Hi guys!
Can anyone tell me how to write self-modifying code????
Thanks :bg
Hi anuradha,
Self-modifying code is generally used for either
A) Virus or Trojan etc. creation
B) Run-time code obfuscation - anti-debugging methods
and rarely for :
Highly optimized code-specific algorithmic implementations....
I think I saw some examples of the latter here on the board. In principle it boils down to the generic nature (opcode based) of
assembler instructions or their machine-based opcode mnemonics thingies. :P
(I'm probably gonna get spanked for such a crappy answer)
Draakie :P
Hello! Maybe, if you tell us why you need to write such code, we can provide proper help. Not to mention that, if you play for a while with Assembly, it will become obvious... :)
Nick
Hi
First thank you all for the replies
It has been 6 months since I started to learn assembly.
There are a lot of things that I don't know. The goal of this question is not to
do the above things but to get general knowledge. If I really need to do those things
I know exactly where to ask. Anyway, it is a bad idea to put such a question after all.
Anyway, once again thank you all for the replies. :boohoo:
Don't let these guys scare you off. It's a valid technique and lots of fun. See this link http://www.masm32.com/board/index.php?topic=2785.0
Hi Jimg, ::) wasn't trying to scare anyone. TNick and I were merely trying to find out the WHAT, WHERE, & HOW....
Did I not mention that it can & is used, but rarely, for valid pursuits?
Even so, polymorphic code should be used carefully IMHO - and is not for the novice - and as you
mentioned is quite a lot of "FUN" - especially when it goes wrong. :bdg
Thanks for the link though :green
(I imagine I also mentioned that there were examples here someplace - was hinting at the SEARCH function - and
obviously missed the mark (spank).........)
Quote from: Draakie on July 18, 2007, 05:08:42 AM
Thanks for the link though :green
:bdg
Yap, didn't want to scare anyone. Just wanted to point out that you need a certain stack of knowledge to do this. And, when you have that knowledge, it will become obvious (some methods, at least). After all, there are just 0's and 1's, some memory and some instructions. :toothy
So, what's the logical step, then?! :green2
Regards,
Nick
Just a note on this topic, Sluggy's comment on the topic that Jim has posted is still a valid one here. Keep the questions and data on topic and legal or see it disappear faster than Halley's comet.
Halley's comet returns every 75/76 years though :)
Does it mean that the person who made the offending posting will hold their breath for 75 years ? :bg
naw, i think you'd ban them before that, wouldn't you? :bdg
Not if they really and truly held their breath. :bg
Vista has made improvements against SMC.
So it's going to be very limited as a current usable coding technique.
Regards, P1 :8)
I've always felt that the difference between a computer and a glorified calculator is the ability to change its own code. But I have no doubt that Microsoft would prefer that everyone just have MS calculators rather than real computers.
I remember this was common in 6502 asm coding, I saw it a lot on the Commodore 64, mostly because of lack of memory. With 64k, you had to find a way to tighten your code. Even in early PC coding memory was tight.
Anunitu
Quote:
Vista has made improvements against SMC.
So it's going to be very limited as a current usable coding technique.
Would you be so kind to explain more?
Have you some small example? :wink
DEP.
DEP was introduced in Windows XP Service Pack 2 and is included in Windows Server 2003 Service Pack 1 and Windows Vista, hence it is before Vista... :wink
We all know that but the front line of anti-SMC is DEP and that is certainly available in Vista.
DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section.
However, the code section shouldn't have write access - thus stopping you from modifying the code within (without modifying the access first). Whether or not this is the default windows case is down to the policy of a particular version; but the reason these problems exist is down to a bad first decision (e.g. including execute access in the data section by default, just in case) and then sticking with it purely for compatibility reasons.
Quote:
"DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section"
That's correct but my question was about new
"improvements against SMC" in Vista.
DEP is old and IMHO, unusual stuff in the struggle against SMC...
Working Example (tested under my Vista Ultimate):
include \masm32\include\masm32rt.inc ; assumed MASM32 prelude (not in the original post): .386, flat model, kernel32/user32 includes

.data
szStack db "Stack",0
OldProtect dd 0

.code
Start:
mov ebx, offset L2
mov esi, offset L1
sub ebx, esi ; ebx = size of the code between L1 and L2
push 0 ; exit code for ExitProcess, pushed now so it ends up below the copied code
mov ecx, ebx
sub esp, ebx ; reserve room on the stack for the copy
mov edi, esp
@@:
movsb ; copy L1..L2 byte by byte onto the stack (direction flag is clear by default)
loop @b
mov eax, esp
invoke VirtualProtect, eax, ebx, PAGE_EXECUTE_READWRITE, OldProtect ; make the stack page executable; with DEP on, the call below would fault otherwise
mov eax, offset MessageBox ; the copied code uses eax as its call target
mov ecx, esp
call ecx ; run the copied code from the stack
mov eax, esp
invoke VirtualProtect, eax, ebx, OldProtect, OldProtect ; restore the original page protection
add esp, ebx ; release the copy; the 0 pushed earlier is now on top of the stack
call ExitProcess
L1: ; start of the code that gets copied
push 0 ; uType
push 0 ; lpCaption
push offset szStack ; lpText
push 0 ; hWnd
call eax ; MessageBox(0, "Stack", 0, 0)
ret ; back to the instruction after "call ecx"
nop
nop
L2: ; end of the copied code
End Start
For me it is easier to assume that still no one can answer my question rather than to argue with someone over stupid things... :lol
Regards,
Lingo
Quote from: lingo on July 18, 2007, 04:57:52 PM
Would you be so kind to explain more?
Have you some small example? :wink
No sample as of yet. But I have done it for pieces of my code. A hassle just to get some executable security for happy-go-lucky users who will click on anything that tickles their fancy off the internet. In the end, better than being hacked.
There will be managed code, i.e. security-signed code, with a local or network certificate. It will run normally on a local computer or one attached to an AD domain with a certificate server running. ( AD = Active Directory ) Even Java and VBS can be signed now.
Any normal 32-bit MASM code can be signed, then counted as managed code. But once signed it is not modifiable. Think DRM for executables as well. Once in memory, the code section is locked and will throw a GPF if the code section is modified.
I am a network engineer, who now has the option to limit any workstation on our network to run ONLY managed code, which in theory will prevent any unmanaged code from running. With options to run selected security certificates. And to deny all local self-signed certificates from Group Policy.
In the end, a new wave of secured, bloated software.
Regards, P1 :8)