K32B.INC

Started by Synfire, September 04, 2005, 09:27:17 PM

Synfire

I wasn't sure where the best place to post this was on here, so I figured a Miscellaneous area
would fit. This is a simple include file I made which simplifies development of applications which
don't use an import library. The GetProcAddr routine was given to me by EvilHomer2k as a
replacement for my simple hash search routine (ProcSearch) which didn't support searching
by name or ordinal. The rest is basically the delta method of obtaining the kernel32 base
address and calling the API routines you load. This simplifies the process of developing
applications without imports greatly; the fact is, if you know the actual name of the procedure
and the DLL in which it resides, then you can implement this include. If anyone has any comments,
suggestions, and/or criticism, please post here, in the win32asm thread, or email me at
webmaster[at]malcode.ath.cx

Regards,
Bryant Keller

Download Here

PS: example source included.

Mark Jones

Hello Bryant, I'm a little confused, is this just for obfuscating the import table? i.e., why use this instead of INVOKE? Thanks.

Edit: Because this is verbatim what Olly reports just after loading k32btest.exe:


004010B5 > $  E8 00000000   CALL K32BTEST.004010BA
004010BA   $  5D            POP EBP                                  ;  kernel32.7C816D4F
004010BB   .  81ED BA104000 SUB EBP,K32BTEST.004010BA                ;  Entry address
004010C1   .  E8 3AFFFFFF   CALL K32BTEST.00401000
004010C6   .  A3 00204000   MOV DWORD PTR DS:[402000],EAX
004010CB   .  68 13204000   PUSH K32BTEST.00402013                   ;  ASCII "LoadLibraryA"
004010D0   .  FF35 00204000 PUSH DWORD PTR DS:[402000]
004010D6   .  E8 40FFFFFF   CALL K32BTEST.0040101B
004010DB   .  A3 20204000   MOV DWORD PTR DS:[402020],EAX
004010E0   .  68 24204000   PUSH K32BTEST.00402024                   ;  ASCII "FreeLibrary"
004010E5   .  FF35 00204000 PUSH DWORD PTR DS:[402000]
004010EB   .  E8 2BFFFFFF   CALL K32BTEST.0040101B
004010F0   .  A3 30204000   MOV DWORD PTR DS:[402030],EAX
004010F5   .  68 34204000   PUSH K32BTEST.00402034                   ;  ASCII "ExitProcess"
004010FA   .  FF35 00204000 PUSH DWORD PTR DS:[402000]
00401100   .  E8 16FFFFFF   CALL K32BTEST.0040101B
00401105   .  A3 40204000   MOV DWORD PTR DS:[402040],EAX
0040110A   .  68 08204000   PUSH K32BTEST.00402008                   ;  ASCII "USER32.DLL"
0040110F   .  FF15 20204000 CALL NEAR DWORD PTR DS:[402020]
00401115   .  A3 04204000   MOV DWORD PTR DS:[402004],EAX
0040111A   .  68 44204000   PUSH K32BTEST.00402044                   ;  ASCII "MessageBoxA"
0040111F   .  FF35 04204000 PUSH DWORD PTR DS:[402004]
00401125   .  E8 F1FEFFFF   CALL K32BTEST.0040101B
0040112A   .  A3 50204000   MOV DWORD PTR DS:[402050],EAX
0040112F   .  6A 40         PUSH 40
00401131   .  68 54204000   PUSH K32BTEST.00402054                   ;  ASCII "No Imports!"
00401136   .  68 60204000   PUSH K32BTEST.00402060                   ;  ASCII "Hello World in 1.50KBs!"
0040113B   .  6A 00         PUSH 0
0040113D   .  FF15 50204000 CALL NEAR DWORD PTR DS:[402050]
00401143   .  FF35 04204000 PUSH DWORD PTR DS:[402004]
00401149   .  FF15 30204000 CALL NEAR DWORD PTR DS:[402030]
0040114F   .  6A 00         PUSH 0
00401151   .  FF15 40204000 CALL NEAR DWORD PTR DS:[402040]
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

Synfire

Thanks for the reply Mark,

This is basically a last resort method to knock about 1K off of your program's final size. It doesn't
obfuscate the import table, it gets rid of it. Applications using this trick don't have an import section,
so you have to load them yourself. This include is just a wrapper for one of the many methods of
doing this called the Delta Method. I was thinking of continuing with this, but due to the very low
interest in it, I figured I'd just leave it as a gem on my site.

Regards,
Bryant Keller
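The layout Mark's Olly dump shows (no import directory, API names pushed as plain ASCII strings to a resolver) is also what a defender looks for when triaging a binary. Added example, not part of this thread or of the K32B include: a Python check that reads the PE32/PE32+ import data directory and, when it is empty, lists which of the API names from the dump are present as raw strings; build_pe32_header is a constructed minimal header used only to exercise the check.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the optional header's data directories
# API names seen pushed as ASCII in the Olly dump of k32btest.exe
RESOLVED_AT_RUNTIME = (b"LoadLibraryA", b"FreeLibrary", b"ExitProcess", b"MessageBoxA")

def import_directory(pe: bytes):
    """Return (rva, size) of the import directory, or None if this is not a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 4 + 20                      # signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    # NumberOfRvaAndSizes / DataDirectory offsets differ between PE32 and PE32+
    if magic == 0x10B:
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return None
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:       # directory not even present: no imports
        return (0, 0)
    return struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)

def has_no_imports(pe: bytes) -> bool:
    """True for a valid PE whose import directory is empty (the k32btest.exe case)."""
    return import_directory(pe) == (0, 0)

def runtime_resolved_names(pe: bytes):
    """API names present as NUL-terminated ASCII in a file with no import table: a hint that
    the program resolves them itself (GetProcAddress-style walk of the export table)."""
    if not has_no_imports(pe):
        return []
    return [n.decode() for n in RESOLVED_AT_RUNTIME if n + b"\0" in pe]

def build_pe32_header(import_rva: int, import_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections) for testing; only parsed fields are meaningful."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)    # i386, 224-byte optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

if __name__ == "__main__":
    sample = build_pe32_header(0, 0) + b"LoadLibraryA\0ExitProcess\0"
    print(has_no_imports(sample), runtime_resolved_names(sample))
```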