EOF forum


#1 2010-01-27 23:20:24

hell0
Member
Registered: 2009-09-20
Posts: 34

Terminate Program

hi, mdew..

i was trying to terminate a program by calling the api ExitProcess using its address.

The code below, is all that i could manage (copy), from its original full form. it compiles all right, an exe could be made, but the process freezes, it doesn’t work, i couldn't run it in a debugger to have a closer look at it.

would you please, look at the last 7 lines, the area i think where, i could be making some mistake?

i am posting this in a hurry, without checking again, so as to catch you in time, before you could contemplate the repeating of your vanishing act, all over again.

Code:

      .386
      .model flat
      .data
      dummy  dd  0

      .code
VirusStart:
      call delta
delta:
      pop ebp
      sub ebp,offset delta            ; ebp = load delta (0 when the image is not relocated)

      mov eax,[esp]                   ; return address into kernel32 (the caller of the entry point)
      or  eax,00000fffh
      xor eax,00000fffh               ; round down to a page boundary

compare:
      cmp word ptr [eax],'ZM'         ; walk back one page at a time until the "MZ" header
      je  kernel32_found
      sub eax,1000h
      jmp compare

kernel32_found:
      mov dword ptr [ebp+_kernel32],eax   ; this write lands in .text: the section must be writable

      lea  esi,[ebp+_api_ExitProcess]
      call GetFunctionAddress

      mov [ebp+_addr_ExitProcess],eax     ; same write into .text; faults if .text is read-only

      jmp EndVirus

GetFunctionAddress proc
      ; in:  eax = module base, esi = ASCIIZ export name
      ; out: eax = function VA (no bounds check: a name that is not exported walks past the table)
      mov ebx,[eax+3Ch]               ; e_lfanew
      add ebx,eax                     ; ebx = PE header VA
      add ebx,120                     ; DataDirectory[0].VirtualAddress = export table RVA
      mov ebx,[ebx]
      add ebx,eax                     ; ebx = exportTable VA

      xor edx,edx                     ; edx = 1-based index of the name being compared
      mov ecx,[ebx+32]                ; AddressOfNames
      add ecx,eax                     ; ecx = namePointerTable VA
      push esi
      push edx

CompareNext:
      pop edx
      pop esi                         ; restore the index and the start of the wanted name
      inc edx
      mov edi,[ecx]
      add edi,eax                     ; edi = current export name VA
      add ecx,4

      push esi
      push edx                        ; dl/dh are clobbered below, so keep the index on the stack

CompareName:
      mov  dl,[edi]
      mov  dh,[esi]
      cmp  dl,dh
      jne  CompareNext
      inc  edi
      inc  esi
      cmp  byte ptr [esi],0           ; end of the wanted name?
      jne  CompareName
      cmp  byte ptr [edi],0           ; the export name must end here too, not merely share a prefix
      jne  CompareNext

GetAddress:
      pop edx
      pop esi
      dec edx                         ; back to a 0-based index
      shl edx,1                       ; ordinal table entries are WORDs

      mov ecx,[ebx+36]                ; AddressOfNameOrdinals
      add ecx,eax
      add ecx,edx
      xor edx,edx

      mov dx,[ecx]                    ; edx = ordinal
      shl edx,2                       ; address table entries are DWORDs

      mov ecx,[ebx+28]                ; AddressOfFunctions
      add ecx,eax

      add ecx,edx
      add eax,[ecx]                   ; eax = base + function RVA

      ret
GetFunctionAddress endp

      _api_ExitProcess   db  "ExitProcess",0
      _addr_ExitProcess  dd  0
      _kernel32          dd  0

EndVirus:
      push 0                          ; uExitCode
      call eax                        ; eax still holds the ExitProcess VA; the stored copy,
                                      ; call dword ptr [ebp+_addr_ExitProcess], needs writable .text
      end VirusStart

regards...


#2 2010-01-28 01:03:09

mdew
Member
From: Poland
Registered: 2009-10-06
Posts: 60

Re: Terminate Program

your code seems to work

maybe u forgot to add "/SECTION:.text,RWX" option to linker (link.exe) - it allows to write to .code section where u hold ur function address...


#3 2010-01-28 08:04:06

hell0
Member
Registered: 2009-09-20
Posts: 34

Re: Terminate Program

..it allows to write to .code section where u hold ur function address...

i recognize now,..of this requisite.

Code:

F:\tasm>tasm32 /ml abc.asm
Turbo Assembler Version 5.0 Copyright (c) 1988, 1996 Borland International

Assembling file:   abc.asm
Error messages:    None
Warning messages:  None
Passes:            1
-------------------------
F:\tasm>tlink32 /section:.text,RWX /c abc.obj,,,import32.lib

Turbo Link Version 1.6.71.0 Copyright (c) 1993, 1996 Borland International
comma expected
-------------------------

Linker expects me to add a comma somewhere!!
i haven’t got it worked out yet, the right location for the comma.

i had tried any number of times earlier, but had failed every time, to make a correct executable, from an outwardly acceptable asm code. And, i had almost given up trying to learn this sacrosanct lingo, consoling myself that, probably this is not for mortals like me, with rather below average intellect.

But now, i recognize the situation is not that grave, there is still hope for me.
Thank you for being so supportive.

regards...

Last edited by hell0 (2010-01-28 08:11:52)


#4 2010-01-28 10:17:05

mdew
Member
From: Poland
Registered: 2009-10-06
Posts: 60

Re: Terminate Program

I use ml.exe + link.exe (MASM package) and the "/SECTION:.text,RWX" is a valid option for link.exe... I don't know what is the option for tlink32.exe - try to execute it without any arguments and it should write all valid options...

I also changed .model flat to .model flat, stdcall. Try it, maybe it will help...


#5 2010-01-28 15:18:42

hell0
Member
Registered: 2009-09-20
Posts: 34

Re: Terminate Program

To change the section attributes of an existing image, one can use a binary file editor, called editbin.exe.

So, after compiling abc.exe file, editbin is used to change the attribute of the code section of the abc.exe
Still, there seems to be some setback, because i get the error message, when i use the editbin to change the attribute.

Code:

F:\tasm>dir /b
abc.asm

F:\tasm>tasm32 /ml abc
Assembling file:   abc.ASM
Error messages:    None
Warning messages:  None
Passes:            1

F:\tasm>tlink32 /c abc.obj,,,import32.lib
F:\tasm>dir /b
abc.asm
abc.EXE
abc.OBJ

F:\tasm>editbin /section:code,w abc.exe
F:\tasm>Microsoft (R) COFF Binary File Editor Version 5.12.8078
abc.exe : warning LNK4039: section "code" specified with /SECTION option does not exist.

abc.exe : warning LNK4039: section "code" specified with /SECTION option does not exist.

One gets a general area of the fault, but still i have no clue, how to get over it.
..
regards..

Last edited by hell0 (2010-01-28 15:22:02)


#6 2010-01-28 16:20:53

mdew
Member
From: Poland
Registered: 2009-10-06
Posts: 60

Re: Terminate Program

try editbin /SECTION:text,rwe or /SECTION:.text,rwe

the code section is called ".text" in exe file...
".data" is ".data"
".data?" is i think ".bss"


#7 2010-01-29 08:42:38

hell0
Member
Registered: 2009-09-20
Posts: 34

Re: Terminate Program

Editbin
/SECTION:name[=newname][,attributes][,alignment]

this option changes the attributes of a section.             ; (/section)   
after the colon (: ), specify the name of the section.     ; (code)
to change the section's attributes, specify a comma (,) ; (,)
follow this by one/more attributes characters.              ; (w)

http://msdn.microsoft.com/en-us/library/ddxkx21d.aspx
----------------------------------------------------------           

i tried to change the ATTRIBUTE OF OBJECT file (abc.obj), instead of that of exe.

F:\tasm>dir /b
abc.asm
abc.OBJ

F:\tasm>editbin /section:code,wr abc.obj
abc.obj : warning LNK4033: converting object format from OMF to COFF
abc.obj : warning LNK4039: section "code" specified with /SECTION option does not exist

Editbin doesn’t identify with (code) name for sections.

F:\tasm>editbin /section:text,wr abc.obj
abc.obj : warning LNK4039: section "text" specified with /SECTION option does not exist

Editbin doesn’t identify with (text) name for sections.

The name (.text) seems to be all right with it.
F:\tasm>editbin /section:.text,wr abc.obj

Editbin does seem to agree with(.text) name for sections.

----------------------------------------------------------           

But, it doesn’t resolve the real issue.
Because now,

tlink32 doesn’t seem to accept this altered object file.

F:\tasm>tlink32 /c abc.obj,,, import32.lib
Fatal: Failed read from 'abc.obj'

How to get it done !!..

regards..

Last edited by hell0 (2010-01-29 08:48:51)


#8 2010-01-29 11:57:51

izee
Administrator
Registered: 2007-07-09
Posts: 185

Re: Terminate Program

TASM32 linker does not allow changing section attributes, there was a command-line tool called pewrsec by Jacky Qwerty (see 29A #2) which was used to set code section to writable. There is also a new pewrsec coded by BlueOwl (see rRlf #5) which is 32bit. You can write your own tool, too, if you are going to use TASM.

Additionally you can:
Set code section attributes to writable with PE editing tool of your choice.
Set PAGE_EXECUTE|PAGE_READWRITE access on needed memory region.
Allocate some memory and copy needed data there.
Use the stack.

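As an added example (it is not code from the thread, nor from pewrsec, editbin or any other tool named in it), the Python below does from a defender's side what the two halves of this thread are about: `resolve_export` walks a mapped module's export directory with the same PE offsets the assembly in post #1 uses (e_lfanew, +120 for the export directory entry, +28/+32/+36 inside it), and `writable_code_sections` reads the section table for the Characteristics bits that `editbin /SECTION:.text,rwe` sets, the writable-and-executable combination a triage rule typically flags. The PE image is constructed inline by a small helper; the module base and export RVAs are made-up values, and the field offsets and IMAGE_SCN_* constants are those of winnt.h.

```python
import struct

# PE32 offsets the thread's assembly relies on (in-memory image, RVA == offset)
E_LFANEW = 0x3C                  # DOS header: offset of the "PE\0\0" signature
EXPORT_DIR_ENTRY = 120           # PE header: DataDirectory[0].VirtualAddress (export table)
EXP_NUMBER_OF_NAMES = 24         # export directory fields used below
EXP_ADDRESS_OF_FUNCTIONS = 28
EXP_ADDRESS_OF_NAMES = 32
EXP_ADDRESS_OF_NAME_ORDINALS = 36

# Section Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def resolve_export(image, base, name):
    """VA of export `name`, walking the export directory the way GetFunctionAddress
    in post #1 does.  Unlike the assembly, the whole name must match and the walk
    stops at NumberOfNames, so a name that is not exported gives None."""
    pe = u32(image, E_LFANEW)
    export = u32(image, pe + EXPORT_DIR_ENTRY)
    if export == 0:
        return None
    n_names = u32(image, export + EXP_NUMBER_OF_NAMES)
    functions = u32(image, export + EXP_ADDRESS_OF_FUNCTIONS)
    names = u32(image, export + EXP_ADDRESS_OF_NAMES)
    ordinals = u32(image, export + EXP_ADDRESS_OF_NAME_ORDINALS)
    for i in range(n_names):
        if cstring(image, u32(image, names + 4 * i)) == name:
            ordinal = u16(image, ordinals + 2 * i)               # WORD per name
            return base + u32(image, functions + 4 * ordinal)    # DWORD per function
    return None


def section_flags(image):
    """Map each section name to its Characteristics DWORD."""
    pe = u32(image, E_LFANEW)
    n_sections = u16(image, pe + 6)
    table = pe + 24 + u16(image, pe + 20)   # signature + file header + SizeOfOptionalHeader
    flags = {}
    for i in range(n_sections):
        hdr = table + 40 * i
        flags[image[hdr:hdr + 8].rstrip(b"\0").decode("ascii")] = u32(image, hdr + 36)
    return flags


def writable_code_sections(image):
    """Sections that are executable and writable at once: what 'editbin
    /SECTION:.text,rwe' produces, and what a PE triage rule usually flags."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return sorted(n for n, f in section_flags(image).items() if f & rwx == rwx)


def build_image(text_flags, exports):
    """Constructed minimal PE32 image for this demo (not a real DLL): one .text
    section at RVA 0x200 that holds an export directory for `exports` (name -> RVA)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, 0x98, 0x10B)                    # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96, 0x200, 0)           # DataDirectory[0]: export RVA, size
    # IMAGE_SECTION_HEADER for .text at 0x98 + 0xE0 = 0x178 (Characteristics is the last field)
    struct.pack_into("<8sIIIIIIHHI", img, 0x178, b".text", 0x200, 0x200, 0x200, 0x200,
                     0, 0, 0, 0, text_flags)
    # Export directory at 0x200, the three arrays right after it, then the name strings
    names = sorted(exports)
    funcs, name_ptrs, ords = 0x228, 0x228 + 4 * len(names), 0x228 + 8 * len(names)
    strings = ords + 2 * len(names)
    struct.pack_into("<IIII", img, 0x200 + 20, len(names), len(names), funcs, name_ptrs)
    struct.pack_into("<I", img, 0x200 + 36, ords)
    for i, n in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[n])
        struct.pack_into("<I", img, name_ptrs + 4 * i, strings)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strings:strings + len(n) + 1] = n.encode() + b"\0"
        strings += len(n) + 1
    return bytes(img)


# Made-up module base and export RVAs, only for the demo
DEMO_BASE = 0x10000000
DEMO_EXPORTS = {"ExitProcess": 0x1A2B0, "ExitThread": 0x1A3C0, "GetProcAddress": 0x1B0F0}

if __name__ == "__main__":
    normal = build_image(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, DEMO_EXPORTS)
    print(hex(resolve_export(normal, DEMO_BASE, "ExitProcess")), resolve_export(normal, DEMO_BASE, "Exit"))
    print(writable_code_sections(normal))
    patched = build_image(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
                          | IMAGE_SCN_MEM_WRITE, DEMO_EXPORTS)
    print(writable_code_sections(patched))
```

Two differences from the assembly are deliberate: the comparison requires the export name to end where the wanted name ends (the loop in post #1 accepts any export that merely starts with the wanted string), and the walk is bounded by NumberOfNames, so a name that is not exported returns None instead of reading past the table. On disk the RVAs would first have to be mapped to file offsets through the section table; the functions above work on the image as it is laid out in memory, which is also what the assembly sees.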

#9 2010-01-30 12:06:24

hell0
Member
Registered: 2009-09-20
Posts: 34

Re: Terminate Program

Thank you for providing all the information pertinent to the issue.

well,
i got the pewrsec downloaded, as an executable file.
av, in the system, doesn’t take kindly to this utility's presence, and i needed to disable the av.

but the hitch is...
i don’t know how to use it !

i have abc.asm, abc.obj, abc.exe, files made, using (tasm32)
how to use pewrsec, to change my file's section attribute?

A tiny clue with a simple example, could possibly be really supportive.

.. regards
