flat assembler
Message board for the users of flat assembler.
Overflowz 10 Apr 2011, 12:47
dancho
I don't understand why you're using things like "3*4, 4*4 and 5*4..". What do they do? :/
Overflowz 10 Apr 2011, 12:55
Grr.. It's getting harder and harder to code for me.. I have done this, but what am I missing to launch it from memory? Can anyone suggest something? Because I can't understand more things now from the MASM code.. Thanks. ))
Last edited by Overflowz on 12 Apr 2011, 15:09; edited 1 time in total
dancho 10 Apr 2011, 18:22
Overflowz wrote: dancho
They represent offsets of the structure elements, from the beginning of the structure to the start of the element. For example VirtualAddress: we have to skip this:
Code:
_Name db 8 dup (?)
union
  PhysicalAddress dd ?
  VirtualSize dd ?
ends
That is a total of 3 dwords, so 3*4, where 4 is the size of a dword (what we are skipping). eax is a pointer, so we have to dereference eax at eax+3*4; at that place we have the VirtualAddress data, whose size is a dword, so the code is:
Code:
push dword[eax+3*4]
Overflowz 10 Apr 2011, 18:27
dancho
Thank you for the help )) I still don't understand. My mind is not so developed about these things so..
typedef 10 Apr 2011, 20:20
eax = base_address_or_current_address
3 = index at which the value is at
4 = size of the value (size of DWORD). Tells the computer how many bytes to jump in order to get to that value, so we end up with:

Example. You have a stack (addressing relative to EBP); assume EBP = 100
Code:
EBP+08 : 20   | 100 + 08 = 108 : 20
EBP+12 : 02   | 100 + 12 = 112 : 02
EBP+16 : 00   | 100 + 16 = 116 : 00
EBP+20 : 10   | 100 + 20 = 120 : 10

mov eax,ebp   ; eax points to ebp (eax=ebp=100)

dword [eax + 5 * 4 ] = 10 | dword at 100 + 5 * 4 : 120 = 10
dword [eax + 4 * 4 ] = 00 | dword at 100 + 4 * 4 : 116 = 00
dword [eax + 3 * 4 ] = 02 | dword at 100 + 3 * 4 : 112 = 02
dword [eax + 2 * 4 ] = 20 | dword at 100 + 2 * 4 : 108 = 20

LEGEND:
|: OR
=: equals
I think you should be able to get that. I even gave you a legend... I'm awesome.
Overflowz 10 Apr 2011, 20:47
typedef
I can't say anything ^^ just SORRY
Overflowz 11 Apr 2011, 18:41
Let me guess, * = multiplication?
typedef 11 Apr 2011, 19:01
yes
Overflowz 11 Apr 2011, 23:18
So, push dword[eax+3*4] = push dword[eax+12]? Why not just write 12, 16, 20 etc.. instead of 3*4, 4*4 and so on? I don't understand :/
typedef 11 Apr 2011, 23:40
Because it's in a loop and ecx changes, and you don't know how many times you need to do that. You should learn a high-level language so you can start understanding these things. Or maybe QBASIC
dancho 12 Apr 2011, 08:52
So we are accessing some memory in an indirect way with 4 elements (this is the fasm, masm, jwasm way...):
1. Base address
2. Index
3. Scale
4. Displacement
and the code is: [base+index*scale+displacement]
base or index can be any general purpose register (except esp), the scaling factor can be 1, 2, 4, 8 and displacement represents an additional offset from the memory location...
Scaling is used as an index into arrays, because an array can have different sizes of elements: scaling factor 1 is for a byte array, 2 for a word array, 4 for doubleword and 8 for quadword arrays...
In an exe the IMAGE_SECTION_HEADERs are contiguous in memory, 1., 2., 3. etc.; they are an array, so we can use this way to access each header...
So in the code push dword[eax+3*4]:
eax is the base, a pointer to the first structure
3 is the index, an element in the structure
4 is the scale, the size of the element (dword)
and no displacement...
Overflowz 12 Apr 2011, 13:35
People, isn't this the same? :/
Code:
;ECX = number of sections
;EAX = base address
testloop:
    push dword [eax+12]        ; fasm needs the operand size on push/pop [mem]
    pop dword [somevar]
    add eax,sizeof.IMAGE_SECTION_HEADER
    loop testloop              ; loop already decrements ecx, so no separate dec ecx
or you mean, like this:
Code:
;ECX = number of sections
;EAX = base address
testloop:
    mov ebx,sizeof.IMAGE_SECTION_HEADER
    push dword [eax+ebx*4]
    pop dword [somevar]
    add eax,sizeof.IMAGE_SECTION_HEADER
    loop testloop
Overflowz 13 Apr 2011, 21:49
I have a little problem here. I have just 1 question to ask.. I wrote a DLL and an EXE for testing, to get the export of a function from that dll, but I fail after going to the AddressOfNames offset. Debugger says "???".. Can someone tell me what I'm doing wrong, or how to get the address of this function from my dll? Thank you.
DLL Source:
Code:
format PE GUI 4.0 DLL
include 'WIN32A.INC'
entry DllEntry

section '.data' data readable writeable
  msg db "Hello World!",0
  ttl db "Simple DLL",0

section '.text' code readable executable
proc DllEntry hInst, dwReason, lpReserved
        mov eax,[dwReason]
        test eax,eax
        jz .check_detach
        jmp .exit_true
  .check_detach:
        test eax,eax
        jz .exit_true
        ret
  .exit_true:
        mov eax,1
        ret
endp

proc domsg
        invoke MessageBox,0,msg,ttl,MB_OK+MB_ICONINFORMATION
        ret
endp

section '.idata' import data readable
  library user32,'user32.dll'
  include 'API\USER32.INC'

section '.edata' export data readable
  export '',domsg,'domsg'

section '.reloc' fixups data readable discardable
EXE Source:
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main

section '.data' data readable writeable
  fName   db "memory.dll",0
  func    db "domsg",0
  dllbase dd ?
  peh     dd ?
  eat     dd ?
  afn     dd ?
  hFile   dd ?
  nSize   dd ?
  alloc   dd ?
  rbytes  dd ?

section '.text' code readable executable
proc main
        invoke CreateFile,fName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        mov [hFile],eax
        invoke GetFileSize,eax,0
        mov [nSize],eax
        invoke GlobalAlloc,0,eax
        mov [alloc],eax
        invoke ReadFile,[hFile],eax,[nSize],rbytes,0
        invoke CloseHandle,[hFile]
        mov eax,[alloc]
        ;---------------------------------
        mov [dllbase],eax       ;DLL base address
        add eax,[eax+0x3c]
        mov [peh],eax           ;PE Header
        mov edx,[peh]
        mov eax,[edx+0x78]      ;OptionalHeader.DataDirectory[0].VirtualAddress
        add eax,dword[dllbase]
        mov [eat],eax           ;Export address table (EAT)
        mov eax,[eax+0x20]      ;EAT -> AddressOfNames <--- Here I fail.
        add eax,dword[dllbase]
        mov [afn],eax           ;AddressOfNames
        ret                     ;endp does not emit a ret, so return to the loader here
endp

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\USER32.INC'
  include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable
I have 1 question: is there any difference between the hdd dll and the loaded dll? Don't they have the same size, or are they different? Should I copy all headers into the newly allocated space, or what am I doing wrong??
And also, I really don't understand what the hell "virtual at .." does. I did something like this but it's not working, or I don't understand why people are using the virtual thing..
Code:
mov eax,0x401000
virtual at eax
  .test1 dd 0x01
end virtual
mov eax,[.test1]   ;EAX must be 1 after this but it's not..
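Added example, not code from this thread: a Python reader for exactly the layout the EXE above walks (DataDirectory[0] at PE+0x78, the export directory's AddressOfNames at +0x20, and the section headers' VirtualAddress, SizeOfRawData and PointerToRawData at 3*4, 4*4 and 5*4 as dancho describes). It builds a constructed, minimal PE image in memory instead of reading memory.dll, and shows the answer to the "hdd dll vs loaded dll" question: every field in the export directory is an RVA, so a file read from disk has to be mapped through the section table before it can be dereferenced, which is the step `mov eax,[eax+0x20]` skips.

```python
import struct

def build_sample_pe():
    """Constructed sample (not a real DLL): one section, .edata, at RVA 0x2000
    but stored at file offset 0x200, exporting a single function 'domsg'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 0x60, 0x2000, 0x45)          # DataDirectory[0] = export RVA, size
    sect = struct.pack("<8sIIIIIIHHI", b".edata", 0x45, 0x2000, 0x200, 0x200,
                       0, 0, 0, 0, 0x40000040)                # VirtualAddress != PointerToRawData
    edata = bytearray(0x200)                                  # IMAGE_EXPORT_DIRECTORY + tables
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, 0x203A, 1, 1, 1,
                     0x2028, 0x202C, 0x2030)                  # AddressOfNames lives at +0x20
    struct.pack_into("<IIH", edata, 0x28, 0x1000, 0x2034, 0)  # func RVA, name RVA, ordinal
    edata[0x34:0x45] = b"domsg\0memory.dll\0"
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + bytes(edata)

def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table: the step the EXE
    above skips, because on disk a section is not stored at its RVA."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsect):
        hdr = pe + 0x18 + opt_size + i * 40                   # sizeof.IMAGE_SECTION_HEADER
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, hdr + 3 * 4)  # 3*4, 4*4, 5*4
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def exports(data):
    """Return {name: function RVA} by walking the export directory of a file on disk."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    exp = rva_to_offset(data, struct.unpack_from("<I", data, pe + 0x78)[0])
    n_names, funcs, names, ords = struct.unpack_from("<IIII", data, exp + 0x18)
    funcs, names, ords = (rva_to_offset(data, r) for r in (funcs, names, ords))
    result = {}
    for i in range(n_names):
        off = rva_to_offset(data, struct.unpack_from("<I", data, names + i * 4)[0])
        name = data[off:data.index(b"\0", off)].decode("ascii")
        ordinal = struct.unpack_from("<H", data, ords + i * 2)[0]
        result[name] = struct.unpack_from("<I", data, funcs + ordinal * 4)[0]
    return result
```

Using the RVA 0x202C directly as a file offset on this 1 KiB sample lands far past the end of the file, which is the "???" the debugger shows; `rva_to_offset` turns it into 0x22C instead.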
Overflowz 25 Apr 2011, 23:34
I've figured out many things here, but I have a BIG problem with relocation. I can't figure out how to move it from 1 process to another... Can anyone help me with this please?
I'll explain it a better way.. I did everything, and the new base, entry point and everything match except the base relocation thing.. I see there are things like:
Code:
push 0
push 401020
push 401020
push 0
call 40XXXX
I have the MessageBox API there, but I need to rebase it somehow and I don't know the way. I have added a reloc section to my executable but still the same result.. When moving sections and data to memory, I still get the same problem! Could anyone suggest what I should do? Thanks..
bitRAKE 26 Apr 2011, 02:35
It might be easier to learn how to write position independent code - reference all pointers through a base register. That way you can move the code and update the base register -- nothing else needs to be changed.
Code:
        call __
__:     pop ebx                 ; base register
        mov eax,[ebx+MyData-__] ; base register relative addressing
        ...
MyData  dd 123
Overflowz 26 Apr 2011, 18:07
bitRAKE
From what I guess, it would not work in my code.. Because I'm moving from 1 process to another one and I don't know how to find the pointers there to change their values.. I have something like this:
Code:
push 0
call 401030   ;ExitProcess in 2nd executable
but when I'm adding the allocated memory's relative address, it works fine! I mean, if I have allocated this exe at e.g. 005D3000, then when changing 00401030 to 005d3030 it works fine and shows "PUSH [kernel32.ExitProcess]".. How can I do something like that?
Overflowz 27 Apr 2011, 01:27
I did everything and my project works fine. I just converted the relocations from MASM to FASM, but the problem is that if the EXE doesn't have a reloc section, then it fails. Just want to know, is there another way to do things like that? Or can someone give me a tutorial about relocations, because I can't find any.. Thank you.
bitRAKE 28 Apr 2011, 10:55
My point was there is no need to find pointers - everything becomes relative. Only example I could find at the moment:
Code:
; =======================================
; NO_IMPORT by mob aka drcmda
; this program demonstrates how to write
; portable code... this code could be
; added to other executables with no prob.
; i'm over that virus shit so don't waste
; your time... i'm working on something
; like a executable patcher right now so
; portable code was very interesting for
; me...................................
; if you want to use other apis or other
; dll's then use this structure:
;
; 00      db ??   ;lenght of name
; 01 - ?? db ??   ;API name
; ??      dd ??   ;pointer
;
; then use 'GetApis' to find their
; pointers so you don't have to search
; the pointers with GetModuleHandle
; write to drcmda@gmx.de
; =======================================
; ---------------------------------------------------
; Build with MAKEIT.BAT to merge the .text and .data
; sections. Result is a 1024 byte length EXE file.
; ---------------------------------------------------
.486
.Model Flat, Stdcall
Option Casemap:None

.Data
; kernel32.dll api's
___Kernel32     db 14,"GetProcAddress"
_Getprocaddress dd 0
                db 11,"LoadLibrary"
_Loadlibrary    dd 0
                db 11,"ExitProcess"
_Exitprocess    dd 0
; user32.dll api's
___User32       db 11,"MessageBeep"
_Messagebeep    dd 0
                db 10,"MessageBox"
_MessageBox     dd 0
_Kernel         Dd 0
_User32         db "USER32",0
_Default        Dd 0

.Code
Start:
    Call Delta
Delta:
    Pop Ebp                         ; get deltaofs
    Sub Ebp,Offset Delta            ; for portability
    Call Get_Kernel                 ; get kernel base/set default
    Push 3                          ; 3 api's in the kernel32 struc
    pop Ecx
    Lea Esi,[Ebp+Offset ___Kernel32]
    Call Get_Apis                   ; get kernel apis
    Lea Eax,[Ebp+Offset _User32]    ; load user32.dll
    Push Eax
    Call [Ebp+_Loadlibrary]
    test Eax,Eax
    jz Error_Exit
    Mov [Ebp+Offset _Default],Eax   ; store result in 'default'
    push 2                          ; 2 api's in the user32 struc
    pop Ecx
    Lea Esi, [Ebp+Offset ___User32]
    Call Get_Apis                   ; get user32 apis
    Push -1
    Call [Ebp+_Messagebeep]         ; beep
    Push 0
    Call _t02
    db "little test",0
_t02:
    Call _t01
    db "MessageBox without imports, funny eh?",0
_t01:
    Push 0
    Call [Ebp+_MessageBox]          ; messagebox
Error_Exit:
    Push 0
    Call [Ebp+_Exitprocess]         ; get out

; ######################## get kernel ########################
; returns kernelbase and stores it in 'default' and 'kernel'
Get_Kernel:
    Mov Ecx,[Esp+4]                 ; get kerneladdr from stack
Kernel_Loop:
    Xor Edx,Edx
    Dec Ecx
    Mov Dx,[Ecx+3Ch]
    Test Dx,0F800H
    Jnz Kernel_Loop
    Cmp Ecx,[Ecx+Edx+34H]
    Jnz Kernel_Loop
    Mov [Ebp+Offset _Kernel],Ecx
    Mov [Ebp+Offset _Default],Ecx
    Ret

; ######################## get apis ########################
; default = dll base
; ecx = number of api's in the structure
; esi = pointer to structure
Get_Apis:
    Xor Ebx,Ebx
Api_Loop:
    Inc Esi                         ; scan through the api
    Push Ecx                        ; table and try to
    Movzx ecx, byte ptr [Esi-1]     ; addresses...
    Push Ecx
    Call Get_Api
    Pop Ebx
    Pop Ecx
    Add Esi,Ebx
    Mov [Esi],Eax
    Add Esi,4
    Loop Api_Loop
    Ret

; ######################## get api ########################
; default = dll base
; ecx = structure entry
Get_Api:
    Mov Edx, [Ebp+Offset _Default]
    Add Edx, [Edx+3Ch]              ; get default module
    Mov Edx, [Edx+78H]
    Add Edx, [Ebp+Offset _Default]
    Mov Edi, [Edx+32]               ;Get Addrofnames
    Add Edi, [Ebp+Offset _Default]
    Mov Edi, [Edi]                  ;Get Addrofnames
    Add Edi, [Ebp+Offset _Default]
    Mov Eax, [Edx+24]               ;Get Numberofnames
    Xor Ebx,Ebx
Next_One:
    Push Ecx
    Inc Ebx
    Push Esi
    Push Edi
    Repz Cmpsb                      ; compare api with export
    Pop Edi
    Pop Esi
    Jnz Not_Found
    Pop Ecx
    Mov Ecx, [Edx+36]               ;Get Addrnameord
    Add Ecx, [Ebp+Offset _Default]
    Dec Ebx
    Movzx eax, word ptr [Ecx+Ebx*2]
    Mov Ebx, [Edx+28]               ;Get Addroffunctions
    Add Ebx, [Ebp+Offset _Default]
    Mov Eax, [Ebx+Eax*4]
    Add Eax, [Ebp+Offset _Default]
    Ret
Not_Found:
    Dec Edi
Loop_1:
    Inc Edi
    Cmp Byte Ptr [Edi],0
    Jnz Loop_1
    Inc Edi
    Dec Eax
    Jz Exit_Search
    Pop Ecx
    Jmp Next_One
Exit_Search:
    Jmp Error_Exit
    Ret
End Start
Overflowz 28 Apr 2011, 18:56
bitRAKE
Thanks, I'll work on it.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.