flat assembler
Message board for the users of flat assembler.
Windows > win32 api creation == ?
revolution 26 Mar 2008, 10:00
API emulation is an advanced topic with little relevance to fasm specifically.
But basically if you simply duplicate the code the API would have executed into your app then you have "emulated" the API. It can be a lot of work or it can be easy, depending upon the specific API that you want to emulate. If you have administrator access then I suppose accessing the registry might be possible without an API but it would be very difficult. The registry is a core function of the kernel and not typically directly implemented by a DLL. Using the int 0x2e (or sysenter) interface directly is a possible path but it is very OS version specific and likely to fail unless the target OS exactly matches the development OS.
FrozenKnight 25 Apr 2008, 13:19
Viruses can and will use anything available to them. Some viruses even go as far as to use no visible API at all. (Yes, there are ways of calling the API with an empty imports table.) A good way of faking API returns (that may even allow you to edit out harmful code) would be to make a DLL that contains every API used by your code and name it the same as the system DLL you are using and place it in the same directory as your program. You can even call the real API inside the DLL. (Though I'm not sure if you have to use some trick when doing this.)
AlexP 25 Apr 2008, 13:23
Or just use the import or export tables of Kernel32 (or was it ntdll?) to get the address of the function you want; that's what I've seen in a lot of copy protection.
I have an example program if you would like. Plus, a lot of virii just require their host to import functions like GetProcAddress or something. Then that function is called to get all the APIs the virus needs. I have quite a few examples of that if you would like also.
vid 25 Apr 2008, 13:50
Look into the API code, and check what it does. But I think you'd have to use hardcoded kernel API numbers and interrupts/SYSCALL, and that is not portable across different windowses.
bitRAKE 25 Apr 2008, 15:38
Code:
HANDLE.CurrentProcess = -1
HANDLE.CurrentThread = -2

Code:
macro HANDLE.STD_OUTPUT_HANDLE {
    mov eax,[fs:$30]  ; PEB
    mov eax,[eax+$10] ; ProcessParameters
    mov eax,[eax+$1C] ; output
}

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
bitRAKE 26 Apr 2008, 06:05
Rereading, the above post seems like half a post.
Normally, the Windows API must be called to get these handles. (The first of which are just constants used internally by Windows - I'll bet they are defined as constants in the Windows source code. The second example is access to internal Windows variables to obtain the standard output handle - the same thing done by the API code.) With a large library of such shortcuts the use of Windows code can be minimized (for any number of good/bad reasons).
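As an added illustration (not code from the thread or from fasm), the same three-load walk written in C over explicit 32-bit structure layouts, so the hard-coded +$10 and +$1C offsets can be checked against named fields and the walk exercised on a constructed memory image instead of a live process; peb32_t, rtl_user_process_parameters32_t, read32_fn and the fake address space are names and values chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit Windows layouts with explicit field widths, so the offsets the macro
   hard-codes hold on any host compiler. Only the leading fields are declared;
   the real structures continue past them. */
typedef struct {
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    uint32_t Mutant;
    uint32_t ImageBaseAddress;
    uint32_t Ldr;
    uint32_t ProcessParameters;      /* offset 0x10: the macro's [eax+$10] */
} peb32_t;

typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    uint32_t ConsoleHandle, ConsoleFlags;
    uint32_t StandardInput;          /* 0x18 */
    uint32_t StandardOutput;         /* 0x1C: the macro's [eax+$1C] */
    uint32_t StandardError;          /* 0x20 */
} rtl_user_process_parameters32_t;

/* The macro's loads after fs:[$30], over an abstract dword reader so the same
   walk applies to a live process, a memory dump, or the constructed image below. */
typedef uint32_t (*read32_fn)(void *ctx, uint32_t va);

uint32_t std_output_from_peb(read32_fn read32, void *ctx, uint32_t peb_va) {
    uint32_t params = read32(ctx, peb_va + offsetof(peb32_t, ProcessParameters));
    return read32(ctx, params + offsetof(rtl_user_process_parameters32_t, StandardOutput));
}

/* Constructed 32-bit address-space fragment (hypothetical, not from a real
   process): one 8 KiB window based at 0x7FFD0000. Unmapped reads return 0. */
typedef struct { uint32_t base; uint8_t mem[0x2000]; } fake_space_t;

static uint32_t fake_read32(void *ctx, uint32_t va) {
    fake_space_t *s = ctx;
    uint32_t v = 0;
    if (va >= s->base && va - s->base + 4 <= sizeof s->mem)
        memcpy(&v, s->mem + (va - s->base), 4);
    return v;
}

/* Places process parameters at base+0 and a PEB at base+0x1000 pointing to
   them, sets StandardOutput to the constructed handle value 7, then walks. */
uint32_t demo_walk(void) {
    static fake_space_t s;
    memset(&s, 0, sizeof s);
    s.base = 0x7FFD0000u;
    uint32_t v = s.base;                     /* PEB.ProcessParameters = VA of params */
    memcpy(s.mem + 0x1000 + offsetof(peb32_t, ProcessParameters), &v, 4);
    v = 7;                                   /* params.StandardOutput = 7 */
    memcpy(s.mem + offsetof(rtl_user_process_parameters32_t, StandardOutput), &v, 4);
    return std_output_from_peb(fake_read32, &s, s.base + 0x1000);   /* returns 7 */
}
```

The offsets are specific to 32-bit processes: on 64-bit Windows the PEB is reached through gs:[0x60] with ProcessParameters at +0x20 and StandardOutput at +0x28, so the 32-bit constants read the wrong fields there, which is the same class of version/bitness fragility that revolution and vid point out for raw syscalls.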
Copyright © 1999-2025, Tomasz Grysztar.