flat assembler
Message board for the users of flat assembler.
Index
> Windows > Native API, NtCreateFile, OBJECT_ATTRIBUTES |
Author |
|
KostX 20 Mar 2014, 22:16
Or can you give me an example in assembler?
|
|||
20 Mar 2014, 22:16 |
|
revolution 20 Mar 2014, 22:21
I don't see where you are setting the .Length or other members?
Perhaps you can post some minimal code that can be assembled. These little snippets require us to do a lot of work to get a working version of your code. |
|||
20 Mar 2014, 22:21 |
|
KostX 20 Mar 2014, 22:25
Excuse me. That's all my code.
Code: format PE native 4.0 at 1000000h as 'exe' entry DriverEntry include 'win32w.inc' section '.code' code readable executable proc DriverEntry, pDriverObject, pDriverPath ; Check for self deletion stdcall GetActiveDaysRemained test eax, eax jle SelfDelete stdcall PrintStringA, Config.String call Delay ; Initialize keyboard push KeyboardPath push keyboard call dword [RtlInitUnicodeString] stdcall OpenFile, keyboard, hKBEvent, FILE_DIRECTORY_FILE, FILE_OPEN, SYNCHRONIZE + GENERIC_READ + FILE_READ_ATTRIBUTES test eax, eax mov [hKeyboard], eax je Quit ; Wait for password stdcall PrintStringA, NewString stdcall PrintStringA, EnterPassword .WaitForKey: stdcall ReadFile, [hKeyboard], [hKBEvent], KBIData, 18h, dwZero stdcall ScanToChar, KBIData test eax, eax je .WaitForKey ; Check for ENTER press cmp eax, CHAR_ENTER jne @f stdcall CheckPassword, BufferA + 512, Config.Password test eax, eax jne Quit stdcall PrintStringA, WrongPassword pushad mov edx, 10 .Delaying: dec edx call Delay test edx, edx jne .Delaying popad mov eax, CHAR_BKSPACE @@: ; Check for BREAK_SPACE press cmp eax, CHAR_BKSPACE jne @f mov dword [BufferA + 512 + 0], 0 mov dword [BufferA + 512 + 4], 0 mov dword [BufferA + 512 + 8], 0 stdcall PrintStringA, BackSpace stdcall PrintStringA, EnterPassword mov [CurPos], 0 jmp .WaitForKey @@: ; Remember all typed symbols in memory xor ecx, ecx mov cl, byte [CurPos] mov byte [BufferA + 512 + ecx], al ; 10 chars per a line (max) inc byte [CurPos] ;mov [tmp], eax ; Check for password less then PASSWORD_MAX cmp byte [CurPos], PASSWORD_MAX - 1 jl @f mov byte [CurPos], PASSWORD_MAX - 1 jmp .WaitForKey @@: stdcall PrintStringA, Asterisk ; Print asterisk jmp .WaitForKey Quit: stdcall PrintStringA, Quitting call Delay call Delay call Delay push [hKeyboard] call dword [NtClose] push [hKBEvent] call dword [NtClose] push 0 push -1 call dword [NtTerminateProcess] SelfDelete: ;;;;;;;;; Doesn' work !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ; Delete configuration xor ebx, ebx push ebx push ebx push OBJ_CASE_INSENSITIVE push ConfigPath push ObjectAttributes call InitializeObjectAttributes invoke NtDeleteFile, ObjectAttributes jmp Quit endp nop align 2 proc PrintErrorCode, Code, Buffer pushad pushf stdcall dwtoh, [code], [Buffer] stdcall PrintStringA, [Buffer] call Delay call Delay popf popad ret endp proc ReadFromFile, FName, Buffer, Size pushad sub esp, 20 lea ebx, [esp + 04] lea edi, [esp + 12] push [FName] push ebx call dword [RtlInitUnicodeString] stdcall OpenFile, ebx, edi, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN, SYNCHRONIZE + GENERIC_READ test eax, eax je .Error mov esi, eax stdcall ReadFile, esi, [edi], [Buffer], [Size], dwZero test eax, eax je .Error .Return: xor eax, eax inc eax .Error: push eax invoke RtlFreeUnicodeString, ebx invoke NtClose, [edi] invoke NtClose, esi pop eax add esp, 20 mov [esp + 28], eax popad ret endp proc SaveToFile, FName, Buffer, Size pushad sub esp, 4 lea ebx, [esp + 04] push [FName] push ebx call dword [RtlInitUnicodeString] stdcall OpenFile, ebx, 0, FILE_SYNCHRONOUS_IO_NONALERT, FILE_CREATE, SYNCHRONIZE + GENERIC_WRITE test eax, eax je .Error mov esi, eax invoke NtWriteFile, esi, 0, 0, 0, iosb, [Buffer], [Size], dwZero, 0 test eax, eax jne .Error .Return: xor eax, eax inc eax .Error: push eax invoke RtlFreeUnicodeString, ebx invoke NtClose, esi pop eax add esp, 4 mov [esp + 28], eax popad ret endp GetActiveDaysRemained: pushad invoke NtQuerySystemTime, tmp invoke RtlSystemTimeToLocalTime, tmp, tmp invoke RtlTimeToTimeFields, tmp, TimeStruct xor eax, eax mov ax, word [TimeStruct.wYear] mov word [kTime.Year], ax mov ax, word [TimeStruct.wMonth] mov word [kTime.Month], ax mov ax, word [TimeStruct.wDay] mov word [kTime.Day], ax lea eax, dword [kTime + 6] stdcall ReadFromFile, ConfigPath, eax, 6 test eax, eax jne @f stdcall SaveToFile, ConfigPath, kTime, 6 xor eax, eax inc eax jmp .Return @@: xor eax, eax mov ebx, eax mov edx, ebx mov ecx, edx sub edi, edi mov ax, [kTime.Year] mov bx, [kTime.Month] mov di, [kTime.Day] sub ax, [kTime.Year + 6] sub bx, [kTime.Month + 6] sub di, [kTime.Day + 6] mov esi, 365 mul esi push eax mov eax, 30 mul ebx pop esi add esi, eax add esi, edi mov eax, dword [Config.SelfDelTime] sub eax, esi .Return: mov [esp + 28], eax popad ret proc CheckPassword, ToBeCompared, Original pushad mov esi, [ToBeCompared] mov edi, [Original] xor ebx, ebx cmp byte [esi + ebx], 0 je .Error dec ebx .Checking: inc ebx cmp byte [edi + ebx], 0 je .Return mov al, byte [esi + ebx] cmp al, byte [edi + ebx] je .Checking .Error: mov dword [esp + 28], 0 popad ret .Return: mov dword [esp + 28], 1 popad ret endp proc ScanToChar, pKBBuffer pushad xor eax, eax mov esi, dword [pKBBuffer] ; If key was up then goto error (return 0) cmp [esi + KBIData.MakeCode - KBIData], 1 je .Return ; Get key scan code mov eax, dword [esi + KBIData.UnitId - KBIData] shr eax, 16 test eax, eax je .Return shl eax, 24 shr eax, 24 xor edx, edx mov dl, byte [ASCIL + eax] mov eax, edx .Return: mov [esp + 28], eax popad ret endp proc PrintStringA, pString pushad stdcall AsciToUnicode, [pString], BufferA push BufferA push string call dword [RtlInitUnicodeString] push string call dword [NtDisplayString] push string call dword [RtlFreeUnicodeString] popad ret endp Delay: mov ecx, 2FFFFFFFh .wait1: dec ecx jne .wait1 ret proc OpenFile, pPath, pEvent, Options, Flags, Access pushad xor ebx, ebx push ebx push ebx push OBJ_CASE_INSENSITIVE push [pPath] push ObjectAttributes call InitializeObjectAttributes push ebx push ebx push [Options] push [Flags] push ebx push FILE_ATTRIBUTE_NORMAL push ebx push iosb push ObjectAttributes push [Access] push tmp call dword [NtCreateFile] test eax, eax jne .Error cmp [pEvent], 0 je .Return push ebx push ebx push ebx push ebx push ObjectAttributes call InitializeObjectAttributes @@: push ebx push 1 push ObjectAttributes push EVENT_ALL_ACCESS push [pEvent] call dword [NtCreateEvent] test eax, eax jne .Error .Return: mov eax, dword [tmp] mov dword [esp + 28], eax popad ret .Error: mov dword [esp + 28], 0 popad ret endp proc ReadFile, hFile, hEvent, Buffer, BufferLength, BytesOffset pushad mov dword [iosb + 00], 0 mov dword [iosb + 04], 0 mov dword [iosb + 08], 0 mov dword [iosb + 12], 0 push 0 push [BytesOffset] push [BufferLength] push [Buffer] push iosb push 0 push 0 push [hEvent] push [hFile] call dword [NtReadFile] cmp eax, 0C0000061h je .Error invoke NtWaitForSingleObject, [hEvent], 1, 0 .Return: mov dword [esp + 28], 1 popad ret .Error: mov dword [esp + 28], 0 popad ret endp align 2 nop proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc push eax ebx mov ebx, dword [pObj] mov dword [ebx + 0], 24 mov eax, dword [rootDir] mov dword [ebx + 4], eax mov eax, dword [objName] mov dword [ebx + 8], eax mov eax, dword [attr] mov dword [ebx + 12], eax mov eax, dword [secDesc] mov dword [ebx + 16], eax mov dword [ebx + 20], 0 pop ebx eax ret endp proc dwtoh, Value, pString pushad mov ebx, dword [Value] mov edi, dword [pString] inc edi inc edi mov ecx, 8 mov byte [edi + ecx], 0 .Converting: mov al, bl mov dl, al shr al, 4 cmp al, 10 jb @f add al, 41h - 30h - 10 @@: add al, 30h shl dl, 4 shr dl, 4 cmp dl, 10 jb @f add dl, 41h - 30h - 10 @@: add dl, 30h dec ecx mov byte [edi + ecx], dl dec ecx mov byte [edi + ecx], al shr ebx, 8 test ecx, ecx jne .Converting dec edi dec edi mov word [edi], '0x' mov [esp + 28], edi popad ret .char: endp proc AsciToUnicode, Source, Destination pushad mov esi, dword [Source] mov edi, dword [Destination] xor ebx, ebx dec ebx xor ecx, ecx dec ecx dec ecx xor eax, eax .Converting: inc ebx cmp byte [esi + ebx], 0 je .finish inc ecx inc ecx mov al, byte [esi + ebx] mov word [edi + ecx], ax jmp .Converting .finish: inc ecx inc ecx mov word [edi + ecx], 0 popad ret endp OBJ_CASE_INSENSITIVE = 64 FILE_DIRECTORY_FILE = 01 FILE_OPEN = 01 FILE_CREATE = 00000002h SYNCHRONIZE = 00100000h GENERIC_READ = 80000000h FILE_READ_ATTRIBUTES = 00000080h FILE_SYNCHRONOUS_IO_NONALERT = 00000020h EVENT_ALL_ACCESS = 001F0003h STATUS_PENDING = 00000103h ConfigPath du '\SystemRoot\msvrc', 0 KeyboardPath du '\Device\KeyboardClass0', 0 Quitting db 10 db 'Quitting', 10, 0 EnterPassword db 'Enter password: ', 0 WrongPassword db ' Wrong password', 0 NewString du 10, 00 BackSpace du 13, 00 Asterisk du '*', 00 ASCIL db 0, 0, "1234567890-=", CHAR_BKSPACE, 0, "qwertyuiop[]", CHAR_ENTER, 0, "asdfghjkl;'`", 0, "\zxcvbnm,./", 0, "*", 0, " ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 CHAR_ENTER = 0Dh CHAR_BKSPACE = 08h section '.idata' import readable library ntdll,'ntdll.dll' import ntdll, NtDisplayString, 'NtDisplayString',\ NtTerminateProcess, 'NtTerminateProcess',\ RtlCreateUnicodeStringFromAsciiz, 'RtlCreateUnicodeStringFromAsciiz',\ RtlInitUnicodeString, 'RtlInitUnicodeString',\ RtlFreeUnicodeString, 'RtlFreeUnicodeString',\ NtCreateFile, 'NtCreateFile',\ NtCreateEvent, 'NtCreateEvent',\ NtReadFile, 'NtReadFile',\ NtWriteFile, 'NtWriteFile',\ NtDeleteFile, 'NtDeleteFile',\ NtWaitForSingleObject, 'NtWaitForSingleObject',\ NtClose, 'NtClose',\ NtQuerySystemTime, 'NtQuerySystemTime',\ RtlSystemTimeToLocalTime, 'RtlSystemTimeToLocalTime',\ RtlTimeToTimeFields, 'RtlTimeToTimeFields' section '.reloc' data fixups readable discardable section '.data' data readable writeable ObjectAttributes: .Length dd ? .RootDirectory dd ? .ObjectName dd ? .Attributes dd ? .SecurityDescriptor dd ? .SecurityQualityOfService dd ? dd ? dd ? align 32 BufferA db 1024 dup (?) BufferB db 32 dup (?) BufferC db 32 dup (?) tmp dd ? string dd 4 dup (?) keyboard dd 4 dup (?) conffile dd 4 dup (?) iosb dd 4 dup (?) hKeyboard dd ? hKBEvent dd ? hConf dd ? hFlEvnt dd ? dwZero dd 6 dup (?) KBIData: .UnitId dd ? .MakeCode dd ? .Flags dd ? .Reserved dd ? .ExtraInformation dd ? CurPos db ? TimeStruct: .wYear dw ? .wMonth dw ? .wDay dw ? .wHour dw ? .wMinute dw ? .wSecond dw ? .wMilliseconds dw ? .wDayOfWeek dw ? kTime: .Year dw ? .Month dw ? .Day dw ? section '.' data readable PASSWORD_MAX = 10 Config: .String db 'Test message', 10, 1024 - 13 dup (0) .Password db 'dworak', 0011 - 06 dup (0) .SelfDelTime dd 00000001h [/code] Last edited by KostX on 20 Mar 2014, 23:18; edited 1 time in total |
|||
20 Mar 2014, 22:25 |
|
KostX 20 Mar 2014, 22:30
I set length of OBJECT_ATTRIBUTES by this function. This is analog of InitializeObjectAttributes C++ macro that I wrote.
Code: proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc push eax ebx mov ebx, dword [pObj] mov dword [ebx + 0], 24 mov eax, dword [rootDir] mov dword [ebx + 4], eax mov eax, dword [objName] mov dword [ebx + 8], eax mov eax, dword [attr] mov dword [ebx + 12], eax mov eax, dword [secDesc] mov dword [ebx + 16], eax mov dword [ebx + 20], 0 pop ebx eax ret endp |
|||
20 Mar 2014, 22:30 |
|
revolution 20 Mar 2014, 22:36
Looks like one of the pointers to some data in the OBJECT_ATTRIBUTES structure points to a badly aligned address.
|
|||
20 Mar 2014, 22:36 |
|
KostX 20 Mar 2014, 22:54
I have just been redone InitializeObjectAttributes function:
Code: proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc push eax ebx mov ebx, dword [pObj] mov dword [ebx + ObjectAttributes.Length - ObjectAttributes], sizeof.OBJECT_ATTRIBUTES mov eax, dword [rootDir] mov dword [ebx + ObjectAttributes.RootDirectory - ObjectAttributes], eax mov eax, dword [objName] mov dword [ebx + ObjectAttributes.ObjectName - ObjectAttributes], eax mov eax, dword [attr] mov dword [ebx + ObjectAttributes.Attributes - ObjectAttributes], eax mov eax, dword [secDesc] mov dword [ebx + ObjectAttributes.SecurityDescriptor - ObjectAttributes], eax mov dword [ebx + ObjectAttributes.SecurityQualityOfService - ObjectAttributes], 0 pop ebx eax ret endp Its definetion: Code: struct OBJECT_ATTRIBUTES Length dd ? ;ULONG Length; RootDirectory dd ? ;HANDLE RootDirectory; ObjectName dd ? ;PUNICODE_STRING ObjectName; Attributes dd ? ;ULONG Attributes; SecurityDescriptor dd ? ;PVOID SecurityDescriptor; SecurityQualityOfService dd ? ;PVOID SecurityQualityOfService; ends ObjectAttributes OBJECT_ATTRIBUTES Its call: Code: ; Delete configuration xor ebx, ebx push ebx push ebx push OBJ_CASE_INSENSITIVE push ConfigPath push ObjectAttributes call InitializeObjectAttributes invoke NtDeleteFile, ObjectAttributes Result: NtCreateFile now works!! but NtDeleteFile still returns NTSTATUS 80000002h (STATUS_DATATYPE_MISALIGNMENT) |
|||
20 Mar 2014, 22:54 |
|
revolution 20 Mar 2014, 23:18
If you have struct definition then you can use it directly:
Code: mov [ebx+OBJECT_ATTRIBUTES.Length], ... |
|||
20 Mar 2014, 23:18 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.