flat assembler
Message board for the users of flat assembler.

Index > Windows > PE Native ... extrn ???

Goto page Previous  1, 2, 3
Author
Thread Post new topic Reply to topic
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji

thank for all LocoDelAssembly, thank you Revolution,

thank you Bea Wink

The linker of Fasm is not powerful enough in this case for create de link with BeaEngine.lib
use a format "MS COFF" and an external linker, it's the right way.
This is the right solution.

Post 01 Jan 2010, 11:38
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
Or you could rewrite BeaEngine in assembly. Wink
Post 01 Jan 2010, 11:39
View user's profile Send private message Visit poster's website Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji

I would have liked to have the view of Mr Tomasz Grysztar about this problem.

Please Mr Grysztar, what's your view about this ?

thank you very much.

Post 01 Jan 2010, 11:50
View user's profile Send private message Send e-mail Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:

The linker of Fasm is not powerful enough
It is soo, soooo weak that there is no linker in fasm in first place Wink

However, you can use any just like with MASM, it is just fasm package that doesn't provide one.

Thanks beatrix for doing the job, I was about to do the same today since I've just downloaded the WDK (to have ntoskrnl.lib, though a I haven't checked first if PellesC already comes with it...), but now I won't have to.

BTW, if someone else wants to try that thing I've prepared for revolution you're of course welcome to try.
Post 01 Jan 2010, 16:06
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
LocoDelAssembly wrote:
revolution, I've prepared a test in case you want to do extra checks. This is what I get with dbgview:
Code:
00000000      0.00000000      Number = 1      
00000001    0.08812489      Number = 1      
00000002    0.15256101      Number = 1          
I've also tested in my no-virtualized WinXP SP3 and the results (besides slight variations in the times) were the same.

If possible please check if I'm not unloading the driver correctly (the code isn't mine).
Sorry, I missed this message.

I can't test it here, I don't have a VM or kernel debugger installed.

However a couple of things I noticed from the .asm file:

1) The IAT is in a separate section from the main imports.
2) The INIT section is marked as executable.

I've always put the IAT in the same section as the imports and only marked sections with code as executable. Perhaps it makes no difference but it looks weird.
Post 01 Jan 2010, 20:09
View user's profile Send private message Visit poster's website Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji

LocoDelAssembly :

no linker ? yes, in this case, the linker is of course very weak Razz

I tried with "Format MS COFF" and the linker of "PellesC",
it works without problem !
I'm happy. Wink (thank you Béa and LocoDA)

Post 01 Jan 2010, 20:12
View user's profile Send private message Send e-mail Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:
1) The IAT is in a separate section from the main imports.
2) The INIT section is marked as executable.
I based my code on the driver example in the link I've posted earlier, don't know whether all of that is needed or not but since it worked I followed it. I think the idea of using the data 12 (which is really needed anyway?) on a separate section was because that section is not discardable whereas the INIT section is.

Quote:
I can't test it here, I don't have a VM or kernel debugger installed.
You don't need a debugger, with DebugView(286 KB) is just enough (remember to go to Capture>Capture Kernel)
Post 01 Jan 2010, 20:31
View user's profile Send private message Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji
I read your conversation
but ... What is "data 12" ??? ... Embarassed
LocoDelAssembly or Revolution,
could you explain me a little, or give me a link about it.
thank very much

Post 01 Jan 2010, 20:46
View user's profile Send private message Send e-mail Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Iirc drivers are only allowed to import from a list of predefined DLLs - so rewriting BeaEngine.dll for "format PE native" and not importing from usermode DLLs probably won't help you at all.

The "refuse to load after DLL error" thing sounds a bit strange - tried deleting the driver reference from the SCM? Do you have unclosed handle opens? etc.
Post 01 Jan 2010, 20:59
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
'data 12' is part of the PE header section. There are generally 16 data sections defined and number 12 is the 'ImportAddressTable' or IAT.

ExportTable is data 0
ImportTable is data 1
Resource_Table is data 2
Exception_Table is data 3
Certificate_Table is data 4
Relocation_Table is data 5
Debug_Data is data 6
Architecture is data 7
Global_PTR is data 8
TLS_Table is data 9
Load_Config_Table is data 10
BoundImportTable is data 11
ImportAddressTable is data 12
DelayImportDescriptor is data 13
COMplusRuntimeHeader is data 14
Post 01 Jan 2010, 21:00
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:

The "refuse to load after DLL error" thing sounds a bit strange
After BAD_DRIVER error, if the error was FILE_NOT_FOUND (the DLL was not there yet), then I'm still able to run the driver when I provide the correct DLL.

Quote:

- tried deleting the driver reference from the SCM? Do you have unclosed handle opens? etc.
I guess the loader code does that (test.asm). I don't have open handles and is not feasible to have any actually because DriverEntry returns an error code intentionally so the driver always kills itself after doing some debug prints.
Post 01 Jan 2010, 21:18
View user's profile Send private message Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji

Revolution :

'data 12' is part of the PE header section
ImportAddressTable is data 12

ok, it's enough so that I can now search by myself.
thank you Wink


_________________
I am not young enough to know everything (Oscar Wilde)- Image
Post 01 Jan 2010, 21:24
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.