Macro szCmp help !

[theunknownguy]

Hey all, i got a little question is macro able to compare 2 strings? (i think yes)

Been searching and the most close i get its INSTR macro.

Also i check hutch $case implementation and i got a curiosity in this:

Code Select Expand


;; --------------------------------
        ;; Start a new .IF block and update the state global.
        .IF FUNC(szCmp, $test_val$, chr$(quoted_text)) != 0

FUNC(szCmp) means that will be done by preprocessor?

I want to make this:

_Invoke <GetModuleHandle>

Making _Invoke macros search for GetModuleHandle string into a buffer and returns me the address (of the string) so i can do other calculations, is this possible in preprocessor?

Thanks.

[qWord]

Macros are expand while assembling the code. They help you to create code, but they did not exist at runtime. If you want to compare a string at runtime, use the szcmp function from the masmlib or write your own peach of code.

[theunknownguy]

Macros are expand while assembling the code. They help you to create code, but they did not exist at runtime. If you want to compare a string at runtime, use the szcmp function from the masmlib or write your own peach of code.

Yes, but isnt possible then to compare 2 strings by macros?

[qWord]

yes, using IFIDN
e.g.:

Code Select Expand

; returns 1, if strings are equal
cmplit macro lit1,lit2
IFIDN <lit1>,<lit2>   ; strings are equal ?
EXITM <1>
ELSE
EXITM <0>
ENDIF
endm

[theunknownguy]

yes, using IFIDN
e.g.:

Code Select Expand

; returns 1, if strings are equal
cmplit macro lit1,lit2
IFIDN <lit1>,<lit2>   ; strings are equal ?
EXITM <1>
ELSE
EXITM <0>
ENDIF
endm

I tryed this but i use 1 literal string that want to compare agaisnt an already defined string in .Data section example:

Code Select Expand

.Data
   Test DB "Hello", 0

_Invoke <Hello>

I dont want to use any runtime for make the cmp, is possible?

PS: The original idea involves a list of define strings:

Code Select Expand

.Data
   Test DB "Hello", 0, 0
          DB "Hello2", 0

_Invoke <Hello>

All stings aligned just in case. Also if the string is found i need to know the address of where it was found so i can do some other calculations.

[qWord]

you cant read data that has once written to the data section (using db, dw, dd ...). Could you more detailed descripe what are you tyring to do?

[theunknownguy]

you cant read data that has once written to the data section (using db, dw, dd ...). Could your more detailed descripe what are you tyring to do?

I got several procedures that are mapped in memory from a file (relocs fixed) i name those procedures by an algorithm and set them into a struct.

Code Select Expand

MappedProcs Struct
   pProcAddr:Dword
   pProcSize:Dword    ;JUST FOR INFO
MappedProcs EndS

.Data?
  pMappedProcs DB 3*SizeOf MappedProcs Dup(?)

.Data

ProcList  DB "Test1", 0, 1
          DB  "Test2", 0, 2
          DB "Test3", 0, 3

.Code

_Invoke <Test1>, 1, 5, 7

So in the macros i should compare literal Test1 with one of the ProcList and if founded then return me the address so i can read the next byte after the end of string and make:

Code Select Expand


_Invoke Macro String:REQ, ARGS:VARARG
   LOCAL X, Y
;COMPARE STRING WITH PROCLIST
;RETURN FOUNDED STRING ADDRESS ON X LOCAL
X = X+1
Y = [X]*SizeOf MappedProcs + Offset pMappedProcs
InvokeThis Y, ARGS
EndM

I got a macros for emulate the invoke (InvokeThis). But the problem is i want to calculate the address of my procedure mapped without using runtime. I thought by comparing strings + indexed byte of struct i could do it.

Problem is i dont know how compare 1 literal agaisnt memory with macros.

PS: I use the string list since i want to threat them the most "flexible possible" i dont want to use the index order of each procedure for invoke like this:

Code Select Expand

mov eax, Index
imul eax, eax, SizeOf MappedProcs
add eax,  pMappedProcs
InvokeThis [eax], 1, 2, 3

[qWord]

yes, it may be possible, but is there an special reason not using a normal DLL or lib?

[theunknownguy]

yes, it may be possible, but is there an special reason not using a normal DLL?

I got a security company and i am researching this idea i have in my mind.

So i want to develop this idea in the most "flexible way" in source code and spend has less runtime possible.

But my interest over macros was never the best, now i can see i was wrong  :(

But the idea is possible isnt? i just need the literal cmp agaisnt memory and get the addr of founded string in list.

PS: About the file is not a DLL or a lib, its kind of a mix of things, so we do kind of a "Just in time compilator" and map the procedures in our soft

[qWord]

i just need the literal cmp agaisnt memory and get the addr of founded string in list.

well as said, memory access isn't possible.
However, if you declare the ProcList as text macros and constants, it is possible to find the right function.
This only assumes, that the load order of your procs are the same as the order of declaring the proc list.
Give some minutes to show what I've meant.

[theunknownguy]

i just need the literal cmp agaisnt memory and get the addr of founded string in list.

well as said, memory access isn't possible.
However, if you declare the ProcList as text macros and constants, it is possible to find the right function.
This only assumes, that the load order of your procs are the same as the order of declaring the proc list.
Give some minutes to show what I've meant.

Thanks so much, has i say i am NULL macros knowledge

Code Select Expand

This only assumes, that the load order of your procs are the same as the order of declaring the proc list.

You read my mind, at first we try to make a sort of "random load" for procedure mapped order, but finally found that is no possible to use any approach for "flexible" code witht his idea...

[qWord]

just one short question: why not simply declaring function pointer, which can be used with invoke?

[theunknownguy]

just one short question: why not simply declaring function pointer, which can be used with invoke?

We use virtual memory alloc for map the procs, so we will have to set them into a pointer list and call them in a non flexible way.
(We threat this procs has APIs and we use them many time)

So remembering the pointer list order without a name its not so much fun or practical to do.

At least with string like <MyTestProc> we can remember them, the order and do much practical. (If its fully without runtime)

[qWord]

you can declare function pointers with names:

Code Select Expand


.data
;pr0 is defined in windows.inc as an stdcall function with zero parameters.
; typedef function pointer
PFNC0 typedef ptr pr0
...
;decleare the function pointers
MyFunction1 PFNC0 ?
MyFunction2 PFNC0 ?
...
invoke MyFunction1

[theunknownguy]

you can declare function pointers with names:

Code Select Expand


.data
;pr0 is defined in windows.inc as an stdcall function with zero parameters.
; typedef function pointer
PFNC0 typedef ptr pr0
...
;decleare the function pointers
MyFunction1 PFNC0 ?
MyFunction2 PFNC0 ?
...

Would have to set the VirtualAlloc addr returned of maped space inside of those pointers and do some kind of:

Code Select Expand


mov eax, MyFuction1
call [eax]

Or

InvokeThis MyFuction1 (and make the macros do inside the trick)

Also each pointer holder is not dinamical, meaning if they know the address will go direct to it (attackers).
If we allocate the struct for hold the pointers that are already done by VirtualAlloc then each time soft is opened they will change (at least in theory)

Seems like a pain in the ass to do, but its the price of the idea.