Porting AntiSandbox Code from C to FASM

Index > Windows > Porting AntiSandbox Code from C to FASM

Author

Thread

Nameless

Joined: 30 Apr 2010
Posts: 95

Nameless

i couldn't continue cause i didnt know what to loop and arrays in fasm yet
can anybody help finishing porting?

Code:

format PE GUI 4.0
include "C:\fasm\include\win32ax.inc"
.data
 H_Heap dd 0
 i dd 0
 n dd 0
 ret dd 0
 count dd 0
 char **hptr;

.code

proc IsInsideSandbox

 pusha
 xor  eax, eax
 xor  ebx, ebx
 invoke GetProcessHeap
 mov ebx, eax
 mov eax, 1024
 mul eax, 16
 invoke HeapAlloc, ebx, 0, eax
 mov    hptr, eax
 cmp    eax, 0
 je     .done

 mov eax, 1024
 mul eax, 16
 invoke      HeapCreate, HEAP_NO_SERIALIZE, 1024, 1024*16
 mov         [H_Heap], eax
 cmp         H_Heap, 0
 je          .done

for (i = 0; i < 16; i++)
hptr[i] = (char *)HeapAlloc(H_Heap, HEAP_ZERO_MEMORY, 2048);

// Now let's count how many allocations have failed
for (i = n = 0; i < 16; i++)
if (hptr[i] == NULL)
n++;
else
HeapFree(H_Heap, 0, hptr[i]);
// Now let's check.. we should have 9 failures.. if not.. let's exit
if (n == 0) {
ret = 1;
}

// Destroy the heap area since it is useless to us now
invoke HeapDestroy, H_Heap

HeapFree(GetProcessHeap(), 0, hptr);

mov eax, [ret];


 .done:
  popa
  ret

endp


 Start:


.end Start

C++

Code:

int Inside_Sandbox() {
 HANDLE H_Heap;
 char **hptr;
 int i, n;
 int ret = 0;
 int count = 0;

 if ((hptr = (char **)HeapAlloc(GetProcessHeap(), 0, 1024 * 16)) == NULL) return 0;

// Let's create a new heap object that can only handle 16k.. 
 if ((H_Heap = HeapCreate(HEAP_NO_SERIALIZE, 1024, 1024*16)) == NULL)
 return 0;

// Now let's allocate 2K from it 16 times (half should fail)
for (i = 0; i < 16; i++)
hptr[i] = (char *)HeapAlloc(H_Heap, HEAP_ZERO_MEMORY, 2048);

// Now let's count how many allocations have failed
for (i = n = 0; i < 16; i++)
if (hptr[i] == NULL)
n++;
else
HeapFree(H_Heap, 0, hptr[i]);
// Now let's check.. we should have 9 failures.. if not.. let's exit
if (n == 0) {
ret = 1;
}

// Destroy the heap area since it is useless to us now
HeapDestroy(H_Heap);

HeapFree(GetProcessHeap(), 0, hptr);

return ret;

}

20 Sep 2010, 13:21

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly

Code:

mov edi, array
mov esi, 16
@@:
invoke ...
stos dword [edi]
dec esi
jnz @b

; counting
mov esi, array
mov edi, 16
xor ecx, ecx
@@:
lods dword [esi]
cmp eax, 1
adc ecx, 0
dec edi
jnz @b

There you have reading and writing example, you should be able to complete the code now.

20 Sep 2010, 16:25

Nameless

Joined: 30 Apr 2010
Posts: 95

Nameless

ty, im gonna try again now Very Happy

20 Sep 2010, 18:06

DJ Mauretto

Joined: 14 Mar 2007
Posts: 464
Location: Rome,Italy

DJ Mauretto

Hello

Code:


n      DD ?

Inside_Sandbox:

 XOR     ESI,ESI

 PUSH    1024*16
     PUSH    ESI
 CALL    [GetProcessHeap]

        PUSH    EAX
 CALL    [HeapAlloc]

     MOV     EDI,EAX                 ; EDI = hptr
        CMP     EDI,ESI
     JNZ     .1

      XOR     EAX,EAX                 ; Return 0

      RET

.1:
  PUSH    1024*16
     PUSH    1024
        PUSH    HEAP_NO_SERIALIZE                       
    CALL    [HeapCreate]

    MOV     EBX,EAX                 ; EBX = H_Heap
      CMP     EBX,ESI
     JNZ     .2

      XOR     EAX,EAX                 ; Return 0

      RET

.2:
  PUSH    2048
        PUSH    HEAP_ZERO_MEMORY                        
    PUSH    EBX                     ; H_Heap
    CALL    [HeapAlloc]

     MOV     [EDI+ESI*4],EAX
     INC     ESI
 CMP     ESI,16
      JC      .2

      XOR     ESI,ESI
     MOV     [n],ESI                 

.3:
     MOV     EAX,[EDI+ESI*4]
     TEST    EAX,EAX
     JNZ     .4

      INC     [n]
 JMP     .5

.4:
   PUSH    EAX                     
    PUSH    0
   PUSH    EBX                     ; H_Heap
    CALL    [HeapFree]

.5:
   INC     ESI
 CMP     ESI,16
      JC      .3

      MOV     EAX,[n]
     TEST    EAX,EAX
     MOV     ESI,1
       JZ      .6

      MOV     ESI,0
.6:
    PUSH    EBX                     ; H_Heap
    CALL    [HeapDestroy]

   PUSH    EDI                     ; hptr
      PUSH    0
   CALL    [GetProcessHeap]

        PUSH    EAX
 CALL    [HeapFree]

      MOV     EAX,ESI                 ; Return 0 or 1

 RET

_________________
Nil Volentibus Arduum Razz

Last edited by DJ Mauretto on 20 Sep 2010, 19:45; edited 1 time in total

20 Sep 2010, 18:55

windwakr

Joined: 30 Jun 2004
Posts: 827
Location: Michigan, USA

windwakr

Exactly what type of sandboxing does this test for? When ran in Sandboxie, this doesn't detect it.

Although, detecting Sandboxie is as easy as just calling "GetModuleHandle('SbieDll.dll')" and seeing if a non-zero value was returned.

_________________
----> * <---- My star, won HERE

20 Sep 2010, 19:03

Nameless

Joined: 30 Apr 2010
Posts: 95

Nameless

@windwakr: yea, this works on other ones, like anubis i guess, im trying to port all the anti sandbox codes i have to asm.
anything simple to code and learn from in asm (this one is from the hardest i tried to port) Very Happy

@DJ Mauretto: thanks alot, im gonna print this code and study it Very Happy

, im sure im gonna learn alot from this one

21 Sep 2010, 13:29

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum