flat assembler
Message board for the users of flat assembler.
Windows > Dll is using Absolute addressing
okasvi 09 Sep 2006, 22:32
This could be what you're looking for, unless I got your problem totally wrong.
A bit cryptic examples, but I hope they work.

Code:
;at the entry of your dll
call krnl32b                    ; eax = base of kernel32.dll
push szApi                      ;ie. szApi db 'LoadLibraryA',0
push eax
call getapiaddr
mov [LoadLibrary], eax          ; LoadLibrary dd ?
push szWs2_32                   ; db 'ws2_32',0
call [LoadLibrary]
push szWsastartup               ; db 'WSAStartup',0
push eax
call getapiaddr
;....now just find IAT of executable to hook and replace
;entries there to your hooked procs that will do what ever you want
;UNLESS you were thinking about detours...

Code:
krnl32b:
    mov eax, [fs:30h]           ; PEB on NT; on 9x this is a kernel-range pointer, so the sign bit is set
    test eax, eax
    js @f
    mov eax, [eax+0ch]          ; PEB.Ldr
    mov eax, [eax+1ch]          ; InInitializationOrderModuleList.Flink (ntdll)
    mov eax, [eax]              ; next entry (kernel32 on 2000/XP)
    mov eax, [eax+8]            ; DllBase
    retn
@@:                             ; Win9x layout
    mov eax, [eax+34h]
    lea eax, [eax+7ch]
    mov eax, [eax+3ch]
    retn

getapiaddr:
    push ebp
    mov ebp, esp
    ;stack
    ;ebp+0Ch sz api
    ;ebp+08h mod handle
    push esi edi ebx
    mov esi, [ebp+08h]
    cmp word [esi], 'MZ'        ; DOS header
    jnz .err
    add esi, [esi + 03ch]       ; e_lfanew -> PE header
    cmp dword [esi], 'PE'
    jnz .err
    mov edi, [ebp+0Ch]
    mov ecx, 200
    xor al, al
    repnz scasb                 ; find the terminating 0 of the api name
    mov ecx, edi
    sub ecx, [ebp+0Ch]          ; ecx = length including the 0
    mov edx, [esi + 078h]       ; DataDirectory[0].VirtualAddress = export directory RVA
    add edx, [ebp+08h]
    mov ebx, [edx+20h]          ; AddressOfNames
    add ebx, [ebp+08h]
    xor eax, eax                ; eax = name index
.l1:
    mov edi, [ebx]
    add edi, [ebp+08h]
    mov esi, [ebp+0Ch]
    push ecx
    repz cmpsb                  ; compare whole name, terminator included
    jz .l2
    pop ecx
    add ebx, 4
    inc eax
    cmp eax, [edx+18h]          ; NumberOfNames
    jz .l3
    jmp .l1
.l2:
    add esp, 4                  ; discard saved ecx
.l3:
    cmp eax, [edx+18h]
    je .err                     ; name not found
    mov esi, [edx+24h]          ; AddressOfNameOrdinals
    add esi, [ebp+08h]
    push edx
    mov ebx, 2
    xor edx, edx
    mul ebx                     ; eax = index*2
    pop edx
    add eax, esi
    xor ecx, ecx
    mov word cx, [eax]          ; cx = ordinal
    mov edi, [edx+1Ch]          ; AddressOfFunctions
    xor edx, edx
    mov ebx, 4
    mov eax, ecx
    mul ebx                     ; eax = ordinal*4
    add eax, [ebp+08h]
    add eax, edi
    mov eax, [eax]              ; function RVA
    add eax, [ebp+08h]          ; -> VA
    jmp .ret
.err:
    xor eax, eax
.ret:
    pop ebx edi esi
    leave
    retn 2*04h                  ; pop the two dword arguments
FrozenKnight 13 Sep 2006, 11:03
okasvi, that is really neat. I traced it to see what it was doing, but I still don't understand it. Could you explain how it works to me, or point me to a resource that does?
vid 13 Sep 2006, 11:11
wow, DLL without relocs, you are a brave man
but if you synchronize it with all system32 dlls using rebase.exe from the MSVC package, you have a good chance it will still be loaded
FrozenKnight 18 Sep 2006, 18:45
I found 2 ways to get it to load: one was using reloc, the other was to specify the address to load the DLL to. (The latter didn't always work.)
RedGhost 18 Sep 2006, 21:14
FrozenKnight wrote:
    okasvi, that is really neat. I traced it to see what it was doing, but I still don't understand it. Could you explain how it works to me, or point me to a resource that does?

First it's getting the base of kernel32.dll from the PEB (process environment block); the js is a 9x test, where it's located in a different location. Then his code is enumerating the PE headers to locate the exports.
_________________
redghost.ca
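As an added example, not okasvi's code and not part of this thread: the export-directory walk that getapiaddr performs, written in Python so the steps RedGhost describes can be run and inspected offline. It operates on a constructed flat image (RVA equals offset, module base 0) built by build_test_image; the export names and RVAs are made-up test data, and the offsets are the standard 32-bit PE ones the assembly uses.

```python
import struct

# Offsets used by getapiaddr in the post (32-bit PE; export fields are RVAs):
# e_lfanew at 0x3C, DataDirectory[EXPORT].VirtualAddress at PE+0x78, and in the
# export directory NumberOfNames +0x18, AddressOfFunctions +0x1C,
# AddressOfNames +0x20, AddressOfNameOrdinals +0x24.

def resolve_export(image, name):
    """Return the RVA of export `name`, or None; same walk as getapiaddr."""
    if image[:2] != b"MZ":                      # cmp word [esi], 'MZ'
        return None
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":           # cmp dword [esi], 'PE'
        return None
    exp = struct.unpack_from("<I", image, pe + 0x78)[0]
    if exp == 0:                                # module exports nothing
        return None
    n_names, funcs, names, ords = struct.unpack_from("<4I", image, exp + 0x18)
    target = name.encode() + b"\0"              # compare including the terminator
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        end = image.index(b"\0", name_rva) + 1
        if image[name_rva:end] == target:
            ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]       # the *2 step
            return struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]  # the *4 step
    return None

def build_test_image(exports):
    """Constructed test data: a flat image (RVA == offset, base 0) with the given exports."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    pe, exp, n = 0x80, 0x200, len(exports)
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<I", img, pe + 0x78, exp)
    funcs, names, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    struct.pack_into("<5I", img, exp + 0x14, n, n, funcs, names, ords)
    cursor = ords + 2 * n                       # string pool follows the three tables
    for i, (name, rva) in enumerate(sorted(exports.items())):
        ordinal = n - 1 - i                     # != i on purpose: name order is not function order
        struct.pack_into("<I", img, funcs + 4 * ordinal, rva)
        struct.pack_into("<I", img, names + 4 * i, cursor)
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        img[cursor:cursor + len(name) + 1] = name.encode() + b"\0"
        cursor += len(name) + 1
    return bytes(img)

if __name__ == "__main__":
    img = build_test_image({"GetProcAddress": 0x1100, "LoadLibraryA": 0x1200, "WSAStartup": 0x1300})
    print(hex(resolve_export(img, "LoadLibraryA")))   # 0x1200
```

The ordinal table is deliberately not the identity here, which is why the index found in AddressOfNames must go through AddressOfNameOrdinals before AddressOfFunctions, exactly the two multiplications in the assembly.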
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.