
Index > Windows > Working executable with no imports

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17718
Location: In your JS exploiting you and your system
revolution
As an experiment I have created a binary file that has an empty import section. Check it with a PE viewer for yourself. However it will not run on all versions of Windows. I tested it in Win2K (it doesn't run) and WinXP (it does run). If you have Win95, Win98 or WinME perhaps you would like to try it and post your results here.

It very simply displays a text message to say it is running and then terminates after an 8 second sleep. Nothing special, just some basic test code.
Post 25 Jul 2005, 09:36
decard



Joined: 11 Sep 2003
Posts: 1092
Location: Poland
decard
Under from TotalCommander shows just "0 imported functions" Wink
So how do you call API functions? Can you provide the source?
Post 25 Jul 2005, 10:13
Spidark



Joined: 11 May 2005
Posts: 39
Spidark
revolution wrote:
As an experiment I have created a binary file that has an empty import section. Check it with a PE viewer for yourself. However it will not run on all versions of Windows. I tested it in Win2K (it doesn't run) and WinXP (it does run). If you have Win95, Win98 or WinME perhaps you would like to try it and post your results here.

It very simply displays a text message to say it is running and then terminates after an 8 second sleep. Nothing special, just some basic test code.


Errrrrrr what the ^%%$
I tried to run the program on WinXP SP2 and it got intercepted by my virus scanner.
Virus scanner wrote:
A Virus has been Detected and cleaned
the file TestNoImports.zip was infected by the W32/NGVCK.dr.gen virus.
We found no records matching the following criteria:
Virus name containing "W32/NGVCK.dr.gen".


Hmm, now that's very interesting ...... Rolling Eyes
Post 25 Jul 2005, 12:06
Vasilev Vjacheslav



Joined: 11 Aug 2004
Posts: 392
Vasilev Vjacheslav
your virus scanner isn't smart Smile

Quote:
So how do you call API functions?


there is only one way to call API functions without imports: find kernel32 in memory, find the address of GetProcAddress in its IAT, and then call what you want
Post 25 Jul 2005, 12:41
Vasilev Vjacheslav



Joined: 11 Aug 2004
Posts: 392
Vasilev Vjacheslav
i've already done something similar (old fasm syntax)

Code:
; 32-bit PE (GUI subsystem) with no import directory: the '.idata'
; section at the end of this listing is commented out, so the loader
; sees nothing to import. API addresses are instead resolved at run
; time by _findkernel / _getprocaddr below.
format pe gui 4.0
entry start

include '%fasminc%\win32a.inc'
include '%fasminc%\macros.inc'
include 'imagehdr.inc'                  ; presumably the IMAGE_* structure layouts used by _getprocaddr

MAX_PATH                        = 260   ; not referenced anywhere in this listing

; Export-name hashes looked up by _getprocaddr: each one is compared
; against _crc32 over an export's name. Presumably CRC-32 of
; "GetProcAddress", "ExitProcess" and the ANSI GetModuleHandle
; (it is called with an ANSI string in start) -- verify by recomputing.
cGetProcAddress                 = 0C97C1FFFh
cExitProcess                    = 0251097CCh
cGetModuleHandle                = 0B1866570h

section '.data' data readable

  szNTDLL               db "ntdll",0   ; module name passed to the resolved GetModuleHandle

section '.udata' readable writeable

  hKernelBase           dd ?           ; kernel32 image base returned by _findkernel
  hNTDLLBase            dd ?           ; written by start, never read in this listing
  hGetProcAddress       dd ?           ; unused; the commented-out code in start spells it hGetProcAddr
section '.code' code readable executable

  ; Entry point. Locates kernel32 without an import table, resolves
  ; GetModuleHandle and ExitProcess by name hash, and exits.
  ; Every failure branch goes to the anonymous label @@ and simply
  ; returns to whoever called the entry point, with eax left as it is
  ; (no ExitProcess on that path).
  ; NOTE(review): _findkernel's first instruction reads fs:[eax+30h],
  ; so this depends on eax being 0 at process entry -- nothing here
  ; zeroes it first; confirm on the Windows versions targeted.
  start:
        call    _findkernel             ; eax = kernel32 base, or 0
        or      eax,eax
        jz      @F
        mov     [hKernelBase],eax

        ;stdcall _getprocaddr,[hKernelBase],cGetProcAddress
        ;jc      @F
        ;mov     [hGetProcAddr],eax     ; (dead code; the variable declared above is hGetProcAddress)
        ;jc      @F
        stdcall _getprocaddr,[hKernelBase],cGetModuleHandle
        jc      @F                      ; CF set = no export matched the hash

        stdcall eax,szNTDLL             ; presumably GetModuleHandleA("ntdll")
        or      eax,eax
        jz      @F

        mov     [hNTDLLBase],eax        ; stored, but nothing reads it afterwards

        stdcall _getprocaddr,[hKernelBase],cExitProcess
        jc      @F
        stdcall eax,NULL                ; presumably ExitProcess(0); does not return
  @@:
        retn

  ;-----------------------------------------------------------------------
  ; _findkernel
  ; Out:   eax = candidate kernel32 image base, or 0 if the candidate
  ;        does not start with an "MZ" signature
  ; Clobb: esi (lodsd), flags
  ; Reads fs:[eax+30h], i.e. the TEB's PEB pointer only when eax == 0
  ; on entry -- see the note at start. lodsd also needs DF clear, and
  ; nothing in this listing executes cld.
  ; NOTE(review): no 'enter' is used here; whether 'return' still
  ; expands to a plain ret in this macros.inc version should be confirmed.
  ;-----------------------------------------------------------------------
  proc  _findkernel
        mov     eax,[fs:eax+030h]       ; eax = PEB (assuming eax == 0)
        test    eax,eax
        js      .win9x                  ; sign bit set: treated as a Win9x-style kernel-space pointer

        mov     eax,[eax+0Ch]           ; PEB.Ldr (32-bit layout)
        mov     esi,[eax+01Ch]          ; Ldr+1Ch: head of the initialization-order module list -> first entry
        lodsd                           ; eax = first entry's Flink, i.e. the second module in that list
        mov     eax,[eax+08h]           ; that entry's DllBase, relative to its list links
        jmp     .found
        ; The walk above hard-codes "kernel32 is the second module in
        ; initialization order". That held on the versions discussed in
        ; this thread but is not a documented contract, and the .found
        ; check below only verifies an "MZ" header, not which module it is.

  .win9x:
        mov     eax,[eax+034h]          ; undocumented Win9x structure walk; offsets not verifiable from here
        lea     eax,[eax+07Ch]
        mov     eax,[eax+03Ch]

  .found:
        cmp     word [eax],"MZ"         ; sanity check: return 0 unless it looks like an image base
        jz      @F
        xor     eax,eax
  @@:
        return
  endp

  ;-----------------------------------------------------------------------
  ; _getprocaddr(lpKernel, lpCRC)
  ; Walks the export name table of the image at lpKernel and returns in
  ; eax the address of the first export whose name hashes (via _crc32)
  ; to lpCRC. CF clear on success; CF set (eax undefined) when no name
  ; matches.
  ; Clobb: ecx, edx, esi, edi, flags
  ; Assumes lpKernel is a valid PE image with an export directory; no
  ; header, RVA or size is validated before being dereferenced, and the
  ; name loop runs at least once even when NumberOfNames is 0.
  ; lodsd below needs DF clear (no cld in this listing).
  ;-----------------------------------------------------------------------
  proc  _getprocaddr, lpKernel,lpCRC
        .hDirAddr               dd ?    ; IMAGE_EXPORT_DIRECTORY, as a VA
        .hAddrOfNames           dd ?    ; name RVA table, as a VA
        .hAddrOfOrdinals        dd ?    ; name-ordinal table, as a VA -- computed but never read below
        .hAddrOfFunctions       dd ?    ; function RVA table, as a VA
        .iNumberOfNames         dd ?
        .iBase                  dd ?    ; ordinal base -- computed but never read below

        enter
        mov     eax,[lpKernel]
        mov     edi,[eax+IMAGE_DOS_HEADER.e_lfanew]

        ; DataDirectory[0] is the export table; RVA -> VA
        mov     ecx,dword [eax+edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory]
        add     ecx,eax
        mov     [.hDirAddr],ecx

        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
        add     esi,eax
        mov     [.hAddrOfNames],esi

        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
        add     esi,eax
        mov     [.hAddrOfOrdinals],esi

        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
        add     esi,eax
        mov     [.hAddrOfFunctions],esi

        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
        mov     [.iNumberOfNames],esi

        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.nBase]
        mov     [.iBase],esi

        xor     edi,edi                 ; edi = index into the name table
        mov     edx,[.iNumberOfNames]   ; edx = number of names (compared against edi after each one)
        mov     esi,[.hAddrOfNames]

  @@:
        lodsd                           ; eax = RVA of the next name
        xchg    eax,ecx
        add     ecx,[lpKernel]          ; ecx = name VA
        stdcall _strlen,ecx             ; eax = length; _strlen preserves ecx
        stdcall _crc32,eax,ecx          ; _crc32(_size = eax, _data = ecx)
        cmp     [lpCRC],eax
        jz      .found
        inc     edi
        cmp     edx,edi
        jnz     @B

        stc                             ; no export matched
        jmp     .out

  .found:
        mov     edx,[esi-4]             ; RVA of the matching name; not used afterwards
        ; NOTE(review): the function table is indexed with the name index
        ; (edi). In the PE format the slot for name i is
        ; AddressOfNameOrdinals[i], which this routine stored in
        ; .hAddrOfOrdinals but never consults; the two coincide only for
        ; exports whose name index equals their ordinal offset. The other
        ; listing in this thread goes through the ordinal table.
        imul    edi,edi,4
        add     edi,[.hAddrOfFunctions]
        mov     eax,[edi]
        add     eax,[lpKernel]          ; RVA -> VA
        clc
  .out:
        return
  endp

  ;-----------------------------------------------------------------------
  ; _crc32(_size, _data)
  ; Bitwise (table-less) reflected CRC-32, polynomial 0EDB88320h,
  ; initial value 0FFFFFFFFh, final complement.
  ; In:    _size = byte count, _data = buffer
  ; Out:   eax = CRC-32 of the buffer
  ; Preserves every other register (pushad/popad); flags clobbered.
  ; The byte loop is do-while: a _size of 0 wraps and walks memory.
  ;-----------------------------------------------------------------------
  proc  _crc32, _size,_data
        .hcrc   dd ?

        enter
        pushad
        mov     esi,[_data]             ; esi = next byte to fold in
        mov     ecx,[_size]             ; ecx = bytes remaining
        or      edx,-1                  ; edx = running crc, starts at 0FFFFFFFFh
  .byte_loop:
        movzx   ebx,byte [esi]
        inc     esi
        xor     bl,dl                   ; ebx = (crc ^ byte) and 0FFh
        mov     edi,8                   ; one shift/xor step per bit
  .bit_loop:
        shr     ebx,1                   ; CF = bit shifted out
        jnc     .no_poly
        xor     ebx,0EDB88320h          ; reflected CRC-32 polynomial
  .no_poly:
        dec     edi
        jnz     .bit_loop
        shr     edx,8
        xor     edx,ebx                 ; crc = (crc shr 8) xor table_entry
        dec     ecx
        jnz     .byte_loop
        not     edx                     ; final complement
        mov     [.hcrc],edx
        popad                           ; restores everything except the result
        mov     eax,[.hcrc]
        return
  endp

  ;-----------------------------------------------------------------------
  ; _strlen(lpString)
  ; In:    lpString = NUL-terminated string
  ; Out:   eax = number of bytes before the terminating NULL
  ; Preserves every other register (pushad/popad); flags clobbered.
  ; Plain byte-at-a-time scan; stops at the first NULL byte.
  ;-----------------------------------------------------------------------
  proc  _strlen, lpString
        .ilen    dd ?

        enter
        pushad
        mov     edx,[lpString]          ; edx = start of string
        mov     ecx,edx                 ; ecx = scan cursor
  .scan:
        cmp     byte [ecx],NULL
        jz      .done
        inc     ecx
        jmp     .scan
  .done:
        sub     ecx,edx                 ; length = cursor - start
        mov     [.ilen],ecx
        popad
        mov     eax,[.ilen]
        return
  endp

;section '.idata' import data readable writeable
;
;  library       kernel32,'kernel32.dll',\
;                user32,'user32.dll',\
;                shell32,'shell32.dll',\
;                advapi32,'advapi32.dll'
;
;  include       '%fasminc%\apia\kernel32.inc'
;  include       '%fasminc%\apia\user32.inc'
;  include       '%fasminc%\apia\shell32.inc'
;  include       '%fasminc%\apia\advapi32.inc'
;
; eof
    

_________________
[not enough memory]
Post 25 Jul 2005, 12:44
Spidark



Joined: 11 May 2005
Posts: 39
Spidark
Vasilev Vjacheslav wrote:
your virus scanner isn't smart Smile

Quote:
So how do you call API functions?


there is only one way to call API functions without imports: find kernel32 in memory, find the address of GetProcAddress in its IAT, and then call what you want


Wink You're right, I have a stupid virus scanner Laughing Laughing
But I was more interested in the code, and the how etc etc Wink thanks for the example Wink
Post 25 Jul 2005, 12:55
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17718
Location: In your JS exploiting you and your system
revolution
Hey guys, I promise you there is no virus in the attachment. Besides, there is not enough code in there to do anything more than print a message.

Vasilev Vjacheslav: I like the idea of searching for the CRC. My code is much more basic and searches directly for the text. Does your code run on Win2K? I cannot assemble because I don't have all your includes.

My Win2K system rejects all executables with a blank import table because of a bug in NTDLL.DLL. It tries to call a Kernel32.DLL function when Kernel32.DLL is not even loaded!

Spidark: Interesting that the virus scanner detects some non-existent virus. What scanner program do you use?

Sorry that I didn't post the code but I had quickly put it together and it had many unnecessary bits that are remnants of things I was trying. Anyhow, I am now trying to get an all-windows-compatible version going and promise I will post the source later if I can get it working.

However I actually have no practical purpose for this, just experimenting and trying to learn more about windows internals. Indeed if virus scanners are going to trigger then making any sort of wide release software is not going to be successful if people think it is a virus.
Post 25 Jul 2005, 13:54
Vasilev Vjacheslav



Joined: 11 Aug 2004
Posts: 392
Vasilev Vjacheslav
Quote:
I like the idea of searching for the CRC. My code is much more basic and searches directly for the text. Does your code run on Win2K? I cannot assemble because I don't have all your includes.


nope, it also doesn't run in Win2K because of the bug, but if the import table contains only one record from kernel32 it works fine

ps. later i post full source
Post 25 Jul 2005, 15:07
Spidark



Joined: 11 May 2005
Posts: 39
Spidark
revolution wrote:
Hey guys, I promise you there is no virus in the attachement. Besides, there is not enough code in there to do anything more than print a message.
Spidark: Interesting that the virus scanner detects some non-existant virus. What scanner program do you use?

Well Embarassed I'm feeling kinda stupid reporting to you what my virus scanner reported to me; it looks like I'm trying to make you look bad, but that wasn't my intention.
I like an experiment myself IF YOU KNOW WHAT I MEAN. Laughing
I didn't even get to the point where i could run the program it was deleted before i could say dammm.
I just reported what my scanner did with it, as a warning that heavyweight Mc afee sees this file as a virus.
It would be very odd to spread a virus this way I know, and I also know that virus scanners like Bitdefender and McAfee (which I use) do tend to be a little bit nervous.
Again it wasn't my intention to make anybody nervous about the file
Embarassed MY BAD.
Post 25 Jul 2005, 18:07
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Quote:

My Win2K system rejects all executables with a blank import table because of a bug in NTDLL.DLL. It tries to call a Kernel32.DLL function when Kernel32.DLL is not even loaded!

Dunno if you can classify it as a bug, it's simply the way the loader works. I'd say it's more buggy that no-imports actually work on other versions, by having kernel32.dll forced into your address space even if you don't use it Smile

Quote:

Spidark: Interesting that the virus scanner detects some non-existant virus. What scanner program do you use?

Either it does heuristic scanning, or a simple wildcard pattern match. These no-import executables tend to look alike. I'd say it's a good call for the virus scanner to be suspicious, since you rarely ever see valid executable that are built this way.

Anyway, forget about McAfee. BitDefender is okayish (even if unstable on win9x), the real deal is kaspersky and f-prot. And of course a trusty hex editor and disassembler.
Post 25 Jul 2005, 22:55
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Quote:
Either it does heuristic scanning, or a simple wildcard pattern match. These no-import executables tend to look alike. I'd say it's a good call for the virus scanner to be suspicious, since you rarely ever see valid executable that are built this way.
Anyway, forget about McAfee. BitDefender is okayish (even if unstable on win9x), the real deal is kaspersky and f-prot. And of course a trusty hex editor and disassembler.

or learn about reversing and install some good on-run debugger as an option while booting (I mean soft-ice Smile ). Then you can make yourself sure you understand the things going on in your computer.... at least it worked great in DOS. And don't forget to install some S-ICE protector.
Post 25 Jul 2005, 23:31
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
A good AV product helps you avoid the everyday traps... I personally prefer hexeditor + disassembler to debugger, "dead" (but interactive) analysis is much safer Smile
Post 25 Jul 2005, 23:47
Spidark



Joined: 11 May 2005
Posts: 39
Spidark
f0dder wrote:

Either it does heuristic scanning, or a simple wildcard pattern match. These no-import executables tend to look alike. I'd say it's a good call for the virus scanner to be suspicious, since you rarely ever see valid executable that are built this way.
Anyway, forget about McAfee. BitDefender is okayish (even if unstable on win9x), the real deal is kaspersky and f-prot. And of course a trusty hex editor and disassembler.

Yes, it does heuristic scanning.
I really like McAfee's firewall, I get lots of info from this firewall, but I'm gonna check out Kaspersky.


vid wrote:

or learn about reversing and isntall som good on-run debugger as option while booting (i mean soft-ice Smile ). Then you can make yourself sure if you understand things going on in your computer.... at least it worked great in DOS. And don't forget to install some S-ICE protector.

I do have a copy of the latest SoftICE, but I hear that it's a course in itself to learn how to work with the great ice; it's kinda slow on the tuts when I google it out.
There's not much ice tuts for windowsXP out there , or maybe i'm not looking in the right places Laughing
Post 26 Jul 2005, 00:09
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17718
Location: In your JS exploiting you and your system
revolution
Quote:
Dunno if you can classify it as a bug, it's simply the way the loader works. I'd say it's more buggy that no-imports actually work on other versions, by having kernel32.dll forced into your address space even if you don't use it

Definitely a bug, NTDLL.DLL jumps to an unmapped piece of memory where it expects to have Kernel32.DLL present. If it needs it there it should load it there and not rely on the app to put it in its import section. WinXP does the right thing by loading up Kernel32.DLL before jumping. Win95, 98 and ME don't have NTDLL.DLL so Kernel32.DLL is always there anyway.
Post 26 Jul 2005, 02:35
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17718
Location: In your JS exploiting you and your system
revolution
Quote:
Again it wasn't my intension to make anybody nervuos about the file
I completely understand, no harm done.

But just to be sure here is (almost) the source I was using. This is not the same source to generate the above attachment because since that was made I have edited and cut a few unnecessary things to a kind of bare bones file. Still doesn't work in Win2K of course. Hope this can clear any worries some might still have.
Code:
; 32-bit console PE at a fixed image base. Its import directory holds
; one empty descriptor (see the data section below); kernel32 is located
; and its exports resolved by hand in _start.
format PE console at 0400000h
; NOTE(review): nothing in this listing writes into '.text' -- the
; resolved addresses go to _import_data in '.data' -- so 'writeable' on
; the code section appears unnecessary. A writable+executable section
; may also be one more reason for heuristic scanners to flag the file.
section '.text' code readable writeable executable
entry _start

STD_OUTPUT_HANDLE=-11                   ; passed to GetStdHandle in _start

; import proc,string [, proc,string ...]
; Records the names to resolve at run time and defines two helper
; macros for later use in the data section:
;   ImportsA  emits each name as a NUL-terminated string, followed by
;             one extra 0 byte marking the end of the list
;   ImportsB  emits one 'proc dd ?' slot per name, in the same order,
;             so the n-th slot receives the n-th name's address
macro import [proc,string]
{       common
    macro ImportsA \{
        forward
        db string,0
        common
        db 0
    \}
    macro ImportsB \{
        forward
        proc dd ?
        common
    \}
}

; Names resolved from kernel32 by _start; ImportsA/ImportsB in the data
; section lay them out so that name i pairs with address slot i.
import  ExitProcess,'ExitProcess',\
        GetStdHandle,'GetStdHandle',\
        Sleep,'Sleep',\
        WriteFile,'WriteFile'

; invoke proc [,arg ...]
; stdcall through a function-pointer variable: pushes the arguments
; right to left (none if the list is empty), then 'call [proc]', where
; proc labels a dword holding the target address (filled in by _start).
macro invoke proc,[arg]
 { common
   if ~ arg eq
     reverse
       push arg
     common
   end if
   call [proc]
}

;-----------------------------------------------------------------------
; _start: entry point.
; 1. Scan backwards from the return address on the stack, one 64 KiB
;    boundary at a time, until an "MZ"/"PE" header is found -- taken to
;    be kernel32 (the author's assumption, stated in the comment below).
; 2. Walk that image's export directory for the name "GetProcAddress".
; 3. Resolve the names listed by the import macro into _import_data,
;    then run the actual program.
; Failure ends at .cannot_load, which returns -1 to whoever called the
; entry point instead of calling ExitProcess.
; Registers: ebx = kernel32 base, ecx = export directory (VA),
; edx = names remaining, edi = name-RVA cursor, esi = ordinal cursor.
; NOTE(review): the scan in .a has no lower bound; if the return address
; is not inside kernel32, or a 64 KiB step lands on an unmapped page,
; this faults rather than failing cleanly.
;-----------------------------------------------------------------------
_start:
;get the return address (in KERNEL32.DLL)
        mov     ebx,[esp]
;find the start of the module
.a:     sub     ebx,1
        xor     bx,bx                   ; round down to the previous 64 KiB boundary
        cmp     word[ebx],'MZ'
        jnz     .a
        mov     eax,[ebx+03ch]          ; e_lfanew
        cmp     dword[ebx+eax],'PE'     ; 'PE' widens to "PE",0,0 as a dword
        jnz     .a
;ebx=handle for kernel32.dll
;eax=PE header offset
;search for GetProcAddress
        mov     ecx,[ebx+eax+078h]      ;get the export table offset (DataDirectory[0].VirtualAddress)
        add     ecx,ebx
        mov     edx,[ecx+6*4]   ;count of exported names (NumberOfNames, offset 18h)
        mov     edi,[ecx+8*4]   ;offset of address of function names (AddressOfNames)
        mov     esi,[ecx+9*4]   ;offset of ordinals (AddressOfNameOrdinals)
        add     esi,ebx
        add     edi,ebx
.h:     mov     eax,[edi]
        add     eax,ebx                 ; eax = current name (VA)
        cmp     dword[eax],'GetP'       ; cheap first-dword filter; the full compare is at .i
        jz      .i
.j:     add     esi,2                   ; ordinals are 16-bit, name RVAs 32-bit
        add     edi,4
        sub     edx,1
        jnz     .h
.cannot_load:
        or      eax,-1
        ret             ;fatal: die (also reached when GetProcAddress returns 0 below)
.i:     cmp     dword[eax+4],'rocA'
        jnz     .j
        cmp     dword[eax+8],'ddre'
        jnz     .j
        cmp     word[eax+12],'ss'
        jnz     .j
        test    byte[eax+14],-1         ; must be the terminator: rejects longer names sharing this prefix
        jnz     .j
        movzx   eax,word[esi]           ; ordinal index matching this name
        mov     esi,[ecx+7*4]   ;offset of address of function offsets (AddressOfFunctions)
        add     esi,ebx
        mov     eax,[esi+eax*4]
        add     eax,ebx                 ; eax = GetProcAddress (VA)
        mov     [GetProcAddress],eax
;get our imported functions from KERNEL32.DLL
        mov     esi,_import_data        ; esi = next address slot (ImportsB, in '.data')
        mov     edi,_import_names       ; edi = next name (ImportsA, in '.data')
        cld                             ; repne scasb below scans forward
.e:     invoke  GetProcAddress,ebx,edi  ; ebx/esi/edi survive the stdcall; ecx is reset below
        test    eax,eax
        jz      .cannot_load
        mov     [esi],eax
        add     esi,4
        or      ecx,-1
        xor     eax,eax
        repne   scasb                   ; advance edi past this name's NUL
        test    byte[edi],-1            ; the extra 0 emitted by ImportsA ends the list
        jnz     .e
;now our normal code from here on
        invoke  GetStdHandle,STD_OUTPUT_HANDLE
        invoke  WriteFile,eax,intro,intro_length,dummy,0
        invoke  Sleep,8000
        invoke  ExitProcess,0

section '.data' data readable writeable

intro:  db      'This file has no imports, but has successfully run on your system.',13,10,\
                'Check the import section with your favourite PE decoder software',13,10,\
                'This program does not run on Win2K',13,10,\
                'This was written as an experiment just for proof of concept.'
intro_length=$-intro

times ((-(RVA $)) and 3) db 0           ; pad to a 4-byte boundary

; virtual: these labels occupy no space; they alias whatever is emitted
; next, i.e. the first two dwords of the empty import descriptor below.
; _start stores GetProcAddress there and WriteFile writes through dummy.
virtual
  GetProcAddress        dd      ?       ; filled in by _start
  dummy                 dd      ?       ; lpNumberOfBytesWritten for WriteFile
end virtual

; One all-zero import descriptor (5 dwords = one IMAGE_IMPORT_DESCRIPTOR):
; the PE has an import directory entry but it lists no modules. Because
; of the virtual block above, its first two dwords double as scratch
; storage at run time.
data import
  dd    5 dup 0
end data

_import_names:  ImportsA                ; NUL-terminated names, then an extra 0

times ((-(RVA $)) and 3) db 0

_import_data:   ImportsB                ; one dword per name, filled by _start

; Empty relocation directory. The image base is fixed by 'format' and
; nothing here is relocated; the replies below ask why it is kept.
data fixups
end data    
Post 26 Jul 2005, 06:28
asmdemon



Joined: 18 Jan 2004
Posts: 97
Location: Virginia Beach, VA
asmdemon
if i recall correctly, y0da did this using masm. his proggie is http://scifi.pages.at/yoda9k/snippets/kernel2.zip
Post 26 Jul 2005, 13:16
Tyler Durden



Joined: 24 Feb 2004
Posts: 50
Tyler Durden
Cool! But you can optimize it a lot (mine is 601 bytes in a cab dropper vs 850 bytes). And why do you need this fixup section?

P.S. Hmmm... Now need to add other libraries loading...

_________________
Image
Post 29 Jul 2005, 07:02
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17718
Location: In your JS exploiting you and your system
revolution
Quote:
But you can optimize it a lot
Yes, you are right, but it is only an experiment and has no real practical use so I didn't feel I wanted to spend time to save a few bytes.
Post 29 Jul 2005, 23:59
AgentX



Joined: 05 Oct 2003
Posts: 1
AgentX
I can't download the attachment!
Post 30 Jul 2005, 15:56
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
revolution wrote:
Quote:
But you can optimize it a lot
Yes, you are right, but it is only an experiment and has no real practical use so I didn't feel I wanted to spend time to save a few bytes.


That's perfectly okay. But still:

Tyler Durden wrote:
And why you need this fixup section ?
Post 31 Jul 2005, 06:38