flat assembler
Message board for the users of flat assembler.
Windows > Working executable with no imports
decard 25 Jul 2005, 10:13
Under from TotalCommander shows just "0 imported functions".
So how do you call API functions? Can you provide the source?
Spidark 25 Jul 2005, 12:06
revolution wrote: As an experiment I have created a binary file that has an empty import section. Check it with a PE viewer for yourself. However it will not run on all versions of Windows. I tested it in Win2K (it doesn't run) and WinXP (it does run). If you have Win95, Win98 or WinME perhaps you would like to try it and post your results here.
Errrrrrr, what the ^%%$? I tried to run the program on WinXP SP2 and it got intercepted by my virus scanner.
Virus scanner wrote: A Virus has been Detected and cleaned
Hmm, now that's very interesting......
Vasilev Vjacheslav 25 Jul 2005, 12:41
Your virus scanner isn't smart.
Quote: So how you call API funcions?
There is only one way to call API functions without imports: find kernel32 in memory, find the address of GetProcAddress in its IAT, and then call whatever you want.
Vasilev Vjacheslav 25 Jul 2005, 12:44
I've already done something similar (old fasm syntax).
Code:
format pe gui 4.0
entry start
include '%fasminc%\win32a.inc'
include '%fasminc%\macros.inc'
include 'imagehdr.inc'

MAX_PATH         = 260
; CRC32 of the export names we look up, so no API name string appears in the file
cGetProcAddress  = 0C97C1FFFh
cExitProcess     = 0251097CCh
cGetModuleHandle = 0B1866570h

section '.data' data readable
  szNTDLL db "ntdll",0

section '.udata' readable writeable
  hKernelBase     dd ?
  hNTDLLBase      dd ?
  hGetProcAddress dd ?

section '.code' code readable executable
start:
        call    _findkernel
        or      eax,eax
        jz      @F
        mov     [hKernelBase],eax
        ;stdcall _getprocaddr,[hKernelBase],cGetProcAddress
        ;jc      @F
        ;mov     [hGetProcAddress],eax
        stdcall _getprocaddr,[hKernelBase],cGetModuleHandle
        jc      @F
        stdcall eax,szNTDLL             ; GetModuleHandle("ntdll")
        or      eax,eax
        jz      @F
        mov     [hNTDLLBase],eax
        stdcall _getprocaddr,[hKernelBase],cExitProcess
        jc      @F
        stdcall eax,NULL                ; ExitProcess(0)
@@:
        retn

; out: eax = kernel32 image base, or 0 if the MZ check fails
proc _findkernel
        mov     eax,[fs:030h]           ; PEB on NT; fixed: was [fs:eax+030h], which only worked while eax happened to be 0 at entry
        test    eax,eax
        js      .win9x                  ; kernel-space pointer: Win9x, not a PEB
        mov     eax,[eax+0Ch]           ; PEB.Ldr
        mov     esi,[eax+01Ch]          ; InInitializationOrderModuleList.Flink (first entry: ntdll)
        lodsd                           ; second entry: kernel32 on Win2K/XP (kernelbase.dll on Win7 and later)
        mov     eax,[eax+08h]           ; LDR_DATA_TABLE_ENTRY.DllBase, relative to the InInitializationOrder links
        jmp     .found
.win9x:
        mov     eax,[eax+034h]          ; Win9x path, as posted
        lea     eax,[eax+07Ch]
        mov     eax,[eax+03Ch]
.found:
        cmp     word [eax],"MZ"
        jz      @F
        xor     eax,eax
@@:
        return
endp

; in:  lpKernel = module base, lpCRC = CRC32 of the export name
; out: CF clear and eax = address of the export; CF set if no name matched
proc _getprocaddr, lpKernel,lpCRC
  .hDirAddr         dd ?
  .hAddrOfNames     dd ?
  .hAddrOfOrdinals  dd ?
  .hAddrOfFunctions dd ?
  .iNumberOfNames   dd ?
  .iBase            dd ?
        enter
        mov     eax,[lpKernel]
        mov     edi,[eax+IMAGE_DOS_HEADER.e_lfanew]
        mov     ecx,dword [eax+edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory] ; DataDirectory[0] = export table RVA
        add     ecx,eax
        mov     [.hDirAddr],ecx
        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
        add     esi,eax
        mov     [.hAddrOfNames],esi
        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
        add     esi,eax
        mov     [.hAddrOfOrdinals],esi
        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
        add     esi,eax
        mov     [.hAddrOfFunctions],esi
        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
        mov     [.iNumberOfNames],esi
        mov     esi,[ecx+IMAGE_EXPORT_DIRECTORY.nBase]
        mov     [.iBase],esi
        xor     edi,edi                 ; edi = index into AddressOfNames
        mov     edx,[.iNumberOfNames]
        mov     esi,[.hAddrOfNames]
@@:
        lodsd                           ; RVA of the next export name
        xchg    eax,ecx
        add     ecx,[lpKernel]
        stdcall _strlen,ecx             ; eax = length, ecx preserved
        stdcall _crc32,eax,ecx
        cmp     [lpCRC],eax
        jz      .found
        inc     edi
        cmp     edx,edi
        jnz     @B
        stc
        jmp     .out
.found:
        ; fixed: the name index is not the function index; map it through
        ; AddressOfNameOrdinals (the posted code indexed AddressOfFunctions with edi directly)
        mov     eax,[.hAddrOfOrdinals]
        movzx   edi,word [eax+edi*2]
        mov     eax,[.hAddrOfFunctions]
        mov     eax,[eax+edi*4]
        add     eax,[lpKernel]
        clc
.out:
        return
endp

; standard CRC-32 (init 0FFFFFFFFh, reflected polynomial 0EDB88320h, final NOT)
proc _crc32, _size,_data
  .hcrc dd ?
        enter
        pushad
        mov     esi,[_data]
        mov     ecx,[_size]
        xor     eax,eax
        cdq
        dec     edx                     ; edx = 0FFFFFFFFh
.one:
        lodsb
        xor     al,dl
        push    ecx
        movzx   ebx,al
        push    8
        pop     ecx
.two:
        test    bl,1
        jz      .three
        shr     ebx,1
        xor     ebx,0EDB88320h
        jmp     .four
.three:
        shr     ebx,1
.four:
        loop    .two
        pop     ecx
        shr     edx,8
        xor     edx,ebx
        loop    .one
        xchg    eax,edx
        not     eax
        mov     [.hcrc],eax
        popad
        mov     eax,[.hcrc]
        return
endp

; strlen, scanning a dword at a time once aligned; out: eax = length
proc _strlen, lpString
  .ilen dd ?
        enter
        pushad
        mov     eax,[lpString]
        lea     ecx,[eax-1]
.1:
        inc     ecx
        test    ecx,3
        jz      .2
        cmp     byte [ecx],NULL
        jne     .1
        jmp     .6
.2:
        mov     ebx,[ecx]
        add     ecx,4
        test    bl,bl
        jz      .5
        test    bh,bh
        jz      .4
        test    ebx,00FF0000h
        jz      .3
        test    ebx,0FF000000h
        jnz     .2
        inc     ecx
.3:
        inc     ecx
.4:
        inc     ecx
.5:
        sub     ecx,4
.6:
        sub     ecx,eax
        mov     [.ilen],ecx
        popad
        mov     eax,[.ilen]
        return
endp

;section '.idata' import data readable writeable
;
;  library kernel32,'kernel32.dll',\
;          user32,'user32.dll',\
;          shell32,'shell32.dll',\
;          advapi32,'advapi32.dll'
;
;  include '%fasminc%\apia\kernel32.inc'
;  include '%fasminc%\apia\user32.inc'
;  include '%fasminc%\apia\shell32.inc'
;  include '%fasminc%\apia\advapi32.inc'
;
; eof
Spidark 25 Jul 2005, 12:55
Vasilev Vjacheslav wrote: your virus scanner isn't smart
You're right, I have a stupid virus scanner. But I was more interested in the code, and the how, etc. Thanks for the example.
revolution 25 Jul 2005, 13:54
Hey guys, I promise you there is no virus in the attachment. Besides, there is not enough code in there to do anything more than print a message.
Vasilev Vjacheslav: I like the idea of searching for the CRC. My code is much more basic and searches directly for the text. Does your code run on Win2K? I cannot assemble it because I don't have all your includes. My Win2K system rejects all executables with a blank import table because of a bug in NTDLL.DLL. It tries to call a Kernel32.DLL function when Kernel32.DLL is not even loaded!
Spidark: Interesting that the virus scanner detects some non-existent virus. What scanner program do you use? Sorry that I didn't post the code, but I had quickly put it together and it had many unnecessary bits that are remnants of things I was trying. Anyhow, I am now trying to get an all-Windows-compatible version going and promise I will post the source later if I can get it working. However, I actually have no practical purpose for this, just experimenting and trying to learn more about Windows internals. Indeed, if virus scanners are going to trigger then making any sort of wide-release software is not going to be successful if people think it is a virus.
Vasilev Vjacheslav 25 Jul 2005, 15:07
Quote: I like the idea of searching for the CRC. My code is much more basic and searches directly for the text. Does your code run on Win2K? I cannot assemble because I don't have all your includes.
Nope, it also doesn't run in Win2K because of the bug, but if the import table contains only one record from kernel32 it works fine.
PS. Later I'll post the full source.
Spidark 25 Jul 2005, 18:07
revolution wrote: Hey guys, I promise you there is no virus in the attachment. Besides, there is not enough code in there to do anything more than print a message.
Well, I'm feeling kinda stupid reporting to you what my virus scanner reported to me. It looks like I'm trying to make you look bad, but that wasn't my intention. I like an experiment myself, IF YOU KNOW WHAT I MEAN. I didn't even get to the point where I could run the program; it was deleted before I could say damn. I just reported what my scanner did with it, as a warning that heavyweight McAfee sees this file as a virus. It would be very odd to spread a virus this way, I know, and I also know that virus scanners like BitDefender and McAfee (which I use) do tend to be a little bit nervous. Again, it wasn't my intention to make anybody nervous about the file. MY BAD.
f0dder 25 Jul 2005, 22:55
Dunno if you can classify it as a bug, it's simply the way the loader works. I'd say it's more of a bug that no-imports actually works on other versions, by having kernel32.dll forced into your address space even if you don't use it.
Either it does heuristic scanning, or a simple wildcard pattern match. These no-import executables tend to look alike. I'd say it's a good call for the virus scanner to be suspicious, since you rarely ever see a valid executable that is built this way. Anyway, forget about McAfee. BitDefender is okayish (even if unstable on Win9x); the real deal is Kaspersky and F-Prot. And of course a trusty hex editor and disassembler.
vid 25 Jul 2005, 23:31
Quote: Either it does heuristic scanning, or a simple wildcard pattern match. These no-import executables tend to look alike. I'd say it's a good call for the virus scanner to be suspicious, since you rarely ever see valid executable that are built this way.
Or learn about reversing and install some good on-run debugger as an option while booting (I mean SoftICE). Then you can make sure you understand the things going on in your computer.... at least it worked great in DOS. And don't forget to install some S-ICE protector.
f0dder 25 Jul 2005, 23:47
A good AV product helps you avoid the everyday traps... I personally prefer hex editor + disassembler to a debugger; "dead" (but interactive) analysis is much safer.
Spidark 26 Jul 2005, 00:09
f0dder wrote:
Yes, it does heuristic scanning. I really like McAfee's firewall, I get lots of info from this firewall, but I'm gonna check out Kaspersky.
vid wrote:
I do have a copy of the latest SoftICE, but I hear that it's a course in itself to learn how to work with the great ICE; it's kinda slow on the tuts when I google it out. There's not much ICE tuts for Windows XP out there, or maybe I'm not looking in the right places.
revolution 26 Jul 2005, 02:35
Quote: Dunno if you can classify it as a bug, it's simply the way the loader works. I'd say it's more buggy that no-imports actually work on other versions, by having kernel32.dll forced into your address space even if you don't use it
Definitely a bug. NTDLL.DLL jumps to an unmapped piece of memory where it expects to have Kernel32.DLL present. If it needs it there it should load it there and not rely on the app to put it in its import section. WinXP does the right thing by loading up Kernel32.DLL before jumping. Win95, 98 and ME don't have NTDLL.DLL so Kernel32.DLL is always there anyway.
revolution 26 Jul 2005, 06:28
Quote: Again it wasn't my intention to make anybody nervous about the file
But just to be sure, here is (almost) the source I was using. This is not the same source that generated the above attachment, because since that was made I have edited and cut a few unnecessary things down to a kind of bare-bones file. Still doesn't work in Win2K, of course. Hope this can clear any worries some might still have.
Code:
format PE console at 0400000h
section '.text' code readable writeable executable
entry _start

STD_OUTPUT_HANDLE=-11

; each imported name becomes a zero-terminated string (ImportsA) and a dword slot (ImportsB)
macro import [proc,string]
{
  common
  macro ImportsA
  \{
    forward
      db string,0
    common
      db 0
  \}
  macro ImportsB
  \{
    forward
      proc dd ?
    common
  \}
}

import ExitProcess,'ExitProcess',\
       GetStdHandle,'GetStdHandle',\
       Sleep,'Sleep',\
       WriteFile,'WriteFile'

macro invoke proc,[arg]
{
  common
  if ~ arg eq
  reverse
    push arg
  common
  end if
  call [proc]
}

_start:
        ;get the return address (in KERNEL32.DLL)
        mov     ebx,[esp]
        ;find the start of the module
.a:
        sub     ebx,1
        xor     bx,bx                   ;step back page by page (64k-aligned)
        cmp     word[ebx],'MZ'
        jnz     .a
        mov     eax,[ebx+03ch]
        cmp     dword[ebx+eax],'PE'
        jnz     .a
        ;ebx=handle for kernel32.dll
        ;eax=PE header offset
        ;search for GetProcAddress
        mov     ecx,[ebx+eax+078h]      ;get the export table offset
        add     ecx,ebx
        mov     edx,[ecx+6*4]           ;count of exported functions
        mov     edi,[ecx+8*4]           ;offset of address of function names
        mov     esi,[ecx+9*4]           ;offset of ordinals
        add     esi,ebx
        add     edi,ebx
.h:
        mov     eax,[edi]
        add     eax,ebx
        cmp     dword[eax],'GetP'
        jz      .i
.j:
        add     esi,2
        add     edi,4
        sub     edx,1
        jnz     .h
.cannot_load:
        or      eax,-1
        ret                             ;fatal: die
.i:
        cmp     dword[eax+4],'rocA'
        jnz     .j
        cmp     dword[eax+8],'ddre'
        jnz     .j
        cmp     word[eax+12],'ss'
        jnz     .j
        test    byte[eax+14],-1
        jnz     .j
        movzx   eax,word[esi]           ;ordinal for this name
        mov     esi,[ecx+7*4]           ;offset of address of function offsets
        add     esi,ebx
        mov     eax,[esi+eax*4]
        add     eax,ebx
        mov     [GetProcAddress],eax
        ;get our imported functions from KERNEL32.DLL
        mov     esi,_import_data
        mov     edi,_import_names
        cld
.e:
        invoke  GetProcAddress,ebx,edi
        test    eax,eax
        jz      .cannot_load
        mov     [esi],eax
        add     esi,4
        or      ecx,-1
        xor     eax,eax
        repne   scasb                   ;skip to the next name
        test    byte[edi],-1
        jnz     .e
        ;now our normal code from here on
        invoke  GetStdHandle,STD_OUTPUT_HANDLE
        invoke  WriteFile,eax,intro,intro_length,dummy,0
        invoke  Sleep,8000
        invoke  ExitProcess,0

section '.data' data readable writeable
intro:  db 'This file has no imports, but has successfully run on your system.',13,10,\
           'Check the import section with your favourite PE decoder software',13,10,\
           'This program does not run on Win2K',13,10,\
           'This was written as an experiment just for proof of concept.'
intro_length=$-intro
times ((-(RVA $)) and 3) db 0
;the empty import directory below doubles as storage for these two dwords
virtual
  GetProcAddress dd ?
  dummy dd ?
end virtual
data import
  dd 5 dup 0                            ;one all-zero IMAGE_IMPORT_DESCRIPTOR
end data
_import_names:
ImportsA
times ((-(RVA $)) and 3) db 0
_import_data:
ImportsB
data fixups
end data
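As an added example (not code from the thread or from the fasm project), here is the export-directory walk that both posted programs perform on kernel32.dll, written in Python so it can be run offline: the name lookup used by revolution's code in this post, the CRC32 lookup used by Vasilev Vjacheslav's code above (the hash is the standard CRC-32 that his _crc32 routine computes), and the check a PE viewer applies to report "0 imported functions", which is the property f0dder says a scanner is right to find suspicious. The PE image is constructed inline for the example and is not a real kernel32.dll; its function RVAs are arbitrary marker values, and its ordinal table is deliberately shuffled so that the difference between the name index and the ordinal is visible. RVAs are used directly as buffer offsets, which holds for a module mapped in memory (what the assembler code reads after finding kernel32) but not for a file on disk, where the section table must map RVAs to file offsets. The PEB walk and return-address scan that locate kernel32 are Windows-only and are not reproduced.

```python
import struct
import zlib

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def data_directory(image: bytes, index: int):
    """Return (rva, size) of DataDirectory[index]. The assembler reads entry 0
    at optional-header offset 0x60, i.e. 0x78 from the 'PE' signature."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_base = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+
    return struct.unpack_from("<II", image, dir_base + 8 * index)


def has_no_imports(image: bytes) -> bool:
    """True when the import directory is absent or is just the 20-byte null
    IMAGE_IMPORT_DESCRIPTOR (revolution's 'dd 5 dup 0')."""
    rva, size = data_directory(image, IMAGE_DIRECTORY_ENTRY_IMPORT)
    if rva == 0 or size == 0:
        return True
    return image[rva:rva + 20] == b"\0" * 20


def cstring(image: bytes, offset: int) -> bytes:
    return image[offset:image.index(b"\0", offset)]


def name_hash(name: bytes) -> int:
    """Standard CRC-32, the same function as the thread's _crc32 routine."""
    return zlib.crc32(name) & 0xFFFFFFFF


def exports(image: bytes):
    """Yield (name, function_rva) for every named export, mapping the name
    index through AddressOfNameOrdinals before indexing AddressOfFunctions."""
    rva, _ = data_directory(image, IMAGE_DIRECTORY_ENTRY_EXPORT)
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, rva + 0x18)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]   # unbiased
        func_rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
        yield cstring(image, name_rva), func_rva


def resolve_by_name(image: bytes, name: bytes):
    """revolution's lookup: compare the export name text."""
    return next((rva for n, rva in exports(image) if n == name), None)


def resolve_by_crc32(image: bytes, crc: int):
    """Vasilev's lookup: compare CRC32(name), so no API string is in the file."""
    return next((rva for n, rva in exports(image) if name_hash(n) == crc), None)


def resolve_without_ordinals(image: bytes, name: bytes):
    """The shortcut of indexing AddressOfFunctions with the *name* index. It is
    wrong whenever the ordinal table is not the identity, which DLLs do not
    guarantee; shown here only to make the failure visible."""
    rva, _ = data_directory(image, IMAGE_DIRECTORY_ENTRY_EXPORT)
    n_names, funcs, names, _ = struct.unpack_from("<IIII", image, rva + 0x18)
    for i in range(n_names):
        if cstring(image, struct.unpack_from("<I", image, names + 4 * i)[0]) == name:
            return struct.unpack_from("<I", image, funcs + 4 * i)[0]
    return None


def build_image() -> bytes:
    """Constructed PE32 image (not a real DLL): headers, one null import
    descriptor, and an export directory with a shuffled ordinal table."""
    names = [b"ExitProcess", b"GetProcAddress", b"GetModuleHandleA", b"Sleep"]
    func_rvas = [0x1000, 0x2000, 0x3000, 0x4000]   # marker values, not code
    ordinals = [3, 0, 2, 1]                         # name i -> AddressOfFunctions[ordinals[i]]
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)  # COFF header, i386
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 0x5C, 16)                   # NumberOfRvaAndSizes
    export_rva, import_rva = 0x200, 0x300
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT, export_rva, 0x100)
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, 20)
    # the 20 bytes at import_rva stay zero: a single null IMAGE_IMPORT_DESCRIPTOR
    funcs, name_ptrs, ords, strings = 0x228, 0x238, 0x248, 0x250
    struct.pack_into("<IIHHIIIIIII", img, export_rva,
                     0, 0, 0, 0, 0, 1,              # Characteristics .. Name, Base
                     len(func_rvas), len(names), funcs, name_ptrs, ords)
    struct.pack_into("<4I", img, funcs, *func_rvas)
    struct.pack_into("<4H", img, ords, *ordinals)
    off = strings
    for i, name in enumerate(names):
        struct.pack_into("<I", img, name_ptrs + 4 * i, off)
        img[off:off + len(name) + 1] = name + b"\0"
        off += len(name) + 1
    return bytes(img)


if __name__ == "__main__":
    img = build_image()
    print("no imports:", has_no_imports(img))
    for n, rva in exports(img):
        print(f"{n.decode():18} crc32={name_hash(n):08x} rva={rva:#x}")
    print("GetProcAddress by CRC:", hex(resolve_by_crc32(img, name_hash(b"GetProcAddress"))))
    print("wrong without ordinals:", hex(resolve_without_ordinals(img, b"GetProcAddress")))
```

Two things the example makes concrete. First, the hash lookup is why such a file contains no API name strings at all, and a missing import table plus an absence of strings is exactly the shape heuristics key on, so the scanner behaviour reported in this thread is expected rather than a false positive in the usual sense. Second, the name index and the function index are different things: AddressOfNameOrdinals exists because exports can be sorted by name while functions keep their ordinal order, and a resolver that skips that table returns the wrong function on any DLL where the two orders differ.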
asmdemon 26 Jul 2005, 13:16
If I recall correctly, y0da did this using MASM. His proggie is http://scifi.pages.at/yoda9k/snippets/kernel2.zip
Tyler Durden 29 Jul 2005, 07:02
Cool! But you can optimize it a lot (mine is 601 bytes in a cab dropper vs. 850 bytes). And why do you need this fixup section?
P.S. Hmmm... Now I need to add loading of other libraries...
revolution 29 Jul 2005, 23:59
Quote: But you can optimize it a lot
AgentX 30 Jul 2005, 15:56
I can't download the attachment!
Frank 31 Jul 2005, 06:38
revolution wrote:
That's perfectly okay. But still:
Tyler Durden wrote: And why do you need this fixup section?
Copyright © 1999-2024, Tomasz Grysztar.