flat assembler
Message board for the users of flat assembler.

how call api without import section?

asm0day_ru



Joined: 11 Jul 2014
Posts: 2
Location: russia
asm0day_ru 11 Jan 2015, 09:40
message


Filename: noimport.asm
Filesize: 232 Bytes


_________________
http://asm0day.xe0.ru
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 11 Jan 2015, 09:54
There are already a number of topics here about executables with no import section. Have you tried searching? Because it would be quicker for you to do that than waiting for someone to answer you now.

In short: It doesn't work reliably. And most AVs panic when they see it. If you are trying to use it for "protection against a debugger" or to "bypass malware detectors" then those paths have long since been closed.
Mikl___



Joined: 30 Dec 2014
Posts: 129
Location: Russian Federation, Irkutsk
Mikl___ 12 Jan 2015, 01:26
Hi, asm0day_ru!
look here Beep without API
lucifer



Joined: 24 Nov 2014
Posts: 4
lucifer 12 Jan 2015, 04:23
I actually wrote about one method fairly recently:

lucifer wrote:
DOS386 wrote:
search for "noimport" http://board.flatassembler.net/topic.php?t=7718
A bit off topic, but that code snippet isn't the best. I hate it when the first thing a program does is use a stupid loop to get the base address of kernel32.dll. You can do it in two instructions and it works on all Windows platforms as far as I have tested! When the loader calls your entry point, eax is a pointer inside kernel32.dll that is just a single page away from the base of kernel32.dll, which is page aligned. (Another cool trick is that ebx is loaded with the address of the PEB when the loader calls the entry point.)
Code:
xor     ax, ax       ; clear the low 16 bits: eax is now rounded down to a 64 KiB boundary (10000h)
sub     eax, 10000h  ; step back one 64 KiB granule; eax is now equal to the kernel32.dll base
Anyway... it utilizes a lot of registers, but this is something that I wrote that was the first thing my program did, so I didn't need them for anything else yet.
Code:
;; Assuming that eax contains the pointer to the DOS header of the module (PE32 layout)
mov     ebx, eax            ; ebx = k32 base addr
mov     edx, eax
add     eax, [eax + 3Ch]    ; eax = ptr to PE header (base + e_lfanew)
add     edx, [eax + 78h]    ; edx = ptr to export directory (base + RVA from data directory entry 0)
mov     ecx, [edx + 18h]    ; ecx = number of function names (NumberOfNames)
mov     eax, [edx + 1Ch]
add     eax, ebx            ; eax = address of functions (AddressOfFunctions)
mov     edx, [edx + 20h]
add     edx, ebx            ; edx = address of names (AddressOfNames)
It's easy from there, just google the export table!

also it's my first post ;o


From there you just get the imports of GetProcAddress and LoadLibraryA and use those. If you wanted to use the native interface you can always get the address of some code in ntdll.dll off of the stack, but I don't know how many pages away it is from the base of the module. Since it may not be fixed like with kernel32.dll, you might have to loop back pages to be compatible across all Windows installations. Quickly hacking something up in C you could do this:

Code:
uintptr_t base = (uintptr_t)<some ptr into ntdll.dll from stack (a return address)>;
/* round down to the 64 KiB allocation granularity that module bases share, then step
   back one granule at a time until the "MZ" DOS header (0x5A4D little-endian) shows up */
for (base &= ~(uintptr_t)0xFFFF; *(unsigned short *)base != 0x5A4D; base -= 0x10000)
    if (base <= 0x10000)   /* the next step would reach address 0: the pointer was not inside a module */
        <you gave me a bad pointer :D>
    


Then walk the headers again and find the appropriate exports via binary search, comparing hashes, linear string search, etc.

Of course there are other ways, but that one is my favorite. The most popular way is probably going through a pointer inside the PEB. Search around.
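The export-directory walk lucifer sketches above (3Ch, 78h, 18h, 1Ch, 20h), carried out in Python over a constructed minimal PE32 image laid out as it sits in memory (RVA == offset), the way an analyst checks those offsets when reading a stub like this out of a dump. This is an added example, not code from the thread; build_image and parse_exports are my own names, and the image is a constructed sample, not a real DLL. It also covers two things the post glosses over: a name index goes through AddressOfNameOrdinals (+24h) before indexing AddressOfFunctions, and the +78h data-directory offset only holds for PE32 (PE32+ puts it at +88h).

```python
import struct

# Offsets from the thread's stub (PE32 only): e_lfanew at 3Ch, export entry of the
# data directory at PE+78h; inside IMAGE_EXPORT_DIRECTORY NumberOfNames is at +18h,
# AddressOfFunctions at +1Ch, AddressOfNames at +20h, AddressOfNameOrdinals at +24h.

def build_image(exports):
    """Constructed minimal PE32 image in memory layout (RVA == offset); not a real module."""
    names = sorted(exports)                      # the name table is kept sorted, as the loader expects
    pe, exp, n = 0x80, 0x200, len(names)
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)        # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 0x18, 0x10B)        # optional header magic: PE32
    struct.pack_into("<II", img, pe + 0x78, exp, 0x40)   # data directory[0] = export directory
    funcs, nam, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    struct.pack_into("<IIHHIIIIIII", img, exp, 0, 0, 0, 0, 0, 1, n, n, funcs, nam, ords)
    cur = ords + 2 * n                           # string pool follows the three tables
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, nam + 4 * i, cur)
        struct.pack_into("<H", img, ords + 2 * i, i)     # identity ordinal mapping in this sample
        img[cur:cur + len(name) + 1] = name.encode() + b"\0"
        cur += len(name) + 1
    return bytes(img)

def parse_exports(img):
    """Walk the export directory the way the stub does; return {name: function RVA}."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    if struct.unpack_from("<H", img, pe + 0x18)[0] != 0x10B:
        raise ValueError("not PE32: the data directory is not at +78h (PE32+ uses +88h)")
    exp = struct.unpack_from("<I", img, pe + 0x78)[0]
    if exp == 0:
        return {}                                # module exports nothing
    n_names, funcs, nam, ords = struct.unpack_from("<IIII", img, exp + 0x18)
    if ords + 2 * n_names > len(img):
        raise ValueError("export tables run past the end of the image")
    out = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, nam + 4 * i)[0]
        name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]   # index into AddressOfFunctions
        out[name] = struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
    return out
```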
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.