Window without Imports

thomasantony · April 07, 2005, 04:14:03 PM

Hi,
This attached program displays a simple window without using an import table. The addresses are resolved at runtime and I have used a special GetProcAddress type function to get the addresses. There are two programs. One which imports by ordinal and another the imports by name. The ordinal one will probably work only on Win98SE. Plz test the other program. I have seen many NoImport programs. Most are very complex or fail to work. So are incomplete. The GetProcAddress clone made by me is smaller(I think) than the one made by Petroizki. It doesn't check for ForwarderChain and other crap and also the hint numbers.

[EDIT] Uploaded new version with one import table call(ExitProcess, so that the program works on NT-based Oses
Thomas

[attachment deleted by admin]

Faiseur · April 07, 2005, 04:38:29 PM

Hi thomasantony,

sorry, in Windows XP (SP1) and Windows 98ME the 2 examples do not function.

pbrennick · April 07, 2005, 05:25:13 PM

Thomas,

It does not work in Windows XP (SP2), either.

Paul

Vortex · April 07, 2005, 05:52:39 PM

Hi Thomas,

I tried both of them on Win Xp Sp2 , they crashed. Your executables should import at least one fuction.

The Dude of Dudes · April 07, 2005, 11:48:59 PM

Hi Thomas,

It crashes because kernel32.dll is not in the process' address space. Since LoadLibrary is a Kernel32 function, the only way (I know of) to load Kernel32 is by using an import table. I don't know about win98 memory management, so maybe Kernel32 is a public dll on that OS. In XP a process can't 'see' dll's loaded into other process' address space.

thomasantony · April 08, 2005, 06:31:55 AM

Hi,
I will add an exitprocess call and see. BTW What is the first element of stack at the beginning of a program in NT based Oses?

Thomas

Jibz · April 08, 2005, 08:36:48 AM

Win2K silently ignores executables without imports. The quick test is (fasm style):

Code Select

format PE GUI 4.0
xor eax, eax
mov [eax], edx

which does nothing on Win2K. Once you add a single import, you get the expected memory access violation dialog.

thomasantony · April 08, 2005, 10:30:50 AM

Hi,
See the new version in the first post

Thomas :U

Faiseur · April 08, 2005, 01:56:36 PM

Hi,

It does not work with Windows 98ME, Windows 2000 and Windows XP sp1

thomasantony · April 08, 2005, 03:02:31 PM

Hmm.
Whats wrong. :( It works well on my Win98SE. TOo bad I don't have WinXP anymore. Can someone run it in Ollydbg or something and tell me where it is not working.

Thomas :tdown

wizzra · April 08, 2005, 04:54:47 PM

Code Select


00401239  |. 8BEC           MOV EBP,ESP
0040123B  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0040123E  |. 83C0 04        ADD EAX,4
00401241  |> 83E8 04        /SUB EAX,4
00401244  |. 8138 50450000  |CMP DWORD PTR DS:[EAX],4550
0040124A  |.^75 F5          \JNZ SHORT NoImpWin.00401241

CMP DWORD PTR DS:[EAX],4550 gives:
DS:[77E5FFFE]=???

at your code it is:

Code Select


InitAPI proc pKernel:DWORD
	mov eax,pKernel			; get the return address of program
	add eax,4				; search for 'PE'
@@:	sub eax,4
	cmp dword ptr[eax],00004550h	; Check for 'PE' <--- here

Vortex · April 08, 2005, 04:59:08 PM

Hi Thomas,

Not to disencourage you but no result with the new attachment.

pbrennick · April 08, 2005, 05:56:48 PM

Thomas,
It looks like your search for 'PE' is failing because DS is improperly initialized (according to ollydbg), you might want to check this, although there may still be import table issues. It would be good to, at least, rule out this problem first.

Paul

roticv · April 09, 2005, 02:54:14 AM

Hello Thomas,

The problem with your code is that it fails to find "PE" in the address. Yes, [esp] at the start of the code contain an address in the kernel32.dll, but it just fails to find. I think it is because you are searching by dword.

ie

Code Select


@@:
sub eax, 4
cmp dword ptr[eax], 'EP"

I would recommend you to use the following code:

Code Select


	assume	fs:nothing
	mov		eax,fs:[30h]
	mov		edx,0B8h
	mov		ecx,[eax+30h]
	test	eax,eax
	jns		KI_1
	mov		ebx,[eax+34h]
	or		ecx,ecx
	jnz		KI_2
KI_1:
	mov		eax,[eax+0Ch]
	sub		edx,0B0h
	mov		eax,[eax+1Ch]
	mov		ebx,[eax]
KI_2:
	mov		eax,[ebx+edx] ; eax=kernel32 base

thomasantony · April 09, 2005, 04:12:20 AM

Hi,
I will try that. But I can't under stand what u are doing with that code. fs holds something to do with SEH right? Can you explain what you are doing there?. As with my program. kernel32.dll HAS to have the chars PE somewhere right, cuz it is also a PE DLL

Thomas :(

News:

Window without Imports

pbrennick

The Dude of Dudes

Jibz

wizzra

pbrennick

roticv