        lea edi,MessageBuffer+Num;lea edi,[ebp-9Eh]
        mov Message.Buffer+sizeof(UNICODE_STRING)*1,edi;mov [ebp-0C4h],edi
        mov Message.MaximumLength+sizeof(UNICODE_STRING)*1,Num1;mov word ptr[ebp-0C6h],40h
        mov Message._Length+sizeof(UNICODE_STRING)*1,Num1-2;mov word ptr[ebp-0C8h],3Eh
        lea edx,Message+sizeof(UNICODE_STRING)*1;lea edx,[ebp-0C8h]
        mov HardErrorPointer+sizeof(PVOID)*1,edx;pwCaption;mov [ebp-0D8h],edx
;the third parameter
        mov HardErrorPointer+sizeof(PVOID)*2,MB_ICONASTERISK or MB_OK;uType;mov dword ptr[ebp-0D4h],40h
        lea edx,HardErrorPointer;lea     edx, [ebp-0DCh]
        push offset x;where this function write the answer selected by the user (if the type passed to the
;next parameter, involves choosing an answer by the user)
        push ebx;0 answers
        push edx;a pointer to an array of parameters
        push 3;the total number of parameters
        push 00000011b;mask bits set which correspond to the
;parameters that are of type PUNICODE_STRING, and zeros - the other parameters
        push STATUS_SERVICE_NOTIFICATION
        call _imp__NtRaiseHardError@24
;--------------------------------------------------
;change the first parameter
        lea edi,MessageBuffer
        mov Message.Buffer+sizeof(UNICODE_STRING)*0,edi
        mov Message.MaximumLength+sizeof(UNICODE_STRING)*0,Num3
        mov Message._Length+sizeof(UNICODE_STRING)*0,Num3-2
        lea edx,Message+sizeof(UNICODE_STRING)*0
        mov HardErrorPointer+sizeof(PVOID)*0,edx;pwText
        mov esi,offset MessageText2
        mov ecx,Num3
        rep movsb
        lea edx,HardErrorPointer
        mov eax,0B6h;ID NtRaiseHardError for WinXP
        push offset x
        push ebx
        push edx
        push 3
        push 00000011b
        push STATUS_SERVICE_NOTIFICATION
        push offset a1
        call dword ptr ds:[7FFE0300h];KiFastSystemCall
a1:
;--------------------------------------------------------
;change the first parameter
        lea edi,MessageBuffer
        mov Message.Buffer+sizeof(UNICODE_STRING)*0,edi
        mov Message.MaximumLength+sizeof(UNICODE_STRING)*0,Num4
        mov Message._Length+sizeof(UNICODE_STRING)*0,Num4-2
        lea edx,Message+sizeof(UNICODE_STRING)*0
        mov HardErrorPointer+sizeof(PVOID)*0,edx;pwText
        mov esi,offset MessageText3
        mov ecx,Num4
        rep movsb
        lea edx,HardErrorPointer
        mov eax,0B6h;ID NtRaiseHardError for WinXP
        push offset x
        push ebx
        push edx
        push 3
        push 00000011b
        push STATUS_SERVICE_NOTIFICATION
        push offset a2
        push offset a2
        mov edx,esp
        db 0Fh,34h;sysenter
a2:
;--------------------------------------------------
        lea edi,MessageBuffer
        mov Message.Buffer+sizeof(UNICODE_STRING)*0,edi
        mov Message.MaximumLength+sizeof(UNICODE_STRING)*0,Num2
        mov Message._Length+sizeof(UNICODE_STRING)*0,Num2-2
        lea edx,Message+sizeof(UNICODE_STRING)*0
        mov HardErrorPointer+sizeof(PVOID)*0,edx;pwText
        mov esi,offset MessageText1
        mov ecx,Num2
        rep movsb
        lea edx,HardErrorPointer
        mov eax,0B6h;ID NtRaiseHardError for WinXP
        push offset x
        push ebx
        push edx
        push 3
        push 00000011b
        push STATUS_SERVICE_NOTIFICATION
        mov edx,esp
        int 2Eh
        leave
        retn
ShowMessage endp
.data
MessageText dw 'N','t','R','a','i','s','e','H','a','r','d','E','r','r','o','r',0
Num equ $-MessageText
TitleText dw 'I','c','z','e','l','i','o','n',' ','T','u','t','o','r'
dw 'i','a','l',' ','#','2',':','M','e','s','s','a','g','e','B','o','x',0
Num1 equ $-TitleText
MessageText1 dw 'i','n','t',' ','2','E','h',0
Num2 equ $-MessageText1
MessageText2 dw 'K','i','F','a','s','t','S','y','s','t','e','m','C','a','l','l',0
Num3 equ $-MessageText2
MessageText3 dw 'S','y','s','e','n','t','e','r',0
Num4 equ $-MessageText3
x dd 0
Msg     dd Msg1,Msg2,Msg3,Msg4,Msg5,Msg6,Msg7,Msg8,Msg9
Msg1    db 'MessageBoxA',0
Msg2    dw 'M','e','s','s','a','g','e','B','o','x','W',0
Msg3    db 'MessageBoxExA',0
Msg4    dw 'M','e','s','s','a','g','e','B','o','x','E','x','W',0
Msg5    db 'MessageBoxTimeoutA',0
Msg6    dw 'M','e','s','s','a','g','e','B','o','x','T','i','m','e','o','u','t','W',0
Msg7    dw 'S','o','f','t','M','o','d','a','l','M','e','s','s','a','g','e','B','o','x',0
Msg8    db 'MessageBoxIndirectA',0
Msg9    dw 'M','e','s','s','a','g','e','B','o','x','I','n','d','i','r','e','c','t','W',0
MsgCaption db "Iczelion Tutorial #2:MessageBox",0
_OK     dw 'O','K',0
end start    
Post 18 Jul 2016, 04:24
View user's profile Send private message Visit poster's website Reply with quote
dstyl



Joined: 23 Jul 2015
Posts: 67
dstyl
Thx for your help Smile it really got me a lot of steps farther on my way to assembler language understanding. @ mike thx its really interesting ill try out as soon as i got my pedemo finished.
Post 18 Jul 2016, 09:07
View user's profile Send private message Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 809
Location: Belarus
DimonSoft
revolution wrote:
Note that using "ret" to exit the program is not guaranteed to work. It is not a documented method so it may break at any time when a new Windows update or version is released.

In fact it doesn’t work even in the versions like XP, it’s just that you have to do something interesting in your program. As an example: standard function for showing an Open Dialog creates a few threads internally and doesn’t exit them before returning to the caller. And since ret from WinMain is backed by a simple ExitThread, the process survives and doesn’t terminate.

This school-year a few of my students also mentioned that a simple MessageBox-program terminated with plain ret also stays hanging around in the process list under Win10 and, possibly, Win8.
Post 18 Jul 2016, 19:42
View user's profile Send private message Visit poster's website Reply with quote
dstyl



Joined: 23 Jul 2015
Posts: 67
dstyl
Thx for the info i will use exitprocess.
Post 19 Jul 2016, 14:34
View user's profile Send private message Reply with quote
l_inc



Joined: 23 Oct 2009
Posts: 881
l_inc
DimonSoft
Quote:
In fact it doesn’t work even in the versions like XP

However as long as the entry point is defined to be a function, it is OK to return from it. And one can safely assume that this will terminate the primary thread.
Quote:
And since ret from WinMain is backed by a simple ExitThread, the process survives and doesn’t terminate.

WinMain is not the image entry point. It's called by the C runtime, and returning the control from it to the C runtime results in the ExitProcess.

_________________
Faith is a superposition of knowledge and fallacy
Post 19 Jul 2016, 21:36
View user's profile Send private message Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 809
Location: Belarus
DimonSoft
l_inc wrote:
DimonSoft
Quote:
In fact it doesn’t work even in the versions like XP

However as long as the entry point is defined to be a function, it is OK to return from it. And one can safely assume that this will terminate the primary thread.

Yep. Which is still different from terminating a process as a newbie would expect.

l_inc wrote:

Quote:
And since ret from WinMain is backed by a simple ExitThread, the process survives and doesn’t terminate.

WinMain is not the image entry point. It's called by the C runtime, and returning the control from it to the C runtime results in the ExitProcess.

I just got used to mark the entry point with WinMain label. Sorry, this might really be somewhat confusing for other people on the forum.
Post 20 Jul 2016, 08:29
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.