flat assembler
Message board for the users of flat assembler.

NtDelayExecution
asmrox 08 Feb 2008, 15:16
How should the call to NtDelayExecution be made?
I tried many ways; they didn't work.
revolution 08 Feb 2008, 15:21
Check out my website for info on NtDelayExecution
smoke 09 Feb 2008, 10:36
Doesn't something like this work?
Code:
push 1000000 ; delay in microseconds: 1000000 = 1 second
push 0 ; if this value is set to 1, the thread becomes alertable (however I have no idea what this means)
call [NtDelayExecution]
    
asmrox 10 Feb 2008, 01:03
2nd argument is a pointer

Code:
format pe console
section '.code' code readable executable writeable
push large_integer
push 0
call [NtDelayExecution] 
retn
large_integer dq -1
section '.idata' import data readable
dd 0,0,0,RVA ntdll_name,RVA ntdll_table
dd 5 dup 0
ntdll_table:
NtDelayExecution dd RVA _NtDelayExecution
dd 0
ntdll_name db 'ntdll.dll',0
_NtDelayExecution db 0,0,'NtDelayExecution',0    


Returns 0x80000002 and no sleep.
Goplat 10 Feb 2008, 03:07
0x80000002 is STATUS_DATATYPE_MISALIGNMENT in ntstatus.h. Try aligning your LARGE_INTEGER to 8 bytes. (Windows NT used to run on multiple kinds of processors and some of them required data alignment, so it's likely that there is still some alignment-checking code in the kernel.)
Alphonso 10 Feb 2008, 08:01
asmrox wrote:
2nd argument is a pointer

Code:
format pe console
section '.code' code readable executable writeable
push large_integer
push 0
call [NtDelayExecution] 
retn
large_integer dq -1
section '.idata' import data readable
dd 0,0,0,RVA ntdll_name,RVA ntdll_table
dd 5 dup 0
ntdll_table:
NtDelayExecution dd RVA _NtDelayExecution
dd 0
ntdll_name db 'ntdll.dll',0
_NtDelayExecution db 0,0,'NtDelayExecution',0    


Returns 0x80000002 and no sleep.


Having a bit of a guess here, but it seems to me...

1. Delay appears to be in 100 ns units, a Windows thing?

2. You need to use two's complement negation for your 'large_integer', sounds like fun!

3. You appear to want an infinite wait (-1); for that you need 8000000000000000h, unlike the -1 used with SleepEx.

4. Data needs to be aligned. Thanks Goplat.

so...

Code:
  neg     dword [large_integer]
  adc     dword [large_integer+4],0
  neg     dword [large_integer+4]       ;Two's Complement Negation of large_integer
 
  push large_integer
  push 0
  call [NtDelayExecution] 
  retn                                  ;I used   invoke  NtDelayExecution,0,large_integer
                                        ;to test

etc...

align 4                             ;might be better to use Goplat's Align 8 here
large_integer    dq 50000000            ;5 seconds in 100nS units
;large_integer    dq 8000000000000000h  ;if you want infinite
    
As I said, only guessing so might be wrong. See documented SleepEx for more info. Hope it helps.

EDIT: Should add that if you're going to use a constant delay, i.e. 2 secs, you can just get fasm to do the work for you.
Code:
delay=20000000     ;2 seconds
large_integer        dq (not delay)+1 
    
Try not to use a negative number, I don't think it'll make things execute quicker; besides, 8000000000000000h should give you more than 29,227 years of delay.
asmrox 10 Feb 2008, 19:28
It works, thx. But it's so complicated, I think I'll stay with kernel32.
f0dder 10 Feb 2008, 19:36
asmrox wrote:
It works, thx. But it's so complicated, I think I'll stay with kernel32.


Why did you even consider the ntdll version?

asmhack 10 Feb 2008, 21:47
f0dder wrote:
asmrox wrote:
It works, thx. But it's so complicated, I think I'll stay with kernel32.


Why did you even consider the ntdll version?


it's more imba
hehehe
f0dder 10 Feb 2008, 23:07
"imba"?
asmhack 10 Feb 2008, 23:31
imbalanced
asmrox 11 Feb 2008, 01:10
1. Why do I have to use alignment?
2. Why, if I place it in another section, don't I have to use alignment?
3. Why do I have to set CF (adc)?
vid 11 Feb 2008, 01:55
1. You should always align data on an address divisible by its size (e.g. dwords on 4, qwords on 8).

2. because sections in memory are automatically aligned to some pretty high value

3. ADC doesn't set CF. Grab CPU manual (http://x86asm.net/links/) and study what ADC does. You might also want to read my recent article to understand working with 64bit numbers: http://x86asm.net/articles/working-with-big-numbers-using-x86-instructions/index.html
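Added example, not code from any post in this thread: a plain C model of the three points the thread settles on (Alphonso's NEG/ADC/NEG negation of a qword through its two dwords, the 100 ns relative-delay encoding, and the 8-byte alignment behind Goplat's STATUS_DATATYPE_MISALIGNMENT), with an explicit carry flag to show why the ADC step is there, which is vid's point that ADC consumes CF rather than setting it. The status values are the ones quoted in the thread; the alignment pre-check and all function names are constructed, and nothing here calls Windows.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the NtDelayExecution argument rules from this thread;
 * plain C, not Windows code and not the FASM posted above. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u        /* value Goplat names */
#define INFINITE_DELAY ((int64_t)0x8000000000000000ull) /* Alphonso's "infinite" */

/* DelayInterval points at a LARGE_INTEGER in 100 ns units; a negative value
 * means "relative to now" (a positive value is an absolute time). */
static int64_t relative_delay_100ns(uint64_t milliseconds) {
    return -(int64_t)(milliseconds * 10000u);   /* 1 ms = 10 000 x 100 ns */
}

/* Alphonso's qword negation done with 32-bit instructions:
 *   neg dword [lo]      ; lo = -lo, CF = (old lo != 0)
 *   adc dword [hi], 0   ; hi += CF  (ADC consumes CF; it does not set it)
 *   neg dword [hi]      ; hi = -hi
 * Modelled with an explicit carry so the ADC step's role is visible. */
static int64_t negate_like_fasm(int64_t value) {
    uint32_t lo = (uint32_t)value;
    uint32_t hi = (uint32_t)((uint64_t)value >> 32);
    unsigned cf = (lo != 0);    /* NEG sets CF iff its operand was non-zero */
    lo = 0u - lo;               /* neg dword [lo]   */
    hi = hi + cf;               /* adc dword [hi],0 */
    hi = 0u - hi;               /* neg dword [hi]   */
    return (int64_t)(((uint64_t)hi << 32) | lo);
}

/* Pre-flight check for the failure asmrox hit: a DelayInterval pointer that is
 * not 8-byte aligned is rejected with STATUS_DATATYPE_MISALIGNMENT. */
static uint32_t check_delay_pointer(const int64_t *delay_interval) {
    return ((uintptr_t)delay_interval & 7u) ? STATUS_DATATYPE_MISALIGNMENT
                                            : STATUS_SUCCESS;
}

/* 8-byte-aligned scratch: offset 0 is aligned, offset 4 is not (like a dq
 * placed right after a dword in a section that is only 'align 4'). */
static _Alignas(8) unsigned char storage[16];

int main(void) {
    printf("5 s relative   = %lld\n", (long long)relative_delay_100ns(5000));
    printf("neg(infinite)  = 0x%016llx (its own negative)\n",
           (unsigned long long)negate_like_fasm(INFINITE_DELAY));
    printf("status @+0 0x%08x, @+4 0x%08x\n",
           check_delay_pointer((const int64_t *)storage),
           check_delay_pointer((const int64_t *)(storage + 4)));
    return 0;
}
```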
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
