The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: anuradha on July 17, 2007, 06:26:49 AM

Title: Self modifying code
Post by: anuradha on July 17, 2007, 06:26:49 AM
Hi guys!

Can anyone tell me how to write self-modifying code?

Thanks :bg
Title: Re: Self modifying code
Post by: Draakie on July 17, 2007, 09:28:02 AM
Hi anuradha,

Self-modifying code is generally used for either
A) Virus or Trojan etc. creation
B) Runtime code obfuscation - anti-debugging methods

and rarely for:

Highly optimized code specific algorithmic implementations....

I think I saw some examples of the latter here on the board. In principle it boils down to the generic nature (opcode based) of
assembler instructions or their machine based opcode mnemonics thingies. :P

(I'm probably gonna get spanked for such a crappy answer)
Draakie :P
Title: Re: Self modifying code
Post by: TNick on July 17, 2007, 10:11:43 AM
Hello! Maybe, if you tell us why you need to write such code, we can provide proper help. Not to mention that, if you play for a while with Assembly, it will become obvious... :)

Nick
Title: Re: Self modifying code
Post by: anuradha on July 17, 2007, 01:54:26 PM
Hi
First, thank you all for the replies.

It has been 6 months since I started to learn assembly.
There are a lot of things that I don't know. The goal of this question is not to
do the above things but to get general knowledge. If I really need to do those things,
I know exactly where to ask. Anyway, it is a bad idea to put such a question after all.

Anyway, once again, thank you all for the replies. :boohoo:
Title: Re: Self modifying code
Post by: Jimg on July 17, 2007, 01:59:21 PM
Don't let these guys scare you off.  It's a valid technique and lots of fun.  See this link http://www.masm32.com/board/index.php?topic=2785.0
Title: Re: Self modifying code
Post by: Draakie on July 18, 2007, 05:08:42 AM
Hi Jimg,   ::) wasn't trying to scare anyone. TNick and I were merely trying to find out the WHAT, WHERE, & HOW....

Did I not mention that it can & is used, but rarely, for valid pursuits?
Even so, Polymorphic code should however be used carefully IMHO - and is not for the novice - and as you
mentioned is quite a lot of "FUN" - especially when it goes wrong. :bdg

Thanks for the link though  :green

(I imagine I also mentioned that there were examples here someplace - was hinting at the SEARCH function - and
obviously missed the mark (spank).........)
Title: Re: Self modifying code
Post by: TNick on July 18, 2007, 06:47:37 AM
Quote from: Draakie on July 18, 2007, 05:08:42 AM
Thanks for the link though  :green
:bdg

Yep, didn't want to scare anyone. Just want to point out that you need a certain stack of knowledge to do this. And, when you have that knowledge, it will become obvious (some methods, at least). After all, there are just 0's and 1's, some memory and some instructions.   :toothy
So, what's the logical step, then?! :green2

Regards,
Nick
Title: Re: Self modifying code
Post by: hutch-- on July 18, 2007, 07:34:32 AM
Just a note on this topic, Sluggy's comment on the topic that Jim has posted is still a valid one here. Keep the questions and data on topic and legal or see it disappear faster than Halley's comet.
Title: Re: Self modifying code
Post by: evlncrn8 on July 18, 2007, 08:28:05 AM
Halley's comet returns every 75/76 years though :)
Title: Re: Self modifying code
Post by: hutch-- on July 18, 2007, 09:08:54 AM
Does it mean that the person who made the offending posting will hold their breath for 75 years ?  :bg
Title: Re: Self modifying code
Post by: evlncrn8 on July 18, 2007, 11:07:46 AM
Naw, I think you'd ban them before that, wouldn't you?  :bdg
Title: Re: Self modifying code
Post by: hutch-- on July 18, 2007, 12:32:04 PM
Not if they really and truly held their breath.  :bg
Title: Re: Self modifying code
Post by: P1 on July 18, 2007, 01:18:42 PM
Vista has made improvements against SMC.

So it's going to be very limited as a current usable coding technique.

Regards,  P1   :8)
Title: Re: Self modifying code
Post by: Jimg on July 18, 2007, 02:11:17 PM
I've always felt that the difference between a computer and a glorified calculator is the ability to change its own code.  But I have no doubt that Microsoft would prefer that everyone just have MS calculators rather than real computers.
Title: Re: Self modifying code
Post by: anunitu on July 18, 2007, 03:56:21 PM
I remember this was common in 6502 asm coding. I saw it a lot on the Commodore 64, mostly because of lack of memory. With 64k, you had to find a way to tighten your code. Even in early PC coding, memory was tight.


Anunitu
Title: Re: Self modifying code
Post by: lingo on July 18, 2007, 04:57:52 PM
Quote
Vista has made improvements against SMC.
So it's going to be very limited as a current usable coding technique.

Would you be so kind to explain more?
Have you some small example?  :wink
Title: Re: Self modifying code
Post by: hutch-- on July 19, 2007, 12:04:40 AM
DEP.
Title: Re: Self modifying code
Post by: lingo on July 19, 2007, 01:44:59 AM
DEP was introduced in Windows XP Service Pack 2 and is included in  Windows Server 2003 Service Pack 1 and Windows Vista, hence it is before Vista... :wink
Title: Re: Self modifying code
Post by: hutch-- on July 19, 2007, 02:08:35 AM
We all know that but the front line of anti-smf is DEP and that is certainly available in Vista.
Title: Re: Self modifying code
Post by: Tedd on July 19, 2007, 12:19:09 PM
DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section.
However, the code section shouldn't have write access - thus stopping you from modifying the code within (without modifying the access first). Whether or not this is the default windows case is down to the policy of a particular version; but the reason these problems exist is down to a bad first decision (e.g. including execute access in the data section by default, just in case) and then sticking with it purely for compatibility reasons.
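
An added example, not part of the original thread: the two properties Tedd distinguishes (whether data pages may execute, and whether the code section is writable) are both recorded in a PE file's headers, so they can be audited statically. The function names and both sample images below are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

def audit_pe(image: bytes) -> dict:
    """Report DEP opt-in and any section mapped both writable and executable."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off, = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars, = struct.unpack_from("<H", image, opt + 70)
    wx = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                    # 40-byte section header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        flags, = struct.unpack_from("<I", image, hdr + 36)
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx.append(name)
    return {"nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "writable_executable": wx}

def build_sample(dll_chars: int, sections: list) -> bytes:
    """Constructed header-only PE32 image (not a real program) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a conventional layout, and one whose .text is also writable.
CODE, DATA = 0x60000020, 0xC0000040   # code: read+execute; data: read+write
SAFE = build_sample(0x0100, [(b".text", CODE), (b".data", DATA)])
RISKY = build_sample(0x0000, [(b".text", CODE | IMAGE_SCN_MEM_WRITE), (b".data", DATA)])

if __name__ == "__main__":
    for label, img in (("safe", SAFE), ("risky", RISKY)):
        print(label, audit_pe(img))
```

A section listed under `writable_executable` can be patched in place without any VirtualProtect call, and a cleared `nx_compat` flag means the image has not opted in to DEP.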
Title: Re: Self modifying code
Post by: lingo on July 19, 2007, 04:07:05 PM
Quote
"DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section"
That's correct but my question was about new
"improvements against SMC" in Vista.
DEP is old and IMHO, unusual stuff in the struggle against SMC...
Working Example (tested under my Vista Ultimate):

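.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szStack        db  "Stack",0
OldProtect     dd  0

.code
Start:
    mov    ebx, offset L2
    mov    esi, offset L1
    sub    ebx, esi            ; ebx = size of the L1..L2 code block
    push   0                   ; argument for ExitProcess
    mov    ecx, ebx
    sub    esp, ebx            ; reserve room for the block on the stack
    mov    edi, esp
@@:
    movsb                      ; copy the block to the stack byte by byte
    loop   @b
    mov    eax, esp
    ; lpflOldProtect must be a pointer, so pass addr OldProtect, not its value
    invoke VirtualProtect, eax, ebx, PAGE_EXECUTE_READWRITE, addr OldProtect
    mov    eax, offset MessageBox   ; the copied block calls through eax
    mov    ecx, esp
    call   ecx                 ; run the copy that now lives on the stack
    mov    eax, esp
    ; restore the original page protection
    invoke VirtualProtect, eax, ebx, OldProtect, addr OldProtect
    add    esp, ebx
    call   ExitProcess
L1:                            ; block that gets copied and executed
    push    0
    push    0
    push    offset szStack
    push    0
    call    eax                ; eax = MessageBox
    ret
    nop                        ; padding so the block is 16 bytes long
    nop
L2:
End   Start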

For me it is easier to assume that still no one can answer my question rather than to argue with someone over stupid things... :lol

Regards,
Lingo
Title: Re: Self modifying code
Post by: P1 on July 19, 2007, 11:03:38 PM
Quote from: lingo on July 18, 2007, 04:57:52 PM
Would you be so kind to explain more?
Have you some small example?  :wink
No sample as of yet.  But I have done it for pieces of my code.  A hassle just to get some executable security for happy-go-lucky users who will click on anything that tickles their fancy off the internet.  In the end, better than being hacked.

There will be managed code, i.e. security signed code, with a local or network certificate.  It will run normal on a local computer or one attached to an AD domain with certificate server running.  ( AD = Active Directory )  Even Java and VBS can be signed now.

Any normal 32bit MASM code can be signed, then counted as managed code.  But once signed it is not modifiable.  Think DRM for executables as well.  Once in memory, the code section is locked and will throw a GPF if the code section is modified.

I am a network engineer, who now has the option to limit any workstation on our network to run ONLY managed code, which in theory will prevent any unmanaged code from running.  With options to run selected security certificates.  And to deny all local self certified certificates from Group Policy.

In the end, a new wave of secured bloated software.

Regards,  P1   :8)