flat assembler
Message board for the users of flat assembler.

Thread: PE Native ... extrn ??? (Windows forum)
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 30 Dec 2009, 14:27

LocoDelAssembly:

You probably need to rearrange the paths according to your needs.
Warning! There is an "int 3" in the driver; you need a kernel debugger running in the background.
Personally, I use "Syser" .... If you need other files, tell me.
(In my code I use tabs, not spaces.)



LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 30 Dec 2009, 18:41
Seems I'm too late...
Quote:
You want to download the following file:

http://rapidshare.com/files/327971549/Minimum_Driver_-_BeaEngine.rar | 119 KB

Unfortunately right now our servers are overloaded and we have no more download slots left for non-members. Of course you can also try again later.
Why don't you upload it to this forum?

The people who downloaded earlier than me are now heavily working on the solution?
ouadji 30 Dec 2009, 19:20
OK

LocoDelAssembly 30 Dec 2009, 20:13
ouadji, I've been playing with the MASM example but no luck either. I'm starting to believe this DLL can't be imported in kernel-mode and you'll need the MS COFF + linker approach (in which case you'll use static linking like the MASM example, so there will be no DLL).

I'll try more later.
ouadji 30 Dec 2009, 20:30

ok, thank you very much.
I contacted the developer of this dll.
We'll see what he has to say about it.

LocoDelAssembly 30 Dec 2009, 20:34
And in a second analysis I see that the driver imports nothing from KERNEL32.DLL (only from ntoskrnl.exe) whereas BeaEngine.DLL does.

Perhaps having a DLL is still possible, but you'll need to compile it in such a way that it uses DLLs and services available in kernel-mode (like ntoskrnl.exe, ntdll.dll, etc.).

PS: I've tried importing GetTickCount from KERNEL32.DLL but the driver fails to load with error ERROR_PROC_NOT_FOUND (without BSOD, this error is the LastErr just after StartService call).

PS2: Does someone know whether linking using the interpreter layer of fasm is feasible? Would it be very hard?

PS3: In case it isn't obvious, it is documented that you can't use user-mode DLLs in drivers (like kernel32, gdi32, user32, etc.), I've tried importing GetTickCount just to see if at least it could be loaded without crashing, but it turned out that it can't even start...
ouadji 30 Dec 2009, 20:49
hummm, I understand.
The driver imports nothing from KERNEL32.DLL ... but BeaEngine does!
It is quite possible that the problem lies in that direction.
Would this "dll" be usable only from ring3?
Nice job LocoDelAssembly, thank you.

ouadji 30 Dec 2009, 20:54

Quote:
PS3

ok ... in this case, if BeaEngine uses functions from user-mode DLLs,
then it's not possible to use BeaEngine from ring0.

EDIT:

Do you know which functions BeaEngine imports from user-mode DLLs?
Just one ... to talk about this with the developer of this dll.

LocoDelAssembly 30 Dec 2009, 21:13
Code:
.idata:1003A1A8 ;
.idata:1003A1A8 ; Imports from KERNEL32.dll
.idata:1003A1A8 ;
.idata:1003A1A8 ; ---------------------------------------------------------------------------
.idata:1003A1A8
.idata:1003A1A8 ; Segment type: Externs
.idata:1003A1A8 ; _idata
.idata:1003A1A8 ; BOOL __stdcall VirtualFree(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType)
.idata:1003A1A8                 extrn VirtualFree:dword ; DATA XREF: sub_10032400+BFr
.idata:1003A1AC ; HANDLE __stdcall HeapCreate(DWORD flOptions,DWORD dwInitialSize,DWORD dwMaximumSize)
.idata:1003A1AC                 extrn HeapCreate:dword  ; DATA XREF: sub_10032800+9r
.idata:1003A1B0 ; BOOL __stdcall HeapDestroy(HANDLE hHeap)
.idata:1003A1B0                 extrn HeapDestroy:dword ; DATA XREF: sub_10032820+6r
.idata:1003A1B4 ; LPVOID __stdcall HeapAlloc(HANDLE hHeap,DWORD dwFlags,DWORD dwBytes)
.idata:1003A1B4                 extrn HeapAlloc:dword   ; DATA XREF: sub_10032840+Dr
.idata:1003A1B8 ; LPVOID __stdcall HeapReAlloc(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem,DWORD dwBytes)
.idata:1003A1B8                 extrn HeapReAlloc:dword ; DATA XREF: .text:10032873r
.idata:1003A1BC ; BOOL __stdcall HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
.idata:1003A1BC                 extrn HeapFree:dword    ; DATA XREF: sub_10032880+Dr
.idata:1003A1C0 ; DWORD __stdcall HeapSize(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
.idata:1003A1C0                 extrn HeapSize:dword    ; DATA XREF: .text:100328AFr
.idata:1003A1C4 ; BOOL __stdcall HeapValidate(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
.idata:1003A1C4                 extrn HeapValidate:dword ; DATA XREF: .text:100328DDr
.idata:1003A1C8 ; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
.idata:1003A1C8                 extrn GetSystemTimeAsFileTime:dword
.idata:1003A1C8                                         ; DATA XREF: sub_100328F0+5r
.idata:1003A1C8                                         ; .text:1003290Br
.idata:1003A1CC ; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
.idata:1003A1CC                 extrn GetStartupInfoA:dword ; DATA XREF: sub_10032950+57r
.idata:1003A1D0 ; DWORD __stdcall GetFileType(HANDLE hFile)
.idata:1003A1D0                 extrn GetFileType:dword ; DATA XREF: sub_10032950+122r
.idata:1003A1D0                                         ; sub_10032950+1B1r
.idata:1003A1D4 ; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
.idata:1003A1D4                 extrn GetStdHandle:dword ; DATA XREF: sub_10032950+19Dr
.idata:1003A1D8 ; HANDLE GetCurrentProcess(void)
.idata:1003A1D8                 extrn GetCurrentProcess:dword ; DATA XREF: sub_10032950+1BEr
.idata:1003A1D8                                         ; sub_10032950+1C7r
.idata:1003A1DC ; BOOL __stdcall DuplicateHandle(HANDLE hSourceProcessHandle,HANDLE hSourceHandle,HANDLE hTargetProcessHandle,LPHANDLE lpTargetHandle,DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwOptions)
.idata:1003A1DC                 extrn DuplicateHandle:dword ; DATA XREF: sub_10032950+1E0r
.idata:1003A1E0 ; UINT __stdcall SetHandleCount(UINT uNumber)
.idata:1003A1E0                 extrn SetHandleCount:dword ; DATA XREF: sub_10032950+235r
.idata:1003A1E4 ; LPSTR GetCommandLineA(void)
.idata:1003A1E4                 extrn GetCommandLineA:dword ; DATA XREF: sub_10032D80+Br
.idata:1003A1E8 ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:1003A1E8                 extrn GetModuleFileNameA:dword ; DATA XREF: sub_10032D80+26r
.idata:1003A1EC ; LPSTR GetEnvironmentStrings(void)
.idata:1003A1EC                 extrn GetEnvironmentStrings:dword
.idata:1003A1EC                                         ; DATA XREF: sub_10032E20+9r
.idata:1003A1F0 ; BOOL __stdcall FreeEnvironmentStringsA(LPSTR)
.idata:1003A1F0                 extrn FreeEnvironmentStringsA:dword
.idata:1003A1F0                                         ; DATA XREF: sub_10032E20+B0r
.idata:1003A1F4 ; void __stdcall ExitProcess(UINT uExitCode)
.idata:1003A1F4                 extrn ExitProcess:dword ; DATA XREF: sub_10034220+5r
.idata:1003A1F8 ; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect)
.idata:1003A1F8                 extrn VirtualAlloc:dword ; DATA XREF: sub_10035010+24r
.idata:1003A1F8                                         ; sub_10035010+8Ar
.idata:1003A1FC ; DWORD __stdcall VirtualQuery(LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,DWORD dwLength)
.idata:1003A1FC                 extrn VirtualQuery:dword ; DATA XREF: sub_10035010+3Fr
.idata:1003A200
.idata:1003A200    

But please note that the driver example does contain BeaEngine, BUT statically linked (i.e. no BeaEngine.dll), and it does not import any memory-handling routines (this part is odd; perhaps the linker removes unused functions, or perhaps the run-time code added by the DLL's compiler contains the calls to those kernel32 functions).

These are the imports from example.sys:
Code:
.idata:00437040 ;
.idata:00437040 ; Imports from ntoskrnl.exe
.idata:00437040 ;
.idata:00437040 ; ---------------------------------------------------------------------------
.idata:00437040
.idata:00437040 ; Segment type: Externs
.idata:00437040 ; _idata
.idata:00437040                 extrn __imp_DbgPrint:dword ; DATA XREF: DbgPrintr
.idata:00437044                 extrn __imp_strcpy:dword ; DATA XREF: strcpyr
.idata:00437048                 extrn __imp_strlen:dword ; DATA XREF: strlenr
.idata:0043704C                 extrn __imp_sprintf:dword ; DATA XREF: sprintfr
.idata:00437050                 extrn __imp_memset:dword ; DATA XREF: memsetr
.idata:00437054
.idata:00437054    
ouadji 30 Dec 2009, 21:53
ok, thank you.

I contacted the developer of BeaEngine.
He has already answered; he will think about this problem and then contact me.
I will post all info and feedback about this on the forum.

(oops, my English ... not easy, I hope you understand me)

LocoDelAssembly 30 Dec 2009, 23:29
Well, I've now edited the DLL to remove all imports and I've also edited the entry point to do just MOV EAX, 1 / RET 12, but it still insists on the bad driver thing...

I really don't know what else could be the problem; perhaps DLLs for drivers can't have relocations? Maybe they are marked somewhat differently?

PS: Tried renaming it to beaengine1.dll and now I get ERROR_INVALID_PARAMETER.

OK, enough for today.
ouadji 30 Dec 2009, 23:41

thank you for your work and your help ... thank you very much!
I'll wait for the view of the developer of BeaEngine.
Good evening and good night,
and ... feliz año nuevo 2010 (happy new year 2010)!


(LocoDelAssembly ... yo también (me too))

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 31 Dec 2009, 02:36
Is beaengine.dll tagged as 'native' or 'gui'?
ouadji 31 Dec 2009, 09:50

I don't understand your question.
"tagged" (??)


(Sorry, my English isn't very good)

revolution 31 Dec 2009, 10:15
format pe native
format pe gui

Different file formats are produced. If beaengine.dll is compiled as GUI then perhaps it can't be linked in kernel mode?
ouadji 31 Dec 2009, 11:15

ok, I understand now, thank you.

http://beatrix2004.free.fr/BeaEngine/index1.php

BeaEngine.lib (and ".dll") is a library coded in C.
Look at the link above; it's the website of this DLL.
It is a disassembler engine.

LocoDelAssembly 31 Dec 2009, 20:00
revolution, I've tried with this DLL:
Code:
; DLL creation example

format PE gui 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,TRUE
        ret
endp

proc Disasm
        xor eax, eax
        ret
endp

section '.data' data readable writable

data export
  export 'BeaEngine.DLL',\
         Disasm,'Disasm'
end data

section '.reloc' data fixups readable writable

And it worked. Also note that ntdll.dll is "format pe console dll" (I've also tried with console in the code above).

Perhaps I didn't edit the DLL properly, or there is something more... In any case, even if I manage to get it to work it wouldn't be reliable; the DLL *IS* targeted at user-mode, and perhaps it will never work correctly in a "hybrid mode" like ntdll.dll does.

ouadji, I think you had better use the MS COFF format and a linker, just like the MASM example does (linking statically, so the DLL is not used), or try to compile the DLL in such a way that it is suitable for kernel-mode use. I have no idea how to do this though; I guess it should be the "native" option or something like that in the linker (but it won't be like ntdll.dll in that case, it would be more like HAL.DLL, which is native). Also, BeaEngine.dll is pageable, which could give you some IRQL_NOT_LESS_OR_EQUAL BSODs if you don't call it at the appropriate times (not in the example of course; DriverEntry is called at an IRQL that is suitable for calling pageable code and reading/writing pageable data).

Quote:
and ... feliz año nuevo 2010 !

You too.

PS: Something I've noticed with my test box (an unpatched WinXP SP2) is that once you load the driver and get the ERROR_BAD_DRIVER error, no matter how many times you replace (or even delete) BeaEngine.dll with a good one, you'll keep getting that error, so when testing I have to change names to avoid rebooting. It seems that WinXP remembers the names of the bad DLLs and refuses to load the driver.

PS2: And replacing the good one with the bad one (or just deleting it) after loading the driver does not make the driver fail, so it seems that the old one is still in memory.
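The checks the last few posts make by hand (which modules an image imports from, whether it is tagged native, GUI or console, and whether it carries a base-relocation directory) can be scripted. The following is an added example for this thread, not code from the thread, from fasm or from BeaEngine: a small pure-stdlib PE reader, plus a builder for minimal PE32 test images so it runs offline without BeaEngine.dll or example.sys. The set of modules it treats as importable from kernel mode (ntoskrnl.exe, hal.dll, anything with a .sys suffix) is an assumption made for the check, not the loader's full rule.

```python
"""Added example, not code from this thread, fasm or BeaEngine: read the PE fields the
posts above check by hand (Subsystem tag, DLL flag, base-relocation directory, imports by
module, and which of those modules kernel-mode code cannot import from). Pure stdlib."""
import struct

SUBSYSTEMS = {1: "native", 2: "gui", 3: "console"}
IMAGE_FILE_DLL = 0x2000
# Assumption for the check: modules a driver may import from. ntoskrnl.exe and hal.dll are
# the usual ones; other kernel-resident images carry a .sys suffix.
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll"}


def _rva_to_offset(rva, sections):
    for vsize, va, rsize, raw in sections:               # IMAGE_SECTION_HEADER fields, name skipped
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def inspect_pe(data):
    """Report dict: subsystem, dll, relocations, imports {module: [name]}, user_mode_imports."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ (64-bit) changes thunk width
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    dirs = opt + (112 if plus else 96)                       # IMAGE_DATA_DIRECTORY[16]
    import_rva, reloc_rva = (struct.unpack_from("<I", data, dirs + 8 * i)[0] for i in (1, 5))
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    thunk_fmt, thunk_size, ordinal_bit = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports = {}
    off = _rva_to_offset(import_rva, sections) if import_rva else None
    while off is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                    # all-zero descriptor ends the table
            break
        names, toff = [], _rva_to_offset(ilt or iat, sections)  # bound imports may zero the ILT
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, toff)[0]
            if thunk == 0:
                break
            names.append("#%d" % (thunk & 0xFFFF) if thunk & ordinal_bit
                         else _cstring(data, _rva_to_offset(thunk, sections) + 2))  # skip WORD hint
            toff += thunk_size
        imports[_cstring(data, _rva_to_offset(name_rva, sections))] = names
        off += 20
    user_mode = [m for m in imports if m.lower() not in KERNEL_MODULES and not m.lower().endswith(".sys")]
    return {"subsystem": SUBSYSTEMS.get(subsystem, "other(%d)" % subsystem),
            "dll": bool(chars & IMAGE_FILE_DLL), "relocations": reloc_rva != 0,
            "imports": imports, "user_mode_imports": sorted(user_mode)}


def build_test_image(imports, subsystem, dll=True, reloc=False):
    """Constructed test input: a minimal PE32 whose single .idata section holds the given
    {module: [function, ...]} import table. Not a loadable image."""
    sec_rva, sec_raw, descs = 0x1000, 0x200, b""
    body = bytearray(20 * (len(imports) + 1))            # descriptor table + zero terminator
    for module, funcs in imports.items():
        name_rva, hints = sec_rva + len(body), []
        body += module.encode("ascii") + b"\0"
        for f in funcs:
            body += b"\0" * (len(body) % 2)              # IMAGE_IMPORT_BY_NAME is WORD aligned
            hints.append(sec_rva + len(body))
            body += struct.pack("<H", 0) + f.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
        ilt_rva, iat_rva = sec_rva + len(body), sec_rva + len(body) + len(thunks)
        body += thunks + thunks                          # ILT and IAT are identical on disk
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
    body[:len(descs)] = descs
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000, 0x1000, 0x200)         # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, sec_rva, len(descs) + 20)  # import directory
    if reloc:  # empty base-relocation block; inspect_pe only tests that the directory is set
        struct.pack_into("<II", opt, 96 + 8 * 5, sec_rva + len(body), 8)
        body += b"\0" * 8
    chars = 0x0002 | 0x0100 | (IMAGE_FILE_DLL if dll else 0)          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), chars)
    sec_hdr = (struct.pack("<8sIIII", b".idata", len(body), sec_rva, len(body), sec_raw)
               + b"\0" * 12 + struct.pack("<I", 0xC0000040))         # INITIALIZED_DATA | READ | WRITE
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)) + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(image + b"\0" * (sec_raw - len(image)) + body)
```

Feed `inspect_pe(open("BeaEngine.dll", "rb").read())` a real file and the `user_mode_imports` entry lists the KERNEL32.dll dependency that the IDA dump above shows, while `subsystem` answers revolution's native/gui/console question; for an image like example.sys the list comes back empty because everything resolves to ntoskrnl.exe.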
revolution 31 Dec 2009, 21:24
LocoDelAssembly wrote:
PS: Something I've noticed with my test box (an unpatched WinXP SP2) is that once you load the driver and get the ERROR_BAD_DRIVER error, no matter how many times you replace (or even delete) BeaEngine.dll with a good one, you'll keep getting that error, so when testing I have to change names to avoid rebooting. It seems that WinXP remembers the names of the bad DLLs and refuses to load the driver.

PS2: And replacing the good one with the bad one (or just deleting it) after loading the driver does not make the driver fail, so it seems that the old one is still in memory.
OMG! So that is why Windows *must* be rebooted when updating things?

But I can load and unload drivers (when logged in as admin) without having to reboot. But now that I think about it, I was never importing a DLL in my driver. Thanks for the useful info.
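The probe LocoDelAssembly runs (register the .sys as a kernel-driver service, call StartService, read the Win32 error right after it, then unload), as an added example in Python with ctypes; it is not code from this thread. It is Windows-only and needs administrator rights. The per-attempt service-name suffix and the base name "fasmtest" are assumptions chosen so that every try registers under a new name, the workaround described above for the stale-name behaviour; the error table covers only the codes named in this thread plus the two service-manager errors the probe itself can hit.

```python
"""Added example, not code from this thread: the StartService probe LocoDelAssembly
describes, done from Python with ctypes so the Win32 error right after StartService is
read directly. Windows-only, needs administrator rights; error_name() is pure."""
import ctypes
import os
import time

# Win32 error codes named in the thread, plus the two this probe itself can run into
WIN32_ERRORS = {0: "ERROR_SUCCESS", 87: "ERROR_INVALID_PARAMETER", 127: "ERROR_PROC_NOT_FOUND",
                1056: "ERROR_SERVICE_ALREADY_RUNNING", 1073: "ERROR_SERVICE_EXISTS",
                2001: "ERROR_BAD_DRIVER"}
SC_MANAGER_ALL_ACCESS, SERVICE_ALL_ACCESS = 0xF003F, 0xF01FF
SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, SERVICE_CONTROL_STOP = 1, 3, 1, 1


def error_name(code):
    """Symbolic name for a Win32 error code; unknown codes come back as ERROR_<n>."""
    return WIN32_ERRORS.get(code, "ERROR_%d" % code)


def fresh_service_name(base, stamp=None):
    """A service name that differs per attempt (assumption: a clock-derived suffix is enough),
    so a retry never reuses the name of a previous failed registration."""
    stamp = time.time() if stamp is None else stamp
    return "%s_%x" % (base, int(stamp * 1000) & 0xFFFFFF)


class SERVICE_STATUS(ctypes.Structure):
    _fields_ = [(f, ctypes.c_uint32) for f in ("dwServiceType", "dwCurrentState", "dwControlsAccepted",
                "dwWin32ExitCode", "dwServiceSpecificExitCode", "dwCheckPoint", "dwWaitHint")]


def try_load_driver(sys_path, base_name="fasmtest"):
    """Register sys_path as a kernel-driver service, start it, and return
    (started, win32_error); the service is stopped and deleted again before returning."""
    c = ctypes
    adv = c.WinDLL("advapi32", use_last_error=True)          # raises on non-Windows hosts
    adv.OpenSCManagerW.restype = adv.CreateServiceW.restype = c.c_void_p
    adv.OpenSCManagerW.argtypes = [c.c_wchar_p, c.c_wchar_p, c.c_uint32]
    adv.CreateServiceW.argtypes = ([c.c_void_p, c.c_wchar_p, c.c_wchar_p] + [c.c_uint32] * 4
                                   + [c.c_wchar_p, c.c_wchar_p, c.c_void_p] + [c.c_wchar_p] * 3)
    adv.StartServiceW.argtypes = [c.c_void_p, c.c_uint32, c.c_void_p]
    adv.ControlService.argtypes = [c.c_void_p, c.c_uint32, c.POINTER(SERVICE_STATUS)]
    adv.DeleteService.argtypes = adv.CloseServiceHandle.argtypes = [c.c_void_p]

    scm = adv.OpenSCManagerW(None, None, SC_MANAGER_ALL_ACCESS)
    if not scm:
        return False, c.get_last_error()
    name = fresh_service_name(base_name)
    svc = adv.CreateServiceW(scm, name, name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
                             SERVICE_ERROR_NORMAL, os.path.abspath(sys_path), None, None, None, None, None)
    if not svc:
        err = c.get_last_error()
        adv.CloseServiceHandle(scm)
        return False, err
    started = bool(adv.StartServiceW(svc, 0, None))
    err = 0 if started else c.get_last_error()               # the LastErr read "just after StartService"
    if started:                                              # driver is loaded; unload it again
        adv.ControlService(svc, SERVICE_CONTROL_STOP, c.byref(SERVICE_STATUS()))
    adv.DeleteService(svc)                                   # removed once the handles are closed
    adv.CloseServiceHandle(svc)
    adv.CloseServiceHandle(scm)
    return started, err


if __name__ == "__main__":
    import sys
    started, code = try_load_driver(sys.argv[1])
    print("%s: %s (%d)" % ("loaded and unloaded" if started else "StartService failed", error_name(code), code))
```

Run it as `python load_probe.py example.sys` from an elevated prompt; an ERROR_PROC_NOT_FOUND (127) is the result described above for a driver importing GetTickCount from KERNEL32.DLL, and ERROR_BAD_DRIVER (2001) or ERROR_INVALID_PARAMETER (87) are the two outcomes reported for the BeaEngine.dll experiments. The driver's own DriverUnload must be correct for the stop to succeed; the probe does not check that.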
LocoDelAssembly 31 Dec 2009, 22:03
revolution, I've prepared a test in case you want to do extra checks. This is what I get with dbgview:
Code:
00000000  0.00000000      Number = 1      
00000001    0.08812489      Number = 1      
00000002    0.15256101      Number = 1

I've also tested on my non-virtualized WinXP SP3 and the results (besides slight variations in the times) were the same.

If possible, please check whether I'm unloading the driver correctly (the code isn't mine).


Attachment: revolution.zip (5.38 KB)
beatrix



Joined: 30 Dec 2009
Posts: 1
beatrix 01 Jan 2010, 10:01
Hi,

just a message to say that LocoDelAssembly is right when he says it is better to use format MS COFF to build the object file and then link it with the .lib. I have tried that solution (with the PellesC linker) and it works fine. Here is a small test of that (see attachment).


Attachment: fasm.zip (377.45 KB)
Copyright © 1999-2025, Tomasz Grysztar.