flat assembler
Message board for the users of flat assembler.

Index > Windows > Launch Executable from Memory ?

Joined: 06 Mar 2011
Posts: 74
dancho 10 Apr 2011, 09:10
@Overflowz
so you need VirtualAddress, SizeOfRawData and PointerToRawData of IMAGE_SECTION_HEADER for each section in the exe...
Code:
        ; eax = pointer to IMAGE_NT_HEADERS32 (in the raw file: base + [base+0x3C])
        ; vAddress, sRawData and pRawData are dd variables in the data section
        virtual at eax
                .inth IMAGE_NT_HEADERS32
        end virtual
        ; how many sections do we have?
        movzx   ecx,[.inth.FileHeader.NumberOfSections]
        ; the section table follows the optional header:
        ;   signature 4 + FileHeader 0x14 = 0x18, then SizeOfOptionalHeader
        ;   (0xE0 for a normal PE32 file, which gives the often hard-coded 0xF8;
        ;   reading the field instead also handles a non-standard size)
        movzx   edx,[.inth.FileHeader.SizeOfOptionalHeader]
        lea     eax,[eax+edx+0x18]
        ; loop over the IMAGE_SECTION_HEADER array
@@:
        ; is it done?
        cmp     ecx,0
        je      @f
        ; VirtualAddress   (offset 12: 3 dwords after Name[8] and the union)
        push    dword[eax+3*4]
        pop     [vAddress]
        ; SizeOfRawData    (offset 16)
        push    dword[eax+4*4]
        pop     [sRawData]
        ; PointerToRawData (offset 20)
        push    dword[eax+5*4]
        pop     [pRawData]
        ; next one
        add     eax,sizeof.IMAGE_SECTION_HEADER
        dec     ecx
        jmp     @b
@@:
        ; out



PS
no, it is not...
Joined: 03 Sep 2010
Posts: 1046
Overflowz 10 Apr 2011, 12:47
dancho
I don't understand why you're using such things like "3*4, 4*4 and 5*4.." What do they do? :/
Overflowz 10 Apr 2011, 12:55
Grr.. It's getting harder and harder for me.. I have done this, but what am I missing to launch it from memory? Can anyone suggest something? Because I can't understand more things now from the MASM code.. Thanks. ))


Last edited by Overflowz on 12 Apr 2011, 15:09; edited 1 time in total
dancho 10 Apr 2011, 18:22
Overflowz wrote:
dancho
I don't understand why you're using such things like "3*4, 4*4 and 5*4.." What do they do? :/

they represent offsets of the structure elements, from the structure beginning to the element start, for example VirtualAddress:
we have to skip this:
Code:
_Name db 8 dup (?)
union
PhysicalAddress dd ?
VirtualSize dd ?
ends

that is a total of 3 dwords, so 3*4 where 4 is the size of a dword (what we are skipping); eax is a pointer so we have to dereference eax at eax+3*4,
at that place we have the VirtualAddress data, whose size is dword, so the code is:

push dword[eax+3*4]
Overflowz 10 Apr 2011, 18:27
dancho
Thank you for the help )) I still don't understand. My mind is not so developed about these things so.. Isn't there another way to do that?
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 10 Apr 2011, 20:20
eax = base_address_or_current_address
3 = index at which the value is
4 = size of the value (size of a DWORD); tells the computer how many bytes to jump in order to get to that value

so we end up with:
Example. You have a stack (addressing relative to EBP);

Assume EBP = 100

Code:
EBP+08 : 20 |  100 + 08 = 108 : 20
EBP+12 : 02 |  100 + 12 = 112 : 02
EBP+16 : 00 |  100 + 16 = 116 : 00
EBP+20 : 10 |  100 + 20 = 120 : 10

mov eax,ebp    ; eax points where ebp points (eax=ebp=100)

dword [eax + 5 * 4 ] = 10  | dword at 100 + 5*4 = 120 : 10
dword [eax + 4 * 4 ] = 00  | dword at 100 + 4*4 = 116 : 00
dword [eax + 3 * 4 ] = 02  | dword at 100 + 3*4 = 112 : 02
dword [eax + 2 * 4 ] = 20  | dword at 100 + 2*4 = 108 : 20


LEGEND:
|: OR
=: equals

I think you should be able to get that. I even gave you a legend... I'm awesome.
Overflowz 10 Apr 2011, 20:47
typedef
I can't say anything ^^ just SORRY, I still can't understand. Never mind, I'll think about that. Thanks for the support anyway.
Overflowz 11 Apr 2011, 18:41
let me guess, * = multiplication ?
typedef 11 Apr 2011, 19:01
yes
Overflowz 11 Apr 2011, 23:18
So, push dword[eax+3*4] = push dword[eax+12] ? Why just not write 12, 16, 20 etc.. instead of 3*4, 4*4 and so on, I don't understand :/
typedef 11 Apr 2011, 23:40
Because it's in a loop and ecx changes.
and you don't know how many times you need to do that. You should learn High Level Language so you can start understanding these things.

Or maybe QBASIC. Just kidding.
dancho 12 Apr 2011, 08:52
so we are accessing some memory in an indirect way with 4 elements (this is the fasm, masm, jwasm way...):

1. Base address
2. Index
3. Scale
4. Displacement

and the code is:
[base+index*scale+displacement]

base or index can be any general purpose register (except esp), the scaling factor can be 1, 2, 4 or 8 and the displacement represents an additional offset from the memory location...
scaling is used as an index into arrays, because an array can have different sizes of elements; scaling factor 1 is for a byte array, 2 for a word array, 4 for doubleword and 8 for quadword arrays...
in an exe the IMAGE_SECTION_HEADERs are contiguous in memory, 1., 2., 3. etc.; they are an array, so we can use this way to access each header...
so in the code
push dword[eax+3*4]
eax is the base, a pointer to the first structure
3 is the index, an element in the structure
4 is the scale, the size of the element (dword)
and no displacement...
Overflowz 12 Apr 2011, 13:35
people, isn't this the same? :/
Code:
;ECX = number of sections
;EAX = base address
testloop:
    push dword[eax+12]          ; VirtualAddress, same as [eax+3*4]
    pop  [somevar]
    add  eax,sizeof.IMAGE_SECTION_HEADER
loop testloop                   ; loop already decrements ecx, so no separate dec ecx

or you mean, like this:
Code:
;ECX = number of sections
;EAX = base address
testloop:
    mov  ebx,sizeof.IMAGE_SECTION_HEADER
    push dword[eax+ebx*4]
    pop  [somevar]
    add  eax,sizeof.IMAGE_SECTION_HEADER
loop testloop
Overflowz 13 Apr 2011, 21:49
I have a little problem here. I have just 1 question to ask.. I wrote a DLL and an EXE for testing, to get the export of a function from that dll, but I fail after going to the AddressOfNames offset. The debugger says "???".. Can someone tell me what I'm doing wrong, or how to get the address of this function from my dll? Thank you.
DLL Source:
Code:
format PE GUI 4.0 DLL
include 'WIN32A.INC'
entry DllEntry

section '.data' data readable writeable
msg     db "Hello World!",0
ttl     db "Simple DLL",0

section '.text' code readable executable
proc DllEntry hInst, dwReason, lpReserved
        ; nothing to set up or tear down, so report success for every reason
        ; (the original branches all ended in the same mov eax,1)
        mov     eax,1
        ret
endp

proc domsg
        invoke  MessageBox,0,msg,ttl,MB_OK+MB_ICONINFORMATION
        ret
endp

section '.idata' import data readable
library user32,'user32.dll'
include 'API\USER32.INC'

section '.edata' export data readable
; first argument is the DLL name stored in the export directory;
; the test EXE opens the file as memory.dll
export 'memory.dll',\
       domsg,'domsg'

section '.reloc' fixups data readable discardable
EXE Source:
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main

section '.data' data readable writeable
fName   db "memory.dll",0
func    db "domsg",0
dllbase dd ?
peh     dd ?
eat     dd ?
afn     dd ?
hFile   dd ?
nSize   dd ?
alloc   dd ?
rbytes  dd ?

section '.text' code readable executable
proc main
        ; read the whole file into one buffer (no error checking on the handle)
        invoke  CreateFile,fName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        mov     [hFile],eax
        invoke  GetFileSize,eax,0
        mov     [nSize],eax
        invoke  GlobalAlloc,0,eax
        mov     [alloc],eax
        invoke  ReadFile,[hFile],eax,[nSize],rbytes,0
        invoke  CloseHandle,[hFile]
        mov     eax,[alloc]
        ;---------------------------------
        mov     [dllbase],eax           ; start of the raw file in memory
        add     eax,[eax+0x3c]          ; + e_lfanew
        mov     [peh],eax               ; IMAGE_NT_HEADERS
        mov     edx,[peh]
        mov     eax,[edx+0x78]          ; OptionalHeader.DataDirectory[0].VirtualAddress (an RVA)
        add     eax,dword[dllbase]
        mov     [eat],eax               ; export directory (EAT)
        mov     eax,[eax+0x20]          ; EAT -> AddressOfNames (an RVA)   <--- Here I fail.
        add     eax,dword[dllbase]
        mov     [afn],eax               ; AddressOfNames
        invoke  ExitProcess,0
endp

section '.idata' import data readable
library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable

I have 1 question, is there any difference between a dll on the hdd and a loaded dll? Don't they have the same size, or are they different? Should I copy all headers into the newly allocated space, or what am I doing wrong??
and also, I really don't understand what the hell "virtual at .." does. I did something like this but it's not working, or I don't understand why people are using the virtual thing..
Code:
mov eax,0x401000
virtual at eax
.test1 dd 0x01
end virtual
mov eax,[.test1] ;EAX must be 1 after this but it's not..     
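The raw-file parsing this post attempts, as an added example that is not part of the thread: the DLL on disk and the loaded DLL are not laid out the same. In the file, a section's bytes sit at PointerToRawData; once mapped they sit at VirtualAddress, and every field in the export directory (AddressOfNames, AddressOfFunctions, the name strings themselves) is an RVA, so adding it to the start of the file buffer lands on the wrong bytes unless the RVA is first translated through the section table that dancho's loop reads. The Python below builds a minimal PE32 DLL image in memory (a constructed sample, not a compiled file; the names memory.dll and domsg come from the posts, hello is invented), walks the section headers, converts RVAs to file offsets, and resolves an export by name through the AddressOfNameOrdinals indirection. Forwarded exports are not followed.

```python
"""Walk a raw (unmapped) PE32 file's section table, translate RVAs to file
offsets, and resolve an export by name. Added example, not code from the
thread; the sample DLL image is constructed in memory, not compiled."""
import struct
from typing import Optional

IMAGE_BASE = 0x10000000          # preferred base of the constructed sample


def build_sample_dll() -> bytes:
    """Constructed PE32 DLL with a .text and a .edata section exporting
    'domsg' and 'hello'. Offsets mirror the thread: e_lfanew at 0x3C,
    DataDirectory[0] at NT+0x78, section table at NT+0xF8."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader 0xE0, DLL flags
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x2000, 0x53)          # DataDirectory[0]: export
    # .edata contents, laid out relative to its RVA 0x2000
    edata = bytearray(0x200)
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0,  # IMAGE_EXPORT_DIRECTORY
                     0x203C, 1, 2, 2, 0x2028, 0x2030, 0x2038)
    struct.pack_into("<II", edata, 0x28, 0x1010, 0x1020)    # AddressOfFunctions
    struct.pack_into("<II", edata, 0x30, 0x2047, 0x204D)    # AddressOfNames (sorted)
    struct.pack_into("<HH", edata, 0x38, 1, 0)              # AddressOfNameOrdinals
    edata[0x3C:0x53] = b"memory.dll\0domsg\0hello\0"

    def sec(name, va, raw):                                 # IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x40000040)

    hdr = dos + b"PE\0\0" + file_hdr + opt + sec(b".text", 0x1000, 0x200) + sec(b".edata", 0x2000, 0x400)
    hdr += bytes(0x200 - len(hdr))                          # pad headers to FileAlignment
    return bytes(hdr) + bytes(0x200) + bytes(edata)         # .text is all zeros here


def section_table(img: bytes):
    """Walk the IMAGE_SECTION_HEADER array; returns (name, VirtualAddress,
    SizeOfRawData, PointerToRawData) per section, the fields the thread's loop copies."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", img, nt + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
    if struct.unpack_from("<H", img, nt + 24)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    first = nt + 24 + opt_size      # section table follows the optional header (0xF8 when it is 0xE0)
    out = []
    for i in range(nsec):
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, first + i * 40)
        out.append((name.rstrip(b"\0").decode(), va, raw_size, raw_ptr))
    return out


def rva_to_offset(img: bytes, rva: int) -> int:
    """An RVA is an offset in the mapped image; in the file the same bytes are
    at PointerToRawData + (rva - VirtualAddress) of the owning section."""
    for _, va, raw_size, raw_ptr in section_table(img):
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def export_table(img: bytes) -> dict:
    """{name: function RVA} from the export directory. Name i maps to
    AddressOfFunctions[AddressOfNameOrdinals[i]], not to AddressOfFunctions[i]."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    exp_rva, _exp_size = struct.unpack_from("<II", img, nt + 0x78)   # DataDirectory[0]
    if exp_rva == 0:
        return {}
    d = rva_to_offset(img, exp_rva)
    n_names, funcs, names, ords = struct.unpack_from("<IIII", img, d + 24)
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, rva_to_offset(img, names) + 4 * i)[0]
        off = rva_to_offset(img, name_rva)
        name = img[off:img.index(b"\0", off)].decode()
        ordinal = struct.unpack_from("<H", img, rva_to_offset(img, ords) + 2 * i)[0]
        result[name] = struct.unpack_from("<I", img, rva_to_offset(img, funcs) + 4 * ordinal)[0]
    return result                                   # forwarded exports are not followed here


def resolve(img: bytes, name: str, load_base: int = IMAGE_BASE) -> Optional[int]:
    """Virtual address of an export once the image is mapped at load_base."""
    rva = export_table(img).get(name)
    return None if rva is None else load_base + rva
```

With the sample, the export directory's RVA 0x2000 lives at file offset 0x400, which is why reading at buffer+0x2000 in the EXE above hits unrelated bytes; resolve() adds the function RVA to whatever base the image is actually loaded at, which is all a loader needs once sections have been copied to their VirtualAddress.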
Overflowz 25 Apr 2011, 23:34
I've figured out many things here, but I have a BIG problem with relocation. I can't figure out how to move it from 1 process to another... Can anyone help me with this please? Or give me some tutorial link on how to do a thing like that..
I'll explain it a better way..
I did everything and the new base, entry point and everything match, except the base relocation thing.. I see there are things like:
Code:
push 0
push 401020
push 401020
push 0
call 40XXXX    

I have the MessageBox API there but I need to rebase it somehow, and I don't know the way. I have added a reloc section to my executable but still the same result.. when moving sections and data to memory, I still get the same problem! Could anyone suggest what I should do? Thanks..
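The rebasing asked about here, as an added example and not code from the thread: absolute operands such as the push 401020 above are only valid when the image sits at its preferred ImageBase. The loader fixes them up from the .reloc section (IMAGE_BASE_RELOCATION blocks, referenced by DataDirectory[5]) by adding (actual base - preferred base) to every location the blocks list. The Python below constructs a small mapped image with three absolute operands and one relocation block (constructed sample data, not a real executable), applies a move from 0x400000 to 0x5D3000, checks that each 16-bit entry stays inside the image before patching it, and refuses to rebase an image that carries no relocation data at all, which is the failure an EXE without a .reloc section produces.

```python
"""Apply PE base relocations when an image is mapped somewhere other than its
preferred ImageBase. Added example, not code from the thread; it works on a
mapped image (a bytearray indexed by RVA) and the sample image is built by
hand, not produced by a linker."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0     # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10       # 64-bit absolute address (PE32+)


def build_sample_image():
    """Constructed 0x3000-byte image with preferred base 0x400000:
    RVA 0x1000: push 0x401020     (68 imm32, like the instruction in the post)
    RVA 0x1005: call [0x402000]   (FF 15 disp32, an IAT-style absolute operand)
    RVA 0x1010: dd 0x401000       (an absolute pointer in data)
    RVA 0x2000: one IMAGE_BASE_RELOCATION block for page 0x1000.
    Returns (image, reloc_rva, reloc_size) as a loader reads them from DataDirectory[5]."""
    img = bytearray(0x3000)
    img[0x1000:0x1005] = b"\x68" + struct.pack("<I", 0x401020)
    img[0x1005:0x100B] = b"\xFF\x15" + struct.pack("<I", 0x402000)
    img[0x1010:0x1014] = struct.pack("<I", 0x401000)
    # Each entry is 16 bits: type << 12 | offset within the page. The ABSOLUTE
    # entry pads SizeOfBlock to a multiple of 4, the way linkers emit it.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x001,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x007,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
               (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000]
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    img[0x2000:0x2000 + len(block)] = block
    return img, 0x2000, len(block)


def apply_relocations(img: bytearray, preferred_base: int, actual_base: int,
                      reloc_rva: int, reloc_size: int) -> int:
    """Walk the IMAGE_BASE_RELOCATION blocks and add (actual - preferred) to
    every absolute address they describe. Returns the number of fixups applied.
    Raises ValueError when the image was moved but has no relocation data
    (an EXE without a .reloc section), or when the data is malformed."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0                                     # loaded at preferred base: nothing to do
    if reloc_size == 0:
        raise ValueError("image has no base relocations; it only runs at its preferred base")
    applied, pos, end = 0, reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, size = struct.unpack_from("<II", img, pos)
        if size < 8 or pos + size > end:
            raise ValueError(f"malformed relocation block at RVA {pos:#x}")
        for entry_off in range(pos + 8, pos + size, 2):
            entry = struct.unpack_from("<H", img, entry_off)[0]
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            width = {IMAGE_REL_BASED_HIGHLOW: 4, IMAGE_REL_BASED_DIR64: 8}.get(kind)
            if width is None:
                raise ValueError(f"unsupported relocation type {kind} at RVA {target:#x}")
            if target + width > len(img):            # untrusted input: never patch outside the image
                raise ValueError(f"relocation target {target:#x} outside the image")
            fmt = "<I" if width == 4 else "<Q"
            value = struct.unpack_from(fmt, img, target)[0]
            struct.pack_into(fmt, img, target, (value + delta) & ((1 << (8 * width)) - 1))
            applied += 1
        pos += size
    return applied


def read32(img: bytearray, rva: int) -> int:
    """Little-endian dword at an RVA, to inspect an operand after rebasing."""
    return struct.unpack_from("<I", img, rva)[0]
```

After a move to 0x5D3000 the immediate of the push reads 0x5D4020 and the opcode bytes are untouched, which is exactly the by-hand edit described later in the thread, done for every listed location at once. If the relocation directory is empty and the image cannot be mapped at its preferred base, nothing in the file says where the absolute operands are; that is the case that needs position-independent code instead.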
Joined: 21 Jul 2003
Posts: 4153
Location: vpcmpistri
bitRAKE 26 Apr 2011, 02:35
It might be easier to learn how to write position independent code - reference all pointers through a base register. That way you can move the code and update the base register -- nothing else needs to be changed.
Code:
    call __
__: pop ebx ; base register

    mov eax,[ebx+MyData-__] ; base register relative addressing
...

MyData dd 123    
Overflowz 26 Apr 2011, 18:07
bitRAKE
As I guess, it would not work in my code.. Because I'm moving from 1 process to another one and I don't know how to find the pointers there to change their values.. I have something like this:
Code:
push 0
call 401030 ;ExitProcess in 2nd executable    

but when I'm adding the allocated memory's relative address, it works fine! I mean, if I have allocated this exe at e.g. 005D3000, then when changing 00401030 to 005d3030 it works fine! and shows "PUSH [kernel32.ExitProcess]".. How can I do something like that?
Overflowz 27 Apr 2011, 01:27
I did everything and my project works fine. I just converted the relocations from MASM to FASM, but the problem is that if the EXE doesn't have a reloc section, then it fails. I just want to know, is there another way to do things like that? Or can someone give me a tutorial about relocations, because I can't find any.. Thank you.
bitRAKE 28 Apr 2011, 10:55
My point was there is no need to find pointers - everything becomes relative. Only example I could find at the moment:
Code:
; =======================================
; NO_IMPORT by mob aka drcmda
; this program demonstrates how to write
; portable code... this code could be
; added to other executables with no prob.
; i'm over that virus shit so don't waste
; your time... i'm working on something
; like a executable patcher right now so
; portable code was very interesting for
; me...................................
; if you want to use other apis or other
; dll's then use this structure:
;
; 00      db ?? ;length of name
; 01 - ?? db ?? ;API name
; ??      dd ?? ;pointer
;
; then use 'GetApis' to find their
; pointers so you don't have to search
; the pointers with GetModuleHandle
; write to drcmda@gmx.de
; =======================================

; ---------------------------------------------------
; Build with MAKEIT.BAT to merge the .text and .data
; sections. Result is a 1024 byte length EXE file.
; ---------------------------------------------------

.486
.Model          Flat, Stdcall
Option          Casemap:None

.Data

; kernel32.dll api's
___Kernel32     db 14,"GetProcAddress"
_Getprocaddress dd 0
                db 11,"LoadLibrary"
_Loadlibrary    dd 0
                db 11,"ExitProcess"
_Exitprocess    dd 0

; user32.dll api's
___User32       db 11,"MessageBeep"
_Messagebeep    dd 0
                db 10,"MessageBox"
_MessageBox     dd 0

_Kernel         dd 0
_User32         db "USER32",0
_Default        dd 0

.Code

Start:
                Call    Delta
Delta:
                Pop     Ebp                         ; get deltaofs
                Sub     Ebp,Offset Delta            ; for portability

                Call    Get_Kernel                  ; get kernel base/set default

                Push    3                           ; 3 api's in the kernel32 struc
                Pop     Ecx
                Lea     Esi,[Ebp+Offset ___Kernel32]
                Call    Get_Apis                    ; get kernel apis

                Lea     Eax,[Ebp+Offset _User32]    ; load user32.dll
                Push    Eax
                Call    [Ebp+_Loadlibrary]

                Test    Eax,Eax
                Jz      Error_Exit

                Mov     [Ebp+Offset _Default],Eax   ; store result in 'default'

                Push    2                           ; 2 api's in the user32 struc
                Pop     Ecx
                Lea     Esi,[Ebp+Offset ___User32]
                Call    Get_Apis                    ; get user32 apis

                Push    -1
                Call    [Ebp+_Messagebeep]          ; beep

                Push    0
                Call    _t02
                db      "little test",0
_t02:           Call    _t01
                db      "MessageBox without imports, funny eh?",0
_t01:           Push    0
                Call    [Ebp+_MessageBox]           ; messagebox

Error_Exit:
                Push    0
                Call    [Ebp+_Exitprocess]          ; get out


; ######################## get kernel ########################
; returns kernelbase and stores it in 'default' and 'kernel'
; assumes the return address of the entry point lies inside
; kernel32 (true on the Windows versions this was written for;
; newer Windows call the entry point from ntdll instead)
Get_Kernel:
                Mov     Ecx,[Esp+4]                 ; get kerneladdr from stack

Kernel_Loop:
                Xor     Edx,Edx
                Dec     Ecx
                Mov     Dx,[Ecx+3Ch]                ; candidate e_lfanew
                Test    Dx,0F800H
                Jnz     Kernel_Loop
                Cmp     Ecx,[Ecx+Edx+34H]           ; ImageBase == this address?
                Jnz     Kernel_Loop
                Mov     [Ebp+Offset _Kernel],Ecx
                Mov     [Ebp+Offset _Default],Ecx
                Ret

; ######################## get apis   ########################
; default   = dll base
; ecx       = number of api's in the structure
; esi       = pointer to structure
Get_Apis:
                Xor     Ebx,Ebx
Api_Loop:
                Inc     Esi                         ; scan through the api
                Push    Ecx                         ; table and try to
                Movzx   Ecx,Byte Ptr [Esi-1]        ; addresses...
                Push    Ecx
                Call    Get_Api
                Pop     Ebx
                Pop     Ecx
                Add     Esi,Ebx
                Mov     [Esi],Eax
                Add     Esi,4
                Loop    Api_Loop
                Ret

; ######################## get api    ########################
; default = dll base
; ecx     = structure entry (length of the api name)
; note: the name is compared as a prefix only, so it relies on the
; sorted export table returning the shortest match first
Get_Api:
                Mov     Edx,[Ebp+Offset _Default]
                Add     Edx,[Edx+3Ch]               ; get default module
                Mov     Edx,[Edx+78H]               ; DataDirectory[0].VirtualAddress
                Add     Edx,[Ebp+Offset _Default]   ; edx = export directory

                Mov     Edi,[Edx+32]                ; get AddressOfNames
                Add     Edi,[Ebp+Offset _Default]
                Mov     Edi,[Edi]                   ; rva of the first name
                Add     Edi,[Ebp+Offset _Default]
                Mov     Eax,[Edx+24]                ; get NumberOfNames
                Xor     Ebx,Ebx
Next_One:
                Push    Ecx
                Inc     Ebx
                Push    Esi
                Push    Edi
                Repz    Cmpsb                       ; compare api with export
                Pop     Edi
                Pop     Esi
                Jnz     Not_Found
                Pop     Ecx
                Mov     Ecx,[Edx+36]                ; get AddressOfNameOrdinals
                Add     Ecx,[Ebp+Offset _Default]
                Dec     Ebx
                Movzx   Eax,Word Ptr [Ecx+Ebx*2]
                Mov     Ebx,[Edx+28]                ; get AddressOfFunctions
                Add     Ebx,[Ebp+Offset _Default]
                Mov     Eax,[Ebx+Eax*4]
                Add     Eax,[Ebp+Offset _Default]
                Ret
Not_Found:
                Dec     Edi
Loop_1:
                Inc     Edi
                Cmp     Byte Ptr [Edi],0
                Jnz     Loop_1

                Inc     Edi
                Dec     Eax
                Jz      Exit_Search
                Pop     Ecx
                Jmp     Next_One
Exit_Search:
                Jmp     Error_Exit
                Ret

End             Start
Notice the "call Delta" to get address where code currently is executing - move the code and the address popped from the stack changes.
Overflowz 28 Apr 2011, 18:56
bitRAKE
Thanks, I'll work on it. Thread closed now.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
