flat assembler
Message board for the users of flat assembler.

Index > Windows > problem with array of byte scan

Author
Thread Post new topic Reply to topic
extra_12345



Joined: 21 Apr 2020
Posts: 45
extra_12345 10 Nov 2020, 11:12
so i wrote a dll to perform array of byte scan inside the target's process upon injection which works fine except when the target array is not found the aob function goes to unlimited loop and eventually crashes the process,these are the main functions:

Code:
proc AOBScan uses rbx rsi rdi r12 r13 r14 r15,lpArr2Scan:qword

local sbyte dq ?

mov [lpArr2Scan],rcx

stdcall ConvAsciiHex2ByteArr,qword [lpArr2Scan],addr sbyte ; convert the ascii hex ;to hex array and store it to an allocated memory

mov [lpArr2Scan],rax
mov r13,rax

invoke GetNativeSystemInfo,sysinfo
mov rax,[sysinfo.lpMinimumApplicationAddress]
mov rsi,lpiminaddr
mov [rsi],rax
mov r14,[rsi]

mov rbx,[sbyte]
mov rdi,[hinst];base of the dll
xor r12,r12

.while r14 < qword [sysinfo.lpMaximumApplicationAddress] ;insurance not to loop ;over the maximum address inside the memory provided by the system
mov r14,[rsi]

invoke VirtualQuery,qword [rsi] ,mbi,sizeof.MEMORY_BASIC_INFORMATION

.breakif rax = 0

.if qword [mbi.AllocationBase] = rdi |  qword [mbi.Protect] = PAGE_NOACCESS | qword [mbi.AllocationBase] = r13 ; if it reaches the dll region or the allocated space ;where the converted bytes are stored then skip it
jmp nextr
.endif

.if  ~ dword [mbi.Protect] = PAGE_READONLY & ~ dword [mbi.Protect] = PAGE_EXECUTE_READ & ~ dword [mbi.Protect] = PAGE_READWRITE & ~ dword [mbi.Protect] = PAGE_EXECUTE_READWRITE;check for the memory regions access before proceeding forward 

nextr:
mov rax,[mbi.BaseAddress]
add rax,[mbi.RegionSize]
mov [rsi],rax
.continue

.endif

stdcall ArrayofByteScan,[mbi.BaseAddress],[mbi.RegionSize],[lpArr2Scan],rbx

.if rax = 0
mov rax,[mbi.BaseAddress]
add rax,[mbi.RegionSize]
mov [rsi],rax
mov r12,0
.else
add rax,[mbi.BaseAddress]
mov r12,rax
.break
.endif

.endw

invoke VirtualFree,r13,rbx,MEM_DECOMMIT

mov rax,r12
ret

endp

proc ArrayofByteScan uses rbx rdi rsi r12 r13 r14 r15 ,baseaddr:QWORD,RegionSize:QWORD,lpBytesToScan:QWORD,SizeofByte:QWORD

mov QWORD  [baseaddr], rcx
mov QWORD  [RegionSize], rdx
mov QWORD  [lpBytesToScan], r8
mov QWORD  [SizeofByte], r9

mov rbx,[baseaddr]
mov rdx,[lpBytesToScan]
xor rsi,rsi
mov rcx,rsi
mov rax,rcx

.NextA:
cmp rsi,[RegionSize]
jnb .Found

.NextAc:
cmp rcx,[SizeofByte]
je .Found

mov al,BYTE[rdx+rcx]
cmp al,'?'
je .SkT

cmp BYTE [rbx],al
jne .NoM

.SkT:
inc rbx
inc rcx
inc rsi
jmp .NextAc
.NoM:
xor rcx,rcx
inc rbx
inc rsi
jmp .NextA


.Found:
xor rax,rax
.if rcx
sub rbx,QWORD [baseaddr]
sub rbx,rcx
mov rax,rbx
.endif

ret

endp                                                                                                        


and the call to the function:

Code:
stdcall AOBScan,Sig2ScanHpAc
mov [HpAcAddr],rax       


despite the check for the maximum address to not step over which would cause unlimited loop to not happen still when the array is not found the function goes to unlimited loop but on the other hand when the array is found the function returns with no problem,any help would be hugely appricated,thanks!
Post 10 Nov 2020, 11:12
View user's profile Send private message Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 45
extra_12345 10 Nov 2020, 14:12
by debugging and using getlasterror found out that i was dealing with the ERROR_INVALID_ADDRESS meaning the memory location that i was trying to access to had no read access so by using virtualprotect with PAGE_EXECUTE_READWRITE and changing the protection prior the array search and restoring it post search been able to solve the issue.
Post 10 Nov 2020, 14:12
View user's profile Send private message Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 45
extra_12345 10 Nov 2020, 19:02
soooooo still it crashes sometimes whether the pattern is found or not!,i'm out of ideas why!
this is the updated code:

Code:
proc AOBScan uses rbx rsi rdi r12 r13 r14 r15,lpArr2Scan:qword

local sbyte dq ?

mov [lpArr2Scan],rcx

stdcall ConvAsciiHex2ByteArr,qword [lpArr2Scan],addr sbyte
mov [lpArr2Scan],rax
mov r13,rax

invoke GetNativeSystemInfo,sysinfo
mov rax,[sysinfo.lpMinimumApplicationAddress]
mov rsi,lpiminaddr
mov [rsi],rax
mov r14,[rsi]

mov rbx,[sbyte]
mov rdi,[hinst]
xor r12,r12

.while r14 < qword [sysinfo.lpMaximumApplicationAddress]

invoke VirtualQuery,qword [rsi] ,mbi,sizeof.MEMORY_BASIC_INFORMATION

.breakif rax = 0

invoke VirtualProtect,qword [mbi.BaseAddress],qword [mbi.RegionSize],PAGE_EXECUTE_READWRITE,oldpp

.if rax & ~ qword [mbi.AllocationBase] = rdi & ~ qword [mbi.AllocationBase] = r13

stdcall ArrayofByteScan,[mbi.BaseAddress],[mbi.RegionSize],r13,rbx
mov r15,rax
invoke VirtualProtect,qword [mbi.BaseAddress],qword [mbi.RegionSize],dword [oldpp],oldpp

.if r15 = 0
mov rax,[mbi.BaseAddress]
add rax,[mbi.RegionSize]
mov [rsi],rax
mov r12,0
.else
add r15,[mbi.BaseAddress]
mov r12,r15
.break
.endif

.else

mov rax,[mbi.BaseAddress]
add rax,[mbi.RegionSize]
mov [rsi],rax
mov r12,0

.endif

mov r14,[rsi]

.endw

invoke VirtualFree,r13,rbx,MEM_DECOMMIT

mov rax,r12
ret

endp                                                            
    
Post 10 Nov 2020, 19:02
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.