flat assembler
Message board for the users of flat assembler.
Windows > [Win32 imports] maybe find FASM BUG !!!
zjlcc 10 Aug 2003, 01:13
Maybe [section '.idata' import data readable writeable] has an error.
EDIT 2008-11-28 by DOS386: enhanced subject and moved to Windows
zjlcc 12 Aug 2003, 16:54
Privalov: no questions?
pelaillo 13 Aug 2003, 07:03
zjlcc,
there is no error in fasm. The Windows loader seems not to like a PE without any imports; this is the reason for your working version. Look at the comrade's comment in their MASM version. It is interesting to know a way to bypass the loader.... Best Regards,
scientica 13 Aug 2003, 10:53
Do I need to say more than that some AV apps make a bit of a fuss when they see an exe with "unorthodox" import sections? (Heuristic search function)
I see no use for this "import hack", since it may not work on all Windows versions. Why would one use this kind of import section bypass? For what purposes?
_________________
... a professor saying: "use this proprietary software to learn computer science" is the same as an English professor handing you a copy of Shakespeare and saying: "use this book to learn Shakespeare without opening the book itself." - Bradley Kuhn
pelaillo 13 Aug 2003, 11:52
The knowledge.
small is beautiful...
roticv 13 Aug 2003, 13:01
You still need to import at least one function. If not, the exe loader will give a nasty error.
Smarty 15 Aug 2003, 09:19
roticv wrote: You still need to import at least one function. If not, the exe loader will give a nasty error.
You are quite right if we talk about W2K (and W9x). But in WinXP an EXE file may be totally free of an 'import' section, and there will be no problem loading such a file for execution.
_________________
Sorry for my Not So Clear English
Tomasz Grysztar 16 Aug 2003, 14:33
There is no problem with running a PE program without any imports, but in this particular case the problem is that when you don't import any function from KERNEL32, this module is not necessarily loaded/mapped into your address space. And since you are searching for that module in order to get the LoadLibrary function address, you need to have at least one import from KERNEL32.DLL to make sure it is in memory. In my tests, it worked very well even without imports on WinXP (so this system seems to always load the kernel module), but not on Win95.
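The requirement Tomasz describes, at least one import from KERNEL32.DLL, is met by the smallest possible '.idata' section. The following is an added example, not code from the thread, from zjlcc or from fasm's own sources: a complete 32-bit fasm program whose hand-written import section imports exactly one function (ExitProcess) from KERNEL32.DLL, so the loader maps KERNEL32 into the process no matter how the program later goes on to locate LoadLibrary. The label names are the example's own choice.

```asm
; Added example: minimal PE with a single KERNEL32.DLL import.
; Assumed: 32-bit fasm syntax, assembled with "fasm minimal.asm".
format PE GUI 4.0
entry start

section '.text' code readable executable

start:
        ; use the one imported function so the program exits cleanly
        push    0
        call    [ExitProcess]

section '.idata' import data readable writeable

        ; import directory: one IMAGE_IMPORT_DESCRIPTOR, then a zero terminator
        ; fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        dd      0,0,0,RVA kernel32_name,RVA kernel32_table
        dd      0,0,0,0,0

kernel32_table:
  ExitProcess   dd RVA _ExitProcess      ; IAT slot, overwritten by the loader
                dd 0                      ; end of this DLL's thunk list

kernel32_name   db 'KERNEL32.DLL',0

_ExitProcess    dw 0                      ; IMAGE_IMPORT_BY_NAME: hint, then name
                db 'ExitProcess',0
```

The first five dwords are the descriptor (OriginalFirstThunk left at zero, as fasm's own import macros do), the next five are the terminator. Dropping both the descriptor and the `call [ExitProcess]` gives the import-free PE the thread discusses, which is where the behaviour starts to depend on the Windows version.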
zjlcc 16 Aug 2003, 16:13
Privalov: please run this example exe of mine on Win9x [not tested on other Win32 OSes]. It was working very well without imports; you can analyze it with eXeScope, OllyDbg or other tools. As for the source code, I have not put it right yet; wait for a while.
zjlcc 17 Aug 2003, 15:22
source code
roticv 18 Aug 2003, 12:43
One problem is that you hardcoded the DLL address of kernel32.dll. It differs on different OS versions. For example:
Win98 (1st and 2nd editions) - 0xBFF70000
WinME - 0xBFF60000
WinNT (service pack 4 and 5) - 0x77F00000

If you want you can try searching for kernel32.dll by
Code:
        mov     eax,[esp]               ; at the entry point the return address lies inside KERNEL32
        xor     ax,ax                   ; round down to a 64K boundary
@@:
        sub     eax,1000h               ; step down one page at a time
        cmp     word [eax],'MZ'         ; until the DOS header of the image is found
        jne     @b
                                        ; eax = kernel32 image base
or
Code:
        mov     eax,fs:[30h]            ; NT: PEB; Win9x: a structure above 2 GB
        mov     edx,0B8h
        mov     ecx,[eax+30h]
        test    eax,eax
        jns     KI_1                    ; address below 2 GB -> NT family
        mov     ebx,[eax+34h]           ; Win9x path: base taken from [[eax+34h]+0B8h]
        or      ecx,ecx
        jnz     KI_2
  KI_1:
        mov     eax,[eax+0Ch]           ; PEB.Ldr
        sub     edx,0B0h                ; edx = 8, DllBase offset from the init-order links
        mov     eax,[eax+1Ch]           ; Ldr.InInitializationOrderModuleList.Flink (ntdll)
        mov     ebx,[eax]               ; next entry: kernel32 on 2000/XP
  KI_2:
        mov     eax,[ebx+edx]           ; eax = kernel32 image base
Just to say that your code does not work on 2ksp4.
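Once the KERNEL32 base is known, the address of LoadLibrary (the goal Tomasz mentions above) still has to come from somewhere other than the import table. As an added example, not roticv's or zjlcc's code, the routine below takes the image base in eax, as roticv's snippets leave it, and walks KERNEL32's export directory comparing each exported name against "LoadLibraryA". The offsets are the documented IMAGE_NT_HEADERS32 and IMAGE_EXPORT_DIRECTORY layouts; the label names are the example's own.

```asm
; Added example: resolve LoadLibraryA from the export table of KERNEL32.
; Assumed: 32-bit fasm syntax; in: eax = KERNEL32 image base;
; out: eax = address of LoadLibraryA, or 0 if the name is not exported.
find_loadlibrary:
        push    ebx esi edi ebp
        mov     ebx,eax                         ; ebx = image base
        mov     eax,[ebx+3Ch]                   ; e_lfanew -> IMAGE_NT_HEADERS
        mov     eax,[ebx+eax+78h]               ; DataDirectory[EXPORT].VirtualAddress
        add     eax,ebx                         ; eax = IMAGE_EXPORT_DIRECTORY
        mov     ebp,eax                         ; keep it for the ordinal lookup
        mov     ecx,[eax+18h]                   ; NumberOfNames
        mov     esi,[eax+20h]                   ; AddressOfNames (RVA)
        add     esi,ebx
        xor     edx,edx                         ; edx = index into the name table
  .next:
        cmp     edx,ecx
        jae     .fail                           ; ran out of names
        mov     edi,[esi+edx*4]                 ; RVA of the edx-th name string
        add     edi,ebx
        cmp     dword [edi],'Load'              ; compare "LoadLibraryA" 4 bytes at a time
        jne     .skip
        cmp     dword [edi+4],'Libr'
        jne     .skip
        cmp     dword [edi+8],'aryA'
        jne     .skip
        cmp     byte [edi+12],0                 ; require the terminator: exact match only
        je      .found
  .skip:
        inc     edx
        jmp     .next
  .found:
        mov     eax,[ebp+24h]                   ; AddressOfNameOrdinals (RVA)
        add     eax,ebx
        movzx   edx,word [eax+edx*2]            ; ordinal (index into AddressOfFunctions)
        mov     eax,[ebp+1Ch]                   ; AddressOfFunctions (RVA)
        add     eax,ebx
        mov     eax,[eax+edx*4]                 ; RVA of the exported function
        add     eax,ebx                         ; eax = absolute address of LoadLibraryA
        jmp     .done
  .fail:
        xor     eax,eax
  .done:
        pop     ebp edi esi ebx
        ret
```

The routine does not follow forwarded exports, which LoadLibraryA in KERNEL32 is not on the Windows versions discussed in this thread, and it is 32-bit only; with the base found by either of roticv's snippets, `call find_loadlibrary` leaves the address in eax ready to be called with a DLL name on the stack.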
zjlcc 18 Aug 2003, 13:59
Thank you, roticv, very much!!!! I will install win2003 in a while, and thanks everyone.
roticv 18 Aug 2003, 14:39
You are welcome. Glad to help.
Smarty 21 Aug 2003, 10:33
Privalov wrote: There is no problem with running a PE program without any imports, but in this particular case the problem is that when you don't import any function from KERNEL32, this module is not necessarily loaded/mapped into your address space. And since you are searching for that module in order to get the LoadLibrary function address, you need to have at least one import from KERNEL32.DLL to make sure it is in memory. In my tests, it worked very well even without imports on WinXP (so this system seems to always load the kernel module), but not on Win95.
This moment always amazes me. So the facts are: in the Win9x family KERNEL32.DLL (and other system DLLs) are loaded in the COMMON address space above 2Gb, and any process in this system certainly has that DLL in its address space. On the other hand, in the W2k family system DLLs are loaded in the PERSONAL address space of each process, so KERNEL32.DLL may or may NOT be loaded in a process's address space. These are all well-known facts, but only one question remains without an answer: why in Win9x must an exe file have an import section if the main DLL libraries are ALREADY loaded??
_________________
Sorry for my Not So Clear English
baldr 27 Jul 2008, 12:30
Smarty wrote: On the other hand, in the W2k family system DLLs are loaded in the PERSONAL address space of each process, so KERNEL32.DLL may or may NOT be loaded in a process's address space.
AFAIK, there are two internal functions in KERNEL32.DLL, namely BaseProcessStart and BaseThreadStart, used to call your main thread and other threads, respectively. By the way, because of this you can simply ret from any of your threads (provided your stack is balanced), and a simple exception handler allows debugging a faulty program without any effort (again, if you set up AeDebug properly). So that is probably the reason KERNEL32.DLL is mapped in every process's address space.
asmcoder 27 Jul 2008, 13:46
[content deleted]
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.