API's not linked when compiling

[halsten]

Hey all,

I have converted a small snippet of code from TASM to MASM, but the linker won't link all the API's, therefor, the application won't run. Here's what I have, tell me if am doing something wrong.

P.S: I get the following error:
LINK : warning LNK4089: all references to "kernel32.dll" discarded by /OPT:REF
LINK : warning LNK4089: all references to "user32.dll" discarded by /OPT:REF

Code Select Expand


.586
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
include kernel32.inc

includelib kernel32.lib
includelib user32.lib


.data
Tls dd     offset Tls1
                    dd     offset Tls2
                    dd     offset Tls3
                    dd     offset TlsCallBack
                    dd     0
                    dd     0

Tls1                dd     0
Tls2                dd     0
Tls3                dd     0
TlsCallBack         dd     offset TLSproc
                    dd     0
                    dd     0
       
TLSproc              proc
                     push   40h
                     push   offset mTitle
                     push   offset mText
                     push   0
                     call   far ptr MessageBoxA
                     
                     push   0
                     call   far ptr ExitProcess
TLSproc              endp
mText                db     "Nope, there is no code at entry point", 0
mTitle               db     "TLS", 0

.code
start:
ret
end start


I wrote the "far ptr" cause that's the only solution I found on the web that enables me to call functions from within the .data section, maybe I am mistaken?

Thanks in advance.

Regards,
halsten

[hutch--]

The obvious is that you only have RET as your runtime code. Nothing is calling the two procedures and they are not within or called from between the "start" label and the "end start" directive.

[BogdanOntanu]

However this is a technique often used by malware authors in order to "trick" AV analyzers.

Of course it does not trick AV analyzers anymore but the poor child has found some old TLS related Vx tutorials in TASM somewhere in a corner of the net and he is not capable enough to make them run in the "new" MASM world...

Unless the OP shows a decent purpose for his line of questioning (IMHO there is none)  I suggest removing this thread.

[halsten]

@BogdanOntanu: No, I didn't find that in an old VX tutorial. The goal was that I use TASM, and I wanted to conert to MASM, but I had lots of issues when I was converting from TASM to MASM. And I wanted to know what was wrong. Maybe you can visit my blog and see for yourself that I don't do that anyways. (http://iamhalsten.thecoderblogs.com). Thanks though.

@hutch: Thanks for your reply, but that works fine in MASM, however, if I removed the code from the data section and put it in the code section it will work fine. Any ideas why?

Regards,
halsten

[xmetal]

Use the "l2extia" utility provided in the MASM32 package to generate include files in the EXTERNDEF format.

Then make calls like this:

Code Select Expand


Call dword ptr [MessageBoxA]


[halsten]

Thank you for the help!

[hutch--]

halsten,

Again the problem is an obvious one, the DATA section is for DATA, not ASCII format source code. You can in fact put code in the DATA section but not as source code, only in biary form using HEX notation. There is of course another problem for late version Windows that has DEP so that code in the DATA section is blocked by the OS from running.

It is not an unknown capacity to store binary code in the data section then copy it to allocated memory with the execute flag set and run it from that memory but after having a look at your blog, I get the impression that your interests lie in areas that we do not allow in this forum. This forum is for assembler programing, not malware analysis as we have no way of diferentiating the good from the bad.