flat assembler
Message board for the users of flat assembler.
typedef
ReadProcessMemory reads a specific area in memory. You must have been allowed to do so. MapViewOfFile puts data in memory. This data can be executable or so. I think they are the same in different contexts, though.
revolution
File on disk != process data in memory. Why would you expect them to be the same?
If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?
typedef
revolution wrote: File on disk != process data in memory. Why would you expect them to be the same?

I said in different contexts; their goal is the same but by different ways. That is what I meant. And notice I said different contexts.
Overflowz
revolution
You mean MapViewOfFile can also map an executable on disk into memory?

Anyway, I'm trying to make a little debugger (to be honest, the loader), but I don't know how debuggers work. I did something like this but I can't continue..

Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry main

section '.data' data readable writeable
  fname    db "due-cm5.exe",0
  baddr    dd 0x00401000                  ; OEP of the target, where the int3 goes
  int3addr db 0xCC                        ; the int3 opcode to write there
  sinfo    STARTUPINFO sizeof.STARTUPINFO ; cb must hold the structure size
  pinfo    PROCESS_INFORMATION
  align 4
  fhandle  dd ?
  wbytes   dd ?

section '.text' code readable executable
main:
  invoke CreateProcess,fname,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
  mov [fhandle],eax                       ; CreateProcess returns a BOOL here, not a handle
  invoke OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
  invoke WriteProcessMemory,eax,[baddr],int3addr,1,wbytes   ; [baddr]: the address value, not the variable
  ret

section '.idata' import data readable
  library user32,'user32.dll',\
          kernel32,'kernel32.dll'
  include 'API\USER32.INC'
  include 'API\KERNEL32.INC'

I'm trying to put an int3 (0xCC) instruction there to cause an exception, so I can make a little modification at that point, but I don't know what to do next.. Can anyone suggest the theory of what I should do next? Thank you.

The program has a new section that decrypts in memory and jumps to OEP (0x401000), where I'm putting the int3 instruction. Also, I'll be thankful if you give me some theory on how I should dump it. Thank you!
Overflowz
Please, someone just suggest me what should I do..
Feryno
http://www.google.com/#q=iczelion+debug_process
The DEBUG_PROCESS flag is missing; no need for CREATE_SUSPENDED. In your above sample the child either won't start to run (it is suspended) or hits the breakpoint you write at OEP; then you must construct a debug loop (WaitForDebugEvent, ContinueDebugEvent) where the parent will handle exceptions coming from the debuggee (child), else the child will die immediately after generating the exception. (This is why the DEBUG_PROCESS flag and debug loop are necessary: the parent will handle exceptions generated by the child so the child can continue its execution after generating exceptions like int3 etc.)
Overflowz
Feryno
Thank you, I'll try!
AsmGuru62
This may be useful:
http://msdn.microsoft.com/en-us/library/ms679288(v=VS.85).aspx
Overflowz
AsmGuru62
I tried that already but I don't understand where to start.. Thanks anyway.
Overflowz
P.S. How would this structure look in FASM style?

Code:
DEBUG_EVENT STRUCT
  dwDebugEventCode dd ?
  dwProcessId dd ?
  dwThreadId dd ?
  u DEBUGSTRUCT <>
DEBUG_EVENT ENDS

I don't know how to convert it because I see strange things there.. Does anyone have this structure here? Thanks.
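As an added example (not code from this thread), here is one way the debug loop Feryno describes could look in fasm, together with DEBUG_EVENT written in fasm's struct syntax: the child is created with DEBUG_PROCESS so its debug events and exceptions reach the parent, an int3 is planted at the entry point, and when that breakpoint is reported the original byte is put back and EIP is rewound so the child continues normally. Assumptions: 'target.exe' and the OEP value are placeholders; the structure is named DBGEVENT, and the event/status constants are (re)defined with '=', so nothing clashes with whatever the fasm includes already provide; STARTUPINFO, PROCESS_INFORMATION, DEBUG_PROCESS and the .data/.code/.end macros come from win32ax.inc.

```asm
format PE GUI 4.0
include 'win32ax.inc'
struct DBGEVENT                      ; DEBUG_EVENT in fasm syntax, 96 bytes on x86
  dwDebugEventCode dd ?
  dwProcessId      dd ?
  dwThreadId       dd ?
  ExceptionCode    dd ?              ; u.Exception.ExceptionRecord begins here
  flags_and_record rd 2              ; ExceptionFlags, ExceptionRecord pointer
  ExceptionAddress dd ?              ; address of the int3 that fired
  rest             rd 17             ; remainder of the union
ends
EXCEPTION_DEBUG_EVENT     = 1
EXIT_PROCESS_DEBUG_EVENT  = 5
EXCEPTION_BREAKPOINT      = 0x80000003
DBG_CONTINUE              = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001
OEP                       = 0x00401000   ; placeholder: address to break on in the child
.data
  int3   db 0xCC
  saved  db ?                        ; original byte at OEP
  sinfo  STARTUPINFO sizeof.STARTUPINFO
  pinfo  PROCESS_INFORMATION
  dbgev  DBGEVENT
  ctx    dd 0x10001,178 dup 0        ; x86 CONTEXT, ContextFlags=CONTEXT_CONTROL, Eip at +0xB8
.code
main:
  invoke CreateProcess,'target.exe',0,0,0,0,DEBUG_PROCESS,0,0,sinfo,pinfo  ; placeholder name
  test eax,eax
  jz done
  invoke ReadProcessMemory,[pinfo.hProcess],OEP,saved,1,0    ; keep the original byte
  invoke WriteProcessMemory,[pinfo.hProcess],OEP,int3,1,0    ; plant the int3
dbgloop: invoke WaitForDebugEvent,dbgev,-1       ; -1 = INFINITE
  mov esi,DBG_EXCEPTION_NOT_HANDLED                ; default reply: not ours, the child sees it
  cmp dword [dbgev.dwDebugEventCode],EXIT_PROCESS_DEBUG_EVENT
  je done
  cmp dword [dbgev.dwDebugEventCode],EXCEPTION_DEBUG_EVENT
  jne next
  cmp dword [dbgev.ExceptionCode],EXCEPTION_BREAKPOINT
  jne next
  mov esi,DBG_CONTINUE                             ; int3s are the debugger's (the first one is the loader's)
  cmp dword [dbgev.ExceptionAddress],OEP
  jne next
  invoke WriteProcessMemory,[pinfo.hProcess],OEP,saved,1,0   ; restore the byte
  invoke GetThreadContext,[pinfo.hThread],ctx
  dec dword [ctx+0xB8]                             ; EIP back onto the restored byte
  invoke SetThreadContext,[pinfo.hThread],ctx
next: invoke ContinueDebugEvent,[dbgev.dwProcessId],[dbgev.dwThreadId],esi
  jmp dbgloop
done: invoke ExitProcess,0
.end main
```

Note that if the target's own decryption routine rewrites the code at OEP after startup, an int3 written at process creation is simply overwritten before it can fire; the breakpoint then has to be set once the decryption has run rather than at startup.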
Overflowz
Bump.. Does nobody have it, or can nobody translate it?
typedef
In your code, doesn't CreateProcess return a boolean instead of a handle?
Overflowz
typedef
Damn.. you're right. But it doesn't matter for now.
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.