flat assembler
Message board for the users of flat assembler.
revolution 21 Jan 2025, 12:41
You only have to test up to the segment limit; after that the CPU will emit a fault.
Windows only uses a few of the segment slots (less than 10 IIRC; each slot is 4 values for the lower two bits); after that the others will never resolve to anything. So you can check from 0 to 31*4, and there are no others to check.
ProMiNick 23 Jan 2025, 15:13
Code:
```asm
format PE GUI 4.0
entry start
include 'win32a.inc'

section '.data' data readable writeable
  native32 dd 0
  aMsg2    db '64bitOS',0
  aMsg1    db '32bitOS',0
  aTitle   db 'Environment',0

section '.text' code readable executable
start:
        call    stack_TestGS_SEH_Handler
TestGS_SEH_Handler:
        match ContextRecord, esp+$C { mov eax, [ContextRecord] }
        match CONTEXT.Eip, eax+$B8 { mov dword[CONTEXT.Eip], SEH_finaly }
        or      [native32],1
        xor     eax, eax                ; ExceptionContinueExecution
        ret
stack_TestGS_SEH_Handler:
        push    dword[fs:0]
        mov     dword[fs:0],esp
        ;mov eax,[gs:0]                 ; some win64 OS on AMD do not pass this test
        jmp     $23:SEH_finaly          ; all win64 OSes passed (different win10, winxp64), fail tested only in win32 XP;
                                        ; assume fail on all x32 and pass on all x64
SEH_finaly:
        pop     dword[fs:0]
        pop     eax
        mov     eax,[native32]
        lea     eax,[aMsg2+eax*8]
        invoke  MessageBox,0,eax,aTitle,0
        invoke  ExitProcess,0

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'
  import kernel,\
         ExitProcess,'ExitProcess'
  import user,\
         MessageBox,'MessageBoxA'
```

The functionality of a 32-bit process could be extended to 64-bit things (if they are present, the environment is x64) via Heaven's Gate (for example):

Code:
```asm
macro asmflow [arg] { arg }
macro X64_ENTER_CS _CS { asmflow use32, push _CS, call $+5, <add dword[esp],5>, retf }
macro X64_EXIT_CS _CS { asmflow use64, call $+5, <mov dword[rsp+4],_CS>, <add dword[rsp],13>, use32, retf }

X64_ENTER_CS $33
X64_EXIT_CS $23
```

[EDIT 24.01.2025] Not all x64 Windows versions guarantee that [gs:0] is accessible from compatibility mode, but a far jump to $23:any is related only to the WoW64 mechanism, and 32-bit Windows does not support it. So the ability to jmp $23:any, wrapped in SEH, is the fastest and smallest way to test whether we are in compatibility mode or 32-bit native.
Hrstka 28 Jan 2025, 12:12
I have modified the code to scan all segments $0000 - $FFFF in a loop. It checks whether an exception occurred and displays either 'OK' or 'ERR'. Instead of a far jump I'm using far call + retf.
In Windows 10 64-bit, there are two usable ranges:
x = $20 .. $23 (normal 32-bit code in WoW64)
x = $30 .. $33 (Heaven's Gate)

Code:
```asm
format PE console
entry start
include 'include\win32a.inc'

macro nalign value { rb (value-1) - (RVA $ + value-1) mod value }
macro calign value { times ((value-1) - (RVA $ + value-1) mod value) db 0x90 }

section '.code' code readable executable
start:
        invoke  GetStdHandle, STD_OUTPUT_HANDLE
        mov     [hStdOut], eax
        xor     eax, eax
        pushd   SEH
        pushd   [fs:eax]
        mov     [fs:eax], esp
test_start:
        mov     ecx, [counter]
        cmp     ecx, 0xFFFF
        ja      test_exit
        mov     dword [msg3], 'OK'
        mov     [dest_seg], cx
        call    far fword [dest_addr]
        calign  16
test_cont:
        push    ebx
        xor     edx, edx
        mov     ecx, [counter]
        mov     ebx, msg2-1
        mov     dh, 4
@@:
        mov     eax, ecx
        and     eax, 0xF
        mov     dl, byte [shex+eax]
        mov     byte [ebx], dl
        shr     ecx, 4
        dec     ebx
        dec     dh
        jnz     @b
        pop     ebx
        or      edx, -1
        mov     eax, msg3
@@:
        inc     edx
        cmp     byte [eax+edx], 0
        jnz     @b
        mov     word [eax+edx], 0x0A0D
        add     edx, 7
        mov     eax, [hStdOut]
        sub     esp, 4
        lea     ecx, [esp]
        invoke  WriteFile,eax,msg1,edx,ecx,0
        add     esp, 4
        inc     [counter]
        jmp     test_start
        calign  16
test_exit:
        invoke  ExitProcess,0
        calign  16
SEH:
        mov     edx, [esp+12]
        add     edx, 184
        mov     dword [msg3], 'ERR'
        mov     dword [edx], test_cont  ; overwrite eip
        xor     eax, eax
        ret     16
        calign  16
n:
        nop
        nop
        retf

section '.data' data readable writeable
  dest_addr dd n
  dest_seg  dw 0
        nalign  8
  shex      db '0123456789ABCDEF',0
        nalign  8
  counter   dd 0
  hStdOut   dd 0
  msg1      dd 0
  msg2      db ' '
  msg3:     times 32 db 0

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL'
  import kernel,\
         ExitProcess,'ExitProcess',\
         GetStdHandle,'GetStdHandle',\
         WriteFile,'WriteFile'
```
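As an added illustration (not code from this thread), here is a small Python helper that decodes selectors the way revolution describes them and condenses the "XXXX OK" / "XXXX ERR" lines written by Hrstka's scanner into the usable ranges; the scan output it runs on is constructed, not a real capture.

```python
# Added example, not code from the thread: decode 16-bit selectors the way
# revolution describes them (one descriptor slot per 4 selector values, the low
# two bits being the RPL) and condense the "XXXX OK" / "XXXX ERR" lines that
# Hrstka's scanner writes into the usable ranges he lists for Windows 10 x64.

SELECTOR_LIMIT = 32 * 4   # revolution: only the first 32 GDT slots matter


def decode_selector(sel):
    """Return (descriptor index, table indicator, RPL) for a 16-bit selector."""
    return sel >> 3, (sel >> 2) & 1, sel & 3


def usable_ranges(scan_lines):
    """Group the selectors reported OK by descriptor slot and return one
    (first, last, index) tuple per slot, e.g. (0x20, 0x23, 4)."""
    by_slot = {}
    for line in scan_lines:
        parts = line.split()
        if len(parts) != 2 or parts[1] != "OK":
            continue                      # ERR lines and junk are skipped
        sel = int(parts[0], 16)
        index, ti, _rpl = decode_selector(sel)
        by_slot.setdefault((ti, index), []).append(sel)
    return [(min(v), max(v), idx) for (ti, idx), v in sorted(by_slot.items())]


def parse_scan(text):
    """Split the scanner's CRLF-terminated output into non-empty lines."""
    return [l for l in text.replace("\r\n", "\n").split("\n") if l]


# Constructed sample in the scanner's output format (not a real capture):
# every selector below SELECTOR_LIMIT reports ERR except $20..$23 and $30..$33.
OK_SELECTORS = set(range(0x20, 0x24)) | set(range(0x30, 0x34))
SAMPLE_OUTPUT = "".join(
    "%04X %s\r\n" % (s, "OK" if s in OK_SELECTORS else "ERR")
    for s in range(SELECTOR_LIMIT)
)

if __name__ == "__main__":
    for first, last, index in usable_ranges(parse_scan(SAMPLE_OUTPUT)):
        print("$%02X .. $%02X  GDT index %d" % (first, last, index))
```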
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.