Hey all,
I have converted a small snippet of code from TASM to MASM, but the linker won't link all the API's, therefor, the application won't run. Here's what I have, tell me if am doing something wrong.
P.S: I get the following error:
LINK : warning LNK4089: all references to "kernel32.dll" discarded by /OPT:REF
LINK : warning LNK4089: all references to "user32.dll" discarded by /OPT:REF
.586
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
includelib kernel32.lib
includelib user32.lib
.data
Tls dd offset Tls1
dd offset Tls2
dd offset Tls3
dd offset TlsCallBack
dd 0
dd 0
Tls1 dd 0
Tls2 dd 0
Tls3 dd 0
TlsCallBack dd offset TLSproc
dd 0
dd 0
TLSproc proc
push 40h
push offset mTitle
push offset mText
push 0
call far ptr MessageBoxA
push 0
call far ptr ExitProcess
TLSproc endp
mText db "Nope, there is no code at entry point", 0
mTitle db "TLS", 0
.code
start:
ret
end start
I wrote the "far ptr" cause that's the only solution I found on the web that enables me to call functions from within the .data section, maybe I am mistaken?
Thanks in advance.
Regards,
halsten
The obvious is that you only have RET as your runtime code. Nothing is calling the two procedures and they are not within or called from between the "start" label and the "end start" directive.
However this is a technique often used by malware authors in order to "trick" AV analyzers.
Of course it does not trick AV analyzers anymore but the poor child has found some old TLS related Vx tutorials in TASM somewhere in a corner of the net and he is not capable enough to make them run in the "new" MASM world...
Unless the OP shows a decent purpose for his line of questioning (IMHO there is none) I suggest removing this thread.
@BogdanOntanu: No, I didn't find that in an old VX tutorial. The goal was that I use TASM, and I wanted to conert to MASM, but I had lots of issues when I was converting from TASM to MASM. And I wanted to know what was wrong. Maybe you can visit my blog and see for yourself that I don't do that anyways. (http://iamhalsten.thecoderblogs.com). Thanks though.
@hutch: Thanks for your reply, but that works fine in MASM, however, if I removed the code from the data section and put it in the code section it will work fine. Any ideas why?
Regards,
halsten
Use the "l2extia" utility provided in the MASM32 package to generate include files in the EXTERNDEF format.
Then make calls like this:
Call dword ptr [MessageBoxA]
Thank you for the help!
halsten,
Again the problem is an obvious one, the DATA section is for DATA, not ASCII format source code. You can in fact put code in the DATA section but not as source code, only in biary form using HEX notation. There is of course another problem for late version Windows that has DEP so that code in the DATA section is blocked by the OS from running.
It is not an unknown capacity to store binary code in the data section then copy it to allocated memory with the execute flag set and run it from that memory but after having a look at your blog, I get the impression that your interests lie in areas that we do not allow in this forum. This forum is for assembler programing, not malware analysis as we have no way of diferentiating the good from the bad.