flat assembler message board
Index > Windows > absolute jmp to X:any (allowed X in Windows)

ProMiNick, 21 Jan 2025, 12:25
This is a demonstration of looped compilation, parametrized via the command prompt, with checking of the results produced by the compiled executables.
Test which segment value can be passed into an absolute far jump in 32-bit mode in a Windows environment:
jmp X:any
for X=$20..$23: success in 32-bit mode (at least in WoW64)
for X=$6E4C..$6E5A: "Отказано в доступе." printed to the parent terminal process
for X=$6EB8..$6EDA: "Отказано в доступе." printed to the parent terminal process
for X=$6F13..$6F1A: "Отказано в доступе." printed to the parent terminal process
for X=$6F22..$6F43: "Отказано в доступе." printed to the parent terminal process
for X=$6F58..$6F78: "Отказано в доступе." printed to the parent terminal process
for X=$6F7C..$6FB7: "Отказано в доступе." printed to the parent terminal process
Tested on Win10x64 with X=0..$8000.
test.asm
Code:
format PE
jmp sgmnt:n
n: xor     eax,eax
ret    
Placed together with fasm.exe in the same directory; this directory was set as the current directory in Command Prompt and then this script was started:
Code:
FOR /L %f IN (-1,1,65536) DO (start /wait fasm -d sgmnt=%f test.asm & test.exe&&echo %f)    
I got bored of testing after %f=32768 ($8000).
If someone else wishes to test the found ranges, you're welcome (at least on 32-bit Windows or on Windows versions other than Win10x64). Or test the range from $8000 to $FFFF?
[Attachment: scan for valid.png]
revolution, 21 Jan 2025, 12:41
You only have to test up to the segment limit; after that the CPU will emit a fault.

Windows only uses a few of the segment slots (less than 10 IIRC (each slot is 4 values for the lower two bits)), after that the others will never resolve to anything. So you can check from 0 to 31*4, and there are no others to check.
ProMiNick, 23 Jan 2025, 15:13
Code:
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable
        native32 dd 0
        aMsg2    db '64bitOS',0
        aMsg1    db '32bitOS',0
        aTitle  db 'Environment',0

section '.text' code readable executable

  start:
        call    stack_TestGS_SEH_Handler
  TestGS_SEH_Handler:
  match ContextRecord, esp+$C {
        mov     eax, [ContextRecord] }
  match CONTEXT.Eip, eax+$B8 {
        mov     dword[CONTEXT.Eip], SEH_finaly }
        or     [native32],1
        xor     eax, eax ;ExceptionContinueExecution
        ret
  stack_TestGS_SEH_Handler:
        push    dword[fs:0]
        mov     dword[fs:0],esp
        ;mov     eax,[gs:0] some win64 OS on AMD not pass this test
        jmp     $23:SEH_finaly ; all win64 OSes passed(different win10,winxp64), fail tested only in win32 XP. assume fail on all x32 and pass on all x64
  SEH_finaly:
        pop     dword[fs:0]
        pop     eax
        mov     eax,[native32]
        lea     eax,[aMsg2+eax*8]
        invoke  MessageBox,0,eax,aTitle,0
        invoke  ExitProcess,0

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel,\
         ExitProcess,'ExitProcess'

  import user,\
         MessageBox,'MessageBoxA'      

The functionality of a 32-bit process could be extended to 64-bit things (if they are present, the environment is x64) via Heaven's Gate (for example):
Code:
macro asmflow [arg] {arg}
macro X64_ENTER_CS _CS { asmflow use32,push _CS, call $+5,<add dword[esp],5>,retf }
macro X64_EXIT_CS _CS { asmflow use64,call $+5,<mov dword[rsp+4],_CS>,<add dword[rsp],13>,use32,retf }
X64_ENTER_CS $33
X64_EXIT_CS $23    
Limitation of asmflow: no preprocessor-syntax-related stuff (such as {, }, common, forward, reverse); only asm commands or asm-like commands are allowed to be sequenced.
[EDIT 24.01.2025] Not all x64 Windows versions guarantee that [gs:0] is accessible from compatibility mode, but a far jump to $23:any is related only to the WoW64 mechanism, and 32-bit Windows does not support it. So the ability to jmp $23:any, wrapped in SEH, is the fastest & smallest way to test whether we are in compatibility mode or 32-bit native.
Hrstka, 28 Jan 2025, 12:12
I have modified the code to scan all segments $0000 - $FFFF in a loop. It checks whether an exception occurred and displays either 'OK' or 'ERR'. Instead of a far jump I'm using far call + retf.

In Windows 10 64-bit, there are two usable ranges:
x = $20 .. $23 (normal 32-bit code in WoW64)
x = $30 .. $33 (Heavensgate)
Code:
format PE console
entry start

include 'include\win32a.inc'

macro nalign value
{
  rb (value-1) - (RVA $ + value-1) mod value
}

macro calign value
{
  times ((value-1) - (RVA $ + value-1) mod value) db 0x90
}


section '.code' code readable executable

  start:
        invoke  GetStdHandle, STD_OUTPUT_HANDLE
        mov     [hStdOut], eax

        xor     eax, eax
        pushd   SEH
        pushd   [fs:eax]
        mov     [fs:eax], esp

  test_start:
        mov     ecx, [counter]
        cmp     ecx, 0xFFFF
        ja      test_exit

        mov     dword [msg3], 'OK'
        mov     [dest_seg], cx
        call    far fword [dest_addr]


  calign 16
  test_cont:
        push    ebx
        xor     edx, edx
        mov     ecx, [counter]
        mov     ebx, msg2-1
        mov     dh, 4
       @@:
        mov     eax, ecx
        and     eax, 0xF
        mov     dl, byte [shex+eax]
        mov     byte [ebx], dl
        shr     ecx, 4
        dec     ebx
        dec     dh
        jnz     @b

        pop     ebx
        or      edx, -1
        mov     eax, msg3
      @@:
        inc     edx     
        cmp     byte [eax+edx], 0
        jnz     @b

        mov     word [eax+edx], 0x0A0D
        add     edx, 7
        mov     eax, [hStdOut]
        sub     esp, 4
        lea     ecx, [esp]
        invoke  WriteFile,eax,msg1,edx,ecx,0
        add     esp, 4

        inc     [counter]
        jmp     test_start

  calign 16
  test_exit:
        invoke  ExitProcess,0

  calign 16
  SEH:
        mov     edx, [esp+12]
        add     edx, 184
        mov     dword [msg3], 'ERR'
        mov     dword [edx], test_cont          ; overwrite eip
        xor     eax, eax
        ret     16

  calign 16
  n:
        nop
        nop
        retf


section '.data' data readable writeable

  dest_addr dd n
  dest_seg  dw 0

  nalign 8
  shex      db '0123456789ABCDEF',0

  nalign 8
  counter   dd 0
  hStdOut   dd 0
  msg1      dd 0
  msg2      db ' '
  msg3:     times 32 db 0

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL'

  import kernel,\
         ExitProcess,'ExitProcess',\
         GetStdHandle,'GetStdHandle',\
         WriteFile,'WriteFile'
    
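As an added example (not code from any of the posts), a small Python summariser for the scanner output above: it groups the selectors whose far call completed into ranges and decodes each selector into GDT index, table indicator and RPL, which shows why a usable slot always shows up as four consecutive values (they differ only in the two RPL bits). The line format it parses, four hex digits, a space and OK/ERR, is how I read the WriteFile buffer in Hrstka's program; the sample lines are constructed, not captured output.

```python
"""Summarise a WoW64 selector scan ("XXXX OK" / "XXXX ERR" lines) into ranges.

Added example, not code from the thread.  Assumes the scanner's output
format as read from Hrstka's program: 4 hex digits, space, OK or ERR.
"""
import re

LINE_RE = re.compile(r"^([0-9A-Fa-f]{4}) (OK|ERR)\s*$")


def decode_selector(sel: int) -> dict:
    """Split a 16-bit x86 segment selector into its architectural fields."""
    return {
        "index": sel >> 3,      # descriptor index (bits 15..3)
        "ti": (sel >> 2) & 1,   # table indicator: 0 = GDT, 1 = LDT
        "rpl": sel & 3,         # requested privilege level (bits 1..0)
    }


def parse_scan(text: str) -> list:
    """Return [(selector, succeeded), ...]; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((int(m.group(1), 16), m.group(2) == "OK"))
    return results


def ok_ranges(results: list) -> list:
    """Collapse consecutive succeeding selectors into inclusive (lo, hi) ranges."""
    ranges = []
    for sel, ok in sorted(results):
        if not ok:
            continue
        if ranges and ranges[-1][1] == sel - 1:
            ranges[-1] = (ranges[-1][0], sel)   # extend the current run
        else:
            ranges.append((sel, sel))           # start a new run
    return ranges


# Constructed sample resembling a Win10 x64 WoW64 run (not real captured output).
SAMPLE = ("001F ERR\r\n0020 OK\r\n0021 OK\r\n0022 OK\r\n0023 OK\r\n0024 ERR\r\n"
          "0030 OK\r\n0031 OK\r\n0032 OK\r\n0033 OK\r\n0034 ERR\r\n")

if __name__ == "__main__":
    for lo, hi in ok_ranges(parse_scan(SAMPLE)):
        d = decode_selector(lo)
        print(f"${lo:04X}..${hi:04X}: GDT index {d['index']}, TI={d['ti']}, "
              f"RPL {d['rpl']}..{decode_selector(hi)['rpl']}")
```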
Copyright © 1999-2025, Tomasz Grysztar.