[solved] proc endp bug

Index > Macroinstructions > [solved] proc endp bug

Author

Thread

Ali.Z

Joined: 08 Jan 2018
Posts: 762

Ali.Z 14 May 2020, 04:01

what does this bug do?
- does not construct import table
- completely forget about constants (TH32CS_..... are not defined in kernel32.inc) so no checking is performed by fasm
- ignores invalid win32 apis names

how to reproduce:

Code:

  include 'win32a.inc'
  format pe gui 4.0

section '.text' code readable executable

  proc GetProcessInfo
    invoke    CreateToolhelp32Snapshot-this_is(an#appendedCRAP~135790yay2468,TH32CS_SNAPPROCESS or TH32CS_SNAPMODULE,0
    ret
  endp

section '.data' data readable writeable

  temp dd 0

section '.idata' import data readable writeable

  library kernel32,'kernel32.dll'

  include 'api\kernel32.inc'

compiles successfully, with no issues; however you wont be able to run it as it dont have the import table constructed.

as you may try to run the above code, windows will say its an invalid win32 application; so in order to validate and open it using ollydbg to really see this as an empty executable, then lets add few lines:

Code:

  include 'win32a.inc'
  format pe gui 4.0

section '.text' code readable executable

    invoke    ExitProcess,0
    ret

  proc GetProcessInfo
    invoke    CreateToolhelp32Snapshot-this_is(an#appendedCRAP~135790yay2468,TH32CS_SNAPPROCESS or TH32CS_SNAPMODULE,0
    adc       eax,ecx
    and       edx,ebx
    cmp       ebp,esp
    xor       esi,edi
    ret
  endp

section '.data' data readable writeable

  temp dd 0

section '.idata' import data readable writeable

  library kernel32,'kernel32.dll'

  include 'api\kernel32.inc'

open with ollydbg, and ... at this point we can see the complete PROC ENDP is ignored by fasm even the instructions after the invoke are ignored!

okay, how to compile successfully and run with no issues:

Code:

  include 'win32a.inc'
  format pe gui 4.0

  define TH32CS_SNAPPROCESS 2
  define TH32CS_SNAPMODULE 8

section '.text' code readable executable

  ;proc GetProcessInfo
    invoke    CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS or TH32CS_SNAPMODULE,0
    ret
  ;endp

section '.data' data readable writeable

  temp dd 0

section '.idata' import data readable writeable

  library kernel32,'kernel32.dll'

  include 'api\kernel32.inc'

you may ask ok solution was to define the missing constants, well keep them defined and uncomment the proc and endp; it will compile with no issues but it will be invalid as the import table will not be constructed, so fasm 99% ignored whatever content in proc endp pairs.

Code:

  include 'win32a.inc'
  format pe gui 4.0

  define TH32CS_SNAPPROCESS 2
  define TH32CS_SNAPMODULE 8

section '.text' code readable executable

  proc GetProcessInfo
    invoke    CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS or TH32CS_SNAPMODULE,0
    ret
  endp

section '.data' data readable writeable

  temp dd 0

section '.idata' import data readable writeable

  library kernel32,'kernel32.dll'

  include 'api\kernel32.inc'

again complete block is ignored, you can use a program called CFF Explorer to view PE header, sections .. etc.

_________________
Asm For Wise Humans

14 May 2020, 04:01

Ali.Z

Joined: 08 Jan 2018
Posts: 762

Ali.Z 14 May 2020, 04:21

off topic, i accidentally posted in macroinstructions while i meant to post it under compiler internals.

_________________
Asm For Wise Humans

14 May 2020, 04:21

Tomasz Grysztar

Joined: 16 Jun 2003
Posts: 8363
Location: Kraków, Poland

Tomasz Grysztar 14 May 2020, 04:28

No, you actually posted it in Compiler Internals, but I moved it because it concerns the behavior of "proc" macro, not internals of the assembler.

The standard "proc" macro is made in such way that it ignores the procedure definition completely unless you use this procedure somewhere. Because you do not call GetProcessInfo anywhere in your main code, nor export this procedure, fasm simply skips the definition entirely.

And the "invalid application" that you get in the original case is simply an empty section problem. Your '.text' section does not contain anything then, because the procedure is not used and therefore ignored.

Last edited by Tomasz Grysztar on 14 May 2020, 04:46; edited 1 time in total

14 May 2020, 04:28

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20486
Location: In your JS exploiting you and your system

revolution 14 May 2020, 04:44

Ali.Z: If you look into the proc macro there is a line similar to this:

Code:

if used GetProcessInfo
  ;...
end if

So if it isn't used then it doesn't get assembled.

14 May 2020, 04:44

Ali.Z

Joined: 08 Jan 2018
Posts: 762

Ali.Z 14 May 2020, 04:53

oh now it makes sense, as i was writing the function i hit CTRL-F9 to compile just to verify i have no error .. and after debugging some other code that is close to this PROC i noticed that CreateToolHelp32 was not there.

i think its a good feature although i wasted so much time trying to figure out why fasm it dont include this function, thank you so much both of you.

_________________
Asm For Wise Humans

14 May 2020, 04:53

AsmGuru62

Joined: 28 Jan 2004
Posts: 1678
Location: Toronto, Canada

AsmGuru62 14 May 2020, 17:47

Actually, that ability of proc/endp is excellent. If you have a large file with a lot of functions and just use a couple - only these functions are included into EXE.

14 May 2020, 17:47

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum