Register Contents on Entry

Started by johnsa, October 21, 2008, 06:45:35 PM

johnsa

Hey all,

I was doing some reading up on no-import options and looking at ways to obtain the LoadLibrary and GetProcAddr functions from kernel32 by probing. The most reliable approach seemed to be to pop stuff off the stack right on entry to your application, but I noted that EBX seemed to contain the same value, so I was wondering what all the registers are set to on load.

Any ideas?
Thanks
John

Vortex

Hi johnsa,

You need to be careful with the no-imports method as Windows 2000 will refuse silently to run an executable without an import section. You should have at least one reference to kernel32.dll (for example terminating your application with ExitProcess).

johnsa

Ok, perhaps that's not the best approach then... basically I was looking at doing some "4kb" intro type code for fun, so I started investigating all the options to get the thing as small as possible:

OpenGL and some Audio api, either win or directsound are requirements. OpenGL I'd probably just use to get a 2d drawing surface out of.
I had a look at FSG and MEW as executable packers, not keen on the whole bat file or cab dropping approach.

DoomyD

As far as I know, Windows uses a local structure to set the main thread, therefore this method might not always work.
However, if I recall correctly, the return from the entry point will lead you to kernel32.dll, so you could mess with that.

johnsa

Just in case anyone is interested, here is what I found so far... it landed up leading down some complete tangents and looking at anti-debugging, protector code:

Startup values for Windows 95/98/ME
EAX == Application Entry Point
EBX == 00530000h, a fixed value

Startup values for Windows NT/2000/XP/2003
EAX == NULL
EBX == 7FFDF000h, pointer to (PEB)

PEB = Process Environment Block...

Consequently the FS segment register also allows access to the PEB...
To access:

assume fs:nothing   ; needed for MASM to be able to assemble the fs: override
mov eax, fs:[30h]   ; eax now points to the PEB base ... and so on

http://www.securityfocus.com/infocus/1893 : this link includes some interesting anti-debugging code samples and ideas, as well as a description of the PEB structure.

Interesting....
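The register-on-entry claim above is easy to measure rather than assume. The following is an added example (not code from this thread or the MASM32 package) for 32-bit Windows that snapshots EBX at the very first instruction, reads the PEB pointer through fs:[30h] as the documented reference, and reports the comparison as the process exit code. It exits through ExitProcess, which also keeps the single kernel32 import Vortex mentions; the include and lib paths assume a default MASM32 SDK install under \masm32.

```asm
.386
.model flat, stdcall
option casemap:none

; Assumed default MASM32 SDK layout (adjust if installed elsewhere).
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.code
start:
    ; First instruction: capture EBX exactly as the loader handed it over,
    ; before any call or prologue can clobber it.
    mov edx, ebx

    ; Documented route to the PEB on x86: TEB is at fs:0, TEB+30h holds the
    ; PEB pointer. MASM needs assume fs:nothing to accept the fs: override.
    assume fs:nothing
    mov eax, fs:[30h]

    ; Exit code 0 = EBX at entry really was the PEB pointer on this system,
    ; exit code 1 = it was not (so a no-import stub must not rely on it).
    xor ecx, ecx
    cmp eax, edx
    je done
    inc ecx
done:
    invoke ExitProcess, ecx     ; one kernel32 reference keeps the import table non-empty
end start
```

Run it from a console and inspect ERRORLEVEL (0 or 1) on each Windows version you care about; the result is per-OS, which is exactly why the thread's fixed-address values should be treated as observations, not guarantees.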