flat assembler
Message board for the users of flat assembler.

Windows > Section writable at runtime?
Azu
How do I make a section writable at runtime? Or make a section executable at runtime? Google has failed me (or I just don't know how to word the search)..


P.S. If that is impossible, how can I add a section with some initialized data without making the exe 512 bytes bigger? Putting "align 4" doesn't work for some reason.
Post 17 Feb 2009, 08:38
revolution
Look at VirtualProtectEx in the Win32 help. You can change access permissions of the process.
Post 17 Feb 2009, 09:02
Azu
Thanks.. I meant BEFORE my code that imports Win32 functions, though. Basically before anything else is run. Is there no way to do it in asm?
Post 17 Feb 2009, 09:12
revolution
You can make your own import table and give the OS a minimal import table to use. Clearly you need at least one imported function else the OS loader cannot load your exe, but the remaining functions can be located at runtime. Requires a bit of coding though and I don't think it would be worth the effort.

Of course you do know about the section directive right?
Post 17 Feb 2009, 09:18
Azu
revolution wrote:
You can make your own import table and give the OS a minimal import table to use. Clearly you need at least one imported function else the OS loader cannot load your exe, but the remaining functions can be located at runtime. Requires a bit of coding though and I don't think it would be worth the effort.

Of course you do know about the section directive right?
Yes, but every section I add takes 512 bytes unless it is only uninitialized data.. so I want to just have one section.. or find a way around the 512 byte problem. I think if I can have the code section writable then this won't be a problem. I can't set it to be writable by default because this makes AVs very angry. So I want to know how to do it at runtime. Or how to make additional sections without taking so much space. If you don't want to tell me how, okay, but could you give me a hint what to search for at least please?
Post 17 Feb 2009, 09:24
revolution
At runtime is the VirtualProtectEx I wrote above. You can allocate memory with VirtualAlloc also and set the permissions at that time.
Post 17 Feb 2009, 09:27
revolution
I'm not 100% sure about what you mean. But here goes ...

IIRC the 512 byte thing is an OS fixed parameter. You must have your sections aligned in the file at 512 bytes. The only way to get a smaller section is with a native exe (format PE native) which has an alignment of 0x20 for both the file and the memory (1:1 mapping) generally used for drivers though so maybe not useful for a normal app.
Post 17 Feb 2009, 09:33
revolution
Azu wrote:
Is there a way to do it before importing win32 apis though?
Here is how the loader does its thing (simplified):
  1. load each section from file into memory
  2. do the import relocations (if any)
  3. set the section permissions
  4. jump to your start point
You can't do anything in between these steps. Only at the last step can you then change permissions and do allocations etc.
Post 17 Feb 2009, 09:36
Azu
revolution wrote:
At runtime is the VirtualProtectEx I wrote above. You can allocate memory with VirtualAlloc also and set the permissions at that time.
I think I asked my question wrong.

Okay basically here is how I have it now


~~~
executable writable section:

get the win32 functions I need

store them here

code which uses win32 functions
~~~

It won't work without the section being writable, but if it's set in the header as writable it triggers heuristics. So I thought maybe something like this

~~~
executable section:

change section to be writable

get the win32 functions I need

store them here

code which uses win32 functions
~~~

But I don't know how to do that before I get the win32 functions



revolution wrote:
I'm not 100% sure about what you mean. But here goes ...

IIRC the 512 byte thing is an OS fixed parameter. You must have your sections aligned in the file at 512 bytes. The only way to get a smaller section is with a native exe (format PE native) which has an alignment of 0x20 for both the file and the memory (1:1 mapping) generally used for drivers though so maybe not useful for a normal app.


I tried using "format PE native" instead of "format PE" but it still adds 512 bytes for each section, and the align command doesn't work either.
Post 17 Feb 2009, 09:41
revolution
You can always change the executable section permissions (after step 4) with VirtualProtectEx, no problem. Then you can write whatever you want to that section. It just becomes another data section (and an executable section).

But like I mentioned, you will need at least one import for the loader to recognise your exe. That part you cannot avoid if you want reliable operation.

Actually I have a thread here somewhere about a program with no imports. Although it only works on some versions of Windows. Search for it if you are interested.


Last edited by revolution on 17 Feb 2009, 09:46; edited 1 time in total
Post 17 Feb 2009, 09:44
Azu
So it's impossible to do it before I have got the win32 function table set up?
Post 17 Feb 2009, 09:46
revolution
Azu wrote:
So it's impossible to do it before I have got the win32 function table set up?
Your code doesn't get runtime execution until all the imports, relocations and permissions are resolved. So, no, you can't change anything before the imports are done.
Post 17 Feb 2009, 09:50
Azu
revolution wrote:
Azu wrote:
So it's impossible to do it before I have got the win32 function table set up?
Your code doesn't get runtime execution until all the imports, relocations and permissions are resolved. So, no, you can't change anything before the imports are done.
I do the imports later in runtime, I need the section writable to do them.. adding a data section to write to or an import section to let Windows do the imports always takes up 512 bytes when I try..



Is it then impossible to make a 1KB program for windows without setting off heuristics?
Post 17 Feb 2009, 09:53
revolution
Azu wrote:
Is it then impossible to make a 1KB program for windows without setting off heuristics?
Perhaps true. The AVs are very conservative and trigger on anything out of the ordinary.
Post 17 Feb 2009, 09:56
Azu
So there is no way to set it writable without Win32, and no way to make a section below 512 bytes?

Okay.. well thanks for your time. You saved me a lot of headache trying to find a way.




Edit: wait the format PE native does work, my mistake. I didn't know it would make the file as .sys instead of .exe so I was looking at the old .exe and seeing it not get smaller.

I can't figure out how to run the .sys though. I tried renaming it to .exe and .com but it won't run.. can't run it in dosbox either.. hmm.. I'll post back here if I find a way to run it.
Post 17 Feb 2009, 09:58
Grom PE
Azu, keep in mind that reducing your file by 511 bytes (at best) won't reduce disk space usage, since the smallest cluster size is 512 bytes. It won't save much when archived, either, because it's only a zero block.

But if you really want, nothing stops you from writing PE in binary mode like this:
http://board.flatassembler.net/topic.php?t=8632
Or maybe modifying fasm so it won't align the last section physical size.
Post 17 Feb 2009, 11:02
Azu
Grom PE wrote:
Azu, keep in mind that reducing your file by 511 bytes (at best) won't reduce disk space usage, since the smallest cluster size is 512 bytes. It won't save much when archived, either, because it's only a zero block.

But if you really want, nothing stops you from writing PE in binary mode like this:
http://board.flatassembler.net/topic.php?t=8632
Or maybe modifying fasm so it won't align the last section physical size.
Thanks. It will, since that is for the whole file instead of per section. None of the raw PE examples I could find on this forum are 32bit though; the one you linked to is also 16bit. I tried changing use16 to use32 but it still won't work. 64bit OS can run 32bit code but not 16bit (I'm not sure why this is, shouldn't whatever 32bit OSs use to run 16bit code run fine on what the 64bit OS uses to run 32bit code? Ah well)..

Guess I will keep looking ^^ thanks anyways.
Post 17 Feb 2009, 11:10
revolution
I posted this somewhere previously, but here it is again:
~~~
format  binary
BaseAddress=0x400000
SectionAlignment=0x1000
FileAlignment=0x200
org     BaseAddress
RVA     equ -BaseAddress+

curr_file_offset=0
curr_section_num equ 0
Section0_start=$
curr_checksum=0
section@virtualLength=0

; pad the output file up to the next multiple of v
macro file_align v* {
        local a
        virtual
                align   v
                a=$-$$
        end virtual
        times   a db 0
}

DOS_Header:
        .e_magic        dw      'MZ'
        .e_cblp         dw      0x0080
        .e_cp           dw      0x0001
        .e_crlc         dw      0x0000
        .e_cparhdr      dw      0x0004
        .e_minalloc     dw      0x0008
        .e_maxalloc     dw      0x0008
        .e_ss           dw      0x0004
        .e_sp           dw      0x0080
        .e_csum         dw      0x0000
        .e_ip           dw      0x0000
        .e_cs           dw      0x0000
        .e_lfarlc       dw      0x0040
        .e_ovno         dw      0x0000
        .e_res          rw      4
        .e_oemid        dw      0x0000
        .e_oeminfo      dw      0x0000
        .e_res2         rw      10
        .e_lfanew       dd      RVA PE_header

; 16-bit DOS stub, run only when the file is started under DOS
DOS_stub:
        use16
        push    cs
        pop     ds
        mov     ah,9
        mov     dx,.message-DOS_stub
        int     21h
        mov     ax,4cffh
        int     21h
        .message:
        db      'Minimum - Win95',0dh,0ah,'$'
        use32

        file_align 4

PE_header:
        .Signature              dd      'PE'

FileHeader:
        .Machine                dw      0x014c
        .NumberOfSections       dw      NumberOfSections
        .TimeDateStamp          dd      %t
        .PointerToSymbolTable   dd      0
        .NumberOfSymbols        dd      0
        .SizeOfOptionalHeader   dw      SectionTable-OptionalHeader
        .Characteristics        dw      0x010f

OptionalHeader:
        .Magic                          dw      0x010b
        .MajorLinkerVersion             db      0
        .MinorLinkerVersion             db      0
        .SizeOfCode                     dd      0
        .SizeOfInitializedData          dd      0
        .SizeOfUnInitializedData        dd      0
        .AddressOfEntryPoint            dd      RVA Entry@Start
        .BaseOfCode                     dd      0
        .BaseOfData                     dd      0
        .ImageBase                      dd      BaseAddress
        .SectionAlignment               dd      SectionAlignment
        .FileAlignment                  dd      FileAlignment
        .MajorOSVersion                 dw      1
        .MinorOSVersion                 dw      0
        .MajorImageVersion              dw      0
        .MinorImageVersion              dw      0
        .MajorSubSystemVersion          dw      4
        .MinorSubSystemVersion          dw      0
        .Win32VersionValue              dd      0
        .SizeOfImage                    dd      SizeOfImage
        .SizeOfHeaders                  dd      Section0_length
        .CheckSum                       dd      0
        .SubSystem                      dw      2       ;GUI
        .DLLCharacteristics             dw      0
        .SizeOfStackReserve             dd      0x1000
        .SizeOfStackCommit              dd      0x1000
        .SizeOfHeapReserve              dd      0x10000
        .SizeOfHeapCommit               dd      0
        .LoaderFlags                    dd      0
        .NumberOfDataDirectories        dd      (SectionTable-Data_Directories)shr 3

Data_Directories:
        .Export_Table           dd      0,0
        .Import_Table           dd      RVA ImportSection,ImportSection.length
        if 1
        .Resource_Table         dd      0,0
        .Exception_Table        dd      0,0
        .Certificate_Table      dd      0,0
        .Relocation_Table       dd      0,0
        .Debug_Data             dd      0,0
        .Architecture           dd      0,0
        .Global_PTR             dd      0,0
        .TLS_Table              dd      0,0
        .Load_Config_Table      dd      0,0
        .BoundImportTable       dd      0,0
        .ImportAddressTable     dd      0,0
        .DelayImportDescriptor  dd      0,0
        .COMplusRuntimeHeader   dd      0,0
        .Reserved               dd      0,0
        end if

SectionTable:

; one 40-byte header per section defined with .section below
rept 32 num {
        if num<=NumberOfSections
        Section#num:
                .Name                   dq      Section#num#_name
                .VirtualSize            dd      Section#num#_length
                .VirtualAddress         dd      RVA Section#num#_start
                .SizeOfRawData          dd      Section#num#_file_length
                .PointerToRawData       dd      Section#num#_file_start
                .PointerToRelocations   dd      0
                .PointerToLinenumbers   dd      0
                .NumberOfRelocations    dw      0
                .NumberOfLinenumbers    dw      0
                .Characteristics        dd      Section#num#_characteristics
        end if
}

        file_align FileAlignment

; running PE checksum over the bytes emitted so far
macro update_checksum {
        local j
        repeat ($-$$)/2
                load j word from (%-1)*2+$$
                curr_checksum=curr_checksum+j
                curr_checksum=(curr_checksum and 0xffff)+(curr_checksum shr 16)
        end repeat
        if curr_section_num=0
                store dword final_checksum at OptionalHeader.CheckSum
        end if
}
macro .section_finish {
        match num,curr_section_num\{
                Section\#num\#_length=($+section@virtualLength)-Section\#num\#_start
                file_align FileAlignment
                update_checksum
                Section\#num\#_file_length=$-Section\#num\#_start
                curr_file_offset=curr_file_offset+$-Section\#num\#_start
                if Section\#num\#_length=0
                        org (($+section@virtualLength)+SectionAlignment)and(not(SectionAlignment-1))
                else
                        org (($+section@virtualLength)+SectionAlignment-1)and(not(SectionAlignment-1))
                end if
                section@virtualLength=0
        \}
}
macro .section name*,characteristics* {
        .section_finish
        match s,curr_section_num\{rept 2 n:s\\{curr_section_num equ n\\}\}
        match num,curr_section_num\{
                Section\#num\#_start=$
                Section\#num\#_file_start=curr_file_offset
                Section\#num\#_characteristics=characteristics
                Section\#num\#_name=name
        \}
}
macro .end start* {
        .section_finish
        SizeOfImage=RVA $
        NumberOfSections=curr_section_num
        Entry@Start=start
        final_checksum=curr_checksum+curr_file_offset
}

.section '.text',0xe0000020     ;read write execute

Start:  pushd   0
        pushd   Caption
        pushd   Text
        pushd   0
        call    [MessageBox]
        pushd   0
        call    [ExitProcess]

.section '.data',0xc0000040     ;read write

Caption db      'Caption',0
Text    db      'Text',0

.section '.udata',0xc0000040    ;read write
virtual

        rd      1280

section@virtualLength=$-$$
end virtual
.section '.idata',0xc0000040    ;read write

ImportSection:
        dd      0,0,0,RVA kernel_name,RVA kernel_table
        dd      0,0,0,RVA user_name,RVA user_table
        dd      0,0,0,0,0

        _ExitProcess    db      0,0,'ExitProcess',0
        _MessageBox     db      0,0,'MessageBoxA',0

        kernel_name     db      'KERNEL32.DLL',0
        user_name       db      'USER32.DLL',0

        file_align 4

        kernel_table:
        ExitProcess     dd      RVA _ExitProcess
                        dd      0
        user_table:
        MessageBox      dd      RVA _MessageBox
                        dd      0

ImportSection.length=$-ImportSection

.end Start
~~~
Post 17 Feb 2009, 11:47
Azu
Thanks.. I guess it is impossible. If I change the FileAlignment (the SectionAlignment doesn't do anything) to anything besides 0x200 I get the "is not a valid Win32 application" error. I think that means it is a 16bit program whenever the sections aren't 512 byte aligned. Oh well..
Post 17 Feb 2009, 11:53
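As an added example, not code from the thread or from fasm: a small Python inspector for the two header properties the thread turns on, a section Characteristics value granting both write and execute (the 0xe0000020 used for .text above, which is what AV heuristics react to) and a FileAlignment the loader will accept. The sample image is constructed inline (header and section table only, no section bodies) and the alignment rule applied is the one in the PE specification.

```python
"""Audit a PE header for W+X sections and an invalid FileAlignment."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_SIZE = 0x1000


def parse_sections(data):
    """Return (SectionAlignment, FileAlignment, [(name, Characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # OptionalHeader start
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((fields[0].rstrip(b"\0").decode(), fields[9]))
    return sect_align, file_align, sections


def writable_executable(sections):
    """Names of sections whose header grants both write and execute."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, chars in sections if chars & wx == wx]


def file_alignment_ok(sect_align, file_align):
    """PE spec rule: FileAlignment is a power of two in 512..64K, except when
    the image is mapped 1:1 (SectionAlignment below a page), where the two
    must be equal.  Lowering only FileAlignment to 0x100 fails this check,
    which is the 'not a valid Win32 application' case from the thread."""
    if sect_align < PAGE_SIZE:
        return file_align == sect_align
    return 512 <= file_align <= 0x10000 and file_align & (file_align - 1) == 0


def build_image(sect_align, file_align, sections):
    """Constructed minimal PE32 header plus section table (sample data only)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000,
                      0, 0, 0x400000, sect_align, file_align).ljust(224, b"\0")
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x010F)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 0, 0, 0, 0, 0, 0, 0, 0, c) for n, c in sections)
    return dos + b"PE\0\0" + fh + opt + table


# Constructed sample mirroring the thread: RWX .text beside RW .data.
SAMPLE = build_image(0x1000, 0x200, [(".text", 0xE0000020), (".data", 0xC0000040)])

if __name__ == "__main__":
    sa, fa, secs = parse_sections(SAMPLE)
    print("W+X sections:", writable_executable(secs))
    print("FileAlignment valid:", file_alignment_ok(sa, fa))
```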
Grom PE
Azu wrote:
None of the raw PE examples I could find on this forum are 32bit though :( the one you linked to is also 16bit.

There's no PE format with 16-bit code, you're confusing it with DOS stub.
Post 17 Feb 2009, 11:55
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.