flat assembler
Message board for the users of flat assembler.
StakFallT 16 Aug 2007, 05:38
I'm working on a new project of mine (the whole LCD with a sine_y text location while scrolling with music was just too much), something I had the idea for for a while now. More or less, it's an EncryptionAPI middleman, designed to see what encryption APIs are being called (by any process, aka: global or system), display the parameters and the result of the API call on the screen to the user, and in between allow the call to go through.
I've read through pages and pages of all the different methods and techniques of how to intercept API calls, and from what I've seen, patching the API in the DLL sitting in memory seems to have the best elegance-to-difficulty ratio. One of the pages I read was: http://www.internals.com/articles/apispy/apispy.htm I even worked a bit with a Delphi mouse hook, which was eh.. it started out looking like it would do what I needed it to, except it only hooked messages/events, not the actual APIs. When I looked into doing an API memory-patch with Delphi the code looked pretty horrific, lots of ^ptr stuff, really nasty looking things. I hate symbols (no phun intended), that's why I try to stay away from C like the plague. Oddly enough, asm seemed easier to accomplish this with, as it seems to have a better knack for working with numbers just as they are, no -> or ^ or & or any of that other whacky stuff. Problem is, GetProcAddress always seems to return back all 0s in the eax register, which according to the MSDN site means it failed. Now my first instinct is that the GetModuleHandle isn't completing right, but it is, at least from what I can tell. I have my code output the module_handle after it retrieves it, and it's always the same no matter how many times I run it (haven't tried a reboot yet), so I know it's not random, which kind of implies to me it's working. Anyhow, I've attached the code. Now granted, I'm sure there's about a billion ways to rewrite the code; I've found coding to be like math in general, there's like a billion ways to arrive at the same answer. Some things some may find bad, some things some may find good, which is why I'm not really too concerned with improving the layout of the code or anything, I just want it to work. -- StakFallT
Yardman 16 Aug 2007, 06:25
[ Post removed by author. ]
Last edited by Yardman on 04 Apr 2012, 02:26; edited 1 time in total
StakFallT 17 Aug 2007, 00:12
Changing the dwords to double dwords didn't help any. As for the line:
invoke GetProcAddress, [DLLHandle], "CryptAcquireContextA"
As per http://allapi.mentalis.org/apilist/GetProcAddress.shtml, the reason that line exists is to discover where that function's address is. It's not actually calling the CryptAcquireContext API. And yes, I've tried it without the Ansi postfix on the end. -- StakFallT
DOS386 17 Aug 2007, 00:55
> double dwords didn't help any
Works perfectly for me. Download: http://board.flatassembler.net/download.php?id=2843 and look at MNPEXX3.ASM.
Bug Nr.: 12345 Title: Hello World program compiles to 100 KB !!! Status: Closed: NOT a Bug
sinsi 17 Aug 2007, 01:41
If you change this line you will find that GetModuleHandle is returning 0:
Code:
cinvoke wsprintf, tmp_buf2, <"ADVAPI32.dll handle: %i",13,10>, [DLLHandle]
This is because ADVAPI32.DLL isn't mapped (since you don't use any functions from it) - you need to use LoadLibrary first.
StakFallT 17 Aug 2007, 02:03
I'm a little confused. I'm reading both allapi documents on LoadLibrary and GetProcAddr, and obviously I can see the difference in parameters, and obviously they're using different descriptions for the APIs' purpose, but for some reason I'm just not getting what the difference between the two is.
By the sounds of it, I'd use GetProcAddr if I were actually using the CryptAcquireContext API, since Windows will automatically load the DLL into memory, and I use LoadLibrary when I'm not causing Windows to autoload it by using the API. It sounds like LoadLibrary is a way to force Windows to load the DLL into memory under circumstances when Windows would not have normally loaded it. Both situations kind of detract (if I'm correct in understanding what both of those APIs are for) from the main purpose of the prog, to display encryption API parameters by patching the kernel's memory. The reason I'm bringing this up is because I have a small concern that if I'm "load"ing the module (DLL) into memory, I'm now heading down a different road and not actually working with the memory space where advapi32 is loaded by the kernel when the OS is booted. -- StakFallT
Yardman 17 Aug 2007, 04:23
[ Post removed by author. ]
Last edited by Yardman on 04 Apr 2012, 02:50; edited 1 time in total
sinsi 17 Aug 2007, 04:53
Yardman: Here's the output from your code
Quote:
Notice how the ADVAPI32 handle is the same? It's because of this line:
Code:
cinvoke wsprintf, tmp_buf2, <"ADVAPI32.dll handle: %i",13,10>, DLLHandle
No brackets around DLLHandle passes the address of DLLHandle, not the contents, and the contents are 00000000 - GetModuleHandle fails with error 7E - ERROR_MOD_NOT_FOUND. Replace GetModuleHandle with LoadLibrary and it works OK.
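Putting sinsi's two points together, as an added example that is not code from the thread or from the attached program: LoadLibrary instead of GetModuleHandle so the DLL is actually mapped, [DLLHandle] in brackets so the stored handle (not the variable's address) is passed on, and a GetLastError check whenever a call returns 0. It assumes fasm's win32a.inc and uses msvcrt printf for output in place of wsprintf.

```asm
format PE console
entry start

include 'win32a.inc'

section '.data' data readable writeable
    dll_name   db 'advapi32.dll',0
    func_name  db 'CryptAcquireContextA',0
    fmt_handle db 'advapi32.dll handle: %08X',13,10,0
    fmt_proc   db 'CryptAcquireContextA at: %08X',13,10,0
    fmt_fail   db 'call failed, GetLastError = %u',13,10,0
    DLLHandle  dd 0          ; receives the module handle
    ProcAddr   dd 0          ; receives the function address

section '.code' code readable executable
start:
    ; LoadLibrary maps the DLL if this process has not loaded it yet;
    ; GetModuleHandle only finds a module that is already mapped.
    invoke  LoadLibrary, dll_name
    mov     [DLLHandle], eax
    test    eax, eax
    jz      .fail
    ; [DLLHandle] passes the stored value; a bare DLLHandle would pass
    ; the address of the variable instead, which is the bug in the thread.
    cinvoke printf, fmt_handle, [DLLHandle]

    invoke  GetProcAddress, [DLLHandle], func_name
    mov     [ProcAddr], eax
    test    eax, eax
    jz      .fail
    cinvoke printf, fmt_proc, [ProcAddr]

    invoke  FreeLibrary, [DLLHandle]
    invoke  ExitProcess, 0

.fail:
    ; eax is pushed before the format string, so it still holds the error code
    invoke  GetLastError
    cinvoke printf, fmt_fail, eax
    invoke  ExitProcess, 1

section '.idata' import data readable
    library kernel32, 'KERNEL32.DLL', msvcrt, 'MSVCRT.DLL'
    import  kernel32, \
            LoadLibrary, 'LoadLibraryA', \
            GetProcAddress, 'GetProcAddress', \
            GetLastError, 'GetLastError', \
            FreeLibrary, 'FreeLibrary', \
            ExitProcess, 'ExitProcess'
    import  msvcrt, \
            printf, 'printf'
```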
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.