
Index > Windows > Iczelion's PE Tutorial 2

Beowulf



-- Update --
Changed the hand-coded `db 064h` prefix byte to the `[fs:...]` addressing form.
Thanks to roticv.
--

Code:
format PE GUI 4.0                       ; 32-bit PE, GUI subsystem, subsystem version 4.0
entry start                             ; entry point label, defined in the '.code' section below

include '%include%\win32a.inc'          ; ANSI Win32 macros/equates used here: proc/enter/return,
                                        ; invoke, OPENFILENAME, OFN_*, GENERIC_READ, FILE_MAP_READ, ...



MAXIMUM_SUPPORTED_EXTENSION     equ 512         ; size of CONTEXT.ExtendedRegisters
SIZE_OF_80387_REGISTERS         equ 80          ; size of FLOATING_SAVE_AREA.RegisterArea (8 x 10-byte registers)
ExceptionContinueExecution      equ 0           ; EXCEPTION_DISPOSITION returned by SEHHandler: resume with the patched CONTEXT
IMAGE_NT_SIGNATURE              equ 00004550h   ; dword 'PE',0,0 in little-endian byte order
IMAGE_DOS_SIGNATURE             equ 5A4Dh       ; word 'MZ' in little-endian byte order


; Custom exception-registration record.  The first two dwords have the
; layout the OS walks from fs:[0] (next record, handler address); the
; remaining three are private to SEHHandler, which uses them to rewind
; the faulting thread to the state saved by 'start'.
struc SEH
{
  .PrevLink       dd ?            ; previous fs:[0] value, restored at CleanUp
  .CurrentHandler dd ?            ; address of SEHHandler
  .SafeOffset     dd ?            ; EIP to resume at after an exception (FinalExit)
  .PrevEsp        dd ?            ; ESP to restore on resume
  .PrevEbp        dd ?            ; EBP to restore on resume
}

; x87 FPU state block embedded in CONTEXT.FloatSave.  Not read by this
; program; it only has to occupy the right number of bytes so that the
; register fields of CONTEXT land at the offsets the OS uses.
; NOTE(review): 'STRUCT' is a macro parameter that the body never uses -
; it looks like a leftover from a MASM-style "name STRUCT" declaration
; and could be dropped.
struc FLOATING_SAVE_AREA STRUCT
{

  .ControlWord   dd      ?
  .StatusWord    dd      ?
  .TagWord       dd      ?
  .ErrorOffset   dd      ?
  .ErrorSelector dd      ?
  .DataOffset    dd      ?
  .DataSelector  dd      ?
  .RegisterArea  rb  SIZE_OF_80387_REGISTERS   ; raw image of the 8 x 10-byte FPU registers
  .Cr0NpxState   dd      ?
}

; Legacy MZ header at file offset 0.  Only e_magic and e_lfanew are used
; by this program (see 'start'); everything else is kept for layout.
struc IMAGE_DOS_HEADER
{
  .e_magic           dw      ?         ; must equal IMAGE_DOS_SIGNATURE ('MZ')
  .e_cblp            dw      ?
  .e_cp              dw      ?
  .e_crlc            dw      ?
  .e_cparhdr         dw      ?
  .e_minalloc        dw      ?
  .e_maxalloc        dw      ?
  .e_ss              dw      ?
  .e_sp              dw      ?
  .e_csum            dw      ?
  .e_ip              dw      ?
  .e_cs              dw      ?
  .e_lfarlc          dw      ?
  .e_ovno            dw      ?
  .e_res             rw      4
  .e_oemid           dw      ?
  .e_oeminfo         dw      ?
  .e_res2            rw      10
  .e_lfanew          dd      ?         ; file offset (from offset 0) of IMAGE_NT_HEADERS; untrusted input
}

; COFF file header that follows the 'PE',0,0 signature.  Declared only so
; that IMAGE_NT_HEADERS has the right layout; no field is read here.
struc IMAGE_FILE_HEADER
{
  .Machine               dw    ?
  .NumberOfSections      dw    ?
  .TimeDateStamp         dd    ?
  .PointerToSymbolTable  dd    ?
  .NumberOfSymbols       dd    ?
  .SizeOfOptionalHeader  dw    ?
  .Characteristics       dw    ?
}

; One entry of the optional header's data directory (8 bytes).
struc IMAGE_DATA_DIRECTORY
{
  .VirtualAddress    dd      ?
  .isize             dd      ?         ; the SDK calls this 'Size'; presumably renamed to avoid a clash - unverified
}

; Win32 x86 thread context handed to the exception handler via pContext.
; Field order and sizes must match the OS CONTEXT layout, because
; SEHHandler overlays this struc on the pointer it receives.  Only
; regEip, regEsp and regEbp are written by this program; nothing is read.
struc CONTEXT
{
  .ContextFlags  dd      ?
  .iDr0          dd      ?         ; debug registers Dr0-Dr3, Dr6, Dr7
  .iDr1          dd      ?
  .iDr2          dd      ?
  .iDr3          dd      ?
  .iDr6          dd      ?
  .iDr7          dd      ?
  .FloatSave     FLOATING_SAVE_AREA
  .regGs         dd      ?         ; segment registers
  .regFs         dd      ?
  .regEs         dd      ?
  .regDs         dd      ?
  .regEdi        dd      ?         ; general-purpose registers at the time of the fault
  .regEsi        dd      ?
  .regEbx        dd      ?
  .regEdx        dd      ?
  .regEcx        dd      ?
  .regEax        dd      ?
  .regEbp        dd      ?         ; SEHHandler sets this to SEH.PrevEbp
  .regEip        dd      ?         ; SEHHandler sets this to SEH.SafeOffset
  .regCs         dd      ?
  .regFlag       dd      ?         ; EFLAGS
  .regEsp        dd      ?         ; SEHHandler sets this to SEH.PrevEsp
  .regSs         dd      ?
  .ExtendedRegisters rb MAXIMUM_SUPPORTED_EXTENSION
}

; PE32 optional header.  Not read by this program; kept so that the
; IMAGE_NT_HEADERS struc is complete.
; The data directory is 16 entries x 8 bytes = 128 bytes: only the first
; entry is declared by name, the remaining 120 bytes are reserved raw, so
; entries 1..15 are not addressable as fields.
struc IMAGE_OPTIONAL_HEADER32
{
  .Magic                         dw     ?
  .MajorLinkerVersion            db     ?
  .MinorLinkerVersion            db     ?
  .SizeOfCode                    dd     ?
  .SizeOfInitializedData         dd     ?
  .SizeOfUninitializedData       dd     ?
  .AddressOfEntryPoint           dd     ?
  .BaseOfCode                    dd     ?
  .BaseOfData                    dd     ?
  .ImageBase                     dd     ?
  .SectionAlignment              dd     ?
  .FileAlignment                 dd     ?
  .MajorOperatingSystemVersion   dw     ?
  .MinorOperatingSystemVersion   dw     ?
  .MajorImageVersion             dw     ?
  .MinorImageVersion             dw     ?
  .MajorSubsystemVersion         dw     ?
  .MinorSubsystemVersion         dw     ?
  .Win32VersionValue             dd     ?
  .SizeOfImage                   dd     ?
  .SizeOfHeaders                 dd     ?
  .CheckSum                      dd     ?
  .Subsystem                     dw     ?
  .DllCharacteristics            dw     ?
  .SizeOfStackReserve            dd     ?
  .SizeOfStackCommit             dd     ?
  .SizeOfHeapReserve             dd     ?
  .SizeOfHeapCommit              dd     ?
  .LoaderFlags                   dd     ?
  .NumberOfRvaAndSizes           dd     ?
  .DataDirectory                 IMAGE_DATA_DIRECTORY   ; entry 0 only
                                 rb     120             ; entries 1..15, 15 x 8 bytes
}

; PE header located at IMAGE_DOS_HEADER.e_lfanew.  'start' only checks
; Signature against IMAGE_NT_SIGNATURE.
struc IMAGE_NT_HEADERS
{
  .Signature         dd                   ?   ; 'PE',0,0
  .FileHeader        IMAGE_FILE_HEADER
  .OptionalHeader    IMAGE_OPTIONAL_HEADER32
}


section '.data' data readable writeable

ofn                        OPENFILENAME         ; GetOpenFileName parameter block (struc from win32a.inc)
seh                        SEH                  ; our exception-registration record, linked at fs:[0] by 'start'

; Filter for the open dialog: description,0,pattern,0 pairs, ended by an extra 0.
FilterString               db 'Executable Files (*.exe, *.dll)',0,'*.exe;*.dll',0
                           db 'All Files',0,'*.*',0,0

AppName                    db 'PE tutorial no.2',0          ; MessageBox caption
FileOpenError              db 'Cannot open the file for reading',0
FileOpenMappingError       db 'Cannot open the file for memory mapping',0
FileMappingError           db 'Cannot map the file into memory',0
FileValidPE                db 'This file is a valid PE',0
FileInValidPE              db 'This file is not a valid PE',0

buffer                     rb 512       ; selected path; ofn.nMaxFile must stay equal to this size
hFile                      dd ?         ; handle from CreateFile
hMapping                   dd ?         ; handle from CreateFileMapping
pMapping                   dd ?         ; base of the MapViewOfFile view (= file offset 0)
ValidPE                    dd ?         ; TRUE/FALSE verdict; uninitialised (zero-filled) at load, forced FALSE by SEHHandler


section '.code' code readable executable
        ;-----------------------------------------------------------------
        ; SEHHandler(pExcept, pFrame, pContext, pDispatch)
        ; Exception handler that 'start' links at fs:[0] before it touches
        ; the mapped file.  It never looks at pExcept: whatever the
        ; exception, it rewinds the faulting thread to the state saved in
        ; the SEH record (EIP = SafeOffset, ESP/EBP = PrevEsp/PrevEbp),
        ; records the verdict ValidPE = FALSE and returns
        ; ExceptionContinueExecution, so the OS resumes at FinalExit.
        ; In:   [pFrame]   -> our SEH record (struc SEH)
        ;       [pContext] -> CONTEXT of the faulting thread (patched here)
        ; Out:  eax = ExceptionContinueExecution
        ; NOTE(review): because pExcept is ignored, unwind notifications and
        ; exceptions unrelated to the header parse are "handled" the same
        ; way; a stricter handler returns ExceptionContinueSearch for those.
        ; NOTE(review): the Win32 handler callback is cdecl; whether 'return'
        ; emits a plain 'ret' or pops the four arguments depends on the proc
        ; macro in win32a.inc - confirm before relying on this in real code.
        ;-----------------------------------------------------------------
        proc SEHHandler,pExcept,pFrame,pContext,pDispatch
        enter
        push edx                         ; edx is used as the frame pointer below

                mov edx,[pFrame]
                virtual at edx           ; sh.X addresses [edx + offset of X]
                         sh   SEH
                end virtual
                mov eax,[pContext]
                virtual at eax           ; con.X addresses [eax + offset of X]
                         con   CONTEXT
                end virtual
                ; memory-to-memory copies via the stack
                push [sh.SafeOffset]
                pop [con.regEip]         ; resume at FinalExit ...
                push [sh.PrevEsp]
                pop [con.regEsp]         ; ... with the stack as it was when the frame was installed
                push [sh.PrevEbp]
                pop [con.regEbp]
                mov [ValidPE], FALSE     ; a fault while reading the headers means "not a usable PE"
                mov eax,ExceptionContinueExecution

        pop edx
        return

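        ;-----------------------------------------------------------------
        ; Program entry.
        ; Flow: pick a file -> CreateFile -> CreateFileMapping -> MapViewOfFile
        ;       -> install SEH frame -> check 'MZ' and 'PE',0,0 -> report
        ;       -> release everything in reverse order -> ExitProcess.
        ; Each failure jumps to the epilogue of the nesting level it failed
        ; at, so nothing is unmapped or closed that was never mapped or
        ; opened, and fs:[0] is only rewritten after it was replaced.
        ; Register use: eax = API results, edi = cursor into the mapping.
        ;-----------------------------------------------------------------

        ; ---- verdict / error reporting ----------------------------------
        PETrue:
                invoke MessageBox,0,FileValidPE,AppName,0
                jmp CleanUp
        PEFalse:
                invoke MessageBox,0,FileInValidPE,AppName,0
                jmp CleanUp
        LFileOpenError:                          ; CreateFile failed: nothing to release
                invoke MessageBox,0,FileOpenError,AppName,0
                jmp Finish
        LFileOpenMappingError:                   ; CreateFileMapping failed: only hFile is open
                invoke MessageBox,0,FileOpenMappingError,AppName,0
                jmp EFileOpenError
        LFileMappingError:                       ; MapViewOfFile failed: hMapping and hFile are open
                invoke MessageBox,0,FileMappingError,AppName,0
                jmp EFileOpenMappingError

        start:
                ; Ask the user for a file.  88 is the full OPENFILENAME size
                ; including the Win2000+ trailing fields - keep it in step
                ; with the OPENFILENAME struc in win32a.inc.
                mov [ofn.lStructSize],88
                mov [ofn.lpstrFilter], FilterString
                mov [ofn.lpstrFile], buffer
                mov [ofn.nMaxFile],512           ; size of 'buffer'
                mov [ofn.Flags], OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
                invoke GetOpenFileName, ofn
                test eax,eax                     ; 0 = cancelled or failed
                jz Finish

                invoke CreateFile, buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
                cmp eax,INVALID_HANDLE_VALUE     ; CreateFile does not signal failure with 0
                je LFileOpenError
                mov [hFile],eax

                invoke CreateFileMapping, [hFile], NULL, PAGE_READONLY,0,0,0
                test eax,eax
                jz LFileOpenMappingError
                mov [hMapping],eax

                invoke MapViewOfFile,[hMapping],FILE_MAP_READ,0,0,0
                test eax,eax
                jz LFileMappingError
                mov [pMapping],eax

                ; Install the SEH frame.  The file content is untrusted: a
                ; bogus e_lfanew makes the signature read fault, and
                ; SEHHandler turns that into ValidPE = FALSE and resumes at
                ; FinalExit with the esp/ebp saved here.  Fill the record
                ; completely before publishing it at fs:[0].
                push dword[fs:0]
                pop [seh.PrevLink]
                mov [seh.CurrentHandler],SEHHandler
                mov [seh.SafeOffset],FinalExit
                mov [seh.PrevEsp],esp
                mov [seh.PrevEbp],ebp
                lea eax, [seh]
                mov [fs:0], eax                  ; frame is live from here to CleanUp

                mov edi, [pMapping]
                virtual at edi
                        idh   IMAGE_DOS_HEADER
                end virtual

                cmp  [idh.e_magic],IMAGE_DOS_SIGNATURE      ; 'MZ'
                jne PEFalse

                ; e_lfanew is taken straight from the file and is not
                ; compared with the mapping size.  An out-of-range value is
                ; only caught when the read faults; a value that lands in
                ; some other mapped page is read as if it were a header.
                ; A real parser must bounds-check it against the file size.
                add edi,[idh.e_lfanew]
                virtual at edi
                        inh IMAGE_NT_HEADERS
                end virtual

                mov [ValidPE], FALSE
                cmp [inh.Signature], IMAGE_NT_SIGNATURE     ; 'PE',0,0
                jne FinalExit
                mov [ValidPE], TRUE

        FinalExit:                               ; also the resume point used by SEHHandler
                cmp [ValidPE],TRUE
                je PETrue
                cmp [ValidPE],FALSE
                je PEFalse

        CleanUp:                                 ; unlink our record from the SEH chain
                push [seh.PrevLink]
                pop dword [fs:0]

        EFileMappingError:                       ; epilogue, level 3: view is mapped
                invoke UnmapViewOfFile, [pMapping]

        EFileOpenMappingError:                   ; epilogue, level 2: mapping object is open
                invoke CloseHandle,[hMapping]

        EFileOpenError:                          ; epilogue, level 1: file is open
                invoke CloseHandle, [hFile]

        Finish:
                invoke ExitProcess,0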


section '.idata' import data readable writeable

        ; Links against all eight DLLs and pulls in the full API lists from
        ; the 'apia' includes, so no per-function import declarations are
        ; needed.  Only kernel32 (file/mapping/handle APIs, ExitProcess),
        ; user32 (MessageBox) and comdlg32 (GetOpenFileName) are actually
        ; called by this program.
        library kernel32,'KERNEL32.DLL',\
                user32,'USER32.DLL',\
                gdi32,'GDI32.DLL',\
                advapi32,'ADVAPI32.DLL',\
                comctl32,'COMCTL32.DLL',\
                comdlg32,'COMDLG32.DLL',\
                shell32,'SHELL32.DLL',\
                wsock32,'WSOCK32.DLL'

        include '%include%/apia/kernel32.inc'
        include '%include%/apia/user32.inc'
        include '%include%/apia/gdi32.inc'
        include '%include%/apia/advapi32.inc'
        include '%include%/apia/comctl32.inc'
        include '%include%/apia/comdlg32.inc'
        include '%include%/apia/shell32.inc'
        include '%include%/apia/wsock32.inc'                                  
    


Last edited by Beowulf on 05 Nov 2003, 16:35; edited 1 time in total
Post 30 Oct 2003, 17:45
GuyonAsm



Beowulf,

I like how you set up your import section, so that you don't have to declare each and every function like I used to do; from now on I'm going to use your method there at the bottom.

I have a question. When you are reading the IMAGE_DOS_HEADER and you get to e_lfanew, is that offset measured from the beginning of the file, or from that position in the file to the IMAGE_NT_HEADER?

_________________
I shall not evade what is predestined
because every battle, is another lesson
- GuyonAsm.

A Believer of The System.
Post 05 Nov 2003, 15:10
roticv



From the beginning of the file. Therefore it is usually "reg+3ch".

Anyway, there is no need to add the "64h" prefix byte by hand; instead use something like mov [fs:0], esp
Post 05 Nov 2003, 16:15
GuyonAsm



roticv,

Thanks for the reply. I was just wondering, because I use a different method for walking through the file instead of mapping it (CreateFile, then the ReadFile function). Okay, last question pertaining to this.

You say it is the offset from the beginning of the file. So for all the other offsets in the other structures (IMAGE_OPTIONAL_HEADER32, for example), are they based at the beginning of the file, or do different fields in the structure expect you to add from the structure base and on up?

_________________
I shall not evade what is predestined
because every battle, is another lesson
- GuyonAsm.

A Believer of The System.
Post 05 Nov 2003, 17:42
roticv



GuyonAsm wrote:
roticv,

Thanks for the reply. I was just wondering, because I use a different method for walking through the file instead of mapping it (CreateFile, then the ReadFile function). Okay, last question pertaining to this.


Yes, I have done that before, making use of memory allocation and ReadFile.

Quote:
You say it is the offset from the beginning of the file. So for all the other offsets in the other structures (IMAGE_OPTIONAL_HEADER32, for example), are they based at the beginning of the file, or do different fields in the structure expect you to add from the structure base and on up?


If I remember correctly, most are relative to the file offset. For example, the address (if I did get the name correctly) of the section is relative to the file offset. It seems so long since I last fooled with the PE format *grins*
Post 06 Nov 2003, 04:37
eet_1024



GuyonAsm:

If you use the latest includes from the Win32GUI distribution of fasm, you can write:
Code:
include '%include%/win32ax.inc'          ; extended include: provides the .data/.code/.end macros used below
format PE GUI 4.0

.data
MyVar  dd 0
.code
; Main: minimal procedure body; returns with eax = 0.
proc Main
enter
   mov   eax, 0
return
.end Main                                ; presumably emits the entry point and import data for 'Main' - that is the point of this post
    
Post 06 Nov 2003, 07:12