flat assembler
Message board for the users of flat assembler.

Problem with WinAPI

MUFOS
Joined: 17 Apr 2016
Posts: 47
Hard to call the stack.


Last edited by MUFOS on 08 May 2017, 20:39; edited 1 time in total
Post 12 Jun 2016, 20:32
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
Show your code. We can't help without it. Post a minimal source that shows the problem.
Post 12 Jun 2016, 23:19
MUFOS
Joined: 17 Apr 2016
Posts: 47
revolution wrote:
Show your code. We can't help without it. Post a minimal source that shows the problem.

I am currently away from my computer.
However, what I can tell you is that it calls the exact address of MessageBoxA.
I don't see how it should not work.
I allocate memory with PAGE_READWRITEEXECUTABLE and MEM_COMMIT | MEM_RESERVE using VirtualAlloc.

I don't get why it doesn't work. The relocation is successful, same goes for resolving the imports.
Post 14 Jun 2016, 16:17
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
Clearly the relocation was not successful.

If you don't want to, or can't, post the code then use a debugger and see what is happening.
Post 15 Jun 2016, 01:31
MUFOS
Joined: 17 Apr 2016
Posts: 47
revolution wrote:
Clearly the relocation was not successful.

If you don't want to, or can't, post the code then use a debugger and see what is happening.

If the relocation was not successful, why do other APIs work? I tried to use the GetProcAddress and LoadLibrary functions within the DLL, and it produced the broken MessageBox as well. And those APIs did indeed work, as they resolved the right address of the module as well as the proc address when they were called.

I have the executable available, so I can grab a debugger and explain what is happening in the relocation part, but I still do not understand why other WinAPIs like LoadLibrary, FreeConsole, and GetProcAddress still work.
Post 15 Jun 2016, 16:12
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
Perhaps your text pointers are incorrect? The API calls appear to be good, but there are other things that need relocating also.
Post 16 Jun 2016, 01:17
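Since no loader source ever appears in the thread, here is an added example (not code from the thread or from any of the posters) of the step revolution is pointing at: walking the image's base-relocation directory so that absolute pointers stored inside the image, not only the import thunks, are adjusted when the DLL is mapped somewhere other than its preferred base. It follows the documented IMAGE_BASE_RELOCATION layout, declares that structure itself so it builds without Windows headers, and runs over a small constructed 32-bit image buffer (the RVAs, base addresses and pointer values are made up for the demonstration). It also rejects relocation data that reaches outside the image, which is the kind of check that tells you whether a relocation pass that "succeeded" actually touched every pointer it should have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One IMAGE_BASE_RELOCATION block header (documented PE format), declared here so the
 * example builds without <windows.h>. Each header is followed by 16-bit entries:
 * high 4 bits = type, low 12 bits = offset within the page at VirtualAddress. */
typedef struct {
    uint32_t VirtualAddress;  /* RVA of the 4 KiB page the entries belong to */
    uint32_t SizeOfBlock;     /* header plus entries, in bytes */
} RelocBlock;

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, skipped */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address: add the delta */

/* Apply base relocations to a 32-bit image copied into `image` (image_size bytes) that was
 * linked for preferred_base but is mapped at actual_base. Assumes a little-endian host.
 * Returns the number of HIGHLOW fixups applied, or -1 if the relocation data is malformed
 * or points outside the image. */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint32_t reloc_rva, uint32_t reloc_size,
                      uint32_t preferred_base, uint32_t actual_base)
{
    uint32_t delta = actual_base - preferred_base;   /* wraps modulo 2^32, as intended */
    uint32_t off = reloc_rva, end = reloc_rva + reloc_size;
    int applied = 0;

    if (delta == 0)
        return 0;                                     /* at preferred base: nothing to fix */
    if ((uint64_t)reloc_rva + reloc_size > image_size)
        return -1;                                    /* directory itself is out of bounds */

    while (off + sizeof(RelocBlock) <= end) {
        RelocBlock blk;
        memcpy(&blk, image + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof(RelocBlock) || off + blk.SizeOfBlock > end)
            return -1;                                /* block claims more than the directory has */

        size_t count = (blk.SizeOfBlock - sizeof(RelocBlock)) / sizeof(uint16_t);
        const uint8_t *entries = image + off + sizeof(RelocBlock);
        for (size_t i = 0; i < count; i++) {
            uint16_t entry, type, page_off;
            memcpy(&entry, entries + i * sizeof(uint16_t), sizeof entry);
            type = entry >> 12;
            page_off = entry & 0x0FFF;
            if (type == IMAGE_REL_BASED_ABSOLUTE)
                continue;                             /* alignment padding */
            if (type != IMAGE_REL_BASED_HIGHLOW)
                return -1;                            /* a 32-bit image should only carry HIGHLOW */

            uint32_t target = blk.VirtualAddress + page_off, value;
            if ((uint64_t)target + sizeof(uint32_t) > image_size)
                return -1;                            /* fixup would write past the image */
            memcpy(&value, image + target, sizeof value);
            value += delta;
            memcpy(image + target, &value, sizeof value);
            applied++;
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample image, 0x2000 bytes: two absolute pointers at RVA 0x100 and 0x104 that
 * assume a preferred base of 0x10000000, and a .reloc block at RVA 0x1000 naming both. */
static uint8_t g_image[0x2000];

int demo_relocate(uint32_t actual_base)
{
    uint32_t ptr_text = 0x10001234;   /* e.g. the address of a string inside the image */
    uint32_t ptr_func = 0x10000200;   /* e.g. the address of a function inside the image */
    RelocBlock blk = { 0x0000, sizeof(RelocBlock) + 4 * sizeof(uint16_t) };
    uint16_t entries[4] = {
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x100,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x104,
        0, 0                                          /* padding to a 4-byte boundary */
    };

    memset(g_image, 0, sizeof g_image);
    memcpy(g_image + 0x100, &ptr_text, sizeof ptr_text);
    memcpy(g_image + 0x104, &ptr_func, sizeof ptr_func);
    memcpy(g_image + 0x1000, &blk, sizeof blk);
    memcpy(g_image + 0x1000 + sizeof blk, entries, sizeof entries);

    return apply_relocations(g_image, sizeof g_image, 0x1000, blk.SizeOfBlock,
                             0x10000000, actual_base);
}

/* Read back a 32-bit value at an RVA of the sample image. */
uint32_t read_image_u32(uint32_t rva)
{
    uint32_t v;
    memcpy(&v, g_image + rva, sizeof v);
    return v;
}

int main(void)
{
    int n = demo_relocate(0x00400000);
    printf("fixups applied: %d\n", n);
    printf("RVA 0x100 now 0x%08X, RVA 0x104 now 0x%08X\n",
           read_image_u32(0x100), read_image_u32(0x104));
    return n == 2 ? 0 : 1;
}
```

If the count returned does not match the number of HIGHLOW entries in the DLL's .reloc section, or the routine returns -1, the relocation pass was incomplete, and any pointer held inside the image (a string address, a function table, a static buffer) would still carry its preferred-base value even though the imports resolve correctly.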
Grom PE
Joined: 13 Mar 2008
Posts: 114
Location: i@grompe.org.ru
I remember I was getting weirdly shaped message boxes when I didn't keep the stack aligned to 16 bytes on a 64-bit machine.
Post 16 Jun 2016, 05:34
MUFOS
Joined: 17 Apr 2016
Posts: 47
revolution wrote:
Perhaps your text pointers are incorrect? The API calls appear to be good, but there are other things that need relocating also.

The thing is I use NULL for all the variables when calling the MessageBox (just for simplicity), however if I provide text pointers instead, nothing changes.
Besides, the text pointers are working as I successfully use LoadLibrary and GetProcAddress with said arguments.

In addition, there is no text in the dialog button either, which has nothing to do with text pointers.
Post 16 Jun 2016, 05:45
MUFOS
Joined: 17 Apr 2016
Posts: 47
Grom PE wrote:
I remember I was getting weirdly shaped message boxes when I didn't keep the stack aligned to 16 bytes on a 64-bit machine.

The DLL as well as the loader is 32-bit. How do I align the stack to said bytes?
The C++ version of the PE loader has no issues.
Post 16 Jun 2016, 05:49
MUFOS
Joined: 17 Apr 2016
Posts: 47
Still struggling with this. Any suggestions?
Post 19 Jun 2016, 01:46
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
MUFOS wrote:
Any suggestions?

Many suggestions have already been given but you didn't say if you tried them. We don't know what you have done. With no code to look at we are blind. With no example to test we have no information. Did you try the debugger? What did you see?
Post 19 Jun 2016, 02:31
Hrstka
Joined: 05 May 2008
Posts: 17
Location: Czech Republic
On Windows XP it would probably work OK, but with each version of Windows, more and more libraries are loaded in process address space. So if you load only User32.dll, it's not enough.
Post 21 Jun 2016, 14:48
Copyright © 1999-2020, Tomasz Grysztar.