flat assembler
Message board for the users of flat assembler.

Index > Windows > Section writable at runtime?

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
Oh. Whenever I see that error I think it is 16-bit. Sorry.

So it means it won't work on anything except DOS? Damn. I guess that's even worse lol.
Post 17 Feb 2009, 11:59
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
The code which revolution posted is 32 bit, and wont work in DOS (you can tell this because it has the PE headers).

As for your question, I am no expert by a long shot, but if you have no imports, which I have seen before, you can still call all the APIs you want to. You do something called kernel walking. Basically the kernel is mapped into every process which is started up so that addresses in the IAT can be retrieved. The kernel will always be loaded in to all processes. What you do is you get an offset to the kernels memory address, and you can do one of a few things.

1. You can find the API which you want to call, and so every time you want to call an API you will have to walk the kernel.

2. You can find an offset to GetProcAddress which you can reference back to a variable in your program, and use that to load the relevant APIs.

Correct me if I am wrong about any of that stuff by the way guys, it may not be all 100% correct.

Also to me it sounds a bit like you are programming malware... In my main forums we see it a lot; people asking for ways to defeat anti-virus heuristics using. Not saying you are doing that, but its generally what people with these sorts of questions are doing...
Post 21 Feb 2009, 18:23
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
Here is the topic I started with the no-import source code.

It is not much use for anything, and won't help any virus code to avoid detection from an AV. But it might be instructive for something.
Post 21 Feb 2009, 18:33
View user's profile Send private message Visit poster's website Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
Thats very impressive revolution, works for me fine.

By the way revolution, how long have you been programming ASM for (as in all ASM if you did stuff before x86 too).
Post 21 Feb 2009, 19:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
I've programmed a few different CPUs: 8085, Z80, 6802, 1802, x86, ARM and also some custom built mainframe CPUs a long time ago.
Post 22 Feb 2009, 01:57
View user's profile Send private message Visit poster's website Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
pal wrote:
The code which revolution posted is 32 bit, and wont work in DOS (you can tell this because it has the PE headers).
Oh. I thought that message should only come up if it isn't a valid EXE for the OS it is opened on.

pal wrote:
As for your question, I am no expert by a long shot, but if you have no imports, which I have seen before, you can still call all the APIs you want to. You do something called kernel walking.
Yes that is what I meant by importing functions at runtime. I save the addresses so I need a writable section first.. unless I want to save them on the stack which I don't..

pal wrote:
Also to me it sounds a bit like you are programming malware... In my main forums we see it a lot; people asking for ways to defeat anti-virus heuristics using. Not saying you are doing that, but its generally what people with these sorts of questions are doing...


No, I could obviously just make a special case in my import loop for VirtualProtect (like I already have to do with LoadLibrary Sad ) if my goal was to make some malware easily.

I want to make the smallest program for win32/win64 possible, though. So I'm trying to find a smaller way. I was hoping there might be a few opcodes I could just use instead.

Or a way to make a writable section in the PE without adding 512 bytes..
Post 22 Feb 2009, 06:23
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
You can make the code section of your program writable if you want to, not too sure if it will help you achieve much here though.

There is a topic from a while ago which talks about the smallest PE file possible, here is the link:

Code:
http://board.flatassembler.net/topic.php?t=5957&postdays=0&postorder=asc&start=0    


Also, you don't have to save the addresses. What you do is you program a function which will do the following:

Before you call the function push the variables for the API to the stack.
1. Find the kernels offset in memory.
2. Find the offset to the function you want (maybe GetProcAddress, but you'll need to push more parameters for that).
3. Call the API using the offset.

But you will need to find a way to store the APIs aliases in the file without using a data section, you may be able to in the code section I dunno.

I've seen things like this done before, so don't give up.

And if it says "Is not a valid Win32 application", it could mean that the headers are wrong and so it wont work.
Post 22 Feb 2009, 13:00
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
pal wrote:
You can make the code section of your program writable if you want to, not too sure if it will help you achieve much here though.
Ya like I said that's how I have it right now, that's not allowed by any sane AVs though :/


pal wrote:
There is a topic from a while ago which talks about the smallest PE file possible, here is the link:
Code:
http://board.flatassembler.net/topic.php?t=5957&postdays=0&postorder=asc&start=0    
Hmm, your file crashes on startup for me. Is it win16/win32 only?

pal wrote:

Also, you don't have to save the addresses. What you do is you program a function which will do the following:

Before you call the function push the variables for the API to the stack.
Like I said, I don't want them saved in the stack.

pal wrote:

1. Find the kernels offset in memory.
2. Find the offset to the function you want (maybe GetProcAddress, but you'll need to push more parameters for that).
3. Call the API using the offset.

But you will need to find a way to store the APIs aliases in the file without using a data section, you may be able to in the code section I dunno.
Ya that's basically what I'm doing, but with hashes and no GetProcAddress.

I've seen things like this done before, so don't give up.

pal wrote:
And if it says "Is not a valid Win32 application", it could mean that the headers are wrong and so it wont work.
Oh oky. Well if you know of any examples of small windows programs that have headers right, a linky would be really appreciated so I can take a look and try to figure out how it's done ^^


P.S. thanks for the suggestions..
Post 22 Feb 2009, 15:18
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
You can have more than one section, but if you build the PE headers yourself you enable yourself the option to realign the sections. By standard PE sections (i.e. data, code, imports etc.) are aligned to a minimum of 512 bytes, hence the minimum file size of a PE file is meant to be 512 bytes, but you can change this by manually building the PE file.

What OS are you running; a 64-bit OS? The codes (apart from the last one; the 207 byte one) on that link I gave you all run fine on 32-bit Windows Vista SP1.

Also you should note that any EXE without imports will fail on Win2K. This I believe is because the kernel wont be loaded into the file unless a function from it is needed.

One more thing, to my knowledge you wont be able to call any APIs if you don't push your variables to the stack; otherwise what arguments would it be using.
Post 22 Feb 2009, 20:02
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
pal wrote:
You can have more than one section, but if you build the PE headers yourself you enable yourself the option to realign the sections. By standard PE sections (i.e. data, code, imports etc.) are aligned to a minimum of 512 bytes, hence the minimum file size of a PE file is meant to be 512 bytes, but you can change this by manually building the PE file.

What OS are you running; a 64-bit OS? The codes (apart from the last one; the 207 byte one) on that link I gave you all run fine on 32-bit Windows Vista SP1.
I'm making it on Win7 x64 but it's going to be a 32-bit program. I just want it to be able to work on all 32bit and 64bit versions of Windows. I thought that the examples were failing because they were 16bit or something.

pal wrote:
Also you should note that any EXE without imports will fail on Win2K. This I believe is because the kernel wont be loaded into the file unless a function from it is needed.
It is getting the address of the kernel from whatever process starts it though.. so isn't it okay?
If anyone can say how to get an import section without adding extra 512 bytes I will use it instead.. but so far nothing I've found runs for me..

pal wrote:
One more thing, to my knowledge you wont be able to call any APIs if you don't push your variables to the stack; otherwise what arguments would it be using.
Thanks, I meant I don't want to save the addresses of the functions to the stack. I can make the code a lot smaller with it saving to the same address it read the function hash from.
Post 25 Feb 2009, 09:52
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.