flat assembler
Message board for the users of flat assembler.
Windows > API problems
roticv 30 Nov 2003, 19:01
GetDesktopWindow is found in user32.dll.
Code:
Begin:
  invoke GetCurrentProcessId
  invoke VirtualProtectEx,eax,hack_me,1,PAGE_EXECUTE_READWRITE,Old_Protect
  jz exit ;failed
May I ask, what code sets your zero flag? What are you testing the zero flag for, specifically? If you are testing whether the return value is 0, where is your test eax,eax / or eax,eax / cmp eax,0?
silkodyssey 30 Nov 2003, 19:17
Paul6253,
Maybe GetCurrentProcess is the function you need to use instead of GetCurrentProcessId. api reference wrote:
_________________ silkodyssey
Paul6253 30 Nov 2003, 19:29
ok very good-- I missed that one, I put the declaration in the wrong lib import.
also, for some reason I thought the function set a flag...silly me. So I guess I must always check eax then. So now it works with the handle for Desktop...but STILL! no output, no MessageBox. I have to go to work now...sux. Thanks for responding so soon. So what's up with this Message box? later
_________________ Plez xcuce mi spelng
silkodyssey 30 Nov 2003, 19:36
Code:
  mov edi, to_write   ;load address of code-to-write in EDI
  mov [hack_me], edi  ;write code to location 'hack_me:'
  ret                 ;return from call
It seems like you're copying the address of the code. Aren't you supposed to copy the actual code?
_________________ silkodyssey
silkodyssey 30 Nov 2003, 23:26
Paul6253,
After looking at your code I became fascinated with the self modifying code idea and I think I've finally got it to work.
Code:
format PE GUI 4.0
entry start
include '%include%\win32ax.inc'

section '.data' data readable writeable
  wHandle     dd ?
  Old_Protect dd ?
  string      db 'normal execution',0
  hstring     db 'I am modified!',0
  captioN     db 'SMC example',0

data import
  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL',\
          winmm,'WINMM.DLL'
  import kernel32,\
         ExitProcess,'ExitProcess',\
         GetCurrentProcessId,'GetCurrentProcessId',\
         GetCurrentProcess,'GetCurrentProcess',\
         VirtualProtectEx,'VirtualProtectEx'
  import user32,\
         MessageBox,'MessageBoxA',\
         GetDesktopWindow,'GetDesktopWindow' ;exported by user32.dll, not kernel32 (see roticv above)
  import winmm,\
         mciSendString,'mciSendStringA'
end data

section '.code' code readable executable
start:
  jmp Begin
hacked:                 ;the hook: the jmp written at hack_me lands here
  invoke MessageBox,0,hstring,captioN,MB_OK
  jmp exit
Begin:
  invoke GetCurrentProcess ;pseudo-handle of this process, not the process id
  invoke VirtualProtectEx,eax,hack_me,4,PAGE_EXECUTE_READWRITE,Old_Protect
  or eax,eax
  jz exit               ;failed (VirtualProtectEx returned zero)
  call modify
  xor eax,eax
hack_me:                ;gets replaced
  invoke MessageBox,0,string,captioN,MB_OK
modify:
  ; 0EBh is the first byte for the jmp instruction.
  ; The next byte for the instruction is the number of bytes to jmp.
  ; This is calculated by subtracting the address of the jmp itself, plus 2
  ; since the jmp is a two byte instruction, from the address of the code
  ; that begins the call to the message box function.
  mov esi, hack_me
  mov byte [esi], 0EBh  ;write code to location 'hack_me:'
  mov al, hacked - hack_me - 2
  mov byte [esi + 1], al
  ret                   ;return from call
to_write:
  jmp hacked
exit:
  invoke ExitProcess,eax
_________________ silkodyssey
Tomasz Grysztar 30 Nov 2003, 23:29
You don't really have to use VirtualProtect, you can just add the "writeable" flag in the attributes of code section.
silkodyssey 30 Nov 2003, 23:34
LOL that's why I like fasm. It makes everything so much easier.
_________________ silkodyssey
roticv 01 Dec 2003, 03:25
Possible on other assemblers too. Just that you need to know them well enough.
silkodyssey 01 Dec 2003, 10:36
Really? You mean I can set the code section to writeable with other assemblers? Can you show me some examples?
_________________ silkodyssey
Paul6253 01 Dec 2003, 11:54
SilkOdyssey! whoa man ...(I'm not worthy) damn dude that was good.
I thought there mighta been sumthin weird about mov [esi],address in my original code, cuz I'm surprised it didn't crash-- I doubt the 'address' was a legal opcode. The calculating of offsets was what was needed, very good job! okay so let me go over what you did (which is a programming miracle and a no-no by itself-- surprised Norton didn't flare up cuz this is the roots of viral code): you wrote an opcode, a jmp, to the first byte at hack_me, then you had to figure out the 'where are we jumping' part, so that was simple: just subtract the offsets from where the code is that we want to replace from the new code location and then subtract that jmp instruction. Then put that at byte two of the replaced code. Way cool man.. Now we have a stub for modification...maybe we can get that size down a bit as well. oh and gee...I like this writable flag bit. Fasm kicks ass. later
_________________ Plez xcuce mi spelng
Last edited by Paul6253 on 01 Dec 2003, 12:11; edited 1 time in total
silkodyssey 01 Dec 2003, 12:09
No problem Paul, it was a fun exercise. You should be able to get the size of the program down I guess, since we know now that you don't need to call the VirtualProtectEx function. Do you have OllyDbg? That helped a lot.
_________________ silkodyssey
Betov 01 Dec 2003, 12:10
silkodyssey, it would be a bit strange if an Assembly would not allow you to set this Flag.
Betov.
silkodyssey 01 Dec 2003, 12:12
Why?
_________________ silkodyssey
Paul6253 01 Dec 2003, 12:14
oh yeah, OllyDbg is quite nice-- I was wondering how you figured out the jmp opcode, cuz it's different for any given situation I think...
I'm guessing you patched the jmp in OllyDbg. ...
_________________ Plez xcuce mi spelng
roticv 01 Dec 2003, 12:28
The most important thing is the switch to the linker. I did not use Radasm because it screws that switch up.
silkodyssey 01 Dec 2003, 12:30
paul,
I tried copying the 2 bytes at the to_write address to the hack_me address, but the program crashed, and when I looked at it with OllyDbg I saw that it wasn't jumping where I wanted it to, so I guessed that it just jumped some number of bytes from the current address.
betov, I looked at RosAsm and saw that there is an option to make the code writeable. I don't know of any statements in masm to do this, but I looked at some of the options for link and saw that it's done at the linking stage. Assemblers like RosAsm and Fasm can have directives for doing this because they do their own linking, whereas other assemblers like masm require a separate linker.
_________________ silkodyssey
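Added example (my own C, not code from this thread) showing the point silkodyssey makes above and in the comments of the modify: routine: a short jump is EB rel8 with rel8 counted from the end of the 2-byte instruction, so the bytes assembled at to_write only work there and the displacement has to be rebuilt for hack_me. It also falls back to the 5-byte E9 rel32 form when the target is out of rel8 range. The addresses are constructed sample values, not the real layout of the posted program.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread. A short jump is EB rel8, and rel8
 * is counted from the END of the 2-byte instruction, so the two bytes the
 * assembler emitted for "jmp hacked" at to_write only work at to_write. */
#define SHORT_JMP_LEN 2
#define NEAR_JMP_LEN  5
#define REL8_OUT_OF_RANGE 0x7FFFFFFF   /* sentinel: target needs E9 rel32 */

/* rel8 a short jump at 'at' needs to reach 'target' (the byte silkodyssey
 * stores at [esi+1]), or REL8_OUT_OF_RANGE if the target is over +-127 away. */
int32_t short_jmp_rel8(uint32_t at, uint32_t target)
{
    int32_t disp = (int32_t)(target - (at + SHORT_JMP_LEN));
    return (disp < -128 || disp > 127) ? REL8_OUT_OF_RANGE : disp;
}

/* Where a short jump whose bytes sit at 'at' actually lands. */
uint32_t short_jmp_target(uint32_t at, int8_t rel8)
{
    return at + SHORT_JMP_LEN + rel8;
}

/* Write the jump into buf: EB rel8 when it fits, else E9 rel32 (little-endian).
 * Returns the number of bytes written, 2 or 5. */
int encode_jmp(uint32_t at, uint32_t target, uint8_t buf[NEAR_JMP_LEN])
{
    int32_t rel8 = short_jmp_rel8(at, target);
    if (rel8 != REL8_OUT_OF_RANGE) {
        buf[0] = 0xEB;
        buf[1] = (uint8_t)rel8;
        return SHORT_JMP_LEN;
    }
    int32_t rel32 = (int32_t)(target - (at + NEAR_JMP_LEN));
    buf[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        buf[1 + i] = (uint8_t)(rel32 >> (8 * i));
    return NEAR_JMP_LEN;
}

int main(void)
{
    /* Constructed addresses in the listing's order: hacked, hack_me, to_write. */
    uint32_t hacked = 0x401002, hack_me = 0x401046, to_write = 0x401051;
    uint8_t emitted[NEAR_JMP_LEN], patch[NEAR_JMP_LEN];
    encode_jmp(to_write, hacked, emitted);  /* bytes the assembler put at to_write */
    encode_jmp(hack_me, hacked, patch);     /* bytes modify: must write at hack_me */
    printf("copied bytes jump to %#x, wanted %#x; correct patch EB %02X (rel8 %d)\n",
           (unsigned)short_jmp_target(hack_me, (int8_t)emitted[1]), (unsigned)hacked,
           patch[1], (int8_t)patch[1]);
    return 0;
}
```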
Betov 01 Dec 2003, 15:47
Yes, of course, with a Linker in the build Process, this is a Linker option.
Betov.
Ralph 02 Dec 2003, 04:12
Hey,
I mostly just skimmed this thread so excuse me if I'm repeating anything. Just some comments:
- You can use jqwerty's pewrsec tool to set the write bit in any section. The default is the code section. This would let you use smc in any PE application.
- If you plan on going into PE hackage, I suggest you try some virus tutorials. A lot of them are complete shit, but the odd one can be quite good. If I remember correctly, Lord Julus published some decent information in his single issue VX-Tasy ezine. Polymorphism and the much overhyped metamorphism can get quite interesting, especially if you don't get caught up in the bullshit and actually try to write something novel.
- I found SoftIce to be another very useful tool when dealing with smc code. With the right breakpoints set it can make debugging a lot simpler. It's not free, but I'm sure google can be your friend here.
eet_1024 04 Dec 2003, 05:55
Last time something like this came up, I heard that setting ".code" as writeable is not enough.
Though it seems to work under 98. Can someone run this under 2000?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.