Writing "portable" code

[deepzero]

Hey,

I was analyzing an interesting piece of malware, where code, data & IAT where all mixed together in one section.

IE, text string and dwords with imported addresses where pasted just in the middle of the code:

Note how the "call 40100d" calls past the OpenProcess-DWORD, effectively pushing the address to that DOWRD to the stack.

So after the "Pop eax", eax contains a pointer to the address of OpenProcess...and can be called via "call dword [eax]".

Which is exactly what happens.

This is part of the runtime importing, again the calls call past a text string, pushing a pointer to the string to the stack.

Later this is used to build the import table.

The big advantage of this is, that the malware can now simply copy&paste the code into other processes and files.

How can i write portable code like this in C++?

deep0

Edited October 26, 2010 by CodeRipper

[What]

Generally, in C++, you don't. The general way under a compiler is to use inline asm and emit under a naked function. I suppose you can set up macros to make it more C like if you prefer. During certain situations writing code with a lot of 'goto' and '__emit' could work, but it is unreliable do to optimization by the compiler.

Edited October 26, 2010 by What

[deepzero]

The general way under a compiler is to use inline asm and emit under a naked function

Ok, that would explain the useless nops in the code...

SO i wrote a mini example function, which simply displays a messagebox - title: "3", content: "3":

int main(){
DWORD msg = (DWORD)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
DWORD port = (DWORD)&portable;__asm{
mov eax,port
add eax,17
mov ebx,msg
mov dword ptr[eax],ebx
}
}void portable (){
	__asm{
		call getcur
getcur:
		pop eax
		add eax,8
		mov ebx,eax
		jmp reser
		nop
		nop
		nop
		nop
reser:
		push 0
		call str1
		__asm _emit 0x33
		__asm _emit 0x00
str1:
		call str2
		__asm _emit 0x33
		__asm _emit 0x00
str2:
		push 0
		call dword ptr[ebx]
	}
}

It doest work, because the code section (.text) in MSVS08, is not writable.

The code works, though, if i modify the access rights in olly on runtime.

Is this what you meant?

And do you happen to know how i can force the code section`s characteristics to writable at compile time?

thanks for your reply,

deep0

[BoB]

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

[Aguila]

look here: http://msdn.microsoft.com/en-us/library/50bewfwa%28VS.80%29.aspx

and use this: http://msdn.microsoft.com/en-us/library/h5w10wxs%28v=VS.80%29.aspx

[What]

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

This is true. You can only modify the eax, ecx, and edx registers without worry. You have to save the others by some means. And k11 gave the rest of the links. I'm not sure why you would call the code through your own app though. I guess for testing purposes? You only need to worry about the protection where you inject the code (VirtualProtectEx).

[atom0s]

What is the point in writing Asm code in C++? Just use one of the many Assemblers out there!

Anyway, does C++ automatically save the registers in Asm blocks? Cos I don't see you using PushAD or anything here..

BoB

Nope. Naked functions are fully upto the user to handle everything. You completely strip prologue and epilogue code using naked.