flat assembler
Message board for the users of flat assembler.

idata section

tthsqe
Joined: 20 May 2009
Posts: 724
Why does this work

Code:
format PE64 GUI
entry start

section '.text' code readable executable

  start:
        sub     rsp,8*5         ; reserve stack for API use and make stack dqword aligned

        mov     r9d,0
        lea     r8,[_caption]
        lea     rdx,[_message]
        mov     rcx,0
        call    [myMessageBoxW]

        mov     ecx,eax
        call    [myExitProcess]

section '.data' data readable writeable

  _caption du 'Win64 assembly program',0
  _message du 'Hello World!',0
align 16
  myMessageBoxA dq 0x000000007729E96C
  myMessageBoxW dq 0x000000007729E9C4
  myExitProcess dq 0x0000000077320290



section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0
  user_table:
    MessageBoxA dq RVA _MessageBoxA
    dq 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0


but this one does not

Code:
format PE64 GUI
entry start

section '.text' code readable executable

  start:
        sub     rsp,8*5         ; reserve stack for API use and make stack dqword aligned

        mov     r9d,0
        lea     r8,[_caption]
        lea     rdx,[_message]
        mov     rcx,0
        call    [myMessageBoxW]

        mov     ecx,eax
        call    [myExitProcess]

section '.data' data readable writeable

  _caption du 'Win64 assembly program',0
  _message du 'Hello World!',0
align 16
  myMessageBoxA dq 0x000000007729E96C
  myMessageBoxW dq 0x000000007729E9C4
  myExitProcess dq 0x0000000077320290


The idata section is never referenced in the program. What effect does it have?
Post 10 Aug 2009, 17:55
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
The Windows loader must find a valid import section else it will refuse to load the program.

BTW: it is just asking for trouble to hard code import addresses!
Post 10 Aug 2009, 18:04
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
But does the program not load, or does it crash when the call to myMessageBoxW is made?

KERNEL32.DLL is very likely to be loaded, but USER32.DLL may not be present if your executable doesn't ask for it explicitly.
Post 10 Aug 2009, 18:38
tthsqe
Joined: 20 May 2009
Posts: 724
It works only if the hard coded addresses are right.
After a reboot the addresses changed to:

Code:
  myMessageBoxA dq 0x00000000770BE96C
  myMessageBoxW dq 0x00000000770BE9C4
  myExitProcess dq 0x0000000077140290


So, why is it moving around, and what exactly does the idata section actually do? Is this how you incorporate API functions, DirectX, etc.? Is this stuff well documented, or do I just have to copy others' code without a real understanding of what is going on?
Post 11 Aug 2009, 02:39
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
The import section is a requirement so that you can find where the locations of the API entry points are. Your hard-coded entry points are doomed to failure because the API entry points are not constants; they change. The loader code in Windows will read the import section, find the API entry point addresses and plug them into the code for you.
Post 11 Aug 2009, 02:49
tthsqe
Joined: 20 May 2009
Posts: 724
Oh!!! So the addresses that the program is reading were not made by the compiler, but by some Windows 'loader'. Then why exactly are all of these lines necessary:

Code:
  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0
  user_table:
    MessageBoxW dq RVA _MessageBoxW
    dq 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxW dw 0
    db 'MessageBoxW',0


Thanks! I think I actually learned something.
Post 11 Aug 2009, 03:36
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Because what the "call [ExitProcess]" instruction does is read the API function's address from the quad word (defined as RVA _ExitProcess at startup but replaced with the actual location at run-time by Windows' loader), and then transfer control to that address.
Post 11 Aug 2009, 03:46
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
That is the import table that the loader needs. The loader will scan the table, find the API entry points and put them into the 'ExitProcess' and 'MessageBoxW' variables. So then you can write 'call [MessageBoxW]' and be sure to call the right place.

[edit]LocoDelAssembly beat me to it.[/edit]
Post 11 Aug 2009, 03:48
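The following is an added example, not code from the thread or from fasm: it lays out the same import section the posts show (each `dd 0,0,0,RVA name,RVA table` line is one IMAGE_IMPORT_DESCRIPTOR, each `dq RVA _Name` line is one IAT slot, each `dw 0 / db 'Name',0` pair is one hint/name entry) and then walks it the way the loader does before patching. It also decodes import-by-ordinal slots, which the thread does not use. The section RVA 0x3000 is a constructed value, and function names are assumed unique across DLLs.

```python
import struct
# One IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name,
# FirstThunk) is exactly the thread's 'dd 0,0,0,RVA kernel_name,RVA kernel_table'.
DESC_FMT, DESC_SIZE = "<IIIII", 20

def build_import_section(base_rva, imports):
    """Lay out descriptors, thunk tables (the IAT), DLL names and hint/name entries in the
    thread's order. Returns (section_bytes, {func: rva of its 'dq' slot})."""
    off = DESC_SIZE * (len(imports) + 1)
    table_rva, name_rva, hint_rva, iat = {}, {}, {}, {}
    for dll, funcs in imports.items():              # 'ExitProcess dq ...' slots + 'dq 0'
        table_rva[dll] = base_rva + off
        for i, f in enumerate(funcs):
            iat[f] = base_rva + off + 8 * i
        off += 8 * (len(funcs) + 1)
    for dll in imports:                             # 'kernel_name db "KERNEL32.DLL",0'
        name_rva[dll], off = base_rva + off, off + len(dll) + 1
    for f in (f for funcs in imports.values() for f in funcs):   # 'dw 0' + 'db "name",0'
        hint_rva[f], off = base_rva + off, off + 3 + len(f)
    out = bytearray()
    for dll in imports:
        out += struct.pack(DESC_FMT, 0, 0, 0, name_rva[dll], table_rva[dll])
    out += bytes(DESC_SIZE)                         # 'dd 0,0,0,0,0' terminator
    for funcs in imports.values():                  # each slot holds an RVA until the loader
        out += b"".join(struct.pack("<Q", hint_rva[f]) for f in funcs) + bytes(8)  # patches it
    for dll in imports:
        out += dll.encode() + b"\0"
    for f in hint_rva:
        out += struct.pack("<H", 0) + f.encode() + b"\0"
    return bytes(out), iat

def walk_imports(section, base_rva):
    """Loader's view before patching: follow each descriptor to its thunk table and read the
    name each slot points at. Returns {dll: [(slot_rva, slot_value, func), ...]}."""
    def cstr(rva):
        o = rva - base_rva
        return section[o:section.index(b"\0", o)].decode()
    result = {}
    for i in range(len(section) // DESC_SIZE):
        _, _, _, name, first = struct.unpack_from(DESC_FMT, section, i * DESC_SIZE)
        if name == 0 and first == 0:
            break                                   # null descriptor ends the list
        entries, slot = [], first - base_rva
        while (thunk := struct.unpack_from("<Q", section, slot)[0]) != 0:
            func = f"#{thunk & 0xFFFF}" if thunk >> 63 else cstr(thunk + 2)  # ordinal / skip hint
            entries.append((base_rva + slot, thunk, func))
            slot += 8
        result[cstr(name)] = entries
    return result
```

Running it on the thread's two imports shows why the `dq` slots are not constants: before the loader runs they hold RVAs into the hint/name strings, and only after patching do they hold the per-boot addresses that the hard-coded version tried to guess.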
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
This might be useful info:

Solving the Mysteries of the Loader
Post 11 Aug 2009, 04:00
tthsqe
Joined: 20 May 2009
Posts: 724
I've got one more mystery. Some source codes run fine with F9 from fasm but produce executables that crash. This happens on the following:

Code:
format PE64 GUI
entry start

include 'win64a.inc'

section '.text' code readable executable

start:
        invoke  MessageBoxA,0,Message,Caption,MB_OK
        invoke  ExitProcess,0

section '.data' data readable writeable

  Caption  db  'Solution Found:',0
  Message  db  'ab',0

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  include 'api\kernel32.inc'
  include 'api\user32.inc'


I know it's got to be something with the idata and include.
Post 11 Aug 2009, 05:40
tthsqe
Joined: 20 May 2009
Posts: 724
But this one is fine:

Code:
format PE64 GUI
entry start

include 'win64a.inc'

section '.text' code readable executable

start:
        invoke CreateFile,FileTitle,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
        test   rax,rax
        je     exit
        mov    [FileHandle], rax
        invoke WriteFile,[FileHandle],FileContent,30,BytesWritten,0
exit:   invoke CloseHandle,[FileHandle]
        invoke ExitProcess,0

section '.data' data readable writeable

  FileTitle db 'C:\Users\***\Documents\itworked.txt',0
  FileHandle dq ?
  BytesWritten dq ?
  FileContent  db 'It really worked again!',0

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  include 'api\kernel32.inc'
  include 'api\user32.inc'
Post 11 Aug 2009, 05:46
tthsqe
Joined: 20 May 2009
Posts: 724
Which makes me think it is about the message box.
Post 11 Aug 2009, 05:47
Copyright © 1999-2020, Tomasz Grysztar.