Instruction chunk analyze

Started by Wheet, August 02, 2005, 04:32:05 PM


Wheet

I am working on a project where I need to store the first 8 bytes of a procedure into memory, but if the first 8 bytes were to cut off part of an instruction I would need to store the whole final instruction.

I would like to know what the best way to analyze the machine code at the procedure would be to make sure I am not cutting off part of an instruction, so I may store the rest of the instruction if needed.  :U

~ Steve

Jimg

Hey!  That would be a nifty way to make a virus!

Randall Hyde

Quote from: Wheet on August 02, 2005, 04:32:05 PM
I am working on a project where I need to store the first 8 bytes of a procedure into memory, but if the first 8 bytes were to cut off part of an instruction I would need to store the whole final instruction.

I would like to know what the best way to analyze the machine code at the procedure would be to make sure I am not cutting off part of an instruction, so I may store the rest of the instruction if needed.  :U

~ Steve

Grab a copy of Olef's "disassembler engine" that he used to write OllyDbg. One thing the disassembler engine has to do is compute the length of an instruction (so it knows where the next instruction begins, for example).
Look here:
http://www.ollydbg.de/

Cheers,
Randy Hyde

Mark Jones

"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

Wheet

You have got to be l33t to use the smilies as well as I do.  :dazzled: :dazzled: :dazzled: :dazzled: :dazzled:


I am not making a virus, but a security program to hook APIs. It would also be a good way to make a virus, though.

Wheet

Originally my idea was to make an array map table of each byte possibility for an opcode, where the value would be the size,

i.e.

                  ;  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    dbbytesize db    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  ; opcodes 00h-0Fh
               db    0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  ; opcodes 10h-1Fh
               db    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  ; opcodes 20h-2Fh

etc...

Then with byte ptr [dbbytesize+opcode] the value would be the size of the opcode. This was cool until I encountered a mnemonic with the same hex value opcode and a different byte length (damn x86!  :boohoo:). Then I decided to make a register table to try and check the length of the instruction's src and/or dest in bytes. It turned into a mess and I decided to see if there was any easier way to go about it. The 'disassemblers' I am finding seem to be long and bulky, also in C  :naughty:! I will see what I can get out of this Olly source though, thanks Randall; z0mbie also had a good disassembler engine source.

~ Steve

PBrennick

hmmmm, security program...  I wonder if I have ever heard any claim like that before?  I, for one, will go on record as saying you will get no help from me.

Paul
The GeneSys Project is available from:
The Repository or My crappy website

Wheet

Actually, I am trying to create a program to keep records of processes/components/process size and deny unknown processes access to certain APIs unless granted by the user. It would be a good defence against spyware or a virus you're trying to unpack and accidentally run. Not everything has to be a virus, but you may jump to all the conclusions you would like...  Most 'cleaner' methods of API hooking seem to involve the IAT and may lack flexibility under certain conditions.

~ Steve

hutch--

Wheet,

Exercise a little caution here, we support low level coding but nothing that even looks vaguely like viral/trojan coding will see the light of day here. Security based programming is a viable activity but it will not be used as an inverse vehicle for illegal coding.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

QvasiModo

Quote from: Wheet on August 03, 2005, 02:03:57 AM
Actually, I am trying to create a program to keep records of processes/components/process size and deny unknown processes access to certain APIs unless granted by the user. It would be a good defence against spyware or a virus you're trying to unpack and accidentally run. Not everything has to be a virus, but you may jump to all the conclusions you would like...  Most 'cleaner' methods of API hooking seem to involve the IAT and may lack flexibility under certain conditions.

~ Steve

I think you could accomplish this with a system service. That would be a cleaner approach, and poses no legal problems at all.

Wheet

I will look into that, I don't have a whole lot of knowledge on system services and what influence they have over other applications so it hadn't even crossed my mind.

Wheet

I haven't been able to find too much on service programming in regards to access to certain system calls. If anyone has links to any documents or anything that could help me out in this regard it would be appreciated. Thanks.

~ Steve

PBrennick

Wheet,
I think people may be able to help you if you tell them what 'certain system calls' you are interested in hooking.
Paul
The GeneSys Project is available from:
The Repository or My crappy website

sluggy

Wheet,
I will give you a clue about this, because there are some uses for this, and because you are asking a question that I have been meaning to research for some time. What you are trying to do has a name: trampolining. This name was given to it by an intern who did some work for Microsoft Research and then published the techniques. Check out the Detours project. I see the author has released a new version since I last surfed there.

That's all the help you get from me for now. That should keep you busy for some time  :P  If you look through the Detours source and see what method is used to determine the length of instructions, then be nice and post back here explaining the method used; that saves me (and possibly others) from having to do the same research over again.

But before i finish, let me reiterate what hutch and Paul have already said: be very careful what you do with this knowledge. We abhor anyone who makes malware, especially if they try to gain some of that knowledge here. </friendly warning>
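Added example, not code from this thread, from Detours or from the OllyDbg engine: a small instruction-length decoder for 32-bit x86 in C, written to show the point Randall's and sluggy's replies make (a hook engine needs a length disassembler) and to fix the problem Wheet hit with his size table. The table below keeps Wheet's idea of one entry per opcode byte, but an entry records the shape of what follows the opcode (ModRM? imm8? imm32? EIP-relative?) instead of a fixed length; the variable ModRM/SIB/displacement part is then computed from the bytes. That is exactly what resolves "same opcode, different length": F6/F7 take an immediate only for the TEST sub-opcode, and every ModRM instruction has several lengths. Everything here (the names x86_insn_len, modrm_size, trampoline_len, the flag names, and the k_* sample byte strings) is my own and assumed; the sample bytes are constructed, not taken from any real binary. Opcodes outside the one-byte map and the listed 0F subset return 0 so the caller refuses to hook rather than guessing.

```c
#include <stddef.h>
#include <stdint.h>

/* Opcode-shape flags: an entry says what FOLLOWS the opcode byte (ModRM, immediate,
 * ...) rather than giving a fixed length, so one entry covers every ModRM form. */
enum { M = 1, I8 = 2, I16 = 4, IV = 8, A4 = 16, REL = 32, PFX = 64, BAD = 128,
       R8 = REL | I8, R32 = REL | IV, PTR = I16 | IV };   /* rel8, rel32, ptr16:32 */

/* One-byte opcode map for 32-bit code. 0F = two-byte escape (handled in code);
 * 67h is refused because modrm_size() assumes 32-bit addressing. */
static const uint8_t op1[256] = {
/*       0    1    2    3    4    5    6    7    8    9    A    B    C    D    E    F */
/*0*/    M,   M,   M,   M,  I8,  IV,   0,   0,   M,   M,   M,   M,  I8,  IV,   0, BAD,
/*1*/    M,   M,   M,   M,  I8,  IV,   0,   0,   M,   M,   M,   M,  I8,  IV,   0,   0,
/*2*/    M,   M,   M,   M,  I8,  IV, PFX,   0,   M,   M,   M,   M,  I8,  IV, PFX,   0,
/*3*/    M,   M,   M,   M,  I8,  IV, PFX,   0,   M,   M,   M,   M,  I8,  IV, PFX,   0,
/*4*/    0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
/*5*/    0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
/*6*/    0,   0,   M,   M, PFX, PFX, PFX, BAD,  IV,M|IV,  I8,M|I8,   0,   0,   0,   0,
/*7*/   R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,  R8,
/*8*/ M|I8,M|IV,M|I8,M|I8,   M,   M,   M,   M,   M,   M,   M,   M,   M,   M,   M,   M,
/*9*/    0,   0,   0,   0,   0,   0,   0,   0,   0,   0, PTR,   0,   0,   0,   0,   0,
/*A*/   A4,  A4,  A4,  A4,   0,   0,   0,   0,  I8,  IV,   0,   0,   0,   0,   0,   0,
/*B*/   I8,  I8,  I8,  I8,  I8,  I8,  I8,  I8,  IV,  IV,  IV,  IV,  IV,  IV,  IV,  IV,
/*C*/ M|I8,M|I8, I16,   0,   M,   M,M|I8,M|IV,I16|I8, 0, I16,   0,   0,  I8,   0,   0,
/*D*/    M,   M,   M,   M,  I8,  I8,   0,   0,   M,   M,   M,   M,   M,   M,   M,   M,
/*E*/   R8,  R8,  R8,  R8,  I8,  I8,  I8,  I8, R32, R32, PTR,  R8,   0,   0,   0,   0,
/*F*/  PFX,   0, PFX, PFX,   0,   0,   M,   M,   0,   0,   0,   0,   0,   0,   M,   M,
};

/* ModRM byte plus any SIB byte and displacement (32-bit addressing); 0 if truncated. */
static size_t modrm_size(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return 1;                            /* register operand: no SIB/disp */
    if (rm == 4) {                                     /* SIB byte follows */
        if (avail < 2) return 0;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;       /* SIB with no base: disp32 */
        n++;
    } else if (mod == 0 && rm == 5) n += 4;            /* [disp32] */
    if (mod == 1) n += 1; else if (mod == 2) n += 4;   /* disp8 / disp32 */
    return n <= avail ? n : 0;
}

/* Length of the instruction at p, or 0 if it is truncated or uses an encoding not
 * covered here (refusing beats guessing). If rel is non-NULL it is set to 1 for
 * EIP-relative instructions (jmp/call/jcc/loop), which cannot simply be copied. */
size_t x86_insn_len(const uint8_t *p, size_t avail, int *rel)
{
    size_t i = 0, opsz = 4;                    /* operand size: 2 after a 66h prefix */
    uint8_t f = 0, op;
    if (rel) *rel = 0;
    for (;;) {                                 /* skip legacy prefixes */
        if (i >= avail) return 0;
        if (!((f = op1[p[i]]) & PFX)) break;
        if (p[i++] == 0x66) opsz = 2;
    }
    op = p[i++];
    if (op == 0x0F) {                          /* two-byte map: common subset only */
        if (i >= avail) return 0;
        uint8_t o = p[i++];
        if (o >= 0x80 && o <= 0x8F) f = R32;                             /* jcc rel32 */
        else if (o == 0x1F || (o >= 0x40 && o <= 0x4F) || (o >= 0x90 && o <= 0x9F) ||
                 o == 0xA3 || o == 0xAB || o == 0xAF || o == 0xB3 || o == 0xBB ||
                 o == 0xB6 || o == 0xB7 || o == 0xBE || o == 0xBF) f = M; /* nop r/m, cmovcc, setcc, bt*, imul, movzx/movsx */
        else if (o == 0xBA) f = M | I8;                                  /* bt* r/m, imm8 */
        else if (o == 0x05 || o == 0x31 || o == 0x34 || o == 0xA2) f = 0; /* syscall, rdtsc, sysenter, cpuid */
        else return 0;
    }
    if (f & BAD) return 0;
    if (f & M) {
        size_t n = modrm_size(p + i, avail - i);
        if (n == 0) return 0;
        /* Group 3 (F6/F7): only /0 and /1 (TEST) take an immediate, so the same opcode
         * byte has several lengths; this is why a fixed size per opcode cannot work. */
        if ((op == 0xF6 || op == 0xF7) && ((p[i] >> 3) & 7) < 2) f |= (op == 0xF6) ? I8 : IV;
        i += n;
    }
    if (f & I8)  i += 1;
    if (f & I16) i += 2;
    if (f & IV)  i += opsz;
    if (f & A4)  i += 4;                       /* mov al/eax <-> moffs32 */
    if (rel && (f & REL)) *rel = 1;
    return i <= avail ? i : 0;
}

/* Bytes to copy to a trampoline so that at least `need` bytes (5 for a jmp rel32
 * patch, 8 in the question above) are covered without splitting an instruction.
 * Returns 0 (refuse to hook) if the code cannot be decoded, runs past `avail`, or an
 * EIP-relative instruction falls in the range (it would have to be relocated). */
size_t trampoline_len(const uint8_t *code, size_t avail, size_t need)
{
    size_t off = 0, n;
    int rel;
    while (off < need) {
        if (!(n = x86_insn_len(code + off, avail - off, &rel)) || rel) return 0;
        off += n;
    }
    return off;
}

/* Constructed sample byte strings (assumed for this example, not from any real binary). */
const uint8_t k_prologue[]   = {0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x53, 0x56, 0x57};
const uint8_t k_call_early[] = {0x55, 0x8B,0xEC, 0xE8,0,0,0,0, 0x90};         /* call rel32 at +3 */
const uint8_t k_test_mem[]   = {0xF7,0x05, 0x78,0x56,0x34,0x12, 1,0,0,0};     /* test dword [abs],imm32 */
const uint8_t k_neg_eax[]    = {0xF7,0xD8};                                   /* same opcode byte, 2 bytes */
const uint8_t k_mov_sib[]    = {0x8B,0x44,0x24,0x04};                         /* mov eax,[esp+4] */
const uint8_t k_nop5[]       = {0x0F,0x1F,0x44,0x00,0x00};                    /* 5-byte nop */
```

With these samples, trampoline_len(k_prologue, ..., 8) returns 8 (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h end exactly on the 8-byte boundary), need 6 also returns 8 because the sub instruction straddles byte 6, and k_call_early returns 0 because a call rel32 sits inside the first 5 bytes. A production hook engine still has to do what this example deliberately leaves out: rewrite rel32 targets (and widen rel8 ones) when it copies them, refuse if a ret or another branch target lies inside the bytes it overwrites, and cover the rest of the 0F map and SSE encodings, which return 0 here.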