flat assembler
Message board for the users of flat assembler.

Windows: How to make an API call in dynamically loaded binary code?

TheRedPill, 06 Feb 2013, 07:18 (Joined: 28 Jan 2013; Posts: 18)
Hi,

I am not sure if this is even possible due to stuff like ASLR, relocation and similar, but is it possible to make an API call (on Windows systems), e.g. LoadLibrary, MessageBox, etc., in dynamically created->loaded->executed machine code? On fixed PE files all is left to the loader and the tables in the PE, but I don't know (is it even possible?) how to load/get the library/export address of some function in dynamically generated code at runtime. It would be a win situation for me if I could call LoadLibrary and GetProcAddress at least. The rest is common practice. But to do LoadLibrary and GetProcAddress I must know their addresses, and how do I get them at runtime from within dynamically loaded machine code? I was thinking of something like passing the first parameters (the addresses of LoadLibrary and GetProcAddress) to the dynamic machine code and saving them on the stack somewhere so I can CALL them if needed. But maybe there is some better way?

tia

TRP
Spool, 06 Feb 2013, 07:42 (Joined: 08 Jan 2013; Posts: 151)
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 10:09; edited 1 time in total
revolution, 06 Feb 2013, 07:45 (Joined: 24 Aug 2004; Posts: 20300; Location: In your JS exploiting you and your system)
When all else fails, read the source
Short answer: Yes it is possible.

Long answer: Search this board for topics about exe's having no imports section.

BTW: Moved to Windows section.
Spool, 06 Feb 2013, 07:48 (Joined: 08 Jan 2013; Posts: 151)
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 10:09; edited 1 time in total
TheRedPill, 06 Feb 2013, 17:49 (Joined: 28 Jan 2013; Posts: 18)
These answers could be of help to me; I only had a short run over the pages, but they look very promising:

http://board.flatassembler.net/topic.php?t=3845
http://board.flatassembler.net/topic.php?t=5666
http://board.flatassembler.net/topic.php?t=7718
http://board.flatassembler.net/topic.php?t=9367

As it seems, at first sight, it's not as easy as I thought it would be, and it's never 100% safe to work with, as some AV software or another protection mechanism will do a false positive on the generated code. Besides that, there seems to be no really 100% approved way to do this.
f0dder, 06 Feb 2013, 18:49 (Joined: 19 Feb 2004; Posts: 3175; Location: Denmark)
If you are the one designing both the dynamically loaded binary as well as the invoking code, there shouldn't be any problems - make a convention that LL+GPA are on the stack, or registers, or to some data structure pointed to by <whatever> when the binary code is called.

Shellcode is a different matter, though.
nmaps, 08 Feb 2013, 05:32 (Joined: 26 Oct 2012; Posts: 8)
There are several ways, although the easiest [to understand and implement] is to use the fact that kernel32.dll is loaded into each process, so use the PEB's LDR_MODULE list to find kernel32.dll and get its base address, then navigate the PE headers to the imports section and walk it until you get the functions you need.

All the structs can be found on MSDN or undocumented.ntinternals.net.
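The header walk nmaps describes, from a module base through the DOS and PE headers to the export directory where the function addresses live, as an added Python example (not code from this thread or from fasm): it runs over a constructed minimal PE32+ image built in memory, so the export names and RVAs in `build_image` are made up and only the header layout is real. The parser also handles the PE32 (x86) versus PE32+ (x64) optional-header size difference that ACP's caveat below touches on, and it resolves names through the ordinal table rather than assuming names and functions share an order.

```python
import struct

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]
def build_image():
    """Constructed minimal PE32+ image (not a real DLL); RVAs equal offsets."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew -> "PE\0\0"
    pe, exp = 0x80, 0x200
    img[pe:pe + 4] = b"PE\0\0"
    opt = pe + 24                                          # optional header
    struct.pack_into("<H", img, opt, 0x20B)                # Magic: PE32+
    struct.pack_into("<I", img, opt + 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, exp, 0x100)    # DataDirectory[0]: exports
    # Export directory from offset 16: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    struct.pack_into("<IIIIII", img, exp + 16, 1, 3, 3, 0x230, 0x240, 0x250)
    struct.pack_into("<III", img, 0x230, 0x1100, 0x1230, 0x1340)  # function RVAs (constructed)
    struct.pack_into("<III", img, 0x240, 0x260, 0x270, 0x280)     # name string RVAs
    struct.pack_into("<HHH", img, 0x250, 1, 0, 2)                 # name -> function index
    for rva, n in zip((0x260, 0x270, 0x280),   # names kept sorted, as linkers emit them
                      (b"GetProcAddress\0", b"LoadLibraryA\0", b"VirtualAlloc\0")):
        img[rva:rva + len(n)] = n
    return bytes(img)

def export_table(img):
    """Walk DOS -> PE -> optional header -> export directory; return {name: rva}."""
    if img[:2] != b"MZ": raise ValueError("no MZ header")
    pe = u32(img, 0x3C)
    if img[pe:pe + 4] != b"PE\0\0": raise ValueError("no PE signature")
    opt = pe + 24
    magic = u16(img, opt)
    if magic not in (0x10B, 0x20B): raise ValueError("unknown magic %#x" % magic)
    # PE32 (x86) and PE32+ (x64) optional headers differ in size, so the data
    # directory starts at +96 or +112: one of the x86/x64 differences ACP warns about.
    dirs = opt + (96 if magic == 0x10B else 112)
    if u32(img, dirs - 4) < 1: return {}               # NumberOfRvaAndSizes precedes it
    exp = u32(img, dirs)                               # IMAGE_DIRECTORY_ENTRY_EXPORT
    if exp == 0: return {}
    nfunc, nnames = u32(img, exp + 20), u32(img, exp + 24)
    funcs, names, ords = u32(img, exp + 28), u32(img, exp + 32), u32(img, exp + 36)
    table = {}
    for i in range(nnames):
        name_rva = u32(img, names + 4 * i)
        name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
        idx = u16(img, ords + 2 * i)   # index into AddressOfFunctions (Base is not added)
        if idx >= nfunc: raise ValueError("ordinal out of range for " + name)
        table[name] = u32(img, funcs + 4 * idx)
    return table
```

On a real mapped module the RVAs would be added to the module base found via the PEB loader list, and a file on disk would additionally need section-based RVA-to-offset translation, which this flat image sidesteps.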
ACP, 09 Feb 2013, 23:13 (Joined: 23 Sep 2006; Posts: 204)
When parsing the PEB or using some other internal Windows structures, keep in mind that those could differ between x86 and x64 versions. Furthermore, you need to keep in mind the WoW layer in the case of x64 running an x86 process.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.