flat assembler
Message board for the users of flat assembler.

Index > High Level Languages > Define PE import table in HLL?

Author
Thread Post new topic Reply to topic
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
I want to generate import table in PE programmatically using Python or other HLL.

This is the part I don't understand:

Code:
section '.idata' import data readable writeable

        dd 0, 0, 0, RVA kernel_name, RVA kernel_table
        dd 0, 0, 0, 0, 0

kernel_table:
        ExitProcess dq rva Exit
        dq 0
kernel_name:
        db 'KERNEL32.DLL',0
Exit    dw 0
        db 'ExitProcess',0     


This is how I encapsulate it in HLL like C#:

Code:
        public struct IMAGE_IMPORT_DESCRIPTOR
        {
            public UInt32 OriginalFirstThunk;
            public UInt32 TimeDateStamp;
            public UInt32 ForwarderChain;
            public UInt32 Name;
            public UInt32 FirstThunk;
        }

        public struct IMAGE_IMPORT_BY_NAME
        {
            public UInt16 Hint;
            public char[] Name;
        }

        public struct IMAGE_THUNK_DATA
        {
            public UInt32 Function;
            public UInt32 AddressOfData; //PIMAGE_IMPORT_BY_NAME
        }    


But I am somewhat lost. Can someone enlighten me how to generate PE import table programmatically using HLL, so that I can insert or remove API function call whenever I see fit?
Post 09 Jun 2022, 09:57
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18612
Location: In your JS exploiting you and your system
revolution
What do you mean by "generate PE import table"?

Do you wan to create the text file for fasm to assemble?
Do you want to create a binary output to attach to some other binary?
Do you want to modify an existing binary file?

Did you know there are Win API calls that can be used to explore and modify PE format files?


Last edited by revolution on 09 Jun 2022, 10:51; edited 1 time in total
Post 09 Jun 2022, 10:24
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
I want to create a binary output directly from HLL.

Just an idea, users can select from GUI dialog, different combinations of icon and button, and customize the caption and message, then have the option to "Compile" or "Run" to show the message box (by generating the PE binary executable).

revolution wrote:

Did you know there are Win API calls that can be used to explore and modify PE format files?


Can you tell me what is it? Last time .NET allows reading from PE, but writing to PE was not supported (I haven't used it anyway).
Post 09 Jun 2022, 10:32
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
This one I did in the past: https://board.flatassembler.net/topic.php?t=21842
But it has import table and DOS header hardcoded.

This time I want to improve, by generating the binary output of entire PE (maybe still except DOS header) dynamically from HLL.
Post 09 Jun 2022, 10:34
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18612
Location: In your JS exploiting you and your system
revolution
You can create a text .asm file and use fasm to construct thebinary as normal. The macros will omit the unused APIs.

This what many HLLs do/did, they create a .asm file for NASM/MASM/GAS to assemble.
Post 09 Jun 2022, 10:50
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18612
Location: In your JS exploiting you and your system
revolution
Post 09 Jun 2022, 10:57
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
revolution wrote:
You can create a text .asm file and use fasm to construct thebinary as normal. The macros will omit the unused APIs.

This what many HLLs do/did, they create a .asm file for NASM/MASM/GAS to assemble.


Umm... let me think about it. I will consider this option.

revolution wrote:

Forgot to link the ImageHLP.


Thanks for it!
Post 09 Jun 2022, 11:13
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
FlierMate1 wrote:
I want to create a binary output directly from HLL.

Just an idea, users can select from GUI dialog, different combinations of icon and button, and customize the caption and message, then have the option to "Compile" or "Run" to show the message box (by generating the PE binary executable).


I end up hardcoding the PE header and import table.

Yes, I have done the PoC in Python, I use the ASM model from my Sambal compiler, which has been whitelisted by Windows Defender. It is safe (no malware detected) to generate the EXE this way.


Description: The generated EXE can be customized
Filesize: 8.35 KB
Viewed: 135 Time(s)

exemaker2.png


Description: EXE maker in Python GUI
Filesize: 40.38 KB
Viewed: 135 Time(s)

exemaker1.png


Description: The Python source code. Rename to .py extension to run
Download
Filename: exemaker.txt
Filesize: 8.97 KB
Downloaded: 7 Time(s)

Post 16 Jun 2022, 07:24
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18612
Location: In your JS exploiting you and your system
revolution
FlierMate1 wrote:
... which has been whitelisted by Windows Defender. It is safe (no malware detected) to generate the EXE this way.
Yeah, I find it a bit sad that we have to go through the process of getting approval from MS for these things.
Post 16 Jun 2022, 07:48
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 58
FlierMate1
revolution wrote:
Yeah, I find it a bit sad that we have to go through the process of getting approval from MS for these things.


So true. When I first created my EXE maker (prototype) in Pascal, the administrator of Free Pascal forum said this to me: (@marcov is also a member of this board)

marcov wrote:
Antivirus authors are lazy and reverse the burden of proof, basically denying everything unless proven otherwise.

So assume they simply block everything, and then only start adding exceptions for well known "EXE" signatures. If you think that through, you actually get pretty close to actual antivirus behaviour. It can't be coincidence Smile

So inventing a new kind of EXE signature only invites trouble.


I was discouraged by his words at first, but now I fully understand his point of view.
Post 16 Jun 2022, 08:18
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18612
Location: In your JS exploiting you and your system
revolution
It is all sold on FUD.

"If you don't have our AV just imagine all the bad things that could happen! OMG, you don't want to be without our stuff. Buy it today. Don't delay. Operators are standing by waiting for your call. Don't disappoint them."

Haha.

It misses the other side of the argument though: "Imagine all the great things that could happen if your AV didn't block all the things that don't follow your exact precise approved 'standard' ways."

Without exploration there is no innovation.
Post 16 Jun 2022, 08:41
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.