Index
> Windows > how do i do that?Goto page 1, 2 Next |
| Author |
|
|
sinsi
25*4
|
|||
19 Jan 2008, 02:25 |
|
|
asmrox
i mean dword starting from 25 byte.
|
|||
|
19 Jan 2008, 02:45 |
|
|
sinsi
What crash? What does a debugger say?
Not enough info. |
|||
|
19 Jan 2008, 03:11 |
|
|
edfed
alignment problem?
|
|||
|
19 Jan 2008, 03:29 |
|
|
asmrox
i need correct syntax for this. it just dont work, debugger say nothing.
|
|||
|
19 Jan 2008, 03:44 |
|
|
LocoDelAssembly
But seems to be correct, but since we have no idea what you want we can't know "the correct syntax" for you. You code pushes onto the stack the C equivalent of *(long)((char *)memory+25) (perhaps this is incorrect C syntax
 ).
Try posting some code with at least the parts related to this problem. |
|||
|
19 Jan 2008, 03:53 |
|
|
ic2
memory dd ?
You are walking through and including other data with a single dword... You need something like what sinsi was indicating ... memory [100] :BYTE Not sure of the syntax for DWORD. This is the only thing I found in the fasm.pdf. I'm new to FASM.. BTW, how would you use DWORD instead of BYTE here? Last edited by ic2 on 19 Jan 2008, 04:34; edited 3 times in total |
|||
|
19 Jan 2008, 04:23 |
|
|
asmrox
@up
not a buffer, just a pointer to it. Thats why are functions to allocate memory - save file size. Code: section '.code' code readable executable push 0x00000004 push 0x00002000 push mem_size push 0 push mem_addr push 0xFFFFFFFF call [NtAllocateVirtualMemory] ;here is a huge function that fills a structure pointed by mem_addr mov eax, [mem_addr] push dword [eax+25] push f call [printf]; i should get 25-28 uninitilized bytes formatted as integer add esp,8 push 0x00008000 push mem_size push mem_addr push 0xFFFFFFFF call [NtFreeVirtualMemory] retn 0 section '.data' data readable writeable mem_addr dd 0 mem_size dd 20480 f db '%i',0 |
|||
|
19 Jan 2008, 04:24 |
|
|
sinsi
Why use NtAllocateVirtualMemory? Undocumented stuff is OK, but it is undocumented for a reason...it can change from SP1 to SP2 for example.
|
|||
|
19 Jan 2008, 04:46 |
|
|
LocoDelAssembly
Quote: not a buffer, just a pointer to it. Thats why are functions to allocate memory - save file size. However if you declare uninitialized vars at the end of a section it does not take any single byte of disk space, the section is simply marked with a virtual size bigger than its raw size. Code: format pe console include 'win32wx.inc' PAGE_READWRITE = 4 section '.code' code readable executable invoke NtAllocateVirtualMemory, -1, mem_addr, 0, mem_size, MEM_COMMIT, PAGE_READWRITE mov eax, [mem_addr] cinvoke printf, f, dword [eax+25] mov eax, [mem_addr] mov dword [eax+25], $DEADBEEF cinvoke printf, f, dword [eax+25] invoke NtFreeVirtualMemory, -1, [mem_addr], mem_size, 0x00008000 retn section '.data' data readable writeable mem_addr dd 0 mem_size dd 20480 f db '%X', 10, 0 data import library ntdll, 'ntdll.dll',\ crtdll, 'crtdll.dll' import ntdll,\ NtAllocateVirtualMemory, "NtAllocateVirtualMemory",\ NtFreeVirtualMemory, "NtFreeVirtualMemory" import crtdll,\ printf, "printf" end data So the program WAS crashing, you have a NULL pointer access because your call to NtAllocateVirtualMemory does not work and GetLastError says ERROR_ACCESS_DENIED. I wonder why you want this particular function, I think that VirtualAllocEx also fits your needs (if you are wanting to allocate memory at arbitrary processes, otherwise more simpler functions can be used) PS: BTW, you was not using heap at all. [edit]Code corrected and simplified[/edit] Last edited by LocoDelAssembly on 19 Jan 2008, 05:42; edited 1 time in total |
|||
|
19 Jan 2008, 05:24 |
|
|
asmrox
Code: because your call to NtAllocateVirtualMemory does not work sorry, but try to push eax instead of [eax+25] . It worked at 100%. Code: invoke NtAllocateVirtualMemory, eax, mem_addr, 0, mem_size, PAGE_READWRITE whers AllocationType? Quote: I wonder why you want this particular function Im trying to learn all about system, not code fast. So native apis are on my way. And i dont care it crash on windows 9X, its a diffrent os. Diffrence between nt-9x is almost like nt-unix. |
|||
|
19 Jan 2008, 05:27 |
|
|
LocoDelAssembly
Quote: whers AllocationType? hehe, I'm blind
I've corrected the code and also removed the kernel32 calls since -1 as process handle is enough. This is the output I get with the new program: Code: C:\Documents and Settings\Hernan\Escritorio>test2.exe 0 DEADBEEF Sorry for my mistake. PS: Just in case it is not obvious, by doing [eax+25] you are not accessing the 25th dword but a dword 25 bytes ahead of the base address ([eax+25..eax+28]). |
|||
|
19 Jan 2008, 05:48 |
|
|
asmrox
i compared codes, and... why MEM_RESERVE cause this error? I was using it for long time, and it was ok.
|
|||
|
19 Jan 2008, 06:26 |
|
|
LocoDelAssembly
Quote:
Oh, I though you was using MEM_COMMIT, the problem with MEM_RESERVE is that it just reserves the address space but the memory is not allocated. With MEM_RESERVE you ensure that any future memory allocation will not use your reserved range but as I've said it is still not allocated (there is no page table entries representing the address range*, nor physical RAM nor swap space occupied by the reservation). *Well, actually a guess from my part, but I think that Windows takes note of reserved ranges elsewhere instead of polluting the memory with many page table entries marked all as invalid. PS: VirtualAlloc documentation (only a part) wrote: flAllocationType |
|||
|
19 Jan 2008, 06:37 |
|
|
asmrox
so if i commit the page, other process/thread/function can overwrite it?
|
|||
|
19 Jan 2008, 07:00 |
|
|
LocoDelAssembly
Yes, though for other process to access it the mecanism is not very direct, you need APIs like WriteProcessMemory to reach them. Threads within the process that commited the pages can access them directly, so no matter the thread that allocated the memory any thread can access it later.
|
|||
|
19 Jan 2008, 14:51 |
|
|
AlexP
Well, I've seen techniques for injecting a DLL inside another process. That could lead normal code to call a presumably legit function in it's process space, and turn command over to the rogue code.
Code: call [NtAllocateVirtualMemory] ;here is a huge function that fills a structure pointed by mem_addr mov eax, [mem_addr] push dword [eax+25] push f call [printf]; i should get 25-28 uninitilized bytes formatted as integer add esp,8 push 0x00008000 push mem_size push mem_addr push 0xFFFFFFFF call [NtFreeVirtualMemory] retn 0 section '.data' data readable writeable mem_addr dd 0 mem_size dd 20480 f db '%i',0 WTF? First of all, you screw up the API call majorly, your instruction mov eax, [mem_addr] seems to be perfectly backwards. Secondly, the %i flag to printf takes a pointer to memory, not an actual value! that could explain an access fault to whatever lives at that address. you should use lea then a push. |
|||
|
19 Jan 2008, 23:38 |
|
|
asmrox
Quote: WTF? First of all, you screw up the API call majorly no, i used MEM_RESERVE instead MEM_COMMIT. Quote: Secondly, the %i flag to printf takes a pointer to memory no, it print what is on stack, and %s take address. |
|||
|
20 Jan 2008, 00:09 |
|
|
AlexP
I've used %d as integer, thought %i takes the same. And I did see the MEM_RESERVE thing, was just wonderin' why you destroyed eax after the call.
|
|||
|
20 Jan 2008, 01:22 |
|
| Goto page 1, 2 Next < Last Thread | Next Thread > |
Forum Rules:
|