flat assembler
Message board for the users of flat assembler.
Windows > PE Native ... extrn ??? (page 2 of 3)
LocoDelAssembly 30 Dec 2009, 18:41
Seems I'm too late...

> You want to download the following file:

The people who downloaded earlier than me are now heavily working on the solution?
ouadji 30 Dec 2009, 19:20
ok
LocoDelAssembly 30 Dec 2009, 20:13
ouadji, I've been playing with the MASM example but no luck either. I'm starting to believe this DLL can't be imported in kernel-mode and you'll need the MS COFF + linker approach (in which case you'll use static linking like the MASM example, so there will be no DLL).
I'll try more later.
ouadji 30 Dec 2009, 20:30
ok, thank you very much. I contacted the developer of this dll. We'll see what he can say about it.
LocoDelAssembly 30 Dec 2009, 20:34
And in a second analysis I see that the driver imports nothing from KERNEL32.DLL (only from ntoskrnl.exe) whereas BeaEngine.DLL does.
Perhaps having a DLL is still possible, but you'll need to compile it in such a way that it uses DLLs and services available in kernel-mode (like ntoskrnl.exe, ntdll.dll, etc.).

PS: I've tried importing GetTickCount from KERNEL32.DLL but the driver fails to load with error ERROR_PROC_NOT_FOUND (without BSOD; this error is the LastErr just after the StartService call).

PS2: Does anyone know if linking using the interpreter layer of fasm is feasible? Would it be very hard?

PS3: In case it isn't obvious, it is documented that you can't use user-mode DLLs in drivers (like kernel32, gdi32, user32, etc.). I've tried importing GetTickCount just to see if at least it could be loaded without crashing, but it turned out that it can't even start...
ouadji 30 Dec 2009, 20:49
Hmm, I understand.
The driver imports nothing from KERNEL32.DLL ... but BeaEngine, yes! It would be quite possible that the problem lies in that direction. This "dll" would be usable only from ring3? Nice job LocoDelAssembly, thank you.
ouadji 30 Dec 2009, 20:54
> PS3

ok ... in this case, if BeaEngine uses functions from user-mode DLLs, then it's not possible to use BeaEngine from ring0.

EDIT: Do you know the functions that BeaEngine imports from user-mode DLLs? Just one ... to talk about this with the developer of this dll.
LocoDelAssembly 30 Dec 2009, 21:13
Code:
.idata:1003A1A8 ;
.idata:1003A1A8 ; Imports from KERNEL32.dll
.idata:1003A1A8 ;
.idata:1003A1A8 ; ---------------------------------------------------------------------------
.idata:1003A1A8
.idata:1003A1A8 ; Segment type: Externs
.idata:1003A1A8 ; _idata
.idata:1003A1A8 ; BOOL __stdcall VirtualFree(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType)
.idata:1003A1A8 extrn VirtualFree:dword ; DATA XREF: sub_10032400+BFr
.idata:1003A1AC ; HANDLE __stdcall HeapCreate(DWORD flOptions,DWORD dwInitialSize,DWORD dwMaximumSize)
.idata:1003A1AC extrn HeapCreate:dword ; DATA XREF: sub_10032800+9r
.idata:1003A1B0 ; BOOL __stdcall HeapDestroy(HANDLE hHeap)
.idata:1003A1B0 extrn HeapDestroy:dword ; DATA XREF: sub_10032820+6r
.idata:1003A1B4 ; LPVOID __stdcall HeapAlloc(HANDLE hHeap,DWORD dwFlags,DWORD dwBytes)
.idata:1003A1B4 extrn HeapAlloc:dword ; DATA XREF: sub_10032840+Dr
.idata:1003A1B8 ; LPVOID __stdcall HeapReAlloc(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem,DWORD dwBytes)
.idata:1003A1B8 extrn HeapReAlloc:dword ; DATA XREF: .text:10032873r
.idata:1003A1BC ; BOOL __stdcall HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
.idata:1003A1BC extrn HeapFree:dword ; DATA XREF: sub_10032880+Dr
.idata:1003A1C0 ; DWORD __stdcall HeapSize(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
.idata:1003A1C0 extrn HeapSize:dword ; DATA XREF: .text:100328AFr
.idata:1003A1C4 ; BOOL __stdcall HeapValidate(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
.idata:1003A1C4 extrn HeapValidate:dword ; DATA XREF: .text:100328DDr
.idata:1003A1C8 ; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
.idata:1003A1C8 extrn GetSystemTimeAsFileTime:dword
.idata:1003A1C8 ; DATA XREF: sub_100328F0+5r
.idata:1003A1C8 ; .text:1003290Br
.idata:1003A1CC ; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
.idata:1003A1CC extrn GetStartupInfoA:dword ; DATA XREF: sub_10032950+57r
.idata:1003A1D0 ; DWORD __stdcall GetFileType(HANDLE hFile)
.idata:1003A1D0 extrn GetFileType:dword ; DATA XREF: sub_10032950+122r
.idata:1003A1D0 ; sub_10032950+1B1r
.idata:1003A1D4 ; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
.idata:1003A1D4 extrn GetStdHandle:dword ; DATA XREF: sub_10032950+19Dr
.idata:1003A1D8 ; HANDLE GetCurrentProcess(void)
.idata:1003A1D8 extrn GetCurrentProcess:dword ; DATA XREF: sub_10032950+1BEr
.idata:1003A1D8 ; sub_10032950+1C7r
.idata:1003A1DC ; BOOL __stdcall DuplicateHandle(HANDLE hSourceProcessHandle,HANDLE hSourceHandle,HANDLE hTargetProcessHandle,LPHANDLE lpTargetHandle,DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwOptions)
.idata:1003A1DC extrn DuplicateHandle:dword ; DATA XREF: sub_10032950+1E0r
.idata:1003A1E0 ; UINT __stdcall SetHandleCount(UINT uNumber)
.idata:1003A1E0 extrn SetHandleCount:dword ; DATA XREF: sub_10032950+235r
.idata:1003A1E4 ; LPSTR GetCommandLineA(void)
.idata:1003A1E4 extrn GetCommandLineA:dword ; DATA XREF: sub_10032D80+Br
.idata:1003A1E8 ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:1003A1E8 extrn GetModuleFileNameA:dword ; DATA XREF: sub_10032D80+26r
.idata:1003A1EC ; LPSTR GetEnvironmentStrings(void)
.idata:1003A1EC extrn GetEnvironmentStrings:dword
.idata:1003A1EC ; DATA XREF: sub_10032E20+9r
.idata:1003A1F0 ; BOOL __stdcall FreeEnvironmentStringsA(LPSTR)
.idata:1003A1F0 extrn FreeEnvironmentStringsA:dword
.idata:1003A1F0 ; DATA XREF: sub_10032E20+B0r
.idata:1003A1F4 ; void __stdcall ExitProcess(UINT uExitCode)
.idata:1003A1F4 extrn ExitProcess:dword ; DATA XREF: sub_10034220+5r
.idata:1003A1F8 ; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect)
.idata:1003A1F8 extrn VirtualAlloc:dword ; DATA XREF: sub_10035010+24r
.idata:1003A1F8 ; sub_10035010+8Ar
.idata:1003A1FC ; DWORD __stdcall VirtualQuery(LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,DWORD dwLength)
.idata:1003A1FC extrn VirtualQuery:dword ; DATA XREF: sub_10035010+3Fr
.idata:1003A200
.idata:1003A200

But please note that the driver example does contain BeaEngine BUT statically linked (i.e. no BeaEngine.dll), and does not import any memory handling routines (this part is odd; perhaps the linking removes unused functions, or perhaps the run-time code added by the compiler of the DLL contains the calls to those kernel32 functions). These are the imports from example.sys:

Code:
.idata:00437040 ;
.idata:00437040 ; Imports from ntoskrnl.exe
.idata:00437040 ;
.idata:00437040 ; ---------------------------------------------------------------------------
.idata:00437040
.idata:00437040 ; Segment type: Externs
.idata:00437040 ; _idata
.idata:00437040 extrn __imp_DbgPrint:dword ; DATA XREF: DbgPrintr
.idata:00437044 extrn __imp_strcpy:dword ; DATA XREF: strcpyr
.idata:00437048 extrn __imp_strlen:dword ; DATA XREF: strlenr
.idata:0043704C extrn __imp_sprintf:dword ; DATA XREF: sprintfr
.idata:00437050 extrn __imp_memset:dword ; DATA XREF: memsetr
.idata:00437054
.idata:00437054
ouadji 30 Dec 2009, 21:53
ok, thank you.
I contacted the developer of BeaEngine. He already answered; he will reflect on this problem and then contact me. I will post on the forum all infos and feedback about this. (oops, my English ... not easy, I hope you understand me)
LocoDelAssembly 30 Dec 2009, 23:29
Well, I've now edited the DLL to remove all imports and I've also edited the entry point to do just MOV EAX, 1 / RET 12, but it insists with the bad driver thing...
I really don't know what else could be the problem; perhaps DLLs for drivers can't have relocations? Maybe they are marked somewhat differently?

PS: Tried renaming to beaengine1.dll and now I get ERROR_INVALID_PARAMETER. OK, enough for today.
ouadji 30 Dec 2009, 23:41
thank you for your work and your help ... thank you very much! I'll wait for the view of the developer of BeaEngine. Good evening and good night and ... feliz año nuevo 2010! (LocoDelAssembly ... ... yo también)
revolution 31 Dec 2009, 02:36
Is beaengine.dll tagged as 'native' or 'gui'?
ouadji 31 Dec 2009, 09:50
I don't understand your question. "tagged" (??) (Sorry, my English isn't very good)
revolution 31 Dec 2009, 10:15
Code:
format pe native
format pe gui

A different file format is produced. If beaengine.dll is compiled as GUI then perhaps it can't be linked in kernel mode?
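As an added example (not code from the thread, from fasm or from BeaEngine): a small Python reader for the two things checked by hand in this thread, the Subsystem field that decides "native" versus "gui" and the import directory that LocoDelAssembly dumped with IDA, reporting why an image would not be usable as a driver dependency. The list of user-mode DLLs and the minimal test image built by build_pe are assumptions made for the example.

```python
# Added example, not code from the thread: read a PE's Subsystem and import table.
import struct

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
USER_MODE_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "msvcrt.dll"}  # assumed list

def pe_summary(data):
    """Return (subsystem name, [imported DLL names]) for a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)        # COFF header fields
    opt = pe + 24                                                     # optional header start
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]            # DataDirectory[1].VirtualAddress
    sections = [struct.unpack_from("<III", data, opt + optsize + 40 * i + 12)
                for i in range(nsec)]                                 # (VA, SizeOfRawData, PointerToRawData)

    def off(rva):                                                     # RVA -> file offset
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)
    dlls, d = [], off(imp_rva) if imp_rva else None
    while d is not None and struct.unpack_from("<I", data, d + 12)[0]:  # Name RVA; 0 ends the list
        name_off = off(struct.unpack_from("<I", data, d + 12)[0])
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode())
        d += 20                                                       # next IMAGE_IMPORT_DESCRIPTOR
    return SUBSYSTEMS.get(subsystem, str(subsystem)), dlls

def kernel_mode_problems(data):
    """Reasons the kernel loader would reject this image as a driver dependency."""
    subsystem, dlls = pe_summary(data)
    problems = [] if subsystem == "NATIVE" else ["subsystem is %s, not NATIVE" % subsystem]
    return problems + ["imports user-mode DLL %s" % n for n in dlls if n.lower() in USER_MODE_DLLS]

def build_pe(subsystem, dlls):
    """Constructed minimal PE32 (headers plus one .idata section) used only as test input."""
    va, raw, descs, names = 0x1000, 0x200, b"", b""
    for name in dlls:                                                 # one IMAGE_IMPORT_DESCRIPTOR per DLL
        descs += struct.pack("<IIIII", 0, 0, 0, va + 20 * (len(dlls) + 1) + len(names), 0)
        names += name.encode() + b"\0"
    body = descs + b"\0" * 20 + names                                 # all-zero descriptor terminates
    opt = (struct.pack("<H", 0x10B) + b"\0" * 66 + struct.pack("<H", subsystem) + b"\0" * 34
           + struct.pack("<II", va, len(descs) + 20)).ljust(224, b"\0")
    sec = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(body), va, len(body), raw)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102) + opt + sec.ljust(40, b"\0"))
    return hdr.ljust(raw, b"\0") + body
```

Run pe_summary on a real file's bytes to get the same two facts the thread obtained with IDA and the fasm format line; kernel_mode_problems returns an empty list only for a NATIVE image with no flagged imports.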
ouadji 31 Dec 2009, 11:15
ok, I understand now, thank you. http://beatrix2004.free.fr/BeaEngine/index1.php BeaEngine.lib (and ".dll") is a library coded in C. Look at the link above, it's the website of this DLL. It is a disassembler engine.
LocoDelAssembly 31 Dec 2009, 20:00
revolution, I've tried with this DLL:
Code:
; DLL creation example

format PE gui 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,TRUE
        ret
endp

proc Disasm
        xor     eax, eax
        ret
endp

section '.data' data readable writable

data export
  export 'BeaEngine.DLL',\
         Disasm,'Disasm'
end data

section '.reloc' data fixups readable writable

Perhaps I didn't edit the DLL properly or there is something more... In any case, even if I manage to get it to work it wouldn't be reliable; the DLL *IS* targeted at user-mode, and perhaps it will never work correctly in "hybrid mode" like ntdll.dll does.

ouadji, I think you had better use the MS COFF format and a linker just like the MASM example does (linking statically so the DLL is not used), or try to compile the DLL in such a way that it is suitable for kernel-mode use. I have no idea how to do this though; I guess it should be a "native" option or something like that in the linker (but it won't be like ntdll.dll in that case, it would be more like HAL.DLL, which is native).

Also, BeaEngine.dll is pageable, which could give you some BSODs of IRQL_NOT_LESS_OR_EQUAL if you don't call it at the appropriate times (not in the example of course; DriverEntry is called at an IRQL that is suitable for calling pageable code and reading/writing pageable data).

> and ... feliz año nuevo 2010 !

You too.

PS: Something I've noticed with my test box (an unpatched WinXP SP2) is that once you load the driver and get the ERROR_BAD_DRIVER error, no matter how many times you replace (or even delete) BeaEngine.dll with a good one, you'll keep getting that error, so when testing I have to change names to avoid rebooting. Seems that WinXP remembers the names of the bad DLLs and refuses to load the driver.

PS2: And replacing the good one with the bad one (or just deleting it) after loading the driver does not make the driver fail, so it seems that the old one is still in memory.
revolution 31 Dec 2009, 21:24
> LocoDelAssembly wrote: PS: Something I've noticed with my test box (and unpatched WinXP SP2), is that once you load the driver and get the ERROR_BAD_DRIVER error is that no matter how many times you replace (or even delete) BeaEngine.dll with a good one, you'll keep getting that error, so when testing I've to change names to avoid rebooting. Seems that WinXP remembers the names of the bad DLLs and refuses to load the driver.

But I can load and unload drivers (when logged in as admin) without having to reboot. But now that I think about it, I was never importing a DLL in my driver. Thanks for the useful info.
LocoDelAssembly 31 Dec 2009, 22:03
revolution, I've prepared a test in case you want to do extra checks. This is what I get with dbgview:
Code:
00000000 0.00000000 Number = 1
00000001 0.08812489 Number = 1
00000002 0.15256101 Number = 1

If possible please check whether I'm unloading the driver correctly (the code isn't mine).
beatrix 01 Jan 2010, 10:01
Hi,
just a message to say that LocoDelAssembly is right when he says it is better to use format MS COFF to build the object file and then link it with the .lib. I have tried that solution (with the PellesC linker) and it works fine. Here is a small test about that (see attachment).
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.