Tuts 4 You

Writing "portable" code


deepzero


Posted (edited)

Hey,

I was analyzing an interesting piece of malware, where code, data & IAT were all mixed together in one section.

I.e., text strings and dwords with imported addresses were pasted right in the middle of the code:

[image: 42501207.jpg]

Note how the "call 40100d" calls past the OpenProcess-DWORD, effectively pushing the address of that DWORD to the stack.

So after the "Pop eax", eax contains a pointer to the address of OpenProcess...and can be called via "call dword [eax]".

Which is exactly what happens.

[image: 14729407.jpg]

This is part of the runtime importing, again the calls call past a text string, pushing a pointer to the string to the stack.

Later this is used to build the import table.

The big advantage of this is that the malware can now simply copy & paste the code into other processes and files.

How can I write portable code like this in C++?

deep0 :)

Edited by CodeRipper

Posted (edited)

Generally, in C++, you don't. The general way under a compiler is to use inline asm and emit under a naked function. I suppose you can set up macros to make it more C-like if you prefer. During certain situations writing code with a lot of 'goto' and '__emit' could work, but it is unreliable due to optimization by the compiler.

Edited by What

Posted
The general way under a compiler is to use inline asm and emit under a naked function

Ok, that would explain the useless nops in the code...

So I wrote a mini example function, which simply displays a messagebox - title: "3", content: "3":

#include <windows.h>

// Forward declaration: main() takes the address of portable() before it is defined.
void portable();

int main()
{
    // Resolve MessageBoxA at runtime and patch its address into the 4-byte slot
    // (the four NOPs) inside portable().
    DWORD msg  = (DWORD)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
    DWORD port = (DWORD)&portable;   // build with /INCREMENTAL:NO so this is the body, not a jump thunk
    __asm {
        mov eax, port
        add eax, 17                  // slot offset in this build: prologue + 5-byte call + 8
        mov ebx, msg
        mov dword ptr [eax], ebx     // faults while .text is read/execute only
    }
    return 0;
}

void portable()
{
    __asm {
        call getcur                  // pushes the address of getcur
    getcur:
        pop eax                      // eax = address of getcur
        add eax, 8                   // skip pop/add/mov/jmp (8 bytes): eax -> the slot
        mov ebx, eax                 // ebx = pointer to the stored MessageBoxA address
        jmp reser                    // never execute the slot contents
        nop                          // 4-byte slot, overwritten by main() with &MessageBoxA
        nop
        nop
        nop
    reser:
        push 0                       // uType
        call str1                    // pushes the address of the caption "3\0" below
        _emit 0x33
        _emit 0x00
    str1:
        call str2                    // pushes the address of the text "3\0" below
        _emit 0x33
        _emit 0x00
    str2:
        push 0                       // hWnd
        call dword ptr [ebx]         // MessageBoxA(0, "3", "3", 0); stdcall, callee cleans the stack
    }
}

It doesn't work, because the code section (.text) in MSVS08 is not writable.

The code works, though, if I modify the access rights in Olly at runtime. :)

Is this what you meant?

And do you happen to know how I can force the code section's characteristics to writable at compile time? :)

thanks for your reply,

deep0 :)
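Added example, not code from this thread: a small host-side "loader" for the kind of blob described in the first post and written out in the inline-asm above. The byte array is my own hand-assembled x86-32 encoding of that routine as a naked function with a trailing ret; the placeholder address 0x11223344, the helper names, and the heuristics for spotting the slot and the call-over-data strings are assumptions of this example. It only manipulates bytes and never executes them, so it runs anywhere, but it does the two things a copy & paste of such code needs: locate the import slot by replaying the call/pop/add arithmetic, patch it, and decode which inline strings the forward calls push.

```c
/* Added example (not from the thread): patch and decode a position-independent
 * blob that carries its own strings and import slot inline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed: hand-assembled bytes of the posted portable() routine (naked form
 * plus a ret). The four 0x90s are the slot the host overwrites with &MessageBoxA. */
static uint8_t portable_blob[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* 00: call +0          pushes address 05 */
    0x58,                           /* 05: pop eax          eax = 05 */
    0x83, 0xC0, 0x08,               /* 06: add eax, 8       eax = 0D (the slot) */
    0x8B, 0xD8,                     /* 09: mov ebx, eax */
    0xEB, 0x04,                     /* 0B: jmp +4           skip over the slot */
    0x90, 0x90, 0x90, 0x90,         /* 0D: 4-byte import slot */
    0x6A, 0x00,                     /* 11: push 0           uType */
    0xE8, 0x02, 0x00, 0x00, 0x00,   /* 13: call +2          pushes address 18 */
    0x33, 0x00,                     /* 18: "3\0"            caption */
    0xE8, 0x02, 0x00, 0x00, 0x00,   /* 1A: call +2          pushes address 1F */
    0x33, 0x00,                     /* 1F: "3\0"            text */
    0x6A, 0x00,                     /* 21: push 0           hWnd */
    0xFF, 0x13,                     /* 23: call dword ptr [ebx] */
    0xC3                            /* 25: ret */
};

/* Target of an E8 rel32 call at `off`: end of the instruction plus displacement. */
static long call_target(const uint8_t *b, size_t len, size_t off)
{
    int32_t rel;
    if (off + 5 > len || b[off] != 0xE8)
        return -1;
    memcpy(&rel, b + off + 1, 4);                 /* little-endian, as on x86 */
    return (long)(off + 5) + rel;
}

/* Replay "pop eax; add eax, imm8": pop yields the address of the pop itself,
 * the add moves past the remaining instructions to the slot. Returns -1 if absent. */
static long find_import_slot(const uint8_t *b, size_t len)
{
    size_t i;
    for (i = 0; i + 4 <= len; i++) {
        if (b[i] == 0x58 && b[i + 1] == 0x83 && b[i + 2] == 0xC0) {
            size_t slot = i + b[i + 3];
            return slot + 4 <= len ? (long)slot : -1;
        }
    }
    return -1;
}

/* Store the resolved import address into the slot, little-endian. Returns 1 on success. */
static int patch_import(uint8_t *b, size_t len, uint32_t addr)
{
    long slot = find_import_slot(b, len);
    if (slot < 0)
        return 0;
    b[slot + 0] = (uint8_t)(addr);
    b[slot + 1] = (uint8_t)(addr >> 8);
    b[slot + 2] = (uint8_t)(addr >> 16);
    b[slot + 3] = (uint8_t)(addr >> 24);
    return 1;
}

/* Heuristic: a forward E8 call whose target is preceded by a NUL byte is a
 * "call over a string"; the pushed return address is the string pointer.
 * Fills out[] with string offsets and returns how many were found. */
static size_t find_inline_strings(const uint8_t *b, size_t len, size_t *out, size_t max)
{
    size_t i, n = 0;
    for (i = 0; i + 5 <= len && n < max; i++) {
        long t = call_target(b, len, i);
        if (t <= (long)(i + 5) || t > (long)len)
            continue;                             /* not a forward call over data */
        if (b[t - 1] != 0)
            continue;                             /* data must end with the terminator */
        out[n++] = i + 5;
        i = (size_t)t - 1;                        /* resume after the data, not inside it */
    }
    return n;
}

int main(void)
{
    size_t strs[4], n, k;
    long slot = find_import_slot(portable_blob, sizeof portable_blob);
    printf("import slot at offset 0x%02lx\n", (unsigned long)slot);
    /* 0x11223344 stands in for what GetProcAddress would return in the host. */
    patch_import(portable_blob, sizeof portable_blob, 0x11223344u);
    n = find_inline_strings(portable_blob, sizeof portable_blob, strs, 4);
    for (k = 0; k < n; k++)
        printf("string at 0x%02zx: \"%s\"\n", strs[k], (const char *)portable_blob + strs[k]);
    return 0;
}
```

The slot finder is the same arithmetic the blob performs on itself at runtime, so a host that copies the bytes elsewhere only needs the blob, not a fixed offset like the 17 used in the post; the string walker is deliberately simple and would misfire on a stray 0xE8 inside other data, so treat it as a decoder for this layout, not a general disassembler.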

Posted

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

Posted

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

This is true. You can only modify the eax, ecx, and edx registers without worry. You have to save the others by some means. And k11 gave the rest of the links. I'm not sure why you would call the code through your own app though. I guess for testing purposes? You only need to worry about the protection where you inject the code (VirtualProtectEx).

Posted

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

Nope. Naked functions are fully up to the user to handle everything. You completely strip prologue and epilogue code using naked.
