flat assembler
Message board for the users of flat assembler.

Index > Windows > Understanding basic code

Author
Thread Post new topic Reply to topic
JohnCal



Joined: 18 Sep 2008
Posts: 4
JohnCal
Hi everyone.
Im attempting to have dynamically import every API by finding the kernel32.dll base address then exporting the API into my program.
I received this code.

Code:
find_kernel32:                                            ; 
  push esi                                                ; preserve the esi register.
        push ecx                                                ; preverse the ecx register.
        xor ecx, ecx                                    ; zero ecx so that it can be used as the
                                                                    ;   offset to obtain the first entry in the SEH list.
       mov esi, fs:[ecx]                           ; grab the first entry in the SEH list and store it in esi.
 not ecx                                                 ; flip all the bits in ecx so that it can be used in the
                                                                    ;   comparison later to determine if the last exception
                                                                     ;   handler has been hit.
find_kernel32_seh_loop:                                ; 
  lodsd                                                   ; load the next entry in the SEH list and store it in eax.
  mov esi, eax                                    ; initialize esi to the next entry in the list so that it’s
                                                                       ;   ready should the code need to loop again.
       cmp [eax], ecx                                  ; compare the value at eax to see if its set to 0xFFFFFFFF.
                                                                 ;   if it is, the last entry in the list has been reached and
                                                                       ;   it’s function pointer should be inside kernel32.dll.
  jne find_kernel32_seh_loop              ; if the values are not equal then the base address has not
                                                                 ;   been found. Loop again.
find_kernel32_seh_loop_done:         ; 
  mov eax, [eax + 0x04]                   ; if the next entry in the list was equal to 0xFFFFFFFF, one
                                                                        ;   knows the end has been hit. As such one can extract the
                                                                 ;   function pointer for this entry and store it in eax.
find_kernel32_base_loop:                        ; 
  dec eax                                                 ; decrement eax. If the previous value was aligned to a 64Kb
                                                                        ;   boundary, this will set us the low 16 bits of eax to
                                                                    ;   0xFFFF. if this is not the case it will simply decrement
                                                                        ;   eax to an undetermined value.
   xor ax, ax                                              ; zero the low 16 bits of eax to align the address on a
                                                                     ;   64Kb boundary.
  cmp word ptr [eax], 0x5A4D              ; check to see if the 2 byte value at eax is ’MZ’.
      jne find_kernel32_base_loop             ; if the values do not match, loop again and go to the next
                                                                 ;   lower 64Kb boundary. if they do match, drop down as the
                                                                 ;   base address of kernel32.dll has been successfully found.
find_kernel32_base_finished:               ; 
  pop ecx                                                 ; restore ecx to its original value.
        pop esi                                                 ; restore esi to its original value.
        ret                                                             ; return address to the caller.
    


I assume it is in NASM syntax but I have converted it to FASM.

Code:
GetKernelBase:
        find_kernel32:
            push esi
            push ecx

            xor ecx, ecx

            mov esi, [fs:ecx] ;How exactly does this work

            not ecx        

        find_kernel32_seh_loop:
            lodsd                                                
            mov esi, eax                            

            cmp [eax], ecx ;Why does it crash here, the debugger views this as cmp dword ptr ds:[eax], ecx, why? What is ds and why is it there?
            jne find_kernel32_seh_loop

        find_kernel32_seh_loop_done:
            mov eax, [eax + 4h] ;Crashes, same thing happens here, debugger: mov eax, dword ptr ds:[eax + 4h] 

        find_kernel32_base_loop:
            dec eax     
            xor ax, ax
            cmp word [eax], 0x5A4D ;Crashes, same thing also happens here

            jne find_kernel32_base_loop

        find_kernel32_base_finished:
            pop ecx   
            pop esi
            ret
    


I have commented what I need help with.
Basically what are the segment registers, why would you use them, when would you use them, and why does it crash?

Thanks a lot.

-JohnCal
Post 18 Sep 2008, 04:10
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system
revolution
Why can't you use LoadLibrary and GetProcAddress like everyone else? What you are trying to do is not guaranteed to work in all situations and it looks like the sort of thing that virus code does to try and hide itself from AVs.
Post 18 Sep 2008, 04:28
View user's profile Send private message Visit poster's website Reply with quote
iic2



Joined: 26 Jun 2008
Posts: 123
iic2
Quote:
Im attempting to have dynamically import every API by finding

the kernel32.dll base


I have not check your code yet but can it match this little Rocket.

Win95 --- Xp sp3

Code:
;----  Get
;----  Kernel Base  M Z

         mov  eax, [fs:30h]
         mov  edx, 0B8h
         mov  ecx, [eax+30h]
         test eax,  eax
     jns KI_1
         mov  ebx, [eax+34h]
         test ecx,  ecx
     jnz KI_2

 KI_1:
         mov  eax, [eax+0Ch]
         sub  edx, 0B0h
         mov  eax, [eax+1Ch]
         mov  ebx, [eax]
 KI_2:
         mov  eax, [ebx+edx]
         mov [BUFFER_0], eax

     xor  eax, eax
     mov  eax, [fs:00h]    

revolution, ... It's fun. You beat me by seconds. I been using this for years. Forget about the bad guys. We need to learn and to help ourselfs also instead of getting a bag full of suprizes. The bad guy will pay in the long run because I will seek, find and destroy.
...
...
Post 18 Sep 2008, 04:42
View user's profile Send private message Reply with quote
iic2



Joined: 26 Jun 2008
Posts: 123
iic2
revolution, knows better than most of us anyway by law. But now that i read what you are trying to do, you do sound like our asmcoder which some of us is beginning to have a little faith in.

OK, simply find some code that works, like above. Use messagebox as your debugger to see what you get... surf the web for all of those 1000 questions in a row. Than ask a few that you did not read understand while searching... Good luck and no homework please.

It's all about what you find or come up with to make it efficient, better and faster so all can enjoy.
....
....
Post 18 Sep 2008, 05:15
View user's profile Send private message Reply with quote
Alphonso



Joined: 16 Jan 2007
Posts: 294
Alphonso
Your code is probably crashing because it is trying to access inaccessible memory. Try this
Code:
find_kernel32:
        push esi
        push ecx
        xor ecx, ecx
        mov eax, [fs:ecx]            ;exchanged for mov esi, [fs:ecx]
        not ecx

find_kernel32_seh_loop:
        mov  esi,eax                 ;instead of destroying pointer esi with mov esi, eax
        lodsd
        cmp eax, ecx                 ;not [eax]
        jne find_kernel32_seh_loop

find_kernel32_seh_loop_done:
        mov eax, [esi]               ;esi has already been incremented by lodsd

find_kernel32_base_loop:
        dec eax
        xor ax, ax
        cmp word [eax], 0x5A4D
        jne find_kernel32_base_loop

find_kernel32_base_finished:
        pop ecx
        pop esi
        ret    

But why don't you simply use...
Code:
invoke GetModuleHandle,'Kernel32'    
...since you need to have an import table anyway, unless your maybe trying to inject code into another process Confused
Post 18 Sep 2008, 09:07
View user's profile Send private message Reply with quote
JohnCal



Joined: 18 Sep 2008
Posts: 4
JohnCal
Thanks iic2 and Alphonso for those code snippets and anyone else who helped. No this is not viral code, I'm just trying to understand how this works. Thanks again guys Very Happy
Post 19 Sep 2008, 01:06
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.