
Index > Windows > Porting AntiSandbox Code from C to FASM

Nameless
I couldn't continue because I didn't know how to do loops and arrays in FASM yet.
Can anybody help finish the port?

Code:
format PE GUI 4.0
include "C:\fasm\include\win32ax.inc"
; Globals for the unfinished FASM port of Inside_Sandbox() (the C++ original is
; listed further down).  Only H_Heap is referenced by the proc below; i, n and
; count mirror the C locals but nothing in the asm part touches them yet.
.data
 H_Heap dd 0                            ; handle of the 16 KiB private heap created by HeapCreate
 i dd 0
 n dd 0
 ret dd 0                               ; NOTE(review): 'ret' is an instruction mnemonic - FASM will most likely reject it as a symbol name
 count dd 0
 char **hptr;                           ; C declaration pasted verbatim - not FASM syntax; hptr is never defined as a label

.code

proc IsInsideSandbox
; Partial port of Inside_Sandbox() from the C++ listing below.  The calls up to
; HeapCreate are ported; from 'for (i = 0 ...' onward the C source is still
; pasted verbatim, so this block does not assemble as it stands.
;
; Register use in the ported part: ebx = process heap handle,
; eax = scratch / API return value.
;
; NOTE(review): pusha/popa bracket the whole body, so the popa at .done
; overwrites eax - the value loaded from [ret] never reaches the caller.

 pusha
 xor  eax, eax
 xor  ebx, ebx
 invoke GetProcessHeap
 mov ebx, eax                           ; ebx = GetProcessHeap()
 mov eax, 1024
 mul eax, 16                            ; NOTE(review): mul takes a single operand (edx:eax = eax * src); the two-operand form is imul
 invoke HeapAlloc, ebx, 0, eax          ; hptr = HeapAlloc(process heap, 0, size in eax)
 mov    hptr, eax                       ; NOTE(review): hptr is not an asm label, and an unbracketed label is an immediate, not a memory operand
 cmp    eax, 0
 je     .done                           ; HeapAlloc failed -> bail out (the C returns 0 here)

 mov eax, 1024
 mul eax, 16                            ; dead: the size is passed as the literal 1024*16 on the next line
 invoke      HeapCreate, HEAP_NO_SERIALIZE, 1024, 1024*16
 mov         [H_Heap], eax              ; H_Heap = private heap whose maximum size is 16 KiB
 cmp         H_Heap, 0                  ; NOTE(review): compares the address of H_Heap with 0, not its contents - needs [H_Heap]
 je          .done

; --- everything from here to 'mov eax, [ret]' is the C original, not yet ported ---
for (i = 0; i < 16; i++)
hptr[i] = (char *)HeapAlloc(H_Heap, HEAP_ZERO_MEMORY, 2048);

// Now let's count how many allocations have failed
for (i = n = 0; i < 16; i++)
if (hptr[i] == NULL)
n++;
else
HeapFree(H_Heap, 0, hptr[i]);
// Now let's check.. we should have 9 failures.. if not.. let's exit
if (n == 0) {
ret = 1;
}

// Destroy the heap area since it is useless to us now
invoke HeapDestroy, H_Heap              ; NOTE(review): passes the address of H_Heap, not the handle stored in it ([H_Heap])

HeapFree(GetProcessHeap(), 0, hptr);

mov eax, [ret];                         ; intended return value - but see the pusha/popa note above


 .done:
  popa                                  ; restores eax as well, discarding the return value
  ret

endp


 Start:                                 ; program entry point - empty: nothing here calls IsInsideSandbox or ExitProcess yet


.end Start                              ; win32ax macro; presumably declares Start as the entry point and emits the import data - confirm in win32ax.inc
    


C++
Code:
// Heuristic "am I running inside a sandbox/emulator" probe; this is the C++
// original that the FASM listing above tries to port.
//
// Steps: allocate a 16-entry pointer array from the process heap; create a
// private heap whose maximum size is 1024*16 bytes; request 2048 bytes from
// it 16 times (32 KiB in total, twice the heap's maximum); count the NULL
// results in n; free the blocks that succeeded; destroy the private heap;
// free the array.  Returns 1 only when n == 0, i.e. when every allocation
// succeeded despite the size limit; returns 0 otherwise and when either
// setup allocation fails.
//
// Notes for a reader:
//  * The comment below talks about "9 failures", but the code only tests
//    n == 0 - any non-zero failure count yields 0.
//  * 'count' is declared and initialised but never used.
//  * The HeapCreate failure path returns without freeing hptr.
//  * As the thread discusses, this probe does not trigger in every sandbox;
//    NOTE(review): presumably it depends on whether the environment honours
//    HeapCreate's maximum-size argument - confirm.
int Inside_Sandbox() {
 HANDLE H_Heap;
 char **hptr;                            // results of the 16 allocation attempts
 int i, n;                               // n = number of HeapAlloc calls that returned NULL
 int ret = 0;
 int count = 0;                          // unused

 // 16 KiB for an array that only ever holds 16 pointers.
 if ((hptr = (char **)HeapAlloc(GetProcessHeap(), 0, 1024 * 16)) == NULL) return 0;

// Let's create a new heap object that can only handle 16k.. 
 if ((H_Heap = HeapCreate(HEAP_NO_SERIALIZE, 1024, 1024*16)) == NULL)
 return 0;                               // hptr is leaked on this path

// Now let's allocate 2K from it 16 times (half should fail)
for (i = 0; i < 16; i++)
hptr[i] = (char *)HeapAlloc(H_Heap, HEAP_ZERO_MEMORY, 2048);

// Now let's count how many allocations have failed
for (i = n = 0; i < 16; i++)
if (hptr[i] == NULL)
n++;
else
HeapFree(H_Heap, 0, hptr[i]);            // return successful blocks before the heap is destroyed
// Now let's check.. we should have 9 failures.. if not.. let's exit
if (n == 0) {
ret = 1;                                // no allocation failed, although the comment above expects some to
}

// Destroy the heap area since it is useless to us now
HeapDestroy(H_Heap);

HeapFree(GetProcessHeap(), 0, hptr);

return ret;

}    


Thanks.
Post 20 Sep 2010, 13:21
LocoDelAssembly
Your code has a bug
Code:
; Array write/read pattern in FASM (answer to the "how do I loop over an
; array" question).  The direction flag is assumed clear, so stos/lods
; advance edi/esi by 4 after each dword.
;
; Filling: esi counts 16 iterations down, edi walks the array; each 'invoke'
; (the actual API call is elided) leaves its result in eax, which stos
; stores.  esi/edi stay live across the call because Win32 stdcall callees
; preserve ebx/esi/edi.
mov edi, array                          ; edi = address of array (unbracketed label = immediate)
mov esi, 16                             ; 16 entries
@@:
invoke ...                              ; result in eax
stos dword [edi]                        ; [edi] = eax; edi += 4
dec esi
jnz @b                                  ; @b = nearest preceding @@

; counting
; Tally the zero (NULL) entries without a branch: cmp eax,1 sets CF exactly
; when eax == 0 (unsigned eax < 1), and adc ecx,0 adds that carry, so ecx
; ends up as the number of NULL entries.
mov esi, array
mov edi, 16
xor ecx, ecx                            ; ecx = 0 (counter)
@@:
lods dword [esi]                        ; eax = [esi]; esi += 4
cmp eax, 1
adc ecx, 0                              ; ecx += (eax == 0)
dec edi
jnz @b    
There you have a reading and writing example; you should be able to complete the code now.
Post 20 Sep 2010, 16:25
Nameless
Thanks, I'm going to try again now.
Post 20 Sep 2010, 18:06
DJ Mauretto
Hello
Code:

n      DD ?

;-----------------------------------------------------------------------
; int Inside_Sandbox(void)   - FASM version of the C++ listing above
; Out:   EAX = 1 if all 16 HeapAlloc(2048) calls on the 16 KiB private heap
;              succeeded (n == 0); 0 otherwise, or if either setup call fails
; Regs:  EDI = hptr   (16-dword array from the process heap)
;        EBX = H_Heap (private heap handle)
;        ESI = loop index, then the result while the cleanup calls run
; Labels .1 - .6 are FASM local labels scoped to Inside_Sandbox.
; NOTE(review): EBX, ESI and EDI are modified and never saved; under
;        stdcall/cdecl they are callee-preserved, so a C caller would see
;        them clobbered.  Like the C original, the HeapCreate failure path
;        returns without freeing hptr.
;-----------------------------------------------------------------------
Inside_Sandbox:

 XOR     ESI,ESI                         ; ESI = 0 (also serves as the dwFlags argument and as the NULL to compare against)

 PUSH    1024*16                         ; dwBytes
     PUSH    ESI                         ; dwFlags = 0
 CALL    [GetProcessHeap]

        PUSH    EAX                      ; hHeap = process heap
 CALL    [HeapAlloc]                     ; hptr = HeapAlloc(GetProcessHeap(), 0, 1024*16)

     MOV     EDI,EAX                 ; EDI = hptr
        CMP     EDI,ESI              ; hptr == NULL ?
     JNZ     .1

      XOR     EAX,EAX                 ; Return 0

      RET

.1:
  PUSH    1024*16                        ; dwMaximumSize = 16 KiB
     PUSH    1024                        ; dwInitialSize
        PUSH    HEAP_NO_SERIALIZE        ; flOptions
    CALL    [HeapCreate]

    MOV     EBX,EAX                 ; EBX = H_Heap
      CMP     EBX,ESI               ; H_Heap == NULL ?
     JNZ     .2

      XOR     EAX,EAX                 ; Return 0 (hptr is not freed here - same as the C)

      RET

.2:
  PUSH    2048                           ; dwBytes
        PUSH    HEAP_ZERO_MEMORY         ; dwFlags
    PUSH    EBX                     ; H_Heap
    CALL    [HeapAlloc]

     MOV     [EDI+ESI*4],EAX             ; hptr[ESI] = result (NULL on failure)
     INC     ESI
 CMP     ESI,16
      JC      .2                         ; unsigned ESI < 16 -> next of the 16 attempts

      XOR     ESI,ESI                    ; restart the index for the counting pass
     MOV     [n],ESI                     ; n = 0

.3:
     MOV     EAX,[EDI+ESI*4]             ; EAX = hptr[ESI]
     TEST    EAX,EAX
     JNZ     .4                          ; non-NULL -> free it

      INC     [n]                        ; NULL -> one more failed allocation
 JMP     .5

.4:
   PUSH    EAX                           ; lpMem
    PUSH    0                            ; dwFlags
   PUSH    EBX                     ; H_Heap
    CALL    [HeapFree]

.5:
   INC     ESI
 CMP     ESI,16
      JC      .3                         ; unsigned ESI < 16 -> next entry

      MOV     EAX,[n]
     TEST    EAX,EAX                     ; ZF = (n == 0)
     MOV     ESI,1                       ; MOV leaves flags intact, so ZF still reflects n
       JZ      .6                        ; n == 0 -> result 1

      MOV     ESI,0                      ; some allocation failed -> result 0
.6:
    PUSH    EBX                     ; H_Heap
    CALL    [HeapDestroy]

   PUSH    EDI                     ; hptr  (lpMem)
      PUSH    0                          ; dwFlags
   CALL    [GetProcessHeap]              ; takes no arguments, so the two pushes above stay in place

        PUSH    EAX                      ; hHeap
 CALL    [HeapFree]                      ; HeapFree(GetProcessHeap(), 0, hptr)

      MOV     EAX,ESI                 ; Return 0 or 1

 RET
    



Last edited by DJ Mauretto on 20 Sep 2010, 19:45; edited 1 time in total
Post 20 Sep 2010, 18:55
windwakr
Exactly what type of sandboxing does this test for? When run in Sandboxie, this doesn't detect it.

Although, detecting Sandboxie is as easy as just calling "GetModuleHandle('SbieDll.dll')" and seeing if a non-zero value was returned.

Post 20 Sep 2010, 19:03
Nameless
@windwakr: Yes, this works on other ones, like Anubis I guess; I'm trying to port all the anti-sandbox code I have to asm.
Anything simple to code and learn from in asm (this one is the hardest I've tried to port).

@DJ Mauretto: Thanks a lot, I'm going to print this code and study it; I'm sure I'll learn a lot from this one.
Post 21 Sep 2010, 13:29