flat assembler
Message board for the users of flat assembler.

Position Independent Code

DBS2007



Joined: 09 Dec 2007
Posts: 4
DBS2007 09 Dec 2007, 13:21
Hey ASM freaks.

My first steps on FASM.
I am doing code injection of some position-independent code I work on.
So I call VirtualAllocEx and then CreateRemoteThread.
This means that I have no idea (pre-execution) at which address my code will end up, so I have to use the delta-call trick.

This is some of the code i inject:

Code:
injection:
        JMP injstart

        dwSleep                    dd 00000000h  ; [EBP - 169h]
        pe32b                      PROCESSENTRY32; [EBP - 165h]
        hsnap2                     dd 00000000h  ; [EBP - 3Dh]
        psstr                      db '12.exe',0 ; [EBP - 39h]
        psPID                      dd 00000000h  ; [EBP - 32h]
        newPID                     dd 00000000h  ; [EBP - 2Eh]
      ; Functions
      ; =============
        dwRtlZeroMemory            dd 00000000h  ; [EBP - 2Ah]
        dwlstrcmpi                 dd 00000000h  ; [EBP - 26h]
        dwProcess32Next            dd 00000000h  ; [EBP - 22h]
        dwProcess32First           dd 00000000h  ; [EBP - 1Eh]
        dwCreateToolhelp32Snapshot dd 00000000h  ; [EBP - 1Ah]
        dwDebugActiveProcess       dd 00000000h  ; [EBP - 16h]
        dwWaitForDebugEvent        dd 00000000h  ; [EBP - 12h]
        dwGetThreadContext         dd 00000000h  ; [EBP - 0Eh]
        dwSetThreadContext         dd 00000000h  ; [EBP - 0Ah]


injstart:
        CALL delta  ;Delta-Call, getting current position in image
delta:
        POP EBP
        INC EBP
     ; Wait for '12.exe'
     ; =======================
again:
        stdcall DWORD [EBP - 1Ah],2,0 ; dwCreateToolhelp32Snapshot
        MOV [EBP - 3Dh], EAX  ; hsnap2
        MOV DWORD [EBP - 165h], sizeof.PROCESSENTRY32 ; p32b.dwSize
        LEA EDX, [EBP - 165h]
        stdcall DWORD [EBP - 1Eh] ,[EBP - 3Dh], EDX ; dwProcess32First, hsnap2, p32b
loopj:    

        LEA EDX, [EBP - 165h]
        stdcall DWORD [EBP - 22h],[EBP - 3Dh], EDX ; dwProcess32Next, hsnap2, p32b
        CMP EAX, 0
        JE nope2
        LEA EAX, [EBP - 141h] ; p32b.szExeFile
        PUSH EAX
        LEA EAX,  [EBP - 39h] ; psstr
        PUSH EAX
        CALL DWORD [EBP - 26h] ; lstrcmpi
        CMP EAX, 0
        JNE loopj
        MOV EAX, [EBP - 15Dh] ; p32b.th32ProcessID
        MOV [EBP - 32h], EAX ; psPID
        JMP exi
nope2:
        stdcall DWORD [EBP - 169h], 120d ; dwSleep
        JMP again
exi:
     ; Cleanup
        LEA EDX, [EBP - 165h]
        stdcall DWORD [EBP - 2Ah], EDX, sizeof.PROCESSENTRY32 ; dwRtlZeroMemory, p32b
 ;[...] More Stuff   
    


It works fine, except it's a pain in the ASS%$%§%$§% referencing every variable via EBP. I have to keep on calculating the whole time if I add a new var, and the readability sucks. With comments it's barely bearable. (lol)
So I thought maybe you guys know some trick or something that would make life easier.

Thanks in advance, for any useful help.
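For anyone on the other side of this, i.e. scanning executable memory for the prologue shown above, here is an added example (not part of the thread) that looks for the "delta call" idiom: CALL to the very next instruction (E8 00 00 00 00) immediately followed by a POP of a 32-bit register. The sample buffer is constructed here to mirror the CALL delta / POP EBP / INC EBP prologue from the post.

```python
"""Locate the x86 "delta call" (GetPC) idiom, CALL $+5 ; POP r32, in a byte buffer.
This is an added example for the thread above, not code from the original post."""
import re

# Well-known x86 encodings (not page-specific):
#   E8 rel32 = CALL rel32; rel32 == 0 means "call the next instruction"
#   58..5F   = POP r32 in the order EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
POP_REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
DELTA_CALL = re.compile(rb"\xE8\x00\x00\x00\x00([\x58-\x5F])")


def find_delta_calls(buf: bytes):
    """Return [(offset, register), ...] for every CALL $+5 ; POP r32 pair.
    offset is the position of the E8 byte; register is the POP target, which
    ends up holding the runtime address of the instruction after the CALL
    (the 'delta' label in the thread's code)."""
    hits = []
    for m in DELTA_CALL.finditer(buf):
        reg = POP_REGS[m.group(1)[0] - 0x58]
        hits.append((m.start(), reg))
    return hits


# Constructed sample: a short JMP over an 8-byte data area, then the prologue
# from the thread (CALL delta / POP EBP / INC EBP), then NOP filler.
SAMPLE = (
    b"\xEB\x08"                 # JMP short +8 (skip the data block)
    + b"\x00\x00\x00\x00"       # a dword "variable" (constructed)
    + b"12.e"                   # start of a string "variable" (constructed)
    + b"\xE8\x00\x00\x00\x00"   # CALL delta  (delta = next instruction)
    + b"\x5D"                   # POP EBP     -> EBP = address of delta
    + b"\x45"                   # INC EBP
    + b"\x90" * 4               # NOP filler
)

# A CALL with a non-zero displacement followed by POP is an ordinary call
# sequence, not the GetPC idiom, and must not be reported.
NOT_DELTA = b"\xE8\x10\x00\x00\x00\x5D"

if __name__ == "__main__":
    print(find_delta_calls(SAMPLE))     # [(10, 'EBP')]
    print(find_delta_calls(NOT_DELTA))  # []
```

Compiler output almost never contains CALL $+5, so a hit in an executable region is a strong hint of hand-written position-independent code, but it still needs manual confirmation since the byte pattern can also occur by chance inside data.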
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 09 Dec 2007, 13:33
Code:
delta:
...
var     dd ?
...
        mov dword [ebp + (var-delta)], 10   ; ebp = address of delta; the assembler computes the offset
DBS2007



Joined: 09 Dec 2007
Posts: 4
DBS2007 09 Dec 2007, 13:40
Nice. Let the assembler do the calculating.
I think this is as good as it can get.

Thanks vid.
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 09 Dec 2007, 14:13
You're welcome.

I just hope you aren't writing something as lame as malware, to annoy a few thousand people...
DBS2007



Joined: 09 Dec 2007
Posts: 4
DBS2007 09 Dec 2007, 14:16
Nah, I'm writing hacks for games.
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Dec 2007, 15:23
If things start to get too complicated you can inject a DLL instead. http://www.edgeofnowhere.cc/viewtopic.php?p=2483118
DBS2007



Joined: 09 Dec 2007
Posts: 4
DBS2007 09 Dec 2007, 16:02
DLLs are too easy to detect.
Injected code like this would look like a bunch of allocated, unrelated data that could originate from any module in the process or the main module itself.
I have written a simple metamorphic engine in Delphi, which will alter the opcodes of the code to inject, so my hack is not prone to signature scanning.

The anti-cheat will have a hard time detecting this at all.
Ehtyar



Joined: 26 Sep 2006
Posts: 51
Ehtyar 09 Dec 2007, 20:10
You might want to have a Google for "shellcode"; there are some nice external links on Wikipedia, but most of them are for malicious purposes. It should teach you some good tricks, though.

Ehtyar.
Copyright © 1999-2024, Tomasz Grysztar.