flat assembler
Message board for the users of flat assembler.
Windows > Native application win32 win64
Feryno 13 Mar 2006, 15:08
Native application.
First of all, warning for all lamaz - at first try to boot from install CD into recovery console and try to delete a file. After you succeede, continue with next experiments ! You will need to delete a file if it cause system reboot cycles. Maybe you can bypass native api with bug causing reboot by booting into safe mode, but I haven't tried it. If you have 2 or more operating systems in your PC able to access filesystem (the most of you have NTFS as system drive), there is no problem, you boot second OS, replace bad native app with good one (e.g. from this sample) or just delete it. --end of prologue-- FASM is able to produce various kind of apps: format PE gui format PE console format PE NATIVE Eveybody knows GUI as well CONSOLE apps. GUI app can have its own window design (main window, buttons, menus...), console app writes some text output to console. NATIVE directive is used for build system drivers, but can be used to produce NATIVE application too. The kind of app is specified in IMAGE_OPTIONAL_HEADER.Subsystem IMAGE_SUBSYSTEM_NATIVE = 1 ; Image doesn't require a subsystem. IMAGE_SUBSYSTEM_WINDOWS_GUI = 2 ; Image runs in the Windows GUI subsystem. IMAGE_SUBSYSTEM_WINDOWS_CUI = 3 ; Image runs in the Windows character subsystem. There isn't possible to run native application by simple executing it as gui or console app. System drivers can be loaded and unloaded by Service Control Manager (SCM). Native app can be run by Session Manager before winlogon. An example of native app is autochk.exe - in old NT 4.0 it displayed something like Checking drive... after uncorrect system reboot. 
Look into HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute Although there is impossible to run native app from user mode (and thus it's impossible to debug them as user mode programs), there is a limited way to test some parts and APIs by this way: change first line of asm source format PE native at 10000h to: format PE then recompile app and now you are able to debug some parts with user mode debugger. At conclusion: User mode apps are good gifts to your friends sending you thousands of mails with big attachments who don't stops sending after several warnings from you that his/hers mails exhauste you and your mailbox space. Especially when you add instruction like jmp $ into native app, sending of unwanted mails stops until he/she restore OS. You use APIs from NTDLL.DLL, the most of them is undocumented (except Rtl apis which are documented in msdn wery well). some links: http://www.sysinternals.com/Information/NativeApplications.html http://undocumented.ntinternals.net/ntundoc.chm http://undocumented.ntinternals.net/UserMode/ http://msdn.microsoft.com/library/en-us/IFSK_r/hh/IFSK_r/rtlref_852a2232-bc46-42fd-9eb8-3faa018614d2.xml.asp Runtime Library Routines Sources are for win32 as well win64. native.exe prints something on the startup screen, 32\native0.exe and 64\native_command_line.exe displays its command line parameter (HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute). There is one problem in win64 when copying file by using of 32-bit app (like Total Commander) - you don't see real 64-bit content of system32 directory, but you see shadowed SysWOW64 directory - so use included 64-bit application for copy native.exe into system32. After you copy it into system32, you won't see it by 32-bit apps (totalcmd) - it's hidden for 32-bit apps. 
Now I know, why my drivers worked only if copied into SysWOW64 directory - because I used 32-bit totalcmd, that run 32-bit cmd.exe instead of 64-bit cmd.exe and content of system32 is shadow of SysWOW64 (= 32 bit content), not truly directory with 64-bit content. I got displaying win64 command line by dirty tricks, this is maybe a wrong way, by it works. Most of native apps structures is undocumented.
RedGhost 13 Mar 2006, 16:51
very cool, nice contribution
Feryno 14 Mar 2006, 06:27
I'm happy that we can code some funny stuff now!

NtDelayExecution http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtDelayExecution.html can be used for a delay loop instead of CPU wasting:

xor eax,eax
L0: dec eax
jnz L0

I forgot to tell you that the samples work on the NT platform only, but I hope everybody knows that NTDLL.DLL is part of the NT OS and isn't in w95, w98, winme. There is a small mistake that doesn't matter, but please correct the string size computation:

Code:
align 16
UNICODE_STRING dw MsgW_0_size ; unicode string size without zero-terminator
dw MsgW_0_size_ZT ; unicode string size including zero-terminator
dd MsgW_0
align 16
MsgW_0 du 'Fatal system error! Cannot continue.',0Ah
du 'formatting system partition... 100%',0
MsgW_0_size_ZT = $ - MsgW_0 ; bytes from MsgW_0 up to here, terminator included
MsgW_0_size = MsgW_0_size_ZT - 2 ; same without the two-byte terminator
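To make the size rule from the post concrete, here is an added Python helper (not code from the thread or from fasm) that packs the UNICODE_STRING header the way the corrected fasm snippet does and flags the off-by-two mistake of counting the terminator in Length. It goes a step beyond the post by also handling the win64 layout, where the Buffer pointer is 8 bytes and sits after 4 bytes of alignment padding; the buffer address 0x10000 is a constructed placeholder.

```python
import struct

# UNICODE_STRING layout: USHORT Length, USHORT MaximumLength, PWSTR Buffer.
# On win64 the pointer is 8 bytes and is preceded by 4 bytes of alignment padding.
_LAYOUT = {32: "<HHI", 64: "<HHxxxxQ"}


def make_unicode_string(text, bits=32, buffer_va=0x10000):
    """Pack the header for `text` the way the corrected fasm snippet does.

    Length        = UTF-16LE bytes of the text WITHOUT the terminating zero word
    MaximumLength = Length + 2, i.e. the terminator is counted only here
    buffer_va is a constructed placeholder for the address of the string data.
    Returns (header bytes, zero-terminated UTF-16LE buffer)."""
    data = text.encode("utf-16-le")
    length = len(data)
    if length + 2 > 0xFFFF:
        raise ValueError("text too long for a 16-bit Length")
    header = struct.pack(_LAYOUT[bits], length, length + 2, buffer_va)
    return header, data + b"\0\0"


def check_unicode_string(header, buffer, bits=32):
    """Return the problems found in a header/buffer pair (empty list = OK)."""
    length, max_length, _ = struct.unpack(_LAYOUT[bits], header)
    problems = []
    if length % 2:
        problems.append("Length is not a multiple of 2")
    if length > max_length:
        problems.append("Length exceeds MaximumLength")
    if length > len(buffer):
        problems.append("Length runs past the end of the buffer")
    elif length >= 2 and buffer[length - 2:length] == b"\0\0":
        # The mistake the post corrects: the terminator was counted in Length.
        problems.append("Length includes the zero terminator")
    if max_length < length + 2:
        problems.append("MaximumLength leaves no room for the zero terminator")
    return problems
```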
chris 15 Mar 2006, 03:19
Interesting stuff! I have tried your example, and it works well. One thing I want to point out is that native applications are still running in user mode or, from the CPU's point of view, ring3, as you can attach a kernel debugger like SoftICE and check that the code segment register cs=1b, which is the ring3 code segment. So if your native application crashes, Windows terminates it and continues loading, just like when a GUI or console app crashes.
Feryno 16 Mar 2006, 10:08
Here is Microsoft's method of getting command line parameters; I got it by playing with autochk.exe from winnt_40 and w2k3_x64. It can be simplified, but I hadn't enough time to do it myself (especially the unnecessary unicode->ansi->unicode for NtDisplayString). You can optimize it (a lot of code may be removed).
I hadn't time (coding at night) to implement Okasvi's optimization into the samples, do it yourself. Chris, thanx for your help with the method of debugging native apps. Every exception in native.exe causes a system reboot of my PC, maybe because I haven't SoftIce installed, so no debugger catches the exception... Fortunately I have 3 OSes on 1 HD (win32, win64, Linux64) so I was able to delete the file by using the other OS and then boot. I'm not an expert, coding is for me only something like playing for children. I just tried to port to asm something presented in C by Mark Russinovich; I succeeded because of great FASM, and then I decided that native apps can be funny stuff for other people, so I posted the samples here. Enjoy them!
questlima 27 Aug 2014, 10:59
hi, I am new to FASM and ASM, I was wondering whether the *format PE NATIVE* instruction means that it is a *system file .sys* and can only be executed at OS boot time. btw, if I add the *add.reg*, will this be enough to execute the one I have written, or do I need to edit the *add.reg*? sorry for my English, it's not my native language. anyway, thank you
l_inc 27 Aug 2014, 12:32
questlima
Even though fasm assigns the extension "sys" to files with the native option, there is no 100% correlation between having the "sys" extension, having the "native" option, and especially not with being loaded at boot time. The option native merely means that the produced executable will have IMAGE_NT_HEADERS->OptionalHeader->Subsystem set to 1 (IMAGE_SUBSYSTEM_NATIVE). This value is set for kernel-mode drivers (mostly having the sys extension), for kernel-mode libraries (hal.dll, kdcom.dll, framebuf.dll) and also for user-mode native applications (csrss.exe, smss.exe) that do not require an initialized Win32 subsystem when they start. "Native" also does not mean that the executable should be loaded at boot time. Many drivers are loaded on demand by the PnP manager during normal OS operation or on request of an application. If you wrote a driver that is specifically designed to be loaded at boot time, then direct manipulation of the registry is not the proper way to register the driver. A proper way could be to register it as a service using the service control manager API or using the setup API and an inf-file. If you have an inf-file you could also install it using the device manager or the redistributable application drvinst.exe.
_________________
Faith is a superposition of knowledge and fallacy
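To see the header field that the first post and this reply describe, here is an added Python script (not code from the thread or from fasm) that builds constructed minimal PE headers and reads IMAGE_OPTIONAL_HEADER.Subsystem back out, for both PE32 (win32) and PE32+ (win64). It reports only what the header states: Subsystem 1 with or without the DLL characteristic, since, as the reply says, that value alone does not distinguish a driver from a user-mode native app.

```python
import struct

# IMAGE_OPTIONAL_HEADER.Subsystem values quoted in the first post.
IMAGE_SUBSYSTEM_NATIVE, IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 1, 2, 3
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_FILE_DLL = 0x2000            # bit in IMAGE_FILE_HEADER.Characteristics
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe_headers(machine, pe32plus, subsystem, is_dll=False):
    """Constructed minimal DOS + NT headers (no sections), enough to carry a Subsystem."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 112 if pe32plus else 96                            # optional header, no data dirs
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)            # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+.
    opt = struct.pack("<H", magic) + b"\0" * 66 + struct.pack("<H", subsystem)
    return dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0")


def pe_subsystem(data):
    """Parse Machine, Characteristics and Subsystem out of a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < 70:
        raise ValueError("unsupported or truncated optional header")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    is_dll = bool(chars & IMAGE_FILE_DLL)
    if subsystem != IMAGE_SUBSYSTEM_NATIVE:
        kind = "runs under the Win32 subsystem"
    elif is_dll:
        kind = "native DLL (e.g. a kernel-mode library such as hal.dll)"
    else:
        kind = "native EXE: driver or user-mode native app, header alone cannot tell"
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC, "is_dll": is_dll,
            "subsystem": subsystem, "name": SUBSYSTEM_NAMES.get(subsystem, "OTHER"),
            "kind": kind}


if __name__ == "__main__":
    for machine, plus, sub in ((0x14C, False, 1), (0x8664, True, 1), (0x14C, False, 3)):
        info = pe_subsystem(build_pe_headers(machine, plus, sub))
        print(hex(machine), info["name"], "-", info["kind"])
```

Pointing pe_subsystem() at the bytes of a real file (open(path, "rb").read()) reads the same field from that file's headers.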
questlima 27 Aug 2014, 13:04
Thanks, btw I am a bit confused, this is my first time trying to understand FASM, so it is a system file .sys, am I right? what I have learned so far on FASM :LOL
format PE GUI 4.0 DLL << this one will produce a DLL file
format PE gui << dialog, menus, list box, etc
format PE console << command line applications
format PE NATIVE << so this one will be a system file, drivers
sorry for my English and being such a noob, yes I am :) anyway thank you for your time, appreciated
l_inc 27 Aug 2014, 13:52
questlima
Quote: format PE GUI 4.0 DLL << this one will produce a DLL file
Yes, but you don't actually have to specify "GUI 4.0". fasm would then default to subsystem console, but it's actually not that relevant for dlls.
Quote: format PE gui << dialog, menus, list box, etc
Not necessarily. An application with subsystem gui may or may not have any windows at all. Moreover, it could create a console as well and look and behave exactly like a console application.
Quote: format PE console << command line applications
Yes. The only difference to format PE GUI is that Windows automatically creates a console window during application initialization or assigns an existing console if it's inherited from the parent application.
Quote: format PE NATIVE << so this one will be a system file, drivers
As I already said, it's not necessarily drivers. If you read the first post of this topic, you'll find that the topic is actually about user-mode applications having the native subsystem.
Quote: sorry for my English
Disregard the following suggestion if I'm mistaken and you don't natively speak Russian. If you're too concerned about your English skills you may wanna visit this forum. I would recommend you to stay at board.flatassembler.net for fasm related questions, but you can get many of them answered on wasm as well.
_________________
Faith is a superposition of knowledge and fallacy
catafest 26 Aug 2015, 10:36
very useful:
one single question about: format PE native at 10000h. About the rules to set this: at 10000h, can we set any: format PE native at XXXXXh?
Copyright © 1999-2024, Tomasz Grysztar.