just76



Hello!
Why doesn't my embedded file run? (msg.exe is an ordinary windowed program that only shows a message box.)
example:

This version works:
Code:
; Host program: a 32-bit GUI PE that carries another PE (FILE_NAME) inside
; itself and "runs" it by mapping it manually into this process.
FORMAT PE GUI 4.0

entry start
FILE_NAME equ 'MSG.EXE'
; the PE embedded below with `file FILE_NAME`; its ImageBase and SizeOfImage
; decide which address range the loader frees and re-maps (see Allock_Region)

; NOTE(review): absolute include paths; `include 'win32a.inc'` with the
; INCLUDE environment variable set is the portable form.
include 'C:\fasm\INCLUDE\win32a.inc'

; One section holds the import directory, the loader code, api_table and the
; embedded file. Writable is required because `start` patches api_table in
; place; readable+writable+executable on one section is also exactly what
; W^X style mitigations reject, so expect this to be flagged.
section '.main' code readable writable executable

; The import directory is emitted at the start of .main, so anything that
; changes its size (an extra DLL or function) shifts every address after it.
data import

library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

include 'C:\fasm\INCLUDE\API\user32.inc'
include 'C:\fasm\INCLUDE\API\kernel32.inc'
end data

; xinvoke proc,[arg...] - call an API through the relocated api_table.
; Arguments are pushed right-to-left (stdcall), then the call goes through
; [ebx + (_proc - _delta)]: the api_table slot named `_proc`, addressed
; relative to ebx. The position-independent loader sets ebx to the runtime
; address of _delta (call/pop in alloced_area_start), so this works wherever
; the loader has been copied. Unlike `invoke`, it does not read the host's
; import address table; the slots are filled with resolved addresses by
; `start` before the loader is copied away.
macro xinvoke proc,[arg]
  {
    common
      if ~ arg eq
    reverse
      pushd arg
    common
      end if
    call [ebx+_#proc-_delta]
  }

; start - entry point of the host.
; Resolves the APIs the loader needs into api_table, allocates a scratch
; region above the embedded file's ImageBase+SizeOfImage, copies the
; position-independent loader (code + api_table + embedded file) there and
; jumps to the copy. The copy is needed because the loader will unmap the
; address range the host itself may occupy (see Allock_Region).
proc start
     locals
        pVA  dd ?           ; base of the scratch region the loader is copied to
        shit dd ?           ; unused
     endl

        ; Locate the embedded file's IMAGE_NT_HEADERS and read ImageBase and
        ; SizeOfImage from its optional header. There is no 'MZ'/'PE'
        ; signature check, so a wrong FILE_NAME is only noticed when these
        ; fields come out as garbage.
        mov     esi,some_file
        add     esi,[esi+3ch] ;peheader: e_lfanew -> IMAGE_NT_HEADERS
        mov     ecx,[esi+34h] ;image base (OptionalHeader.ImageBase)
        mov     edx,[esi+50h] ;image size (OptionalHeader.SizeOfImage)

        lea     edi,[edx+ecx]
        ;imagebase+imagesize: first address past the target image; the
        ;scratch region goes somewhere above it so it survives the remap

        ; Round the loader size up to a multiple of 10000h (allocation
        ; granularity). An already aligned size gets one extra 64K.
        mov     esi,alloced_size
        add     esi,10000h
        and     esi,0ffff0000h

  @@:
        ; Probe upward in 64K steps until VirtualAlloc accepts the address.
        ; NOTE(review): spins forever if no address ever succeeds.
        add     edi,10000h
        invoke  VirtualAlloc,edi,esi,MEM_RESERVE+MEM_COMMIT,PAGE_EXECUTE_READWRITE
        test    eax,eax
        jz      @b
        mov     [pVA],eax
        ;scratch region base; the loader later releases it by masking its
        ;own runtime address (see the tail of alloced_area_start)

        ; Turn api_table from a list of IAT-entry addresses into a list of
        ; resolved function addresses, in place: each slot is dereferenced
        ; once. The copied loader cannot rely on the host's import table,
        ; which lives in the host image that Allock_Region may unmap.
        mov     esi,api_table
        mov     edi,esi
  @@:
        lodsd
        test    eax,eax
        jz      @f
        mov     eax,[eax]
        stosd
        jmp     @b
  @@:
        ; Copy alloced_size bytes (alloced_area_start .. end of the embedded
        ; file) into the scratch region and transfer control to the copy.
        mov     esi,alloced_area_start
        mov     edi,[pVA]
        mov     ecx,alloced_size
        rep     movsb
        jmp     [pVA]
        ;never returns: lands on the copy of alloced_area_start
endp


;äàëüøå òîëüêî áàçîíåçàâèñèìûé êîä
; alloced_area_start - the relocated loader. Runs from the scratch region
; made by `start`, so everything here is position-independent: ebx holds
; the runtime address of _delta and data is addressed as ebx+(label-_delta).
; Steps: free and re-allocate the target image range, copy headers and
; sections into it, resolve its imports, release the scratch region and
; enter the image at its entry point.
proc alloced_area_start
     locals
        pVA dd ?            ; target ImageBase (not the scratch region, unlike pVA in `start`)
     endl
        call    _delta
     _delta:
        pop     ebx
        ;ebx=delta: runtime address of _delta (call/pop EIP trick)
        lea     esi,[ebx+some_file-_delta]
        ;esi -> the copy of the embedded file inside the scratch region
        push    esi
        ;kept on the stack as the rightmost (4th) argument of
        ;process_sections, which is pushed first under stdcall
        add     esi,dword[esi+3ch]
        ;esi -> IMAGE_NT_HEADERS of the embedded file
        mov     ecx,[esi+34h] ;image base
        mov     edx,[esi+50h] ;image size

        mov     edi,ecx
        ;edi = ImageBase, preserved across the call (callee does pusha/popa)
        stdcall Allock_Region,ecx,edx
        ;release whatever is mapped in [ImageBase, ImageBase+SizeOfImage)
        ;and allocate it RWX; failure is not reported (see Allock_Region)
        mov     [pVA],ecx
        ;remember the target ImageBase

        mov     edx,esi
        ;edx=pointer to PE header
        pop     esi
        push    esi
        ;esi = file start again; re-pushed because process_sections' `ret`
        ;pops all four arguments, including this one

        mov     ecx,[edx+54h]
        add     ecx,18h
        ;OptionalHeader.SizeOfHeaders + 18h. NOTE(review): SizeOfHeaders
        ;already includes the section table; the extra 18h bytes come from
        ;whatever follows the headers in the file. Appears harmless, but the
        ;+18h has no documented purpose.
        rep     movsb
        ;copy the headers to ImageBase

        lea     eax,[edx+78h+16*8]
        ;first IMAGE_SECTION_HEADER, assuming a PE32 optional header with all
        ;16 data directories (E0h bytes). NOTE(review): the general form is
        ;edx+18h+SizeOfOptionalHeader (word at edx+14h).
        movzx   ecx,word[edx+6]
        ;IMAGE_NT_HEADER.FileHeader.NumberOfSections
        stdcall process_sections,ecx,eax,[pVA]
        ;copy each section's raw data to ImageBase+VirtualAddress
        stdcall process_imports,dword[edx+78h+8],[pVA]
        ;DataDirectory[IMPORT].VirtualAddress; fills the image's IAT

        ; Build a VirtualFree(loader_page, 0, MEM_RELEASE) frame whose return
        ; address is the image's entry point: VirtualFree releases the scratch
        ; region this code runs in, and its `ret` lands in the loaded image.
        push    MEM_RELEASE
        push    0
        mov     eax,ebx
        and     eax,0fffff000h
        push    eax
        ;page containing _delta; this is the allocation base only because
        ;_delta lies in the first page of the copied block (it is a few
        ;bytes after alloced_area_start)
        mov     ecx,dword[edx+28h]
        ;OptionalHeader.AddressOfEntryPoint (RVA)
        add     ecx,[pVA]
        ;VA
        push    ecx
        ;"return address" for VirtualFree
        jmp     [_VirtualFree+ebx-_delta]
        ;tail-call through the relocated api_table slot; never returns here.
        ;NOTE(review): the frames of `start` and this proc are still on the
        ;stack when the image's entry point runs; nothing unwinds them.
endp

; process_imports - resolve the loaded image's imports in place.
; pTab       - RVA of the import directory (DataDirectory[1].VirtualAddress)
; pImageBase - base address the image was mapped at
; Walks the IMAGE_IMPORT_DESCRIPTOR array, loads each DLL with LoadLibrary
; and writes GetProcAddress results into the descriptor's FirstThunk array.
; Uses xinvoke, so ebx must hold the loader delta. All registers are
; preserved (pusha/popa) and nothing is returned, so the caller cannot tell
; whether resolution succeeded.
proc    process_imports pTab,pImageBase
        pusha
        mov     edx,[pTab]
        add     edx,[pImageBase]
        ;edx -> first IMAGE_IMPORT_DESCRIPTOR (VA)
      .loop:
        push    edx
        mov     edi,[edx+4*4]
        ;FirstThunk RVA: the import address table that gets filled in
        mov     esi,[edx]
        ;OriginalFirstThunk RVA: the lookup table (same layout as the IAT)
        test    edi,edi
        jz      .ends
        ;a descriptor with FirstThunk == 0 is treated as the terminator
        test    esi,esi
        jnz     .ok
        mov     esi,edi
        ;no lookup table: read the name entries from the IAT itself
      .ok:
        mov     ecx,[pImageBase]
        add     esi,ecx
        add     edi,ecx
        ;both tables as VAs
        mov     eax,[edx+4*3]
        add     eax,ecx
        ;Name RVA -> VA of the DLL name string
      @@:
        cmp     byte[eax],0
        jnz     @f
        inc     eax
        jmp     @b
        ;skips leading zero bytes (alignment padding) before the name.
        ;NOTE(review): unbounded - a bogus Name RVA pointing into zeroed
        ;memory scans forward until a non-zero byte or a fault.
      @@:
        xinvoke LoadLibrary,eax
        mov     edx,eax
        ;edx = module handle. NOTE(review): never checked; if LoadLibrary
        ;fails, every GetProcAddress below returns 0 and the IAT is filled
        ;with NULLs, which only shows up as a crash at the first call.
      .po_1_dll:
        lodsd
        ;next lookup entry: RVA of IMAGE_IMPORT_BY_NAME, or an ordinal
        test    eax,eax
        jz      .exit_it
        ;the thunk list ends with a zero entry
        bt      eax,31
        ;bit 31 set = import by ordinal
        jnc     .no_ord
        and     eax,0ffffh
        ;ordinal number, passed to GetProcAddress as a small integer
        jmp     .getproc
      .no_ord:
        add     eax,[pImageBase]
        ;VA of IMAGE_IMPORT_BY_NAME
        add     eax,2
        ;skip the Hint word -> IMAGE_IMPORT_BY_NAME.Name
      .getproc:
        push    edx
        ;the API call may clobber edx; keep the module handle
        xinvoke GetProcAddress,edx,eax
        pop     edx
        stosd
        ;store the resolved address (or 0 on failure) into the IAT slot
        jmp     .po_1_dll
      .exit_it:
        pop     edx
        add     edx,5*4
        ;sizeof(IMAGE_IMPORT_DESCRIPTOR) -> next descriptor
        jmp     .loop
      .ends:
        pop     edx
        popa
        ret
endp

; process_sections - copy every section's raw data into the mapped image.
; num        - NumberOfSections from IMAGE_FILE_HEADER
; pStable    - pointer to the first IMAGE_SECTION_HEADER
; pImageBase - base address the image is being built at
; pImage     - pointer to the raw file the sections are read from
; For each header, SizeOfRawData bytes are copied from
; pImage+PointerToRawData to pImageBase+VirtualAddress. Registers are
; preserved (pusha/popa) and nothing is returned. No bounds checks: num is
; assumed to be at least 1 (a zero count wraps around), and sizes and
; offsets are trusted exactly as they appear in the headers.
proc    process_sections num, pStable,pImageBase,pImage
        pusha
        mov     eax,[num]               ; sections left to copy
        mov     edx,[pStable]           ; current IMAGE_SECTION_HEADER
  .next:
        mov     esi,[pImage]
        add     esi,[edx+14h]           ; + PointerToRawData -> source in the file
        mov     edi,[pImageBase]
        add     edi,[edx+0ch]           ; + VirtualAddress   -> destination in memory
        mov     ecx,[edx+10h]           ; SizeOfRawData
        rep     movsb
        add     edx,28h                 ; sizeof(IMAGE_SECTION_HEADER)
        dec     eax
        jnz     .next
        popa
        ret
endp

; Allock_Region - make [pRegion, pRegion+Size) available as RWX memory.
; pRegion - start address (the embedded image's ImageBase)
; Size    - number of bytes (its SizeOfImage)
; For each 10000h chunk: unmap any section view there, release any private
; allocation there, then commit 10000h bytes at that fixed address.
; Registers are preserved (pusha/popa) and no status is returned.
; NOTE(review): the first iteration unmaps whatever is at pRegion. When the
; embedded file shares the host's ImageBase that is the host executable
; itself; this only works because the caller already runs from the copy
; `start` made, and nothing in the host image may be touched afterwards.
proc    Allock_Region pRegion,Size
        pusha
        mov     edi,[pRegion]
        mov     esi,[Size]
        add     esi,edi
        ;esi = end of the region to allocate
        ;edi = current chunk
     @@:
        xinvoke UnmapViewOfFile,edi
        xinvoke VirtualFree,edi,0,MEM_RELEASE
        ;free whatever is there; both results are ignored (MEM_RELEASE only
        ;succeeds when edi is an allocation base)
        xinvoke VirtualAlloc,edi,10000h,MEM_RESERVE+MEM_COMMIT,PAGE_EXECUTE_READWRITE
        ;commit this chunk at the fixed address
        test    eax,eax
        jz      @f
        ;original note: without this check it still works as long as the
        ;parameters are within "reasonable" limits. NOTE(review): a failed
        ;allocation silently ends the loop; the caller then copies headers
        ;and sections into unmapped memory and faults there, not here.
        add     edi,10000h
        ;memory is claimed 10000h bytes per step
        cmp     edi,esi
        jl      @b
        ;NOTE(review): signed compare; for addresses at or above 80000000h
        ;`jb` (unsigned) is the correct test.
     @@:
        popa
        ret
endp

api_table:
;Table of the APIs the relocated loader needs, terminated by a zero dword.
;Each slot is assembled as the address of the host's IAT entry for that API;
;`start` dereferences every slot once and stores the resolved function
;address back, so the copied loader can call them through xinvoke without
;the host's import table. The slot labels (_VirtualAlloc, ...) are what
;xinvoke addresses relative to _delta.
_UnmapViewOfFile dd UnmapViewOfFile
_VirtualAlloc    dd VirtualAlloc
_LoadLibrary     dd LoadLibrary
_GetProcAddress  dd GetProcAddress
_VirtualFree     dd VirtualFree
dd 0

some_file:
_bin    file FILE_NAME
;the embedded PE that gets loaded; it is copied along with the loader code
        _bin_size         = $ - _bin
alloced_size=$-alloced_area_start
;bytes `start` copies: loader code + api_table + embedded file

    


But as soon as I add a call to MessageBox to the code, the embedded file no longer runs.

This version does not work:

Code:
; Host program: a 32-bit GUI PE that carries another PE (FILE_NAME) inside
; itself and "runs" it by mapping it manually into this process.
FORMAT PE GUI 4.0

entry start
FILE_NAME equ 'MSG.EXE'
; the PE embedded below with `file FILE_NAME`; its ImageBase and SizeOfImage
; decide which address range the loader frees and re-maps (see Allock_Region)

; NOTE(review): absolute include paths; `include 'win32a.inc'` with the
; INCLUDE environment variable set is the portable form.
include 'C:\fasm\INCLUDE\win32a.inc'

; One section holds the import directory, the loader code, api_table and the
; embedded file. Writable is required because `start` patches api_table in
; place; readable+writable+executable on one section is also exactly what
; W^X style mitigations reject, so expect this to be flagged.
section '.main' code readable writable executable

; The import directory is emitted at the start of .main, so anything that
; changes its size (an extra DLL or function such as MessageBox) shifts
; every address after it.
data import

library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

include 'C:\fasm\INCLUDE\API\user32.inc'
include 'C:\fasm\INCLUDE\API\kernel32.inc'
end data

; xinvoke proc,[arg...] - call an API through the relocated api_table.
; Arguments are pushed right-to-left (stdcall), then the call goes through
; [ebx + (_proc - _delta)]: the api_table slot named `_proc`, addressed
; relative to ebx. The position-independent loader sets ebx to the runtime
; address of _delta (call/pop in alloced_area_start), so this works wherever
; the loader has been copied. Unlike `invoke`, it does not read the host's
; import address table; the slots are filled with resolved addresses by
; `start` before the loader is copied away.
macro xinvoke proc,[arg]
  {
    common
      if ~ arg eq
    reverse
      pushd arg
    common
      end if
    call [ebx+_#proc-_delta]
  }

; start - entry point of the host.
; Resolves the APIs the loader needs into api_table, allocates a scratch
; region above the embedded file's ImageBase+SizeOfImage, copies the
; position-independent loader (code + api_table + embedded file) there and
; jumps to the copy. The copy is needed because the loader will unmap the
; address range the host itself may occupy (see Allock_Region).
proc start
     locals
        pVA  dd ?           ; base of the scratch region the loader is copied to
        shit dd ?           ; unused
     endl
     ;------ adding this MessageBox call makes the embedded file fail to run -------
     ; NOTE(review): the call returns normally and every register used below
     ; (esi, ecx, edx, edi) is set afresh, so the call itself is an unlikely
     ; culprit. What it changes is the host image: importing MessageBox adds
     ; a user32 entry to the host's import directory at the start of .main
     ; and shifts everything that follows it. See the replies below.

     invoke MessageBox, 0, 0, 0, 0

     ;------------------------------------------------------------
        ; Locate the embedded file's IMAGE_NT_HEADERS and read ImageBase and
        ; SizeOfImage from its optional header. There is no 'MZ'/'PE'
        ; signature check, so a wrong FILE_NAME is only noticed when these
        ; fields come out as garbage.
        mov     esi,some_file
        add     esi,[esi+3ch] ;peheader: e_lfanew -> IMAGE_NT_HEADERS
        mov     ecx,[esi+34h] ;image base (OptionalHeader.ImageBase)
        mov     edx,[esi+50h] ;image size (OptionalHeader.SizeOfImage)

        lea     edi,[edx+ecx]
        ;imagebase+imagesize: first address past the target image; the
        ;scratch region goes somewhere above it so it survives the remap

        ; Round the loader size up to a multiple of 10000h (allocation
        ; granularity). An already aligned size gets one extra 64K.
        mov     esi,alloced_size
        add     esi,10000h
        and     esi,0ffff0000h

  @@:
        ; Probe upward in 64K steps until VirtualAlloc accepts the address.
        ; NOTE(review): spins forever if no address ever succeeds.
        add     edi,10000h
        invoke  VirtualAlloc,edi,esi,MEM_RESERVE+MEM_COMMIT,PAGE_EXECUTE_READWRITE
        test    eax,eax
        jz      @b
        mov     [pVA],eax
        ;scratch region base; the loader later releases it by masking its
        ;own runtime address (see the tail of alloced_area_start)

        ; Turn api_table from a list of IAT-entry addresses into a list of
        ; resolved function addresses, in place: each slot is dereferenced
        ; once. The copied loader cannot rely on the host's import table,
        ; which lives in the host image that Allock_Region may unmap.
        mov     esi,api_table
        mov     edi,esi
  @@:
        lodsd
        test    eax,eax
        jz      @f
        mov     eax,[eax]
        stosd
        jmp     @b
  @@:
        ; Copy alloced_size bytes (alloced_area_start .. end of the embedded
        ; file) into the scratch region and transfer control to the copy.
        mov     esi,alloced_area_start
        mov     edi,[pVA]
        mov     ecx,alloced_size
        rep     movsb
        jmp     [pVA]
        ;never returns: lands on the copy of alloced_area_start
endp


;äàëüøå òîëüêî áàçîíåçàâèñèìûé êîä
; alloced_area_start - the relocated loader. Runs from the scratch region
; made by `start`, so everything here is position-independent: ebx holds
; the runtime address of _delta and data is addressed as ebx+(label-_delta).
; Steps: free and re-allocate the target image range, copy headers and
; sections into it, resolve its imports, release the scratch region and
; enter the image at its entry point.
proc alloced_area_start
     locals
        pVA dd ?            ; target ImageBase (not the scratch region, unlike pVA in `start`)
     endl
        call    _delta
     _delta:
        pop     ebx
        ;ebx=delta: runtime address of _delta (call/pop EIP trick)
        lea     esi,[ebx+some_file-_delta]
        ;esi -> the copy of the embedded file inside the scratch region
        push    esi
        ;kept on the stack as the rightmost (4th) argument of
        ;process_sections, which is pushed first under stdcall
        add     esi,dword[esi+3ch]
        ;esi -> IMAGE_NT_HEADERS of the embedded file
        mov     ecx,[esi+34h] ;image base
        mov     edx,[esi+50h] ;image size

        mov     edi,ecx
        ;edi = ImageBase, preserved across the call (callee does pusha/popa)
        stdcall Allock_Region,ecx,edx
        ;release whatever is mapped in [ImageBase, ImageBase+SizeOfImage)
        ;and allocate it RWX; failure is not reported (see Allock_Region)
        mov     [pVA],ecx
        ;remember the target ImageBase

        mov     edx,esi
        ;edx=pointer to PE header
        pop     esi
        push    esi
        ;esi = file start again; re-pushed because process_sections' `ret`
        ;pops all four arguments, including this one

        mov     ecx,[edx+54h]
        add     ecx,18h
        ;OptionalHeader.SizeOfHeaders + 18h. NOTE(review): SizeOfHeaders
        ;already includes the section table; the extra 18h bytes come from
        ;whatever follows the headers in the file. Appears harmless, but the
        ;+18h has no documented purpose.
        rep     movsb
        ;copy the headers to ImageBase

        lea     eax,[edx+78h+16*8]
        ;first IMAGE_SECTION_HEADER, assuming a PE32 optional header with all
        ;16 data directories (E0h bytes). NOTE(review): the general form is
        ;edx+18h+SizeOfOptionalHeader (word at edx+14h).
        movzx   ecx,word[edx+6]
        ;IMAGE_NT_HEADER.FileHeader.NumberOfSections
        stdcall process_sections,ecx,eax,[pVA]
        ;copy each section's raw data to ImageBase+VirtualAddress
        stdcall process_imports,dword[edx+78h+8],[pVA]
        ;DataDirectory[IMPORT].VirtualAddress; fills the image's IAT

        ; Build a VirtualFree(loader_page, 0, MEM_RELEASE) frame whose return
        ; address is the image's entry point: VirtualFree releases the scratch
        ; region this code runs in, and its `ret` lands in the loaded image.
        push    MEM_RELEASE
        push    0
        mov     eax,ebx
        and     eax,0fffff000h
        push    eax
        ;page containing _delta; this is the allocation base only because
        ;_delta lies in the first page of the copied block (it is a few
        ;bytes after alloced_area_start)
        mov     ecx,dword[edx+28h]
        ;OptionalHeader.AddressOfEntryPoint (RVA)
        add     ecx,[pVA]
        ;VA
        push    ecx
        ;"return address" for VirtualFree
        jmp     [_VirtualFree+ebx-_delta]
        ;tail-call through the relocated api_table slot; never returns here.
        ;NOTE(review): the frames of `start` and this proc are still on the
        ;stack when the image's entry point runs; nothing unwinds them.
endp

; process_imports - resolve the loaded image's imports in place.
; pTab       - RVA of the import directory (DataDirectory[1].VirtualAddress)
; pImageBase - base address the image was mapped at
; Walks the IMAGE_IMPORT_DESCRIPTOR array, loads each DLL with LoadLibrary
; and writes GetProcAddress results into the descriptor's FirstThunk array.
; Uses xinvoke, so ebx must hold the loader delta. All registers are
; preserved (pusha/popa) and nothing is returned, so the caller cannot tell
; whether resolution succeeded.
proc    process_imports pTab,pImageBase
        pusha
        mov     edx,[pTab]
        add     edx,[pImageBase]
        ;edx -> first IMAGE_IMPORT_DESCRIPTOR (VA)
      .loop:
        push    edx
        mov     edi,[edx+4*4]
        ;FirstThunk RVA: the import address table that gets filled in
        mov     esi,[edx]
        ;OriginalFirstThunk RVA: the lookup table (same layout as the IAT)
        test    edi,edi
        jz      .ends
        ;a descriptor with FirstThunk == 0 is treated as the terminator
        test    esi,esi
        jnz     .ok
        mov     esi,edi
        ;no lookup table: read the name entries from the IAT itself
      .ok:
        mov     ecx,[pImageBase]
        add     esi,ecx
        add     edi,ecx
        ;both tables as VAs
        mov     eax,[edx+4*3]
        add     eax,ecx
        ;Name RVA -> VA of the DLL name string
      @@:
        cmp     byte[eax],0
        jnz     @f
        inc     eax
        jmp     @b
        ;skips leading zero bytes (alignment padding) before the name.
        ;NOTE(review): unbounded - a bogus Name RVA pointing into zeroed
        ;memory scans forward until a non-zero byte or a fault.
      @@:
        xinvoke LoadLibrary,eax
        mov     edx,eax
        ;edx = module handle. NOTE(review): never checked; if LoadLibrary
        ;fails, every GetProcAddress below returns 0 and the IAT is filled
        ;with NULLs, which only shows up as a crash at the first call.
      .po_1_dll:
        lodsd
        ;next lookup entry: RVA of IMAGE_IMPORT_BY_NAME, or an ordinal
        test    eax,eax
        jz      .exit_it
        ;the thunk list ends with a zero entry
        bt      eax,31
        ;bit 31 set = import by ordinal
        jnc     .no_ord
        and     eax,0ffffh
        ;ordinal number, passed to GetProcAddress as a small integer
        jmp     .getproc
      .no_ord:
        add     eax,[pImageBase]
        ;VA of IMAGE_IMPORT_BY_NAME
        add     eax,2
        ;skip the Hint word -> IMAGE_IMPORT_BY_NAME.Name
      .getproc:
        push    edx
        ;the API call may clobber edx; keep the module handle
        xinvoke GetProcAddress,edx,eax
        pop     edx
        stosd
        ;store the resolved address (or 0 on failure) into the IAT slot
        jmp     .po_1_dll
      .exit_it:
        pop     edx
        add     edx,5*4
        ;sizeof(IMAGE_IMPORT_DESCRIPTOR) -> next descriptor
        jmp     .loop
      .ends:
        pop     edx
        popa
        ret
endp

; process_sections - copy every section's raw data into the mapped image.
; num        - NumberOfSections from IMAGE_FILE_HEADER
; pStable    - pointer to the first IMAGE_SECTION_HEADER
; pImageBase - base address the image is being built at
; pImage     - pointer to the raw file the sections are read from
; For each header, SizeOfRawData bytes are copied from
; pImage+PointerToRawData to pImageBase+VirtualAddress. Registers are
; preserved (pusha/popa) and nothing is returned. No bounds checks: num is
; assumed to be at least 1 (a zero count wraps around), and sizes and
; offsets are trusted exactly as they appear in the headers.
proc    process_sections num, pStable,pImageBase,pImage
        pusha
        mov     eax,[num]               ; sections left to copy
        mov     edx,[pStable]           ; current IMAGE_SECTION_HEADER
  .next:
        mov     esi,[pImage]
        add     esi,[edx+14h]           ; + PointerToRawData -> source in the file
        mov     edi,[pImageBase]
        add     edi,[edx+0ch]           ; + VirtualAddress   -> destination in memory
        mov     ecx,[edx+10h]           ; SizeOfRawData
        rep     movsb
        add     edx,28h                 ; sizeof(IMAGE_SECTION_HEADER)
        dec     eax
        jnz     .next
        popa
        ret
endp

; Allock_Region - make [pRegion, pRegion+Size) available as RWX memory.
; pRegion - start address (the embedded image's ImageBase)
; Size    - number of bytes (its SizeOfImage)
; For each 10000h chunk: unmap any section view there, release any private
; allocation there, then commit 10000h bytes at that fixed address.
; Registers are preserved (pusha/popa) and no status is returned.
; NOTE(review): the first iteration unmaps whatever is at pRegion. When the
; embedded file shares the host's ImageBase that is the host executable
; itself; this only works because the caller already runs from the copy
; `start` made, and nothing in the host image may be touched afterwards.
proc    Allock_Region pRegion,Size
        pusha
        mov     edi,[pRegion]
        mov     esi,[Size]
        add     esi,edi
        ;esi = end of the region to allocate
        ;edi = current chunk
     @@:
        xinvoke UnmapViewOfFile,edi
        xinvoke VirtualFree,edi,0,MEM_RELEASE
        ;free whatever is there; both results are ignored (MEM_RELEASE only
        ;succeeds when edi is an allocation base)
        xinvoke VirtualAlloc,edi,10000h,MEM_RESERVE+MEM_COMMIT,PAGE_EXECUTE_READWRITE
        ;commit this chunk at the fixed address
        test    eax,eax
        jz      @f
        ;original note: without this check it still works as long as the
        ;parameters are within "reasonable" limits. NOTE(review): a failed
        ;allocation silently ends the loop; the caller then copies headers
        ;and sections into unmapped memory and faults there, not here.
        add     edi,10000h
        ;memory is claimed 10000h bytes per step
        cmp     edi,esi
        jl      @b
        ;NOTE(review): signed compare; for addresses at or above 80000000h
        ;`jb` (unsigned) is the correct test.
     @@:
        popa
        ret
endp

api_table:
;Table of the APIs the relocated loader needs, terminated by a zero dword.
;Each slot is assembled as the address of the host's IAT entry for that API;
;`start` dereferences every slot once and stores the resolved function
;address back, so the copied loader can call them through xinvoke without
;the host's import table. The slot labels (_VirtualAlloc, ...) are what
;xinvoke addresses relative to _delta.
_UnmapViewOfFile dd UnmapViewOfFile
_VirtualAlloc    dd VirtualAlloc
_LoadLibrary     dd LoadLibrary
_GetProcAddress  dd GetProcAddress
_VirtualFree     dd VirtualFree
dd 0

some_file:
_bin    file FILE_NAME
;the embedded PE that gets loaded; it is copied along with the loader code
        _bin_size         = $ - _bin
alloced_size=$-alloced_area_start
;bytes `start` copies: loader code + api_table + embedded file


Why does this happen? Any help would be appreciated.


Description: source code with an example of the problem.
Download
Filename: fasm_run.rar
Filesize: 4.07 KB
Downloaded: 212 Time(s)

Post 09 Aug 2014, 05:33
typedef



Run it under a debugger.
Post 09 Aug 2014, 10:21
revolution
I suspect there is something you are doing with the import tables that is being corrupted. Note that MessageBox does not need to be called to make it crash, it is the existence of MessageBox in the import table that is enough to create the problem.
Post 10 Aug 2014, 01:01