deepzero Posted October 26, 2010 (edited)
Hey, I was analyzing an interesting piece of malware, where code, data & IAT were all mixed together in one section. I.e., text strings and DWORDs holding imported addresses were pasted right in the middle of the code: Note how the "call 40100d" calls past the OpenProcess DWORD, effectively pushing the address of that DWORD to the stack. So after the "pop eax", eax contains a pointer to the address of OpenProcess... and it can be called via "call dword [eax]". Which is exactly what happens. This is part of the runtime importing; again the calls call past a text string, pushing a pointer to the string to the stack. Later this is used to build the import table. The big advantage of this is that the malware can now simply copy & paste the code into other processes and files. How can I write portable code like this in C++? deep0
Edited October 26, 2010 by CodeRipper
What Posted October 26, 2010 (edited)
Generally, in C++, you don't. The general way under a compiler is to use inline asm and _emit under a naked function. I suppose you can set up macros to make it more C-like if you prefer. During certain situations writing code with a lot of 'goto' and '__emit' could work, but it is unreliable due to optimization by the compiler.
Edited October 26, 2010 by What
deepzero Posted October 27, 2010 Author
"The general way under a compiler is to use inline asm and emit under a naked function"
Ok, that would explain the useless nops in the code... So I wrote a mini example function, which simply displays a messagebox - title: "3", content: "3":

    #include <windows.h>

    void portable();            // forward declaration, used by main() below

    int main()
    {
        // resolve MessageBoxA at runtime and patch its address into the
        // 4-byte nop slot inside portable()
        DWORD msg  = (DWORD)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
        DWORD port = (DWORD)&portable;
        __asm {
            mov eax, port
            add eax, 17          // offset of the nop slot in this build
                                 // (depends on the compiler-generated prologue)
            mov ebx, msg
            mov dword ptr [eax], ebx
        }
    }

    void portable()
    {
        __asm {
            call getcur          // pushes address of getcur, no data needed
        getcur:
            pop eax              // eax = address of getcur (GetPC trick)
            add eax, 8           // eax = address of the 4-nop slot below
            mov ebx, eax         // ebx -> slot holding the MessageBoxA pointer
            jmp reser
            nop                  // 4-byte slot, patched by main()
            nop
            nop
            nop
        reser:
            push 0               // uType
            call str1            // pushes address of the "3\0" bytes below
            __asm _emit 0x33     // "3"
            __asm _emit 0x00
        str1:
            call str2            // pushes address of the second "3\0"
            __asm _emit 0x33
            __asm _emit 0x00
        str2:
            push 0               // hWnd
            call dword ptr [ebx] // MessageBoxA(0, "3", "3", 0)
        }
    }

It doesn't work, because the code section (.text) in MSVS08 is not writable. The code works, though, if I modify the access rights in Olly at runtime. Is this what you meant? And do you happen to know how I can force the code section's characteristics to writable at compile time? Thanks for your reply, deep0
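As an added, defender-side example (my code, not from this thread or its authors): the call/pop sequences described in the first post and used in the inline asm above are a classic GetPC signature, and a linear byte scan for a "call" whose displacement lands only a few bytes ahead catches both the "call getcur / pop eax" pair and the calls that hop over the "3\0" strings. The sample bytes are the x86 encoding of the inline asm above with a generic prologue, hand-assembled for this example; the 16-byte window, the trick_kind names and the find_call_push_tricks function are my own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: x86 encoding of the thread's inline asm (GetPC call/pop,
   then two calls that skip over "3\0"), with a typical prologue. Hand-assembled
   for this example; not bytes from any real binary. */
static const uint8_t sample[] = {
    0x55, 0x8B, 0xEC,                 /* push ebp ; mov ebp,esp         */
    0xE8, 0x00, 0x00, 0x00, 0x00,     /* call +0  (pushes next address) */
    0x58,                             /* pop eax  (GetPC)               */
    0x83, 0xC0, 0x08,                 /* add eax,8                      */
    0x8B, 0xD8,                       /* mov ebx,eax                    */
    0xEB, 0x04,                       /* jmp +4                         */
    0x90, 0x90, 0x90, 0x90,           /* 4-byte nop slot                */
    0x6A, 0x00,                       /* push 0                         */
    0xE8, 0x02, 0x00, 0x00, 0x00,     /* call +2  (skips "3\0")         */
    0x33, 0x00,                       /* "3\0"                          */
    0xE8, 0x02, 0x00, 0x00, 0x00,     /* call +2  (skips "3\0")         */
    0x33, 0x00,                       /* "3\0"                          */
    0x6A, 0x00,                       /* push 0                         */
    0xFF, 0x13,                       /* call dword ptr [ebx]           */
    0xC3,                             /* ret                            */
};

enum trick_kind {
    TRICK_CALL_FORWARD = 0,     /* short forward call, unclassified data */
    TRICK_GETPC = 1,            /* call $+5 ; pop r32                    */
    TRICK_CALL_OVER_STRING = 2  /* call skipping printable/NUL bytes     */
};

typedef struct {
    size_t offset;          /* offset of the E8 opcode              */
    int32_t rel;            /* displacement encoded in the call     */
    enum trick_kind kind;
} trick_hit;

static int is_text_byte(uint8_t b) { return b == 0 || (b >= 0x20 && b <= 0x7E); }

/* Heuristic scan: report every "call rel32" whose target is at most max_skip
   bytes ahead, i.e. a call whose real purpose is to push the address of the
   bytes that follow it. Linear scanning does not decode instructions, so an
   E8 inside another instruction's operand can produce a false positive; treat
   hits as candidates for a disassembler, not as verdicts. Returns the total
   number of hits and fills hits[] with the first max_hits of them. */
size_t find_call_push_tricks(const uint8_t *buf, size_t len, int32_t max_skip,
                             trick_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (buf[i] != 0xE8) continue;
        int32_t rel = (int32_t)((uint32_t)buf[i + 1] | ((uint32_t)buf[i + 2] << 8) |
                                ((uint32_t)buf[i + 3] << 16) | ((uint32_t)buf[i + 4] << 24));
        if (rel < 0 || rel > max_skip) continue;       /* ordinary call */
        size_t next = i + 5;                            /* value pushed as return address */
        size_t target = next + (size_t)rel;
        if (target > len) continue;
        enum trick_kind kind = TRICK_CALL_FORWARD;
        if (rel == 0 && next < len && buf[next] >= 0x58 && buf[next] <= 0x5F) {
            kind = TRICK_GETPC;                         /* pop eax..edi right after */
        } else if (rel > 0) {
            int all_text = 1;
            for (size_t j = next; j < target; j++)
                if (!is_text_byte(buf[j])) { all_text = 0; break; }
            if (all_text) kind = TRICK_CALL_OVER_STRING;
        }
        if (n < max_hits) { hits[n].offset = i; hits[n].rel = rel; hits[n].kind = kind; }
        n++;
    }
    return n;
}

int main(void)
{
    trick_hit hits[8];
    size_t n = find_call_push_tricks(sample, sizeof sample, 16, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: call +%d (%s)\n", hits[i].offset, hits[i].rel,
               hits[i].kind == TRICK_GETPC ? "GetPC call/pop" :
               hits[i].kind == TRICK_CALL_OVER_STRING ? "call over embedded string" :
               "short forward call");
    return 0;
}
```

On the constructed sample this reports three hits: the GetPC pair at offset 3 and the two string-skipping calls at offsets 22 and 29. A normal call to a function thousands of bytes away is ignored because its displacement exceeds the window.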
BoB Posted October 27, 2010
What is the point in writing Asm code in C++? Just use one of the many Assemblers out there! Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here.. BoB
Aguila Posted October 27, 2010
look here: http://msdn.microsoft.com/en-us/library/50bewfwa%28VS.80%29.aspx and use this: http://msdn.microsoft.com/en-us/library/h5w10wxs%28v=VS.80%29.aspx
What Posted October 27, 2010
"Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here.."
This is true. You can only modify the eax, ecx, and edx registers without worry. You have to save the others by some means. And k11 gave the rest of the links. I'm not sure why you would call the code through your own app though. I guess for testing purposes? You only need to worry about the protection where you inject the code (VirtualProtectEx).
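Added example, not from the thread or any of its posters: the flip side of forcing .text writable at link time, as asked above, is that a scanner can flag it. This C snippet walks a PE section table (field offsets as in the PE/COFF spec, the IMAGE_SCN_* constants equal to the Windows SDK values) and reports sections that are both executable and writable; build_sample_pe is my helper that constructs a minimal headers-only image for the demonstration, so nothing here is a real binary, and the code avoids windows.h so it compiles anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section characteristic bits, same values as winnt.h */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Count sections whose characteristics include both MEM_EXECUTE and
   MEM_WRITE; copies up to max_names NUL-terminated section names into names.
   Returns -1 when the buffer is not a well-formed PE image (every offset is
   bounds-checked against len before it is read). */
int find_wx_sections(const uint8_t *img, size_t len, char names[][9], int max_names)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                      /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = img + pe + 4;                    /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2);                        /* NumberOfSections */
    uint16_t opt_size = rd16(fh + 16);                   /* SizeOfOptionalHeader */
    size_t sec = pe + 24 + opt_size;                     /* first IMAGE_SECTION_HEADER */
    int found = 0;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;
        uint32_t ch = rd32(img + sec + 36);              /* Characteristics */
        if ((ch & IMAGE_SCN_MEM_EXECUTE) && (ch & IMAGE_SCN_MEM_WRITE)) {
            if (found < max_names) { memcpy(names[found], img + sec, 8); names[found][8] = '\0'; }
            found++;
        }
    }
    return found;
}

/* Constructed minimal PE32 skeleton (headers only, no code) with a .text
   section whose characteristics are supplied by the caller and a normal
   .data section. Built for this example; not a real binary. Returns the
   image length, or 0 if cap is too small. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t text_flags)
{
    const size_t pe = 0x40, opt = 0xE0;                  /* PE32 optional header size */
    const size_t sec = pe + 24 + opt;
    const size_t total = sec + 2 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x014C);                          /* Machine = i386 */
    wr16(buf + pe + 6, 2);                               /* NumberOfSections */
    wr16(buf + pe + 20, (uint16_t)opt);                  /* SizeOfOptionalHeader */
    wr16(buf + pe + 24, 0x010B);                         /* PE32 magic; rest left zero */
    memcpy(buf + sec, ".text", 5);
    wr32(buf + sec + 36, text_flags);
    memcpy(buf + sec + 40, ".data", 5);
    wr32(buf + sec + 40 + 36, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    return total;
}

int main(void)
{
    uint8_t img[512];
    char names[4][9];
    size_t n = build_sample_pe(img, sizeof img,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    int hits = find_wx_sections(img, n, names, 4);
    for (int i = 0; i < hits && i < 4; i++) printf("W+X section: %s\n", names[i]);
    return 0;
}
```

The same check applied to a normally linked image (.text marked code/execute/read only) reports nothing, which is why a self-patching build like the one in this thread stands out to static scanners; the runtime alternative mentioned above, changing protection with VirtualProtect/VirtualProtectEx, leaves the on-disk headers untouched and is instead visible to API-level monitoring.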
atom0s Posted October 28, 2010
"What is the point in writing Asm code in C++? Just use one of the many Assemblers out there! Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here.. BoB"
Nope. Naked functions are fully up to the user to handle everything. You completely strip prologue and epilogue code using naked.