flat assembler
Message board for the users of flat assembler.

[Win32 imports] maybe find FASM BUG !!!

zjlcc (Joined: 23 Jul 2003; Posts: 32; Location: china), 10 Aug 2003, 01:13
Maybe [section '.idata' import data readable writeable] has an error

EDIT 2008-11-28 by DOS386 : enhanced subject and moved to Windows


Attachment: no import.zip (6.32 KB, downloaded 441 times)
zjlcc (Joined: 23 Jul 2003; Posts: 32; Location: china), 12 Aug 2003, 16:54
Privalov: no questions?
gorshing (Joined: 27 Jul 2003; Posts: 72; Location: Okla, US), 12 Aug 2003, 18:56
I believe he is on vacation for a while.

And needless to say doesn't have much time to check this board out.

Give him a few days and I bet he will let you know.
pelaillo, Missing in inaction (Joined: 19 Jun 2003; Posts: 878; Location: Colombia), 13 Aug 2003, 07:03
zjlcc,
there is no error in fasm.

The Windows loader seems not to like a PE without any imports; this is the reason for your working version. Look at the comrade's comment in their masm version.

It is interesting to know a way to bypass the loader....

Best Regards,
scientica, Retired moderator (Joined: 16 Jun 2003; Posts: 689; Location: Linköping, Sweden), 13 Aug 2003, 10:53
Do I need to say more, then, than that some AV apps make a bit of a fuss when they see an exe with "unorthodox" import sections? (Heuristic search function)
I see no use for this "import hack", since it may not work on all Windows versions.
Why would one use this kind of import section bypass? For what purposes?

_________________
... a professor saying: "use this proprietary software to learn computer science" is the same as an English professor handing you a copy of Shakespeare and saying: "use this book to learn Shakespeare without opening the book itself."
- Bradley Kuhn
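A defender-side check for the kind of file this thread is about: the Python below is an added example (not code from this thread or from the fasm project) that parses the PE headers and reports whether the import data directory is populated, the property that the loader tolerates on XP but that AV heuristics flag. The header-only sample image it builds is constructed for illustration and is not a loadable executable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import table in the data directory array


def has_import_directory(data: bytes) -> bool:
    """Return True if the PE image in `data` declares a non-empty import directory.

    Walks DOS header -> PE signature -> COFF header -> optional header -> data directories
    and raises ValueError on malformed input rather than guessing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return False                             # array too short to even hold an import entry
    rva, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    return rva != 0 and size != 0


def build_minimal_pe32(import_rva: int, import_size: int) -> bytes:
    """Constructed sample: header-only PE32 image (not loadable) with the given import entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after the DOS header
    # Machine=i386, 0 sections, 224-byte optional header, Characteristics=EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("imports:", has_import_directory(build_minimal_pe32(0x2000, 0x28)))   # True
    print("imports:", has_import_directory(build_minimal_pe32(0, 0)))           # False
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; a False result is a triage signal worth a closer look, not proof of anything on its own.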
pelaillo, Missing in inaction (Joined: 19 Jun 2003; Posts: 878; Location: Colombia), 13 Aug 2003, 11:52
The knowledge ;)

small is beautiful...
roticv (Joined: 19 Jun 2003; Posts: 374; Location: Singapore), 13 Aug 2003, 13:01
You still need to import at least one function. If not, the exe loader will give a nasty error.
Smarty (Joined: 15 Aug 2003; Posts: 2), 15 Aug 2003, 09:19
roticv wrote:
    You still need to import at least one function. If not, the exe loader will give a nasty error.

You are quite right if we speak about W2K (and W9x). But in WinXP an EXE file may be totally free of an 'import' section, and there will be no problem loading such a file for execution.

_________________
Sorry for my Not So Clear English
Tomasz Grysztar (Joined: 16 Jun 2003; Posts: 8354; Location: Kraków, Poland), 16 Aug 2003, 14:33
There is no problem with running a PE program without any imports, but in this particular case the problem is that when you don't import any function from KERNEL32, this module is not necessarily loaded/mapped into your address space. And since you are searching for that module in the way to get the LoadLibrary function address, you need to have at least one import from KERNEL32.DLL to make sure it is in memory. In my tests, it was working very well even without imports on WinXP (so this system seems to always load the kernel module), but not on Win95.
zjlcc (Joined: 23 Jul 2003; Posts: 32; Location: china), 16 Aug 2003, 16:13
Privalov:
please run my example exe on win9x [not tested on other win32 OS].
It was working without imports very well; you can analyze it with eXeScope, OllyDbg or other tools.

And the source code, I have not put it right yet, wait for a while.

Attachment: True no imports.zip (410 Bytes, downloaded 427 times)
zjlcc (Joined: 23 Jul 2003; Posts: 32; Location: china), 17 Aug 2003, 15:22
source code

Attachment: test.zip (803 Bytes, downloaded 415 times)
roticv (Joined: 19 Jun 2003; Posts: 374; Location: Singapore), 18 Aug 2003, 12:43
One problem is that you hardcoded the DLL address of kernel32.dll. It differs on different OS versions. For example:

Win98 (1st and 2nd editions) - 0xBFF70000
WinME - 0xBFF60000
WinNT (service pack 4 and 5) - 0x77F00000

If you want you can try searching for kernel32.dll by
Code:
    mov     eax, [esp]          ; return address of the entry point, which lies inside kernel32
    xor     ax, ax              ; round down to a 64 KB boundary
@@:
    sub     eax, 1000h          ; step back one page
    cmp     word [eax], 'MZ'    ; DOS header signature of the module (fasm character order)
    jne     @b                  ; keep scanning until the header is found

or
Code:
    mov     eax, [fs:30h]       ; NT: PEB; Win9x: a pointer into the shared area above 2 GB
    mov     edx, 0B8h
    mov     ecx, [eax+30h]
    test    eax, eax
    jns     KI_1                ; sign bit clear -> user-mode PEB, NT family
    mov     ebx, [eax+34h]      ; Win9x path
    or      ecx, ecx
    jnz     KI_2
KI_1:
    mov     eax, [eax+0Ch]      ; PEB->Ldr
    sub     edx, 0B0h           ; edx = 8: DllBase relative to the list link
    mov     eax, [eax+1Ch]      ; Ldr->InInitializationOrderModuleList.Flink
    mov     ebx, [eax]          ; next entry in that list
KI_2:
    mov     eax, [ebx+edx]      ; image base of kernel32.dll

Just to say that your code does not work on 2ksp4.
zjlcc (Joined: 23 Jul 2003; Posts: 32; Location: china), 18 Aug 2003, 13:59
Thank you roticv very much!!!! I will install win2003 in a while.

And thank you everyone :)
roticv (Joined: 19 Jun 2003; Posts: 374; Location: Singapore), 18 Aug 2003, 14:39
You are welcome. Glad to help.
Smarty (Joined: 15 Aug 2003; Posts: 2), 21 Aug 2003, 10:33
Privalov wrote:
    There is no problem with running a PE program without any imports, but in this particular case the problem is that when you don't import any function from KERNEL32, this module is not necessarily loaded/mapped into your address space. And since you are searching for that module in the way to get the LoadLibrary function address, you need to have at least one import from KERNEL32.DLL to make sure it is in memory. In my tests, it was working very well even without imports on WinXP (so this system seems to always load the kernel module), but not on Win95.

This moment always amazes me. So the fact is: in the Win9x family, KERNEL32.DLL (and other system DLLs) are loaded in a COMMON address space above 2 GB, and any process in this system certainly has that DLL in its address space. On the other hand, in the W2K family, system DLLs are loaded in the PERSONAL address space of each process, so KERNEL32.DLL may or may NOT be loaded in the process's address space. These are all well-known facts, but one question remains without an answer: why in Win9x must an exe file have an import section if the main DLL libraries are ALREADY loaded??

_________________
Sorry for my Not So Clear English
baldr (Joined: 19 Mar 2008; Posts: 1651), 27 Jul 2008, 12:30
Smarty wrote:
    On the other hand, in the W2K family, system DLLs are loaded in the PERSONAL address space of each process, so KERNEL32.DLL may or may NOT be loaded in the process's address space.

AFAIK, there are two internal functions in KERNEL32.DLL, namely BaseProcessStart and BaseThreadStart, used to call your main thread and the others, respectively. By the way, because of this you can simply ret from any of your threads (provided your stack is balanced), and a simple exception handler allows you to debug a faulty program without any effort (again, if you set up AeDebug properly).

So that is probably the reason KERNEL32.DLL is mapped into every process's address space.
asmcoder (Joined: 02 Jun 2008; Posts: 784), 27 Jul 2008, 13:46
[content deleted]
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
