Writing "portable" code

Hey,

I was analyzing an interesting piece of malware, where code, data & IAT were all mixed together in one section.

I.e., text strings and DWORDs with imported addresses were pasted right in the middle of the code:

[image: 42501207.jpg]

Note how the "call 40100d" calls past the OpenProcess-DWORD, effectively pushing the address of that DWORD to the stack.

So after the "Pop eax", eax contains a pointer to the address of OpenProcess...and can be called via "call dword [eax]".

Which is exactly what happens.

[image: 14729407.jpg]

This is part of the runtime importing, again the calls call past a text string, pushing a pointer to the string to the stack.

Later this is used to build the import table.

The big advantage of this is that the malware can now simply copy & paste the code into other processes and files.

How can I write portable code like this in C++?

deep0 :)

Edited by CodeRipper
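Seen from the analyst's side, the two constructs in the screenshots (a "call" to the very next instruction followed by "pop" to obtain the current address, and a "call" whose displacement jumps over an inline NUL-terminated string so that the pushed return address becomes a pointer to that string) are byte patterns that can be picked out of a dump. The C++ below is an added example written for this thread, not code from the post or from the sample being analyzed: the input buffer is constructed by hand to mimic the shapes described above, and the 64-byte displacement limit and the printable-ASCII test are heuristic choices of this example, not anything from the original analysis.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One finding: where the call opcode sits, which trick it looks like, and any inline string recovered.
struct Hit {
    size_t offset;
    std::string kind;   // "get-pc" or "call-over-string"
    std::string data;   // the skipped-over string for "call-over-string", empty otherwise
};

static bool isPrintable(uint8_t b) { return b >= 0x20 && b <= 0x7E; }

// Linear byte scan for E8 rel32 (call) with the two suspicious shapes from the thread:
//   get-pc:            call $+5 (rel32 == 0) immediately followed by pop r32 (58..5F)
//   call-over-string:  a short forward rel32 whose skipped bytes are printable ASCII followed
//                      only by NUL bytes, so the pushed return address is a pointer to that string
// The "call past a DWORD" variant (a 4-byte pointer slot) has no byte signature of its own
// and is not covered here. The 64-byte limit is a heuristic choice for this example.
std::vector<Hit> scanCallTricks(const std::vector<uint8_t>& buf) {
    std::vector<Hit> hits;
    for (size_t i = 0; i + 5 <= buf.size(); ++i) {
        if (buf[i] != 0xE8) continue;
        uint32_t raw = (uint32_t)buf[i + 1] | ((uint32_t)buf[i + 2] << 8) |
                       ((uint32_t)buf[i + 3] << 16) | ((uint32_t)buf[i + 4] << 24);
        int32_t rel = (int32_t)raw;
        size_t next = i + 5;                       // address the call pushes as its return address
        if (rel == 0) {
            if (next < buf.size() && buf[next] >= 0x58 && buf[next] <= 0x5F)
                hits.push_back({i, "get-pc", ""});
            continue;
        }
        if (rel < 0 || rel > 64 || next + (size_t)rel > buf.size()) continue;
        size_t end = next + (size_t)rel;           // the call target, i.e. the first real instruction
        size_t j = next;
        while (j < end && isPrintable(buf[j])) ++j;
        if (j == next) continue;                   // no text in the gap
        size_t strEnd = j;
        while (j < end && buf[j] == 0) ++j;        // terminator (and any NUL padding)
        if (j == end && strEnd < end)
            hits.push_back({i, "call-over-string", std::string(buf.begin() + next, buf.begin() + strEnd)});
    }
    return hits;
}

// Constructed sample bytes mimicking the shapes in the screenshots (not taken from the malware):
static const std::vector<uint8_t> sampleCode = {
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x58,             // call $+5 ; pop eax            -> get-pc
    0x83, 0xC0, 0x08,                               // add eax, 8
    0xE8, 0x09, 0x00, 0x00, 0x00,                   // call +9: skips the string below
    'k', 'e', 'r', 'n', 'e', 'l', '3', '2', 0x00,   //   inline "kernel32\0"         -> call-over-string
    0x6A, 0x00,                                     // push 0
    0xE8, 0x02, 0x00, 0x00, 0x00, 0x33, 0x00,       // call +2 over "3\0"            -> call-over-string
    0xE8, 0x10, 0x20, 0x00, 0x00,                   // ordinary call, rel32 = 0x2010 -> not flagged
    0xC3                                            // ret
};

int main() {
    for (const Hit& h : scanCallTricks(sampleCode))
        printf("offset %2zu: %-17s %s\n", h.offset, h.kind.c_str(), h.data.c_str());
    return 0;
}
```

Run against the constructed buffer it reports the get-PC sequence at offset 0 and the two call-over-string sites ("kernel32" and "3"), while the ordinary call with a large displacement is ignored. On a real dump the same scan will also fire on E8 bytes that happen to sit inside immediates or data, so hits are leads for the disassembler, not verdicts.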

Generally, in C++, you don't. The general way under a compiler is to use inline asm and emit under a naked function. I suppose you can set up macros to make it more C-like if you prefer. During certain situations writing code with a lot of 'goto' and '__emit' could work, but it is unreliable due to optimization by the compiler.

Edited by What

  • Author
The general way under a compiler is to use inline asm and emit under a naked function

Ok, that would explain the useless nops in the code...

So I wrote a mini example function, which simply displays a message box - title: "3", content: "3":

#include <windows.h>

void portable();   // forward declaration: main() patches this function's bytes below

int main() {
    // Resolve MessageBoxA at runtime; its address is written into the nop slot inside portable()
    DWORD msg  = (DWORD)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
    DWORD port = (DWORD)&portable;
    __asm {
        mov eax, port
        add eax, 17                 // offset of the four nops from the start of portable(); this
                                    // includes the compiler's prologue bytes, so it is build-specific
        mov ebx, msg
        mov dword ptr [eax], ebx    // faults on an unmodified build: .text is not writable
    }
    return 0;
}

void portable() {
    __asm {
        call getcur                 // call to the next instruction pushes its own address...
    getcur:
        pop eax                     // ...so eax now holds the address of getcur
        add eax, 8                  // skip to the four-byte slot that main() filled with &MessageBoxA
        mov ebx, eax
        jmp reser
        nop                         // 4-byte slot, patched at runtime to hold the MessageBoxA address
        nop
        nop
        nop
    reser:
        push 0                      // uType = MB_OK
        call str1                   // "call over" the inline string pushes its address (lpCaption)
        _emit 0x33                  // '3'
        _emit 0x00                  // NUL terminator
    str1:
        call str2                   // same trick for lpText
        _emit 0x33
        _emit 0x00
    str2:
        push 0                      // hWnd = NULL
        call dword ptr [ebx]        // MessageBoxA(NULL, "3", "3", MB_OK)
    }
}

It doesn't work, because the code section (.text) in MSVS08 is not writable.

The code works, though, if I modify the access rights in Olly at runtime. :)

Is this what you meant?

And do you happen to know how I can force the code section's characteristics to writable at compile time? :)

Thanks for your reply,

deep0 :)
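From the defender's side, the question of a writable code section has a direct counterpart: a PE whose section table marks a section as both writable and executable (the very thing the post above wants to force at compile time) is unusual for a normal compiler build and is a common packer and malware indicator. The C++ below is an added example, not code from this thread; it walks the section table of an in-memory PE image using the standard header layout and the Characteristics flag values from the PE/COFF specification, and it builds a small constructed PE skeleton (normal ".text" and ".data" next to a hypothetical write+execute ".code" section) to run against.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Section Characteristics bits from the PE/COFF specification (same values as winnt.h).
static const uint32_t IMAGE_SCN_CNT_CODE    = 0x00000020;
static const uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000;
static const uint32_t IMAGE_SCN_MEM_READ    = 0x40000000;
static const uint32_t IMAGE_SCN_MEM_WRITE   = 0x80000000;

struct SectionInfo {
    std::string name;
    uint32_t characteristics;
    bool writableAndExecutable;   // true when the section is writable and executable (or "contains code")
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    return (uint32_t)b[o] | ((uint32_t)b[o + 1] << 8) | ((uint32_t)b[o + 2] << 16) | ((uint32_t)b[o + 3] << 24);
}

// Walk the section table of a PE image held in memory. Returns an empty vector when the buffer
// is not a well-formed PE (bad MZ/PE signatures, or headers that run past the end of the buffer).
std::vector<SectionInfo> parseSections(const std::vector<uint8_t>& img) {
    std::vector<SectionInfo> out;
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return out;
    size_t peOff = rd32(img, 0x3C);                       // IMAGE_DOS_HEADER.e_lfanew
    if (peOff > img.size() - 24 || memcmp(&img[peOff], "PE\0\0", 4) != 0) return out;
    uint16_t nSections = rd16(img, peOff + 6);            // IMAGE_FILE_HEADER.NumberOfSections
    uint16_t optSize   = rd16(img, peOff + 20);           // IMAGE_FILE_HEADER.SizeOfOptionalHeader
    size_t table = peOff + 24 + optSize;                  // first IMAGE_SECTION_HEADER (40 bytes each)
    for (uint16_t i = 0; i < nSections; ++i) {
        size_t h = table + (size_t)i * 40;
        if (h + 40 > img.size()) break;                   // truncated table: stop rather than overread
        char name[9] = {0};
        memcpy(name, &img[h], 8);                         // Name is 8 bytes and not necessarily NUL-terminated
        uint32_t ch = rd32(img, h + 36);                  // Characteristics
        bool wx = (ch & IMAGE_SCN_MEM_WRITE) && (ch & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE));
        out.push_back({name, ch, wx});
    }
    return out;
}

// Names of all writable+executable sections: the indicator a triage script would report.
std::vector<std::string> wxSectionNames(const std::vector<uint8_t>& img) {
    std::vector<std::string> names;
    for (const SectionInfo& s : parseSections(img))
        if (s.writableAndExecutable) names.push_back(s.name);
    return names;
}

// --- constructed sample: a minimal PE header skeleton with three section headers (not a runnable program) ---
static void put32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back((uint8_t)(x >> (8 * i))); }
static void put16(std::vector<uint8_t>& v, uint16_t x) { v.push_back((uint8_t)x); v.push_back((uint8_t)(x >> 8)); }
static void putSection(std::vector<uint8_t>& v, const char* name, uint32_t ch) {
    char n[8] = {0};
    memcpy(n, name, strlen(name) < 8 ? strlen(name) : 8);
    v.insert(v.end(), n, n + 8);
    v.insert(v.end(), (size_t)28, (uint8_t)0);           // sizes, pointers and counts: irrelevant for this check
    put32(v, ch);
}

std::vector<uint8_t> makeSamplePe() {
    std::vector<uint8_t> v(0x40, 0);
    v[0] = 'M'; v[1] = 'Z';
    v[0x3C] = 0x40;                                       // e_lfanew: PE header right after the DOS header
    v.insert(v.end(), {'P', 'E', 0, 0});
    put16(v, 0x014C);                                     // Machine: IMAGE_FILE_MACHINE_I386
    put16(v, 3);                                          // NumberOfSections
    v.insert(v.end(), (size_t)12, (uint8_t)0);           // TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
    put16(v, 0xE0);                                       // SizeOfOptionalHeader (PE32)
    put16(v, 0x0102);                                     // Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    v.insert(v.end(), (size_t)0xE0, (uint8_t)0);         // zeroed optional header
    putSection(v, ".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);        // 0x60000020, normal
    putSection(v, ".data", 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);                  // 0xC0000040, normal
    putSection(v, ".code", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE); // W+X: flagged
    return v;
}

int main() {
    for (const SectionInfo& s : parseSections(makeSamplePe()))
        printf("%-8s 0x%08X %s\n", s.name.c_str(), (unsigned)s.characteristics,
               s.writableAndExecutable ? "WRITE+EXECUTE" : "ok");
    return 0;
}
```

Only the constructed ".code" section is reported; ".text" (0x60000020) and ".data" (0xC0000040) are what a stock MSVC build produces. The same walk works on a file read from disk, since everything it needs lives in the headers and no section data is touched.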

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

This is true. You can only modify the eax, ecx, and edx registers without worry. You have to save the others by some means. And k11 gave the rest of the links. I'm not sure why you would call the code through your own app though. I guess for testing purposes? You only need to worry about the protection where you inject the code (VirtualProtectEx).

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

Nope. Naked functions are fully up to the user to handle everything. You completely strip prologue and epilogue code using naked.
