flat assembler
Message board for the users of flat assembler.

Index > Windows > API problems

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 30 Nov 2003, 18:46
hello all,
This is my first attempt at a windows assembly hack. I'm coming from a UNIX environent.
My first attempt was to create self-modifying code.
Using VirtualProtect I was successful in that alone. However ,
I was unable to use MessageBox to show the results of modification.
It appears that the this function needs a window handle,however,I've seen
other code that passes a NULL and it works fine...
There is a function called GetDesktopWindow which returns a handle,
but it didnt work-- I got an exception stating that it could not find the entry
point in kernel32.dll
So below I post two versions: The first one does not use a window handle,
and it compiled and ran,although no output.
second verson gives exception
I know there's alot of really good programmers in here who have experianced the same pitfalls at some point,so Thanks for sharing your
experiance and wisdom Smile

Code:

first version:

format PE GUI 4.0
entry start

include '%include%\win32a.inc'


section '.data' data readable writeable
wHandle     dd ?
Old_Protect dd ?
string     db 'normal execution',0
hstring    db 'I am modified!',0
captioN    db 'SMC example',0

data import

 library kernel32,'KERNEL32.DLL',\
         user32,'USER32.DLL',\
         winmm,'WINMM.DLL'

 import kernel32,\
        ExitProcess,'ExitProcess',\
        GetCurrentProcessId,'GetCurrentProcessId',\
        VirtualProtectEx,'VirtualProtectEx',\
        GetDesktopWindow,'GetDesktopWindow'

 import user32,\
        MessageBox,'MessageBoxA'

 import winmm,\
        mciSendString,'mciSendStringA'

end data


section '.code' code readable executable

start:

jmp Begin


hacked: ;the hook


                 invoke MessageBox,0,hstring,captioN,MB_OK
                 jmp exit



Begin:
                 invoke GetCurrentProcessId
                 invoke VirtualProtectEx,eax,hack_me,1,PAGE_EXECUTE_READWRITE,Old_Protect
                 jz  exit ;failed







                  call modify
                  xor eax,eax
hack_me:           ;gets replaced
                   invoke MessageBox,0,string,captioN,MB_OK


modify:

                 mov edi, to_write      ;load address of code-to-write in EDI
                 mov [hack_me], edi    ;write code to location 'hack_me:'
                 ret                   ;return from call
to_write:


                  jmp hacked

exit:
      invoke   ExitProcess,eax


second version:

format PE GUI 4.0
entry start

include '%include%\win32a.inc'


section '.data' data readable writeable
wHandle     dd ?
Old_Protect dd ?
string     db 'normal execution',0
hstring    db 'I am modified!',0
captioN    db 'SMC example',0

data import

 library kernel32,'KERNEL32.DLL',\
         user32,'USER32.DLL',\
         winmm,'WINMM.DLL'

 import kernel32,\
        ExitProcess,'ExitProcess',\
        GetCurrentProcessId,'GetCurrentProcessId',\
        VirtualProtectEx,'VirtualProtectEx',\
        GetDesktopWindow,'GetDesktopWindow'

 import user32,\
        MessageBox,'MessageBoxA'

 import winmm,\
        mciSendString,'mciSendStringA'

end data


section '.code' code readable executable

start:

jmp Begin


hacked: ;the hook


                 invoke MessageBox,wHandle,hstring,captioN,MB_OK
                 jmp exit



Begin:
                 invoke GetCurrentProcessId
                 invoke VirtualProtectEx,eax,hack_me,1,PAGE_EXECUTE_READWRITE,Old_Protect
                 jz  exit ;failed

                 invoke GetDesktopWindow
                 mov [wHandle],eax




                  call modify
                  xor eax,eax
hack_me:           ;gets replaced
                   invoke MessageBox,wHandle,string,captioN,MB_OK


modify:

                 mov edi, to_write      ;load address of code-to-write in EDI
                 mov [hack_me], edi    ;write code to location 'hack_me:'
                 ret                   ;return from call
to_write:


                  jmp hacked

exit:
      invoke   ExitProcess,eax


    

_________________
Plez xcuce mi spelng
Post 30 Nov 2003, 18:46
View user's profile Send private message Reply with quote
roticv



Joined: 19 Jun 2003
Posts: 374
Location: Singapore
roticv 30 Nov 2003, 19:01
GetDesktopWindow is found in user32.dll.

Code:
Begin: 
                 invoke GetCurrentProcessId 
                 invoke VirtualProtectEx,eax,hack_me,1,PAGE_EXECUTE_READWRITE,Old_Protect 
                 jz  exit ;failed 
    

May I ask, what code sets the flag in your zero flag. What are you testing for zero flag specifically? If you are testing whether the return value is 0, where is your test eax, eax/or eax,eax/cmp eax,0 ?
Post 30 Nov 2003, 19:01
View user's profile Send private message Visit poster's website MSN Messenger Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 30 Nov 2003, 19:17
Paul6253,

Maybe GetCurrentProcess in the function you need to use instead of GetCurrentProcessId.

api reference wrote:

GetCurrentProcess

The GetCurrentProcess function retrieves a pseudo handle for the current process.


HANDLE GetCurrentProcess(void);

Parameters
This function has no parameters.
Return Values
The return value is a pseudo handle to the current process.

Remarks
A pseudo handle is a special constant, currently (HANDLE)-1, that is interpreted as the current process handle. For compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this constant value. The calling process can use a pseudo handle to specify its own process whenever a process handle is required. Pseudo handles are not inherited by child processes.

This handle has the maximum possible access to the process object. For systems that support security descriptors, this is the maximum access allowed by the security descriptor for the calling process. For systems that do not support security descriptors, this is PROCESS_ALL_ACCESS. For more information, see Process Security and Access Rights.

A process can create a "real" handle to itself that is valid in the context of other processes, or that can be inherited by other processes, by specifying the pseudo handle as the source handle in a call to the DuplicateHandle function. A process can also use the OpenProcess function to open a real handle to itself.

The pseudo handle need not be closed when it is no longer needed. Calling the CloseHandle function with a pseudo handle has no effect. If the pseudo handle is duplicated by DuplicateHandle, the duplicate handle must be closed.


_________________
silkodyssey
Post 30 Nov 2003, 19:17
View user's profile Send private message MSN Messenger Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 30 Nov 2003, 19:29
ok very good-- I missed that one, I put the decalration in wrong lib import
also, for some reason I thought the function set a flag...silly me.
So I guess must always check eax then.
So now works with handle for Desktop...but STILL! no output,no MessageBox Sad

I have go to work now...sux
Thanks for responding so soon.
So whats up with this Message box?

later

_________________
Plez xcuce mi spelng
Post 30 Nov 2003, 19:29
View user's profile Send private message Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 30 Nov 2003, 19:36
Code:
 

mov edi, to_write      ;load address of code-to-write in EDI
mov [hack_me], edi    ;write code to location 'hack_me:'
ret                   ;return from call 
    


It seems like you're copying the address of the code aren't you supposed to copy the actual code?

_________________
silkodyssey
Post 30 Nov 2003, 19:36
View user's profile Send private message MSN Messenger Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 30 Nov 2003, 23:26
Paul6253,

After looking at your code I became fascinated with the self modifying code idea and I think I've finally got it to work. Smile

Code:
 
format PE GUI 4.0
entry start

include '%include%\win32ax.inc'


section '.data' data readable writeable
wHandle     dd ?
Old_Protect dd ?
string     db 'normal execution',0
hstring    db 'I am modified!',0
captioN    db 'SMC example',0

data import

library kernel32,'KERNEL32.DLL',\
         user32,'USER32.DLL',\
         winmm,'WINMM.DLL'

import kernel32,\
        ExitProcess,'ExitProcess',\
        GetCurrentProcessId,'GetCurrentProcessId',\
        GetCurrentProcess,'GetCurrentProcess',\
        VirtualProtectEx,'VirtualProtectEx',\
        GetDesktopWindow,'GetDesktopWindow'

import user32,\
        MessageBox,'MessageBoxA'

import winmm,\
        mciSendString,'mciSendStringA'

end data


section '.code' code readable executable

start:

jmp Begin

hacked: ;the hook

                 invoke MessageBox,0,hstring,captioN,MB_OK
                 jmp exit
Begin:
                 invoke GetCurrentProcess; Id
                 invoke VirtualProtectEx,eax,hack_me,4,PAGE_EXECUTE_READWRITE,Old_Protect
                 or  eax, eax
                 jz  exit ;failed

                 call modify
                 xor eax,eax
hack_me:           ;gets replaced
                 invoke MessageBox,0,string,captioN,MB_OK
modify:
                 ; 0EBh is the first
                 ; byte for the jmp instruction
                 ; The next byte for the
                 ; instruction is the number of
                 ; bytes to jmp.This is calculated by
                 ; subtracting the address of the code
                 ; that begins the call to the message box
                 ; function by the address of the code
                 ; that jumps to that address.2 has to be added
                 ; since the jmp is a two bye instruction

                 mov esi, hack_me
                 mov byte [esi], 0EBh    ;write code to location 'hack_me:'
                 mov al, hacked - hack_me - 2
                 mov byte [esi + 1], al

                 ret                   ;return from call
to_write:
                 jmp hacked

exit:
                invoke   ExitProcess,eax 
    

_________________
silkodyssey
Post 30 Nov 2003, 23:26
View user's profile Send private message MSN Messenger Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8353
Location: Kraków, Poland
Tomasz Grysztar 30 Nov 2003, 23:29
You don't really have to use VirtualProtect, you can just add the "writeable" flag in the attributes of code section.
Post 30 Nov 2003, 23:29
View user's profile Send private message Visit poster's website Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 30 Nov 2003, 23:34
LOL thats why I like fasm. It makes everything so much easier Smile

_________________
silkodyssey
Post 30 Nov 2003, 23:34
View user's profile Send private message MSN Messenger Reply with quote
roticv



Joined: 19 Jun 2003
Posts: 374
Location: Singapore
roticv 01 Dec 2003, 03:25
Possible on other assemblers too. Just that you need to know them well enough
Post 01 Dec 2003, 03:25
View user's profile Send private message Visit poster's website MSN Messenger Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 01 Dec 2003, 10:36
Really? You mean I can set the code section to writeable with other assemblers? Can you show me some examples? Smile

_________________
silkodyssey
Post 01 Dec 2003, 10:36
View user's profile Send private message MSN Messenger Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 01 Dec 2003, 11:54
SilkOdyssey! whoa man ...(I'm not worthy) damn dude that was good.
I thought there mighta been sumthin weird about mov [esi],adrress
in my original code,
cuz, I'm surprised it didnt crash-- I doubt the 'address' was legal opcode.
The calulatiing offsets was what was needed, very good job!
okay so let me go over what you did(which is a programming miracle and
no-no by itself--surprised Norton didnt flare up cuz this is the roots
of virul code )
you wrote opcode ,a jmp, to first byte at hack_me then you had to figure out the 'where are we jumping part' so tHAT WAS simple: just subtract the
offsets from where the the code is that we want to replace from the new code location and then subtract that jmp instruction.Then put that at
byte two of replaced code. Way cool man..
Now we have a stub for modification...maybe we can get thaT size down a
bit as well Wink
oh and gee...I like this writable flag bit. Fasm kicks ass.
later

_________________
Plez xcuce mi spelng


Last edited by Paul6253 on 01 Dec 2003, 12:11; edited 1 time in total
Post 01 Dec 2003, 11:54
View user's profile Send private message Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 01 Dec 2003, 12:09
No problem Paul, it was a fun exercise Smile. You should be able to get the size of the program down I guess since we know now that you don't need to call to the VirtualProtectEx function. Do you have olly debug? That helped a lot Smile

_________________
silkodyssey
Post 01 Dec 2003, 12:09
View user's profile Send private message MSN Messenger Reply with quote
Betov



Joined: 17 Jun 2003
Posts: 98
Betov 01 Dec 2003, 12:10
silkodyssey, it would be a bit strange if an Assembly would not allow you to set this Flag.

Betov.
Post 01 Dec 2003, 12:10
View user's profile Send private message Visit poster's website Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 01 Dec 2003, 12:12
Why?

_________________
silkodyssey
Post 01 Dec 2003, 12:12
View user's profile Send private message MSN Messenger Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 01 Dec 2003, 12:14
oh yeah, Ollydbg is quite nice-- I was wondering how you figured out the jmp opcode cuz it's different for any given situation I think...
I'm guessing you patched the jmp in ollydbg.
...

_________________
Plez xcuce mi spelng
Post 01 Dec 2003, 12:14
View user's profile Send private message Reply with quote
roticv



Joined: 19 Jun 2003
Posts: 374
Location: Singapore
roticv 01 Dec 2003, 12:28
The most important thing is the switch to the linker. I did not use Radasm because it screws that switch up.


Description:
Download
Filename: smc.zip
Filesize: 1.22 KB
Downloaded: 516 Time(s)

Post 01 Dec 2003, 12:28
View user's profile Send private message Visit poster's website MSN Messenger Reply with quote
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey 01 Dec 2003, 12:30
paul,

I tried copying the 2 bytes at the to_write address the hack_me address but the program crashed and when I looked at with ollydebug I saw that it wasn't jumping where I wanted it to so I guessed that it just jumped some number of bytes from the current address.

betov,

I looked at RosAsm and saw that there is an option to make the code writeable Smile. I don't know of of any statements in masm to do this but I looked at some of the options for link and saw that its done at the linking stage. Assemblers like RosAsm and Fasm can have directives for doing this because they do their own linking whereas other assemblers like masm require a separate linker.

_________________
silkodyssey
Post 01 Dec 2003, 12:30
View user's profile Send private message MSN Messenger Reply with quote
Betov



Joined: 17 Jun 2003
Posts: 98
Betov 01 Dec 2003, 15:47
Yes, of course, with a Linker in the build Process, this is a Linker option.


Betov.
Post 01 Dec 2003, 15:47
View user's profile Send private message Visit poster's website Reply with quote
Ralph



Joined: 04 Oct 2003
Posts: 86
Ralph 02 Dec 2003, 04:12
Hey,
I mostly just skimmed this thread so excuse me if I'm repeating anything. Just some comments:
-You can use jqwerty's pewrsec tool to set the write bit in any section. The default is the code section. This would let you use smc in any PE application.
-If you plan on going into PE hackage, I suggest you try some virus tutorials. A lot of them are complete shit, but the odd one can be quite good. If I remember correctly, Lord Julus published some decent information in his single issue VX-Tasy ezine. Polymorphism and the much overhyped metamorphism can get quite interesting, especially if you don't get caught up in the bullshit and actually try to write something novel.
-I found SoftIce to be another very useful tool when dealing with smc code. With the right breakpoints set it can make debugging a lot simpler. It's not free, but I'm sure google can be your friend here.
Post 02 Dec 2003, 04:12
View user's profile Send private message Reply with quote
eet_1024



Joined: 22 Jul 2003
Posts: 59
eet_1024 04 Dec 2003, 05:55
Last time something like this came up, I heard that setting ".code" as writeable is not enough.

Though it seems to work under 98. Can someone run this under 2000?


Description:
Download
Filename: Morph.zip
Filesize: 895 Bytes
Downloaded: 300 Time(s)

Post 04 Dec 2003, 05:55
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.