flat assembler
Message board for the users of flat assembler.

[SOLVED] MS64 COFF how to import functions?

kw 12 Aug 2017, 14:50
I need some spoonfeeding :(

I want to import some ntdll.dll functions...

What I have so far:
Code:
format MS64 COFF
include 'win64a.inc'    ; 64-bit macro set, matching the MS64 COFF format

;...............................................

; x64 layout: pointer-sized fields are 8-byte aligned, so each dword
; field is followed by 4 bytes of padding (sizeof = 30h)
struct OBJECT_ATTRIBUTES
     Length                      rd 1
     Pad0                        rd 1
     RootDirectory               rq 1
     ObjectName                  rq 1
     Attributes                  rd 1
     Pad1                        rd 1
     SecurityDescriptor          rq 1
     SecurityQualityOfService    rq 1
ends

struct CLIENT_ID
     UniqueProcess               rq 1
     UniqueThread                rq 1
ends

;...............................................

extrn NtOpenProcess ;This does not work!

public MEM_Open

;...............................................

section '.code' code readable executable align 4096

; rcx = process id; returns the process handle in rax
proc MEM_Open
     sub rsp,28h                 ; 20h shadow space + 8 so rsp is 16-byte aligned at the call
     mov [CID.UniqueProcess],rcx
     mov [ATR.Length],sizeof.OBJECT_ATTRIBUTES
     mov rcx,Result              ; ProcessHandle (out)
     mov rdx,PROCESS_ALL_ACCESS  ; DesiredAccess
     mov r8,ATR                  ; ObjectAttributes
     mov r9,CID                  ; ClientId
     call NtOpenProcess
     mov rax,[Result]            ; the NTSTATUS returned in rax is discarded
     add rsp,28h
     ret
endp

section '.data' data readable writeable
        CID          CLIENT_ID
        ATR          OBJECT_ATTRIBUTES
        Result       dq 0h

;section '.idata' import data readable writeable ;Fails -> extra characters on line...
        ;library    ntdll,'ntdll.dll'
        ;import  ntdll,\
                ;NtOpenProcess,'NtOpenProcess'
    


I tried to add a data import section but that also did not work.


Last edited by kw on 12 Aug 2017, 15:39; edited 1 time in total
revolution 12 Aug 2017, 15:06
What are you linking to?

It looks like you are linking to NTDLL.dll. So this would require a normal executable using the loader to do the linking at runtime.

To use COFF you would link to an object file using a separate linker to create the executable.
kw 12 Aug 2017, 15:36
Thanks, I fixed the issue in my executable by importing ntdll.lib.
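What `extrn NtOpenProcess` leaves in a COFF object, shown as an added example that is not part of the original thread: an undefined external symbol that a separate linker has to resolve, which is why linking against ntdll.lib fixed the build. The Python parser below lists such symbols; the sample object bytes are constructed for illustration and are not real fasm output.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_UNDEFINED = 0          # SectionNumber of a symbol defined elsewhere
IMAGE_SYM_CLASS_EXTERNAL = 2

def coff_symbols(obj):
    """Yield (name, value, section_number, storage_class) per COFF symbol."""
    machine, _, _, symtab, nsyms, _, _ = struct.unpack_from("<HHIIIHH", obj, 0)
    if machine != IMAGE_FILE_MACHINE_AMD64:
        raise ValueError("not an x64 COFF object")
    strtab = symtab + 18 * nsyms     # string table directly follows the symbols
    i = 0
    while i < nsyms:
        raw, value, section, _, sclass, naux = struct.unpack_from(
            "<8sIhHBB", obj, symtab + 18 * i)
        if raw[:4] == b"\0\0\0\0":   # name longer than 8 bytes: string table offset
            off = strtab + struct.unpack_from("<I", raw, 4)[0]
            name = obj[off:obj.index(b"\0", off)]
        else:                        # short name, NUL-padded to 8 bytes
            name = raw.rstrip(b"\0")
        yield name.decode("ascii"), value, section, sclass
        i += 1 + naux                # skip auxiliary records

def unresolved_externals(obj):
    """Symbols the linker must resolve from another object or import library."""
    return [name for name, value, section, sclass in coff_symbols(obj)
            if section == IMAGE_SYM_UNDEFINED and value == 0
            and sclass == IMAGE_SYM_CLASS_EXTERNAL]

def build_sample():
    """Constructed object: one empty .code section, two symbols, string table."""
    strings = b"NtOpenProcess\0"
    strtab = struct.pack("<I", 4 + len(strings)) + strings
    header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 20 + 40, 2, 0, 0)
    section = struct.pack("<8s32x", b".code")
    syms = struct.pack("<8sIhHBB", b"MEM_Open", 0, 1, 0, 2, 0)         # public
    syms += struct.pack("<4sIIhHBB", b"\0" * 4, 4, 0, 0, 0, 2, 0)     # extrn
    return header + section + syms + strtab

if __name__ == "__main__":
    print(unresolved_externals(build_sample()))
```

Pointing `unresolved_externals` at the bytes of a real `.obj` file shows which names the link step still has to supply.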
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
