

semiono
Please, gurus, help me! How do I rebuild this source for PE64?

Code:
; pkill — terminates every running process whose image name is given on the
; command line (e.g. "pkill.exe calc.exe").
; Syntax: flat assembler (Intel operand order); win32ax.inc supplies the
; 'invoke'/'stdcall' macros and the Win32 equates used below (PROCESS_TERMINATE,
; FALSE, MAX_PATH, ...).
; Target: 32-bit Windows PE.  The section layout is unusual: code and variables
; are assembled into the '.rsrc' and '.idata' sections instead of '.text'/'.data'.
include '%fasm%\win32ax.inc'
entry start

; Resources: four icon images (one group) and a VERSIONINFO block.
; NOTE(review): a resource section only needs 'resource data readable'.
; 'executable' and 'writeable' are here because the code at 'start:' and its
; variables are assembled into this same section, which makes it RWX.
section '.rsrc' resource data executable readable writeable
        ; resource directory: three resource types, each pointing at a list below
        directory RT_ICON,icons,RT_GROUP_ICON,group_icons,RT_VERSION,versions

        ; icon images 1..4 (language-neutral), grouped under group ID 17
        resource icons,\
        1,LANG_NEUTRAL,icon_data1,\
        2,LANG_NEUTRAL,icon_data2,\
        3,LANG_NEUTRAL,icon_data3,\
        4,LANG_NEUTRAL,icon_data4
        resource group_icons,17,LANG_NEUTRAL,main_icon
        resource versions,1,LANG_NEUTRAL,version

        ; icon files are read from %fasm% at assembly time
        icon main_icon,\
        icon_data1,'%fasm%\exec1.ico',\
        icon_data2,'%fasm%\exec2.ico',\
        icon_data3,'%fasm%\exec3.ico',\
        icon_data4,'%fasm%\exec4.ico'

        ; VERSIONINFO resource: file description and version strings
        versioninfo version,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ENGLISH+SUBLANG_DEFAULT,0,\
                    'FileDescription','pkill...',\
                    'LegalCopyright','2001-2005 GmbH',\
                    'FileVersion','1.0.0.0',\
                    'ProductVersion','1.0.0.0',\
                    'OriginalFilename','pkill.exe',\
                    'Company','Semiono'

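;-----------------------------------------------------------------------
; start — program entry point (never returns).
;
; Usage:  pkill.exe <image name>      e.g. pkill.exe calc.exe
; Enables SeDebugPrivilege (AdjustMyToken), then repeatedly looks up a
; process named argv[1] (findProcessID, case-insensitive) and terminates
; it, until no matching process is left.
;
; ABI:    32-bit Windows; Win32 APIs are stdcall via win32ax 'invoke'.
; Exit:   ExitProcess(0) on every path.  Failures (no argument, process
;         not found, OpenProcess/TerminateProcess refused) only stop the
;         loop; no message and no nonzero exit code are produced.
; Fixes vs. the previous version: a NULL result from CommandLineToArgvW
; is no longer dereferenced; the argv block is released with LocalFree;
; the process handle is closed explicitly instead of through a stale push;
; and a process that cannot be opened or terminated ends the loop instead
; of being re-found forever.
;
; NOTE(review): this code is assembled into the '.rsrc' section, which is
; declared 'executable readable writeable' — code and writable data share
; one RWX section.  A separate '.text' (readable executable) and '.data'
; (readable writeable) section is the usual layout.
;-----------------------------------------------------------------------
start:
        invoke  GetCommandLine
        invoke  CommandLineToArgv,eax,argsNum
        test    eax,eax
        jz      .exit                   ; CommandLineToArgvW failed: nothing to free
        mov     [argv],eax              ; keep the argv block so it can be freed later
        cmp     dword[argsNum],1
        jbe     .free                   ; no process name given: just exit
        call    AdjustMyToken           ; best effort; a refused OpenProcess ends the loop below
.kill_next:
        mov     eax,[argv]
        push    dword[eax+4]            ; argv[1]; findProcessID pops it (retn 4)
        call    findProcessID
        test    eax,eax
        jz      .free                   ; no (more) process with that name
        invoke  OpenProcess,PROCESS_TERMINATE,FALSE,eax
        test    eax,eax
        jz      .free                   ; access denied etc.: stop, otherwise the same PID is found again forever
        mov     [hProcess],eax
        invoke  TerminateProcess,eax,1
        push    eax                     ; keep the TerminateProcess result across CloseHandle
        invoke  CloseHandle,[hProcess]
        pop     eax
        test    eax,eax
        jnz     .kill_next              ; killed one instance; look for another
.free:
        invoke  LocalFree,[argv]
.exit:
        invoke  ExitProcess,0

        argsNum         dd ?            ; argument count written by CommandLineToArgvW
        argv            dd ?            ; LPWSTR* block from CommandLineToArgvW (released with LocalFree)
        hProcess        dd ?            ; handle of the process currently being terminated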

; Import section.  Wide (W) entry points are bound for everything that handles
; the process name, so the LPWSTR argv from CommandLineToArgvW goes straight
; to lstrcmpiW / Process32FirstW / Process32NextW without conversion.  The
; advapi32 names used by AdjustMyToken come from the api include below.
; NOTE(review): 'import data readable writeable' is what the loader needs
; (it writes the IAT); 'executable' is only here because AdjustMyToken and
; findProcessID are assembled into this section.
section '.idata' import data executable readable writeable
        library advapi32,'ADVAPI32.dll',kernel32,'KERNEL32.DLL',shell32,'SHELL32.DLL'
        include '%fasm%\api\advapi32.inc'
        import kernel32,OpenProcess,'OpenProcess',\
                        TerminateProcess,'TerminateProcess',\
                        CloseHandle,'CloseHandle',\
                        lstrcmpi,'lstrcmpiW',\
                        CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
                        Process32First,'Process32FirstW',\
                        Process32Next,'Process32NextW',\
                        GetCommandLine,'GetCommandLineW',\
                        LocalFree,'LocalFree',ExitProcess,'ExitProcess'
        import shell32,CommandLineToArgv,'CommandLineToArgvW'

        ; Token access rights and privilege attribute (winnt.h values).
        TOKEN_ADJUST_PRIVILEGES equ 20h ; required by AdjustTokenPrivileges
        TOKEN_QUERY             equ 8h  ; only needed when a PreviousState buffer is requested (not here)
        SE_PRIVILEGE_ENABLED    equ 2h  ; LUID_AND_ATTRIBUTES.Attributes: turn the privilege on

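;-----------------------------------------------------------------------
; AdjustMyToken — enable SeDebugPrivilege in this process's access token.
;
; C-equivalent: BOOL AdjustMyToken(void)   (plain 'call', no parameters)
; In:    nothing; uses the globals emptyStr, privName, tokenPriv, hToken
; Out:   eax = nonzero if the token was opened and AdjustTokenPrivileges
;              reported success, 0 if any step failed.  The caller in
;              this file ignores eax (a failed adjustment just means the
;              later OpenProcess may be refused).
; Clobb: eax, ecx, edx, flags; ebx/esi/edi/ebp untouched.
;
; NOTE: AdjustTokenPrivileges also returns nonzero when the token does not
; hold the privilege at all (GetLastError() == ERROR_NOT_ALL_ASSIGNED,
; e.g. when not running elevated).  GetLastError is not imported by this
; file, so that case is not distinguished here.
;-----------------------------------------------------------------------
AdjustMyToken:
        mov     dword[tokenPriv.PrivilegeCount],1
        mov     dword[tokenPriv.Attributes],SE_PRIVILEGE_ENABLED
        invoke  LookupPrivilegeValue,emptyStr,privName,tokenPriv.LUID1
        test    eax,eax
        jz      .done                   ; privilege name unknown: return 0
        invoke  OpenProcessToken,-1,TOKEN_ADJUST_PRIVILEGES OR TOKEN_QUERY,hToken  ; -1 = GetCurrentProcess() pseudo-handle
        test    eax,eax
        jz      .done                   ; token not opened: return 0, nothing to close
        invoke  AdjustTokenPrivileges,[hToken],FALSE,tokenPriv,0,0,0
        push    eax                     ; keep the result across CloseHandle
        invoke  CloseHandle,[hToken]
        pop     eax
.done:
        ret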

        emptyStr                db '',0                 ; lpSystemName for LookupPrivilegeValue: "" = local machine
        privName                db 'SeDebugPrivilege',0 ; lets OpenProcess succeed on processes this account could not otherwise open; held only by an elevated/administrator token

; TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry (16 bytes):
;   DWORD PrivilegeCount; LUID Luid { DWORD LowPart; LONG HighPart }; DWORD Attributes
; All four fields are 4 bytes wide on Win32 and Win64 alike.
struct TOKEN_PRIVILEGES
        PrivilegeCount          dd ?    ; number of entries that follow (always 1 here)
        LUID1                   dd ?    ; Luid.LowPart, filled in by LookupPrivilegeValue
        LUID2                   dd ?    ; Luid.HighPart
        Attributes              dd ?    ; SE_PRIVILEGE_ENABLED
ends

        hToken  dd ?                    ; token HANDLE written by OpenProcessToken (4 bytes on Win32)

        TH32CS_SNAPPROCESS      equ 2   ; tlhelp32.h: include the process list in the snapshot

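;-----------------------------------------------------------------------
; findProcessID — PID of the first running process whose image name equals
;                 the given name (case-insensitive, lstrcmpiW).
;
; C-equivalent: DWORD __stdcall findProcessID(LPCWSTR exeName)
; In:    [esp+4] = exeName (wide string, e.g. L"calc.exe"); the callee
;        pops it (retn 4), so the caller just pushes it and calls.
; Out:   eax = PID, or 0 when no process matched, the snapshot could not
;              be taken, or the enumeration failed.
; Clobb: eax, ecx, edx, flags; ebp and esi are saved and restored.
; Uses:  the global procEntry buffer (one shared buffer, not per call).
; Fixes vs. the previous version: the snapshot handle is closed on every
; path (it used to leak once per call), an INVALID_HANDLE_VALUE result is
; handled, and the entry returned by Process32First is compared too
; (it used to be skipped because Process32Next ran before the first compare).
;-----------------------------------------------------------------------
findProcessID:
        push    ebp
        push    esi
        mov     esi,[esp+12]            ; esi = exeName (above saved esi, saved ebp and the return address)
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        cmp     eax,-1                  ; INVALID_HANDLE_VALUE
        je      .fail
        mov     ebp,eax                 ; ebp = snapshot handle, live across the calls below
        mov     dword[procEntry.dwSize],sizeof.PROCESSENTRY32W
        invoke  Process32First,ebp,procEntry
.check:
        test    eax,eax                 ; eax = result of Process32First / Process32Next
        jz      .notfound               ; end of list (or enumeration error)
        invoke  lstrcmpi,procEntry.szExeFile,esi
        test    eax,eax
        jz      .found                  ; lstrcmpiW returns 0 on equal strings
        invoke  Process32Next,ebp,procEntry
        jmp     .check
.found:
        invoke  CloseHandle,ebp
        mov     eax,dword[procEntry.th32ProcessID]
        jmp     .done
.notfound:
        invoke  CloseHandle,ebp
.fail:
        xor     eax,eax
.done:
        pop     esi
        pop     ebp
        retn    4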

; PROCESSENTRY32W as laid out for 32-bit Windows (tlhelp32.h): nine 4-byte
; fields followed by WCHAR szExeFile[MAX_PATH].  th32DefaultHeapID is a
; ULONG_PTR, which is 4 bytes here; on Win64 it becomes 8 bytes (plus
; alignment padding before it) while the other fields keep their size.
struct PROCESSENTRY32W
        dwSize                  dd ?    ; must be set to sizeof before Process32FirstW
        cntUsage                dd ?
        th32ProcessID           dd ?    ; the PID returned by findProcessID
        th32DefaultHeapID       dd ?    ; ULONG_PTR
        th32ModuleID            dd ?
        cntThreads              dd ?
        th32ParentProcessID     dd ?
        pcPriClassBase          dd ?    ; LONG
        dwFlags                 dd ?
        szExeFile               dw MAX_PATH dup (?)     ; WCHAR[MAX_PATH], NUL-terminated image name
ends

        tokenPriv               TOKEN_PRIVILEGES <>     ; single-entry privilege block filled by AdjustMyToken
        procEntry               PROCESSENTRY32W <>      ; one shared enumeration buffer written by findProcessID

        align 4                 ; pad the section to a 4-byte boundary
    


What do you say about this 32-bit binary for the WinXP x64 platform?
It works normally, but maybe I don't see all the hidden problems?
I would like a true PE64 binary as well Confused

Does the import section need to be changed, or only the registers replaced? Please show! Smile

Post 13 Mar 2010, 02:48
a115433
using global variables = lame
there is no pe64, or at least I don't know about it; only pe32 and pe32+.

you don't check for errors.
invoke CloseHandle

no argument?


your imports have wrong names; look in the manual for the correct ones.
use heap functions instead of Local/Global.
Post 13 Mar 2010, 13:47
semiono
a115433 wrote:
using global varialbes = lame

Very Happy yes! ))

Quote:
invoke CloseHandle
no argument?

Ok, sorry!..

Post 13 Mar 2010, 17:07
semiono
PE > PE64
win32a.inc > win64a.inc
dword > qword
dd > dq
eax > rax etc...
align 4 > align 8
retn 4 > retn 8
It compiled with no errors! Smile

It doesn't work! Confused
Post 13 Mar 2010, 21:48
a115433
; Minimal PE32+ image: one read/execute section whose only instruction is an
; endless loop (jmp $).  Useful only as a smoke test that the 64-bit loader
; accepts the file; it has no writeable or executable-data sections.
format pe64

section '' readable executable
jmp $


does it work?
Post 13 Mar 2010, 22:08
LocoDelAssembly
If this is a question of whether "format pe64" works or not in Windows 64-bit, all examples in the package work and use "format PE64 GUI 5.0" except for WIN64\PE64DEMO
Post 13 Mar 2010, 22:40
semiono
It doesn't work (the kill doesn't work)
# pkill.exe calc.exe

Compilation doesn't report any errors

Code:
; 64-bit (PE32+) rebuild attempt of the 32-bit listing above.
; NOTE(review): on Win64 the first four integer arguments travel in
; rcx/rdx/r8/r9, the caller reserves 32 bytes of shadow space, and rsp must
; be 16-byte aligned at every call.  The 'invoke' macro from win64ax.inc
; presumably takes care of the register moves, but the hand-written
; push/pop and the 'dd -> dq' struct changes in this listing are reviewed
; line by line below; several of them are why the kill does not happen.
format PE64
include '%fasm%\win64ax.inc'
entry start

; Resource section (icon group and VERSIONINFO elided in this post).  As in
; the 32-bit listing, the code that follows is assembled into this RWX section.
section '.rsrc' resource data executable readable writeable
; ... (icons and versioninfo as in the 32-bit listing)

;-----------------------------------------------------------------------
; start — entry point of the 64-bit rebuild.  Same flow as the 32-bit
; version: enable SeDebugPrivilege, then find and terminate every process
; named argv[1].  The per-line notes below mark the conversions that are
; wrong for Win64.  The unpaired pushes also move rsp by 8 each, so rsp
; may no longer be 16-byte aligned at the later calls, which the Win64 ABI
; requires.
;-----------------------------------------------------------------------
start:
        invoke GetCommandLine
        invoke CommandLineToArgv,rax,argsNum    ; writes an int (4 bytes) to argsNum
        cmp qword[argsNum],1                    ; BUG: pNumArgs is a 32-bit int on Win64 too; compare dword[argsNum]
        push rax                                ; argv kept on the stack; never popped or LocalFree'd
        jbe @F  ; jump_if_below_or_equal: no argument given
                push qword[rax+4]               ; BUG: argv is an array of 8-byte pointers; argv[1] is at [rax+8]
                call AdjustMyToken
                stdcall findProcessID           ; findProcessID reads the pushed pointer at [rsp+16]
                test rax,rax
                jz @F
                invoke OpenProcess,PROCESS_TERMINATE,FALSE,rax
                push rax                        ; process handle: pushed but never closed or popped
                invoke TerminateProcess,rax,1
                invoke CloseHandle,[hToken]     ; BUG: closes the token handle (already closed inside AdjustMyToken) instead of the process handle
                jmp start                       ; each pass leaves two extra qwords on the stack
        @@:

        invoke ExitProcess,0

        argsNum dq ?                            ; only the low dword is written by CommandLineToArgvW

; Import section — unchanged from the 32-bit listing.  The export names are
; the same in the 64-bit system DLLs, so nothing here needs to change for
; PE64; what changes is how arguments are passed to them.
; NOTE(review): 'executable' is only needed because AdjustMyToken and
; findProcessID are assembled into this section.
section '.idata' import data executable readable writeable
        library advapi32,'ADVAPI32.dll',kernel32,'KERNEL32.DLL',shell32,'SHELL32.DLL'
        include '%fasm%\api\advapi32.inc'
        import kernel32,OpenProcess,'OpenProcess',\
                        TerminateProcess,'TerminateProcess',\
                        CloseHandle,'CloseHandle',\
                        lstrcmpi,'lstrcmpiW',\
                        CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
                        Process32First,'Process32FirstW',\
                        Process32Next,'Process32NextW',\
                        GetCommandLine,'GetCommandLineW',\
                        LocalFree,'LocalFree',ExitProcess,'ExitProcess'
        import shell32,CommandLineToArgv,'CommandLineToArgvW'

        ; Token access rights and privilege attribute (winnt.h values; identical on Win64).
        TOKEN_ADJUST_PRIVILEGES equ 20h ; required by AdjustTokenPrivileges
        TOKEN_QUERY             equ 8h  ; only needed when a PreviousState buffer is requested (not here)
        SE_PRIVILEGE_ENABLED    equ 2h  ; LUID_AND_ATTRIBUTES.Attributes: turn the privilege on

;-----------------------------------------------------------------------
; AdjustMyToken — 64-bit rebuild.  Enables SeDebugPrivilege in the current
; process token.  No result is checked here or by the caller.
; NOTE(review): TOKEN_PRIVILEGES is the same 16-byte structure on Win64
; (DWORD PrivilegeCount, LUID, DWORD Attributes); only the HANDLE in hToken
; grows to 8 bytes.  The qword stores below therefore spill into the next
; field, and the 'dq' struct further down has the wrong layout.
;-----------------------------------------------------------------------
AdjustMyToken:
        invoke LookupPrivilegeValue,emptyStr,privName,tokenPriv.LUID1   ; result not checked
        mov qword[tokenPriv.PrivilegeCount],1h                          ; BUG: PrivilegeCount is a DWORD -> mov dword[...],1
        mov qword[tokenPriv.Attributes],SE_PRIVILEGE_ENABLED            ; BUG: Attributes is a DWORD
        invoke OpenProcessToken,-1,TOKEN_ADJUST_PRIVILEGES OR TOKEN_QUERY,hToken  ; -1 = GetCurrentProcess() pseudo-handle; result not checked
        invoke AdjustTokenPrivileges,[hToken],FALSE,tokenPriv,0,0,0
        invoke CloseHandle,[hToken]                                     ; hToken is stale after this, yet 'start' closes it again
ret

        emptyStr                db '',0                 ; lpSystemName for LookupPrivilegeValue: "" = local machine
        privName                db 'SeDebugPrivilege',0 ; lets OpenProcess succeed on processes this account could not otherwise open; held only by an elevated/administrator token

; NOTE(review): the mechanical dd -> dq conversion is wrong here.  The Windows
; definition is DWORD PrivilegeCount; LUID Luid { DWORD LowPart; LONG HighPart };
; DWORD Attributes — four 4-byte fields (16 bytes) on Win32 and Win64 alike,
; so the 32-bit listing's 'dd' fields should be kept as they were.
struct TOKEN_PRIVILEGES
        PrivilegeCount          dq ?    ; should be dd
        LUID1                   dq ?    ; should be dd (Luid.LowPart)
        LUID2                   dq ?    ; should be dd (Luid.HighPart)
        Attributes              dq ?    ; should be dd
ends

        hToken  dq ?                    ; HANDLE is 8 bytes on Win64: this widening is correct

        TH32CS_SNAPPROCESS      equ 2   ; tlhelp32.h: include the process list in the snapshot

;-----------------------------------------------------------------------
; findProcessID — 64-bit rebuild of the Toolhelp lookup.
; In:    the caller pushes the process-name pointer; after 'push rbp' it
;        sits at [rsp+16] (saved rbp, return address, parameter).
; Out:   rax = PID of the first match, or 0.
; Also carried over from the 32-bit version: the snapshot handle is never
; closed, INVALID_HANDLE_VALUE is not checked, and the entry filled by
; Process32First is never compared (Process32Next runs before the first
; lstrcmpi).
;-----------------------------------------------------------------------
findProcessID: ; takes one parameter through stack: pointer to the process name
        push rbp
        invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov rbp,rax                                             ; rbp = snapshot handle (64-bit)
        mov qword[procEntry.dwSize],sizeof.PROCESSENTRY32W      ; BUG: dwSize is a DWORD; with the all-dq struct below the value is wrong as well
        invoke Process32First,rax,procEntry
        @@:
                invoke Process32Next,ebp,procEntry              ; BUG: ebp is the low half of the handle; should be rbp
                test rax,rax
                jz @F
                invoke lstrcmpi,procEntry.szExeFile,qword[rsp+16]  ; NOTE(review): only right if invoke does not adjust rsp before reading its arguments — check the generated code
                test rax,rax
        jnz @B
        mov rax,qword[procEntry.th32ProcessID]                  ; th32ProcessID is a DWORD: mov eax,dword[...] (zero-extends into rax)
        @@:
        pop rbp
retn 8                                                          ; pops the 8-byte parameter (stdcall-style; Win64 APIs themselves leave cleanup to the caller)

; NOTE(review): PROCESSENTRY32W on Win64 is not "all qwords".  Only
; th32DefaultHeapID is a ULONG_PTR (8 bytes, 8-byte aligned, so 4 bytes of
; padding precede it); every other numeric field stays a 4-byte DWORD/LONG,
; and szExeFile stays WCHAR[MAX_PATH] ('dw', not 'dd').  With this layout
; sizeof.PROCESSENTRY32W is 9*8 + 260*4 = 1112 rather than the real x64 size
; (568 — confirm with sizeof in a C compiler), so Process32FirstW will not
; place its fields where this code reads them.
struct PROCESSENTRY32W
        dwSize                  dq ?    ; should be dd
        cntUsage                dq ?    ; should be dd
        th32ProcessID           dq ?    ; should be dd, followed by 'dd ?' padding
        th32DefaultHeapID       dq ?    ; dq is right (ULONG_PTR)
        th32ModuleID            dq ?    ; should be dd
        cntThreads              dq ?    ; should be dd
        th32ParentProcessID     dq ?    ; should be dd
        pcPriClassBase          dq ?    ; should be dd
        dwFlags                 dq ?    ; should be dd
        szExeFile               dd MAX_PATH dup (?)     ; should be dw (WCHAR)
ends

        tokenPriv               TOKEN_PRIVILEGES <>     ; single-entry privilege block filled by AdjustMyToken
        procEntry               PROCESSENTRY32W <>      ; one shared enumeration buffer written by findProcessID

        align 8                 ; pad the section to an 8-byte boundary

    


Code:
push qword[rax+8]    

no result, still the same Cool
Post 13 Mar 2010, 22:48
a115433
push qword[rax+8]
you don't have to write the operand size.
push is always 64bit in ia32e.


test rax,rax
jnz @B
also, I suggest using cmovcc. jnz is dead in ia32e.
Post 13 Mar 2010, 23:03
LocoDelAssembly
So, "push [rax+8]" compiles for you? Can you share the "patch"?
Post 13 Mar 2010, 23:05
a115433
hmm, it doesn't.
my mistake, sorry.

but I've read that it can only be 64-bit address size, so why doesn't fasm compile it with the qword keyword? It's the only possibility, and this is not the case for some other instructions.
Post 13 Mar 2010, 23:17
LocoDelAssembly
fasm supports "push word [rax+8]". I thought for a moment it was a mistake (I was expecting dword to be allowed), but it is actually supported:
Intel's PUSH documentation wrote:
IF StackAddrSize = 64
THEN
IF OperandSize = 64
THEN
RSP ← (RSP − 8);
IF (SRC is FS or GS)
THEN
TEMP = ZeroExtend64(SRC);
ELSE IF (SRC is IMMEDIATE)
TEMP = SignExtend64(SRC); FI;
ELSE
TEMP = SRC;
FI
RSP ← TEMP; (* Push quadword *)
ELSE (* OperandSize = 16; 66H used *) <<<< HERE
RSP ← (RSP − 2);
RSP ← SRC; (* Push word *)
FI;
ELSE IF StackAddrSize = 32
.
.
.
Post 13 Mar 2010, 23:28
semiono
Code:
Can you share the "patch"?    

Very Happy patch > fasm.exe ))) +1

Post 14 Mar 2010, 00:18