flat assembler
Message board for the users of flat assembler.

[FASM] No Imports Macro

sphaaz 05 Dec 2011, 21:47
First of all, hi everybody :) I'm new to fasm,
and I must say I'm very delighted to see it has so many macros :)

However, I did not find anywhere a macro that would dynamically resolve APIs...

Let's say we make an .inc that will get us the kernel base address and the LoadLibrary address... we save it and make small functions that will return the address of any API call we put in...

So it would look like this in .asm code:

noimp(MessageBoxA) or something like that,
which would return the address of MessageBoxA in eax.

I will try to make that, but I'm not sure how you like the idea :) ?

JohnFound 05 Dec 2011, 22:09
If I understand you correctly, you are talking about loading a .dll dynamically at runtime.
So, it is a matter of API calls. In Windows these are the GetProcAddress and LoadLibrary API functions.
To use a macro in order to replace one easy API call is a strange and dirty solution IMHO.
What do you actually want to achieve with this solution?

sphaaz 05 Dec 2011, 22:25
What I want to achieve is a type of API call obfuscation, so calls I make with a specific command don't get into the imports table but get loaded dynamically...
If there is a better method, I'm all ears :)

JohnFound 05 Dec 2011, 22:56
As I already said, you need to import directly only two functions from kernel32.dll - "LoadLibrary" and "GetProcAddress". Then use them with a simple: invoke GetProcAddress, [dll_handle], strFunctionName
You simply do not need to develop new macros for this task.

AsmGuru62 06 Dec 2011, 16:05
If obfuscation is a target of this exercise, how exactly will it work? In a debugger we can simply load a module with the API names and set a breakpoint on an API entry (which is returned by GetProcAddress), and the debugger will stop there.
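A defender's view of the approach discussed in this thread, as an added example that is not part of the original posts: GetProcAddress is handed a plain name string (strFunctionName), so that string stays in the file even though the function is absent from the import table. The Python below parses a PE import directory and reports watch-listed names that occur as strings but are not imported; the watch list and the function names `pe_import_names` and `runtime_resolved_candidates` are assumptions made for illustration.

```python
import struct
# Constructed watch list; extend with the API names your triage cares about.
WATCHLIST = {"MessageBoxA", "VirtualAlloc", "CreateProcessA", "WriteProcessMemory"}
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

def pe_import_names(data: bytes) -> set:
    """Return the function names listed in a PE file's import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    optsize, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                           # optional header
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
    imp_rva, = struct.unpack_from("<I", data, opt + (120 if pe64 else 104))
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sects = [struct.unpack_from("<4I", data, opt + optsize + 40 * i + 8)
             for i in range(nsect)]

    def off(rva):                                           # RVA -> file offset
        for vsize, va, rsize, raw in sects:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside every section")

    names = set()
    if not imp_rva:
        return names
    width, fmt = (8, "<Q") if pe64 else (4, "<I")
    desc = off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):
            return names                                    # null descriptor
        thunk = off(oft or ft)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            if not entry >> (width * 8 - 1):                # top bit = ordinal
                start = off(entry & 0x7FFFFFFF) + 2         # skip 2-byte hint
                names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
            thunk += width
        desc += 20

def runtime_resolved_candidates(data: bytes, watchlist=WATCHLIST) -> set:
    """Watch-listed names stored as plain strings but not in the import table."""
    imported = pe_import_names(data)
    if not imported & RESOLVERS:
        return set()
    present = {name for name in watchlist if name.encode() in data}
    return present - imported
```

Run it as `runtime_resolved_candidates(open(path, "rb").read())`; it only sees names stored as plain ASCII, which is the case for the `strFunctionName` usage quoted above.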
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
