
[ASM] Accessing API / no import, no PE, nothing


Credits :

HUTCH pour la fonction StringCompare

PHRACK pour le tips pour récuperer K32

Reference :

NEITSA pour la méthodo

Author: steve10120

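        ; Position-independent x86 (32-bit) payload: locates kernel32 through the
        ; PEB loader list, resolves kernel32!GetProcAddress and kernel32!LoadLibraryA
        ; from its export directory, then loads user32.dll and calls MessageBoxA as
        ; a smoke test. No import table, no relocations.
        ; Syntax: FASM (Intel). Target: Win32 user mode, x86 only - every offset
        ; below is the 32-bit PEB/LDR/PE layout.
        ;
        ; Entry:    no arguments. ebp is taken over as the delta base, so every
        ;           data reference is [ebp + label].
        ; Return:   eax = MessageBoxA result, or 0 if any resolution step failed.
        ; Clobbers: eax, ebx, ecx, edx, esi, edi, ebp, flags. Callee-saved
        ;           registers are NOT restored - invoke this from a context that
        ;           does not care, not as an ordinary cdecl/stdcall function.
        ; Memory:   the _szXxx strings and the _xxx dword slots are interleaved
        ;           with the code, so the page must be readable and writable.
        ; NOTE(review): resolving APIs by walking the PEB instead of using the
        ; import table is the classic pattern of injected/self-contained payloads
        ; and is what EDR heuristics key on; the hard-coded structure offsets
        ; should be checked against the Windows build you actually target.

        PEB_LDR_DATA            equ 0Ch   ; PEB.Ldr
        LDR_INIT_ORDER_LIST     equ 1Ch   ; PEB_LDR_DATA.InInitializationOrderModuleList.Flink
        LDR_ENTRY_DLL_BASE      equ 08h   ; LDR_DATA_TABLE_ENTRY.DllBase, relative to InInitializationOrderLinks
        PE_E_LFANEW             equ 3Ch   ; IMAGE_DOS_HEADER.e_lfanew
        PE_EXPORT_DIR_RVA       equ 78h   ; IMAGE_NT_HEADERS32 -> DataDirectory[EXPORT].VirtualAddress
        EXP_NUMBER_OF_NAMES     equ 18h   ; IMAGE_EXPORT_DIRECTORY.NumberOfNames
        EXP_ADDRESS_OF_NAMES    equ 20h   ; IMAGE_EXPORT_DIRECTORY.AddressOfNames

        call    .hwndDelta
.hwndDelta:
        pop     ebp
        sub     ebp, .hwndDelta         ; ebp = load delta: [ebp + label] is label's run-time address

.find_kernel:
        mov     eax, [fs:30h]           ; eax = PEB (TEB.ProcessEnvironmentBlock)
        mov     eax, [eax + PEB_LDR_DATA]          ; eax = PEB_LDR_DATA
        mov     esi, [eax + LDR_INIT_ORDER_LIST]   ; esi = first InInitializationOrder entry
        cld                             ; lodsd below relies on DF = 0; do not assume the caller's flags
        lodsd                           ; eax = Flink = second entry of the list
        ; NOTE(review): this takes the second InInitializationOrder entry on faith
        ; as kernel32.dll. On Windows 7 and later that slot is commonly
        ; KernelBase.dll, in which case .find_function would scan the wrong export
        ; table - confirm on the target, or match the module's BaseDllName instead.
        mov     ebx, [eax + LDR_ENTRY_DLL_BASE]    ; ebx = kernel32 image base
        mov     [ebp + _kernelBase], ebx

        mov     esi, dword [ebx + PE_E_LFANEW]     ; esi = e_lfanew (RVA of IMAGE_NT_HEADERS)
        add     esi, [ebp + _kernelBase]           ; esi = VA of IMAGE_NT_HEADERS
        mov     edx, [esi + PE_EXPORT_DIR_RVA]     ; edx = RVA of IMAGE_EXPORT_DIRECTORY
        add     edx, [ebp + _kernelBase]           ; edx = VA of IMAGE_EXPORT_DIRECTORY

        mov     ecx, [edx + EXP_NUMBER_OF_NAMES]   ; ecx = number of named exports
        mov     [ebp + _function_nb], ecx

        mov     ebx, [edx + EXP_ADDRESS_OF_NAMES]  ; ebx = RVA of AddressOfNames
        add     ebx, 4                  ; start at AddressOfNames[1]: .find_function computes the
                                        ; name index as _function_nb - ecx after decrementing ecx
                                        ; before each compare, which only lines up with entry 0 skipped
        add     ebx, [ebp + _kernelBase]           ; ebx = VA of AddressOfNames[1]

        ; From here on ebx/ecx/edx are the inputs of .find_function (edi = name to find).
        ; pushad/popad keep them intact across the two lookups.

        ; --- resolve kernel32!GetProcAddress ---
        pushad
        lea     edi, [ebp + _szGetProcAddress]     ; edi = "GetProcAddress"
        call    .find_function
        mov     [ebp + _getProcAddress], eax
        popad

        ; --- resolve kernel32!LoadLibraryA ---
        pushad
        lea     edi, [ebp + _szLoadLibrary]        ; edi = "LoadLibraryA"
        call    .find_function
        mov     [ebp + _loadLibrary], eax
        popad

        ; Bail out (eax = 0) rather than calling through a null slot if a lookup
        ; reported failure.
        xor     eax, eax
        cmp     dword [ebp + _getProcAddress], 0
        je      .done
        cmp     dword [ebp + _loadLibrary], 0
        je      .done

        ; --- smoke test: user32!MessageBoxA ---
        lea     ebx, [ebp + _szUser32]
        push    ebx                     ; lpLibFileName = "user32.dll"
        call    [ebp + _loadLibrary]    ; eax = HMODULE (stdcall, callee pops the argument)
        test    eax, eax
        jz      .done                   ; LoadLibraryA failed: return 0

        lea     ebx, [ebp + _szMessageBox]
        push    ebx                     ; lpProcName = "MessageBoxA"
        push    eax                     ; hModule = user32
        call    [ebp + _getProcAddress] ; eax = MessageBoxA
        test    eax, eax
        jz      .done                   ; export not found: return 0

        ; MessageBoxA(NULL, "GetProcAddress", "GetProcAddress", 0): the
        ; GetProcAddress string is reused as both text and caption (it is only a
        ; visible marker that resolution worked). stdcall, args pushed right-to-left.
        push    0                       ; uType = MB_OK
        lea     esi, [ebp + _szGetProcAddress]
        push    esi                     ; lpCaption
        lea     edi, [ebp + _szGetProcAddress]
        push    edi                     ; lpText
        push    0                       ; hWnd = NULL
        call    eax

.done:
        ret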


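; .find_function - resolve one named export of kernel32 by scanning the export
; name table, then mapping the matching name to its address through the
; ordinal table.
; In:   ebx = VA of AddressOfNames[1] (the caller skipped entry 0)
;       ecx = NumberOfNames (the caller also stored it in _function_nb)
;       edx = VA of IMAGE_EXPORT_DIRECTORY
;       edi = NUL-terminated function name; compared case-sensitively
;       ebp = delta base; _kernelBase and _function_nb must be populated
; Out:  eax = VA of the export, or 0 if the name is not in the table
; Clobbers: eax, ebx, ecx, esi, flags. edx is preserved.
; Fixes relative to the earlier version:
;  - AddressOfFunctions is now indexed through AddressOfNameOrdinals; the old
;    code used the name index directly, which is only right while the two
;    tables happen to be in the same order;
;  - _function_nb is read delta-relative ([ebp + ...]); the absolute
;    dword[_function_nb] form read from the assembly-time address, which is
;    wrong as soon as the payload runs anywhere else;
;  - the scan stops at the end of the name table instead of reading past it
;    (and decrementing ecx below zero) when the name is absent.
; Forwarded exports (an RVA pointing back into the export directory) are not
; handled - neither of the two names looked up here is forwarded.
EXP_ADDRESS_OF_FUNCTIONS        equ 1Ch   ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions (dword RVAs)
EXP_ADDRESS_OF_NAME_ORDINALS    equ 24h   ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals (words)

.find_function:
        test    ecx, ecx
        jz      .not_found              ; empty name table

.find_function_loop:
        dec     ecx                     ; name index i = _function_nb - ecx
        jz      .not_found              ; i == _function_nb: AddressOfNames[i] is past the table
        mov     esi, [ebx]              ; esi = RVA of name[i]
        add     ebx, 4
        add     esi, [ebp + _kernelBase]           ; esi = VA of name[i]
        call    .stringCompare          ; eax = 0 on match, -1 otherwise (esi/edi preserved)
        cmp     eax, -1
        je      .find_function_loop

        ; match: i -> AddressOfNameOrdinals[i] -> AddressOfFunctions[ordinal]
        mov     eax, [ebp + _function_nb]
        sub     eax, ecx                ; eax = i
        mov     ebx, [edx + EXP_ADDRESS_OF_NAME_ORDINALS]
        add     ebx, [ebp + _kernelBase]           ; ebx = VA of AddressOfNameOrdinals
        movzx   eax, word [ebx + eax*2] ; eax = unbiased ordinal (index into AddressOfFunctions)
        mov     ebx, [edx + EXP_ADDRESS_OF_FUNCTIONS]
        add     ebx, [ebp + _kernelBase]           ; ebx = VA of AddressOfFunctions
        mov     eax, [ebx + eax*4]      ; eax = RVA of the export
        add     eax, [ebp + _kernelBase]           ; eax = VA of the export
        ret

.not_found:
        xor     eax, eax
        ret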





; .stringCompare - compare two NUL-terminated byte strings for exact equality.
; In:   esi = string A, edi = string B (both NUL-terminated, case-sensitive)
; Out:  eax = 0 if identical, -1 otherwise
; Clobbers: eax, flags only; all other registers are restored by popad.
.stringCompare:
        pushad                          ; esi/edi are advanced below, popad puts them back
.cmp_next:
        movzx   eax, byte [esi]         ; al = A[k]
        cmp     al, byte [edi]          ; differs from B[k] -> mismatch
        jne     .cmp_differ
        inc     esi
        inc     edi
        test    al, al                  ; al == 0 here means both strings ended together
        jnz     .cmp_next

        popad
        xor     eax, eax                ; equal
        ret

.cmp_differ:
        popad
        or      eax, -1                 ; not equal
        ret

; Strings and storage slots used by the code above. They live in the same byte
; stream as the code and are always addressed as [ebp + label], so they travel
; with the payload. The dd ? slots are written at run time, which means the
; page holding this code must be writable as well as executable.
_szGetProcAddress db "GetProcAddress",0   ; looked up in kernel32; also reused as MessageBoxA text/caption
_szLoadLibrary db "LoadLibraryA",0        ; looked up in kernel32

_kernelBase dd ?                          ; image base of the module taken as kernel32 (DllBase of the loader entry)
_function_nb dd ?                         ; NumberOfNames from that module's export directory

_szMessageBox db "MessageBoxA",0          ; resolved from user32 via GetProcAddress
_szUser32 db "user32.dll",0               ; argument to LoadLibraryA

_getProcAddress dd ?                      ; resolved VA of kernel32!GetProcAddress
_loadLibrary dd ?                         ; resolved VA of kernel32!LoadLibraryA


De unde se poate invata asm ? Nu vad nimic structurat sa zicem asa cum e ptr. celelalte limbaje si totusi vad ca sunt multi care stapanesc asm destul de bine...

Voi cum ati invatat asm? (Prin "invatat" ma refer la a stapani bine acest limbaj, nu doar la a intelege un cod scris de altcineva...)

Cel mai bine se invata din carti, dar sunt si tutoriale bune.

Eu fac ASM la facultate (la Arhitectura Sistemelor de Calcul - Universitatea Bucuresti, Informatica).

Nu poti posta cursurile in format electronic, te rog ?

Mi se pare ca mai usor as invata de pe ele plus ca sunt si in romana dar se exprima ptr. oameni si nu folosesc limbaj de ala de lemn de la urma te intrebi ce a vrut sa zica.

Multumesc anticipat !


@krisler12

Vezi pe aici:

ALastName

Nu e foarte usor, trebuie sa intelegi foarte bine cum lucreaza un procesor cu registrii si flaguri.

Prin "invatat" ma refer la a stapani bine acest limbaj, nu doar la a intelege un cod scris de altcineva...

Ca sa intelegi un cod scris de altcineva in ASM trebuie sa stii bine limbajul, altfel nu prea ai sanse. Nu e ca la limbajele de nivel inalt.

Mai bine invata java sau ceva de nivel inalt daca tot nu ai ce face cu timpul liber!
