flat assembler
Message board for the users of flat assembler.

[Solved] Pure PE GUI fails

Hornet52 20 Feb 2011, 02:00
Hey,
I'm new to this forum (new member, not viewer), and have to say it's one of the better-maintained assembly forums in general. I actually use NASM, but the syntax is not that far off from FASM (and the members of FASM seem to be so much smarter).

This is the only forum I could find which even has references to people who have successfully made a PE file with custom headers. So, on to my problem: using material (MSDN, here, Google) I was able to successfully create a working PE file using a console (GUI, AllocConsole), which leads me to believe the format is working but the code is at fault.

The problem with the code seems to be that a call to CreateWindowEx fails; I can't seem to find the error as to why it would. Hopefully someone here can elaborate on reasons why it might fail.

Code I've created (NASM syntax):

Code:
;================================================
;Portable Executable(PE) format
;-Assemble as a pure binary format
;================================================

BITS 32
ORG 0x400E00

AppBase equ 0x400E00
Section_Alignment equ 0x1000
File_Alignment equ 0x200
%define RVA(n) ((n-File_Alignment)+Section_Alignment-AppBase)
%define RoundAlign(n, r) (((n+(r-1))/r)*r)

DOS_Header:                                      
   dw 0x5A4D
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00 
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   times 4 dw 0x00                               ;Reserved words
   dw 0x00
   dw 0x00
   times 10 dw 0x00                              ;Reserved words
   dd PE_Signature - AppBase

DOS_Stub:
   mov DX, DOS_Stub.msg - AppBase
   mov AH, 0x09
   int 0x21
   mov AH, 0x4C
   int 0x21 
.msg:
   db "This is a Win32 NT Windows program only", 0x0D, 0x0D, 0x0A, 0x24

ALIGN 0x08, db 0x00
PE_Signature:                                    ;must be in 8-byte alignment
   dd 0x00004550

COFF_Header:
   dw 0x014C
   dw 0x01                                       ;Only 1 section(.text)
   dd 0x00                                       
   dd 0x00
   dd 0x00
   dw Optional_Header_Size 
   dw 0x0103

Optional_Header:
   dw 0x010B
   db 0x00
   db 0x00
   dd Code_Section_Size
   dd 0x00
   dd 0x00
   dd RVA(Main)                                  ;Execution will start at this point
   dd Code_Section - AppBase
   dd Code_Section_Size 

   dd 0x400000                                   ;Windows-only fields
   dd Section_Alignment                          
   dd File_Alignment
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x04
   dw 0x00
   dd 0x00
   dd (RoundAlign(Code_Section_Size, Section_Alignment) + Section_Alignment)  
   dd RoundAlign(All_Header_Size, File_Alignment)
   dd 0x00
   dw 0x02
   dw 0x00
   dd 0x100000
   dd 0x1000
   dd 0x100000
   dd 0x00
   dd 0x00
   dd 0x10                                       ;Number of directories

   dd 0x00                                       ;Data directories
   dd 0x00
   dd RVA(Idata)
   dd Idata_Size
   times 0x0E dq 0x00
Optional_Header_Size equ $ - Optional_Header

Code_Section_Header:
   db ".text", 0x00, 0x00, 0x00
   dd Code_Section_Size
   dd RVA(Code_Section)
   dd RoundAlign(Code_Section_Size, File_Alignment)
   dd Code_Section - AppBase
   dd 0x00
   dd 0x00
   dw 0x00
   dw 0x00
   dd 0xE0000020                                 ;All access rights (read/write/execute)
All_Header_Size equ $ - $$                       

ALIGN File_Alignment, db 0x00                    ;should be at 0x401000
Code_Section:                                    ;===================.text===================

Main:
   push DWORD 0x00                               ;Get hInstance for class etc.
   call [GetModuleHandleW]
   mov [hInstance], EAX

   push DWORD 0x7F00                             ;Get a cursor for application
   push DWORD 0x00
   call [LoadCursorW]
   mov [hCursor], EAX

   push DWORD WNDCLASSEX                         ;Register windows class
   call [RegisterClassExW]

   push DWORD 0x00                               ;Create Window
   push DWORD [hInstance]
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x01F4
   push DWORD 0x01F4
   push DWORD 0x64
   push DWORD 0x64
   push DWORD 0x10CF0000                         ;WS_OVERLAPPEDWINDOW | WS_VISIBLE
   push DWORD String.WindowName
   push DWORD String.ClassName
   push DWORD 0x00
   call [CreateWindowExW]                        

   or EAX, EAX
   jz Error

MessageLoop:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00                               
   push DWORD MSG
   call [GetMessageW]                            

   or EAX, EAX
   jz WM_QUIT                                    ;check for quitting

   push DWORD MSG
   call [TranslateMessage]

   push DWORD MSG
   call [DispatchMessageW]
jmp MessageLoop


WndProc:
   push EBP                                      ;[EBP+0x08] hWnd
   mov EBP, ESP                                  ;[EBP+0x0C] Message
   push EBX                                      ;[EBP+0x10] wParam
   push ESI                                      ;[EBP+0x14] lParam
   push EDI

   cmp DWORD [EBP+0x0C], 0x02                    ;WM_DESTROY
   je WM_DESTROY

.Default:
   push DWORD [EBP+0x14]
   push DWORD [EBP+0x10]
   push DWORD [EBP+0x0C]
   push DWORD [EBP+0x08]
   call [DefWindowProcW]

.Return:
   mov ESP, EBP
   pop EBP
   pop EDI
   pop ESI
   pop EBX
   ret

WM_DESTROY:
   push DWORD 0x00
   call [PostQuitMessage]
   jmp WndProc.Return

WM_QUIT:
   push DWORD [wParam]                           ;exit code: the value of MSG.wParam, not its address
   call [ExitProcess]

Error:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   call [MessageBoxW]
   jmp WM_QUIT
                                                 ;===================.data===================

WNDCLASSEX:
   cbSize        dd 0x30                         ;48 bytes (same every time)
   style         dd 0x03                         ;CS_HREDRAW | CS_VREDRAW, redraw
   lpfnWndProc   dd WndProc
   cbClsExtra    dd 0x00
   cbWndExtra    dd 0x00
   hInstance     dd 0x00                         ;Will be updated when application starts
   hIcon         dd 0x00                         ;No Icon
   hCursor       dd 0x00                         ;Will be set in Main
   hbrBackground dd 0x06                         ;COLOR_WINDOW+1
   lpszMenuName  dd 0x00             
   lpszClassName dd String.ClassName             ;"Main Class"
   hIconSm       dd 0x00   

MSG:
   hwnd    dd 0x00
   message dd 0x00
   wParam  dd 0x00
   lParam  dd 0x00
   time    dd 0x00
   ptx     dd 0x00
   pty     dd 0x00

String:
.ClassName:
   db "Main Class", 0x00 
.WindowName:
   db "Basic Window", 0x00


Idata:                                           ;===================.idata===================
   dd 0x00 
   dd 0x00
   dd 0x00
   dd RVA(Kernel32.name)
   dd RVA(Kernel32.iat) 

   dd 0x00
   dd 0x00
   dd 0x00
   dd RVA(User32.name) 
   dd RVA(User32.iat) 

   dd 0x00                                       ;null entry, end of table/directory
   dd 0x00
   dd 0x00
   dd 0x00
   dd 0x00

Kernel32:
.name:
   db "KERNEL32.dll", 0x00
.iat:
   ExitProcess      dd RVA(FunctionName.K1)
   GetModuleHandleW dd RVA(FunctionName.K2)
   dd 0x00

User32:
.name:
   db "USER32.dll", 0x00
.iat:
   MessageBoxW      dd RVA(FunctionName.U1) 
   RegisterClassExW dd RVA(FunctionName.U2)
   LoadCursorW      dd RVA(FunctionName.U3)
   CreateWindowExW  dd RVA(FunctionName.U4)
   GetMessageW      dd RVA(FunctionName.U5)
   TranslateMessage dd RVA(FunctionName.U6)
   DispatchMessageW dd RVA(FunctionName.U7)
   DefWindowProcW   dd RVA(FunctionName.U8)
   PostQuitMessage  dd RVA(FunctionName.U9)         
   dd 0x00


FunctionName:                                          
.K1:
   dw 0x00
   db "ExitProcess", 0x00
.K2:
   dw 0x00
   db "GetModuleHandleW", 0x00, 0x00
.U1:
   dw 0x00
   db "MessageBoxW", 0x00
.U2:
   dw 0x00
   db "RegisterClassExW", 0x00, 0x00
.U3:
   dw 0x00
   db "LoadCursorW", 0x00
.U4:
   dw 0x00
   db "CreateWindowExW", 0x00
.U5:
   dw 0x00
   db "GetMessageW", 0x00
.U6:
   dw 0x00
   db "TranslateMessage", 0x00, 0x00
.U7:
   dw 0x00
   db "DispatchMessageW", 0x00, 0x00
.U8:
   dw 0x00
   db "DefWindowProcW", 0x00, 0x00
.U9:
   dw 0x00
   db "PostQuitMessage", 0x00
Idata_Size equ $ - Idata

Code_Section_Size equ $ - Code_Section
ALIGN File_Alignment, db 0x00

     


Last edited by Hornet52 on 20 Feb 2011, 19:20; edited 1 time in total
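The headers hand-built in the post above are exactly what the loader checks before the entry point ever runs, and a hand-rolled PE that is wrong there fails without a message (a SizeOfImage that is too small, an entry point outside a section, an import table the loader cannot walk). The script below is an added example, not the poster's code or anything from the fasm project: it constructs a PE32 image with the same layout as the post (headers at file offset 0, one .text section at file offset 0x200 mapped to RVA 0x1000, ImageBase 0x400000, import directory inside the section) and then parses it back with the checks a loader applies, including walking the import directory to list what the IAT will resolve. The alignment and base constants are copied from the post; the sample image, its ExitProcess-only import table and the function names build_sample_pe, check_pe, find_section and rva_to_offset are mine. rva_to_offset derives from the section table the same mapping the post's RVA() macro hard-codes.

```python
import struct

SECTION_ALIGN, FILE_ALIGN, IMAGE_BASE = 0x1000, 0x200, 0x400000   # values from the post
OPT_FIXED, NUM_DIRS = 96, 16          # PE32 optional header bytes before the directories

def round_up(n, r):
    return (n + r - 1) // r * r

def build_sample_pe(entry_rva=None, size_of_image=None):
    """Constructed PE32 image (not the poster's binary): one .text section at file
    offset 0x200 / RVA 0x1000 holding an import directory for KERNEL32.dll!ExitProcess
    and 'push 0; call [ExitProcess]'. Keyword arguments let a caller plant a bad field."""
    sec_rva, sec_raw = SECTION_ALIGN, FILE_ALIGN
    body = bytearray()
    body += struct.pack('<5I', 0, 0, 0, sec_rva + 40, sec_rva + 56)  # import descriptor
    body += bytes(20)                                                # terminating descriptor
    body += b'KERNEL32.dll\0'.ljust(16, b'\0')                       # +40: DLL name
    body += struct.pack('<2I', sec_rva + 64, 0)                      # +56: IAT entry + end
    body += b'\0\0ExitProcess\0\0\0'                                 # +64: hint + name
    code_off = len(body)                                             # +80: entry code
    body += b'\x6a\x00\xff\x15' + struct.pack('<I', IMAGE_BASE + sec_rva + 56)
    entry_rva = sec_rva + code_off if entry_rva is None else entry_rva
    if size_of_image is None:
        size_of_image = round_up(sec_rva + len(body), SECTION_ALIGN)
    raw_size = round_up(len(body), FILE_ALIGN)
    dos = b'MZ' + bytes(58) + struct.pack('<I', 64)                  # e_lfanew = 64
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, OPT_FIXED + 8 * NUM_DIRS, 0x0103)
    opt = struct.pack('<HBB6I', 0x10B, 0, 0, len(body), 0, 0, entry_rva, sec_rva, 0)
    opt += struct.pack('<3I6H4IHH6I', IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                       0, 0, 0, 0, 4, 0, 0, size_of_image, FILE_ALIGN, 0,
                       2, 0, 0x100000, 0x1000, 0x100000, 0, 0, NUM_DIRS)
    dirs = [(0, 0), (sec_rva, 40)] + [(0, 0)] * (NUM_DIRS - 2)       # directory 1 = imports
    opt += b''.join(struct.pack('<II', rva, size) for rva, size in dirs)
    sect = struct.pack('<8sIIIIIIHHI', b'.text', len(body), sec_rva, raw_size,
                       sec_raw, 0, 0, 0, 0, 0xE0000020)
    headers = dos + b'PE\0\0' + coff + opt + sect
    return bytes(headers.ljust(sec_raw, b'\0') + body.ljust(raw_size, b'\0'))

def find_section(sections, rva):
    for s in sections:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return s
    return None

def rva_to_offset(sections, rva):
    s = find_section(sections, rva)
    return None if s is None else rva - s['va'] + s['raw']

def read_cstr(image, off):
    return image[off:image.index(b'\0', off)].decode('ascii')

def check_pe(image):
    """Parse a PE32 image: loader-level problems, entry RVA and decoded imports."""
    problems = []
    def require(cond, msg):
        if not cond:
            problems.append(msg)
    e_lfanew = struct.unpack_from('<I', image, 60)[0]
    if image[:2] != b'MZ' or image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return {'problems': ['missing MZ/PE signature'], 'entry_rva': None, 'imports': {}}
    coff = e_lfanew + 4
    machine, nsec, _, _, _, optsize, _ = struct.unpack_from('<HHIIIHH', image, coff)
    opt = coff + 20
    f = struct.unpack_from('<HBB6I', image, opt)
    g = struct.unpack_from('<3I6H4IHH6I', image, opt + 28)
    magic, entry = f[0], f[6]
    salign, falign, size_image, size_hdrs, ndirs = g[1], g[2], g[10], g[11], g[20]
    require(machine == 0x14C and magic == 0x10B, 'not an i386 PE32 image')
    require(optsize == OPT_FIXED + 8 * ndirs, 'SizeOfOptionalHeader disagrees with NumberOfRvaAndSizes')
    require(not falign & (falign - 1) and 0x200 <= falign <= salign, 'bad FileAlignment/SectionAlignment')
    sec_off, sections = opt + optsize, []
    for i in range(nsec):
        h = struct.unpack_from('<8sIIIIIIHHI', image, sec_off + 40 * i)
        s = dict(name=h[0].rstrip(b'\0').decode(), vsize=h[1], va=h[2], rawsize=h[3], raw=h[4], chars=h[9])
        sections.append(s)
        require(s['va'] % salign == 0 and s['raw'] % falign == 0, 'section %s is not aligned' % s['name'])
        require(size_hdrs <= s['raw'] and s['raw'] + s['rawsize'] <= len(image),
                'section %s raw data overlaps the headers or runs off the file' % s['name'])
    need = round_up(max((s['va'] + max(s['vsize'], s['rawsize']) for s in sections), default=0), salign)
    require(size_image >= need, 'SizeOfImage 0x%X is smaller than the required 0x%X' % (size_image, need))
    sec = find_section(sections, entry)
    require(sec is not None and sec['chars'] & 0x20000000,            # IMAGE_SCN_MEM_EXECUTE
            'entry point RVA 0x%X is not inside an executable section' % entry)
    imports = {}
    imp_rva = struct.unpack_from('<I', image, opt + OPT_FIXED + 8)[0]   # data directory 1
    desc = rva_to_offset(sections, imp_rva) if imp_rva else None
    while desc is not None:
        _, _, _, name_rva, thunk_rva = struct.unpack_from('<5I', image, desc)
        if not thunk_rva:
            break
        names, t = [], rva_to_offset(sections, thunk_rva)
        while (val := struct.unpack_from('<I', image, t)[0]):
            names.append('#%d' % (val & 0xFFFF) if val & 0x80000000       # by ordinal
                         else read_cstr(image, rva_to_offset(sections, val) + 2))
            t += 4
        imports[read_cstr(image, rva_to_offset(sections, name_rva))] = names
        desc += 20
    return {'problems': problems, 'entry_rva': entry, 'imports': imports}
```

Run `check_pe(open('window.exe', 'rb').read())` against the assembled output: an empty `problems` list and the expected DLL/function names are the first things to confirm when a hand-built image refuses to start, since none of these faults produce a dialog. The same checks are what a triage script applies to an unknown binary whose headers look hand-made, which is why a file with a single RWX section and no linker version stands out to analysts.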
revolution 20 Feb 2011, 02:03
If you had it in fasm syntax then perhaps I could test it for you.
Hornet52 20 Feb 2011, 03:11
That's fair enough, this is a FASM board after all; below is the code converted to FASM-style syntax:

Code:
 ;================================================
;Portable Executable(PE) format
;-Assemble as a pure binary format
;================================================

use32
ORG 0x400E00

AppBase equ 0x400E00
Section_Alignment equ 0x1000
File_Alignment equ 0x200

DOS_Header:                                      
   dw 0x5A4D
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00 
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   times 4 dw 0x00                               ;Reserved words
   dw 0x00
   dw 0x00
   times 10 dw 0x00                              ;Reserved words
   dd PE_Signature - AppBase

DOS_Stub:
   mov DX, DOS_Stub.msg - AppBase
   mov AH, 0x09
   int 0x21
   mov AH, 0x4C
   int 0x21 
.msg:
   db "This is a Win32 NT Windows program only", 0x0D, 0x0D, 0x0A, 0x24

ALIGN 0x08
PE_Signature:                                    ;must be in 8-byte alignment
   dd 0x00004550

COFF_Header:
   dw 0x014C
   dw 0x01                                       ;Only 1 section(.text)
   dd 0x00                                       
   dd 0x00
   dd 0x00
   dw Optional_Header_Size
   dw 0x0103

Optional_Header:
   dw 0x010B
   db 0x00
   db 0x00
   dd Code_Section_Size
   dd 0x00
   dd 0x00
   dd (Main-File_Alignment)+Section_Alignment-AppBase    ;Execution will start at this point
   dd Code_Section - AppBase
   dd Code_Section_Size 

   dd 0x400000                                   ;Windows-only fields
   dd Section_Alignment                          
   dd File_Alignment
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x04
   dw 0x00
   dd 0x00
   dd (((Code_Section_Size+(Section_Alignment-1))/Section_Alignment)*Section_Alignment)+Section_Alignment
   dd (((All_Header_Size+(File_Alignment-1))/File_Alignment)*File_Alignment)
   dd 0x00
   dw 0x02
   dw 0x00
   dd 0x100000
   dd 0x1000
   dd 0x100000
   dd 0x00
   dd 0x00
   dd 0x10                                       ;Number of directories

   dd 0x00                                       ;Data directories
   dd 0x00
   dd (Idata-File_Alignment)+Section_Alignment-AppBase
   dd Idata_Size
   times 0x0E dq 0x00
Optional_Header_Size = $ - Optional_Header

Code_Section_Header:
   db ".text", 0x00, 0x00, 0x00
   dd Code_Section_Size
   dd (Code_Section-File_Alignment)+Section_Alignment-AppBase
   dd (((Code_Section_Size+(File_Alignment-1))/File_Alignment)*File_Alignment)
   dd Code_Section - AppBase
   dd 0x00
   dd 0x00
   dw 0x00
   dw 0x00
   dd 0xE0000020                                 ;All access rights (read/write/execute)
All_Header_Size = $ - $$

ALIGN File_Alignment                             ;should be at 0x401000
Code_Section:                                    ;===================.text===================

Main:
   push DWORD 0x00                               ;Get hInstance for class etc.
   call [GetModuleHandleW]
   mov [hInstance], EAX

   push DWORD 0x7F00                             ;Get a cursor for application
   push DWORD 0x00
   call [LoadCursorW]
   mov [hCursor], EAX

   push DWORD WNDCLASSEX                         ;Register windows class
   call [RegisterClassExW]

   push DWORD 0x00                               ;Create Window
   push DWORD [hInstance]
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x01F4
   push DWORD 0x01F4
   push DWORD 0x64
   push DWORD 0x64
   push DWORD 0x10CF0000                         ;WS_OVERLAPPEDWINDOW | WS_VISIBLE
   push DWORD String.WindowName
   push DWORD String.ClassName
   push DWORD 0x00
   call [CreateWindowExW]                        

   or EAX, EAX
   jz Error

MessageLoop:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00                               
   push DWORD MSG
   call [GetMessageW]                            

   or EAX, EAX
   jz WM_QUIT                                    ;check for quitting

   push DWORD MSG
   call [TranslateMessage]

   push DWORD MSG
   call [DispatchMessageW]
jmp MessageLoop


WndProc:
   push EBP                                      ;[EBP+0x08] hWnd
   mov EBP, ESP                                  ;[EBP+0x0C] Message
   push EBX                                      ;[EBP+0x10] wParam
   push ESI                                      ;[EBP+0x14] lParam
   push EDI

   cmp DWORD [EBP+0x0C], 0x02                    ;WM_DESTROY
   je WM_DESTROY

.Default:
   push DWORD [EBP+0x14]
   push DWORD [EBP+0x10]
   push DWORD [EBP+0x0C]
   push DWORD [EBP+0x08]
   call [DefWindowProcW]

.Return:
   mov ESP, EBP
   pop EBP
   pop EDI
   pop ESI
   pop EBX
   ret

WM_DESTROY:
   push DWORD 0x00
   call [PostQuitMessage]
   jmp WndProc.Return

WM_QUIT:
   push DWORD [wParam]                           ;exit code: the value of MSG.wParam, not its address
   call [ExitProcess]

Error:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   call [MessageBoxW]
   jmp WM_QUIT
                                                 ;===================.data===================

WNDCLASSEX:
   cbSize        dd 0x30                         ;48 bytes (same every time)
   style         dd 0x03                         ;CS_HREDRAW | CS_VREDRAW, redraw
   lpfnWndProc   dd WndProc
   cbClsExtra    dd 0x00
   cbWndExtra    dd 0x00
   hInstance     dd 0x00                         ;Will be updated when application starts
   hIcon         dd 0x00                         ;No Icon
   hCursor       dd 0x00                         ;Will be set in Main
   hbrBackground dd 0x06                         ;COLOR_WINDOW+1
   lpszMenuName  dd 0x00             
   lpszClassName dd String.ClassName             ;"Main Class"
   hIconSm       dd 0x00   

MSG:
   hwnd    dd 0x00
   message dd 0x00
   wParam  dd 0x00
   lParam  dd 0x00
   time    dd 0x00
   ptx     dd 0x00
   pty     dd 0x00

String:
.ClassName:
   db "Main Class", 0x00 
.WindowName:
   db "Basic Window", 0x00


Idata:                                           ;===================.idata===================
   dd 0x00 
   dd 0x00
   dd 0x00
   dd (Kernel32.name-File_Alignment)+Section_Alignment-AppBase
   dd (Kernel32.iat-File_Alignment)+Section_Alignment-AppBase

   dd 0x00
   dd 0x00
   dd 0x00
   dd (User32.name-File_Alignment)+Section_Alignment-AppBase
   dd (User32.iat-File_Alignment)+Section_Alignment-AppBase

   dd 0x00                                       ;null entry, end of table/directory
   dd 0x00
   dd 0x00
   dd 0x00
   dd 0x00

Kernel32:
.name:
   db "KERNEL32.dll", 0x00
.iat:
   ExitProcess      dd (FunctionName.K1-File_Alignment)+Section_Alignment-AppBase
   GetModuleHandleW dd (FunctionName.K2-File_Alignment)+Section_Alignment-AppBase
   dd 0x00

User32:
.name:
   db "USER32.dll", 0x00
.iat:
   MessageBoxW      dd (FunctionName.U1-File_Alignment)+Section_Alignment-AppBase
   RegisterClassExW dd (FunctionName.U2-File_Alignment)+Section_Alignment-AppBase
   LoadCursorW      dd (FunctionName.U3-File_Alignment)+Section_Alignment-AppBase
   CreateWindowExW  dd (FunctionName.U4-File_Alignment)+Section_Alignment-AppBase
   GetMessageW      dd (FunctionName.U5-File_Alignment)+Section_Alignment-AppBase
   TranslateMessage dd (FunctionName.U6-File_Alignment)+Section_Alignment-AppBase
   DispatchMessageW dd (FunctionName.U7-File_Alignment)+Section_Alignment-AppBase
   DefWindowProcW   dd (FunctionName.U8-File_Alignment)+Section_Alignment-AppBase
   PostQuitMessage  dd (FunctionName.U9-File_Alignment)+Section_Alignment-AppBase
   dd 0x00


FunctionName:                                          
.K1:
   dw 0x00
   db "ExitProcess", 0x00
.K2:
   dw 0x00
   db "GetModuleHandleW", 0x00, 0x00
.U1:
   dw 0x00
   db "MessageBoxW", 0x00
.U2:
   dw 0x00
   db "RegisterClassExW", 0x00, 0x00
.U3:
   dw 0x00
   db "LoadCursorW", 0x00
.U4:
   dw 0x00
   db "CreateWindowExW", 0x00
.U5:
   dw 0x00
   db "GetMessageW", 0x00
.U6:
   dw 0x00
   db "TranslateMessage", 0x00, 0x00
.U7:
   dw 0x00
   db "DispatchMessageW", 0x00, 0x00
.U8:
   dw 0x00
   db "DefWindowProcW", 0x00, 0x00
.U9:
   dw 0x00
   db "PostQuitMessage", 0x00
Idata_Size = $ - Idata

Code_Section_Size = $ - Code_Section
times 0x600-($-$$) db 0        
    
revolution 20 Feb 2011, 03:27
A couple of changes to get you started:
Code:
;...
.Return:
   pop EDI
   pop ESI
   pop EBX
   pop EBP
   ret

;...

String:
.ClassName:
   du "Main Class", 0x00
.WindowName:
   du "Basic Window", 0x00

;...    
Hornet52 20 Feb 2011, 18:48
Thanks, I changed the stack unwinding and made Unicode-compliant strings; still no effect on the error, however. CreateWindowEx still returns a fail (NULL). Any ideas why?
vid 20 Feb 2011, 18:55
When an API call fails, use GetLastError to find out the error code (and optionally FormatMessage to turn it into a readable string).
revolution 20 Feb 2011, 18:55
Hornet52: Really? It worked for me when I ran it with just those two changes. Gives me a white window which can be closed by clicking the X.
Hornet52 20 Feb 2011, 19:19
Sorry, my mistake: in the return state I left the "mov ESP, EBP", which I realize is the actual error. So I assume that, due to moving the pointers back and forth, the stack would have grown beyond the application's scope? I took that line out and sure enough it ran as you said. Damn calling conventions, I'll have to look into them more.

Thanks, FASM gentlemen.

Finished code below (FASM syntax):
Code:
 ;================================================
;Portable Executable(PE) format
;-Assemble as a pure binary format
;================================================

use32
ORG 0x400E00

AppBase equ 0x400E00
Section_Alignment equ 0x1000
File_Alignment equ 0x200

DOS_Header:                                      
   dw 0x5A4D
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00 
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   times 4 dw 0x00                               ;Reserved words
   dw 0x00
   dw 0x00
   times 10 dw 0x00                              ;Reserved words
   dd PE_Signature - AppBase

DOS_Stub:
   mov DX, DOS_Stub.msg - AppBase
   mov AH, 0x09
   int 0x21
   mov AH, 0x4C
   int 0x21 
.msg:
   db "This is a Win32 NT Windows program only", 0x0D, 0x0D, 0x0A, 0x24

ALIGN 0x08
PE_Signature:                                    ;must be in 8-byte alignment
   dd 0x00004550

COFF_Header:
   dw 0x014C
   dw 0x01                                       ;Only 1 section(.text)
   dd 0x00                                       
   dd 0x00
   dd 0x00
   dw Optional_Header_Size
   dw 0x0103

Optional_Header:
   dw 0x010B
   db 0x00
   db 0x00
   dd Code_Section_Size
   dd 0x00
   dd 0x00
   dd (Main-File_Alignment)+Section_Alignment-AppBase    ;Execution will start at this point
   dd Code_Section - AppBase
   dd Code_Section_Size 

   dd 0x400000                                   ;Windows-only fields
   dd Section_Alignment                          
   dd File_Alignment
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x00
   dw 0x04
   dw 0x00
   dd 0x00
   dd (((Code_Section_Size+(Section_Alignment-1))/Section_Alignment)*Section_Alignment)+Section_Alignment
   dd (((All_Header_Size+(File_Alignment-1))/File_Alignment)*File_Alignment)
   dd 0x00
   dw 0x02
   dw 0x00
   dd 0x100000
   dd 0x1000
   dd 0x100000
   dd 0x00
   dd 0x00
   dd 0x10                                       ;Number of directories

   dd 0x00                                       ;Data directories
   dd 0x00
   dd (Idata-File_Alignment)+Section_Alignment-AppBase
   dd Idata_Size
   times 0x0E dq 0x00
Optional_Header_Size = $ - Optional_Header

Code_Section_Header:
   db ".text", 0x00, 0x00, 0x00
   dd Code_Section_Size
   dd (Code_Section-File_Alignment)+Section_Alignment-AppBase
   dd (((Code_Section_Size+(File_Alignment-1))/File_Alignment)*File_Alignment)
   dd Code_Section - AppBase
   dd 0x00
   dd 0x00
   dw 0x00
   dw 0x00
   dd 0xE0000020                                 ;All access rights (read/write/execute)
All_Header_Size = $ - $$

ALIGN File_Alignment                             ;should be at 0x401000
Code_Section:                                    ;===================.text===================

Main:
   push DWORD 0x00                               ;Get hInstance for class etc.
   call [GetModuleHandleW]
   mov [hInstance], EAX

   push DWORD 0x7F00                             ;Get a cursor for application
   push DWORD 0x00
   call [LoadCursorW]
   mov [hCursor], EAX

   push DWORD WNDCLASSEX                         ;Register windows class
   call [RegisterClassExW]

   push DWORD 0x00                               ;Create Window
   push DWORD [hInstance]
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x01F4
   push DWORD 0x01F4
   push DWORD 0x64
   push DWORD 0x64
   push DWORD 0x10CF0000                         ;WS_OVERLAPPEDWINDOW | WS_VISIBLE
   push DWORD String.WindowName
   push DWORD String.ClassName
   push DWORD 0x00
   call [CreateWindowExW]                        

   or EAX, EAX
   jz Error

MessageLoop:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00                               
   push DWORD MSG
   call [GetMessageW]                            

   or EAX, EAX
   jz WM_QUIT                                    ;check for quitting

   push DWORD MSG
   call [TranslateMessage]

   push DWORD MSG
   call [DispatchMessageW]
jmp MessageLoop


WndProc:
   push EBP                                      ;[EBP+0x08] hWnd
   mov EBP, ESP                                  ;[EBP+0x0C] Message
   push EBX                                      ;[EBP+0x10] wParam
   push ESI                                      ;[EBP+0x14] lParam
   push EDI

   cmp DWORD [EBP+0x0C], 0x02                    ;WM_DESTROY
   je WM_DESTROY

.Default:
   push DWORD [EBP+0x14]
   push DWORD [EBP+0x10]
   push DWORD [EBP+0x0C]
   push DWORD [EBP+0x08]
   call [DefWindowProcW]

.Return:
   pop EDI
   pop ESI
   pop EBX
   pop EBP
   ret

WM_DESTROY:
   push DWORD 0x00
   call [PostQuitMessage]
   jmp WndProc.Return

WM_QUIT:
   push DWORD [wParam]                           ;exit code: the value of MSG.wParam, not its address
   call [ExitProcess]

Error:
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   push DWORD 0x00
   call [MessageBoxW]
   jmp WM_QUIT
                                                 ;===================.data===================

WNDCLASSEX:
   cbSize        dd 0x30                         ;48 bytes (same every time)
   style         dd 0x03                         ;CS_HREDRAW | CS_VREDRAW, redraw
   lpfnWndProc   dd WndProc
   cbClsExtra    dd 0x00
   cbWndExtra    dd 0x00
   hInstance     dd 0x00                         ;Will be updated when application starts
   hIcon         dd 0x00                         ;No Icon
   hCursor       dd 0x00                         ;Will be set in Main
   hbrBackground dd 0x06                         ;COLOR_WINDOW+1
   lpszMenuName  dd 0x00             
   lpszClassName dd String.ClassName             ;"Main Class"
   hIconSm       dd 0x00   

MSG:
   hwnd    dd 0x00
   message dd 0x00
   wParam  dd 0x00
   lParam  dd 0x00
   time    dd 0x00
   ptx     dd 0x00
   pty     dd 0x00

String:
.ClassName:
   du "Main Class", 0x00 
.WindowName:
   du "Basic Window", 0x00


Idata:                                           ;===================.idata===================
   dd 0x00 
   dd 0x00
   dd 0x00
   dd (Kernel32.name-File_Alignment)+Section_Alignment-AppBase
   dd (Kernel32.iat-File_Alignment)+Section_Alignment-AppBase

   dd 0x00
   dd 0x00
   dd 0x00
   dd (User32.name-File_Alignment)+Section_Alignment-AppBase
   dd (User32.iat-File_Alignment)+Section_Alignment-AppBase

   dd 0x00                                       ;null entry, end of table/directory
   dd 0x00
   dd 0x00
   dd 0x00
   dd 0x00

Kernel32:
.name:
   db "KERNEL32.dll", 0x00
.iat:
   ExitProcess      dd (FunctionName.K1-File_Alignment)+Section_Alignment-AppBase
   GetModuleHandleW dd (FunctionName.K2-File_Alignment)+Section_Alignment-AppBase
   dd 0x00

User32:
.name:
   db "USER32.dll", 0x00
.iat:
   MessageBoxW      dd (FunctionName.U1-File_Alignment)+Section_Alignment-AppBase
   RegisterClassExW dd (FunctionName.U2-File_Alignment)+Section_Alignment-AppBase
   LoadCursorW      dd (FunctionName.U3-File_Alignment)+Section_Alignment-AppBase
   CreateWindowExW  dd (FunctionName.U4-File_Alignment)+Section_Alignment-AppBase
   GetMessageW      dd (FunctionName.U5-File_Alignment)+Section_Alignment-AppBase
   TranslateMessage dd (FunctionName.U6-File_Alignment)+Section_Alignment-AppBase
   DispatchMessageW dd (FunctionName.U7-File_Alignment)+Section_Alignment-AppBase
   DefWindowProcW   dd (FunctionName.U8-File_Alignment)+Section_Alignment-AppBase
   PostQuitMessage  dd (FunctionName.U9-File_Alignment)+Section_Alignment-AppBase
   dd 0x00


FunctionName:                                          
.K1:
   dw 0x00
   db "ExitProcess", 0x00
.K2:
   dw 0x00
   db "GetModuleHandleW", 0x00, 0x00
.U1:
   dw 0x00
   db "MessageBoxW", 0x00
.U2:
   dw 0x00
   db "RegisterClassExW", 0x00, 0x00
.U3:
   dw 0x00
   db "LoadCursorW", 0x00
.U4:
   dw 0x00
   db "CreateWindowExW", 0x00
.U5:
   dw 0x00
   db "GetMessageW", 0x00
.U6:
   dw 0x00
   db "TranslateMessage", 0x00, 0x00
.U7:
   dw 0x00
   db "DispatchMessageW", 0x00, 0x00
.U8:
   dw 0x00
   db "DefWindowProcW", 0x00, 0x00
.U9:
   dw 0x00
   db "PostQuitMessage", 0x00
Idata_Size = $ - Idata

Code_Section_Size = $ - Code_Section
times 0x600-($-$$) db 0
    
Yardman 20 Feb 2011, 19:22
[ Post removed by author. ]


Last edited by Yardman on 04 Apr 2012, 03:53; edited 1 time in total
revolution 20 Feb 2011, 19:28
Hornet52 wrote:
So I assume due to moving the pointers back and forth the stack would have grown beyond the applications scope?
No, it is not anything to do with stack growth; it is just a matter of restoring the registers from the stack properly. Changing the stack pointer just creates an unbalanced stack, and then your POPs get wrong data and the return point is lost.
Hornet52 20 Feb 2011, 19:42
Thanks, I see what you mean. I had read the calling convention for the Win32 API ahead of time, so the last statement was actually more out of place. I added the "mov ESP, EBP" before restoring EBP so as to clear the stack of the input parameters (which I believe is the callee's job).

Again thanks, I'm not used to using a predefined calling convention that I didn't create.
revolution 20 Feb 2011, 19:48
Actually, I missed that: you do need to clear the stack of incoming parameters. But you do it with this:
Code:
ret 16 ;release 4 dword parameters    
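The unbalanced stack revolution describes, and the reason `ret 16` rather than a bare `ret` is the right way to release the four parameters, can be traced without a debugger. The script below is an added example, not code from the thread: a small Python model of a 32-bit stack that runs the posted WndProc prologue, lets the body clobber the callee-saved registers, and then executes each of the three epilogues the thread went through (the original one starting with `mov ESP, EBP`, the pops-only version from revolution's first reply, and the `ret 16` version). The addresses, argument values and register contents are constructed markers; the function and constant names (run_wndproc, Stack, POSTED, POPS_ONLY, STDCALL) are mine.

```python
RET_ADDR = 0xCA11BACC                     # constructed marker: the caller's return address
ARGS = {'hWnd': 0x000A0B0C, 'msg': 0x0002, 'wParam': 0xDEAD0001, 'lParam': 0}  # constructed
CALLEE_SAVED = ('EBX', 'ESI', 'EDI', 'EBP')

class Stack:
    """32-bit stack: a sparse memory map plus ESP."""
    def __init__(self, esp):
        self.esp, self.mem = esp, {}

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem.get(self.esp, 0xBAADF00D)   # an unwritten slot reads as junk
        self.esp += 4
        return value

def run_wndproc(epilogue, esp0=0x0012FF80):
    """USER32 (a stdcall caller) pushes the four arguments right to left and calls
    WndProc; the callee runs the posted prologue, clobbers the callee-saved registers
    in its body, then executes `epilogue`, a list of ('pop', reg), ('mov_esp_ebp',)
    and ('ret', bytes_to_release) steps.  Returns where 'ret' jumps, how far ESP
    is from what the caller expects (0 = balanced) and whether EBX/ESI/EDI/EBP
    came back intact."""
    st = Stack(esp0)
    regs = {'EBX': 0xB0000001, 'ESI': 0x50000002, 'EDI': 0xD0000003, 'EBP': 0x0012FFA0}
    caller_regs = dict(regs)
    for name in ('lParam', 'wParam', 'msg', 'hWnd'):
        st.push(ARGS[name])
    st.push(RET_ADDR)                                  # call WndProc
    st.push(regs['EBP'])                               # push EBP
    regs['EBP'] = st.esp                               # mov EBP, ESP
    for reg in ('EBX', 'ESI', 'EDI'):                  # push EBX / ESI / EDI
        st.push(regs[reg])
    regs.update(EBX=0x11, ESI=0x22, EDI=0x33)          # body: the registers get reused
    jump_to = None
    for op in epilogue:
        if op[0] == 'pop':
            regs[op[1]] = st.pop()
        elif op[0] == 'mov_esp_ebp':
            st.esp = regs['EBP']
        elif op[0] == 'ret':
            jump_to = st.pop()
            st.esp += op[1]
    return {'return_to': jump_to, 'esp_delta': st.esp - esp0,
            'regs_restored': all(regs[r] == caller_regs[r] for r in CALLEE_SAVED)}

# The three epilogues the thread goes through.
POSTED = [('mov_esp_ebp',), ('pop', 'EBP'), ('pop', 'EDI'), ('pop', 'ESI'), ('pop', 'EBX'), ('ret', 0)]
POPS_ONLY = [('pop', 'EDI'), ('pop', 'ESI'), ('pop', 'EBX'), ('pop', 'EBP'), ('ret', 0)]
STDCALL = [('pop', 'EDI'), ('pop', 'ESI'), ('pop', 'EBX'), ('pop', 'EBP'), ('ret', 16)]

if __name__ == '__main__':
    for label, epi in (('posted', POSTED), ('pops only', POPS_ONLY), ('ret 16', STDCALL)):
        print('%-10s %s' % (label, run_wndproc(epi)))
```

With the posted epilogue, `mov ESP, EBP` does land on the saved EBP, so `pop EBP` is correct, but the three pops after it read the return address and the first two arguments, and `ret` then jumps to whatever wParam held; that is the "return point lost" revolution describes, and it happens inside the first message CreateWindowEx delivers, before the call ever returns. The pops-only epilogue restores everything and returns to the right place but leaves the 16 bytes of arguments on the stack, which the stdcall caller does not expect; `ret 16` releases them and brings ESP back to exactly where it was before the call.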
Copyright © 1999-2025, Tomasz Grysztar.