Window without Imports

[Petroizki]

Hello,

The forward stuff may seem useless, but at least in Windows XP, many functions such as HeapAlloc are forwarded to NTDLL.DLL, so checking the forwarder may be necessary...

You can use this to get the base address of kernel32 (no loops):  :8)

Code Select Expand

assume fs:nothing
mov eax, dword ptr fs:[30h]
mov eax, dword ptr [eax + 0Ch]
mov eax, dword ptr [eax + 1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax + 8h]

..and my function was made very fast, so why not just use it?  :P

[thomasantony]

Hi Petroizki,
I just wanted to learn more about the PE file and export tables. BTW, I still don't understand what you are doing in that code with fs[30] etc.

Thomas

[pbrennick]

Thomas,
kernel32.dll does contain PE at offset e8h as you can verify with any hex editor.

Paul

[Petroizki]

BTW, I still don't understand what you are doing in that code with fs[30] etc.

The fs:[0] is pointer to the Thread Information Block, there you can find some not so much documented stuff for the thread. The snippet i posted goes trough some pointers in the PDB, and returns the kernel base, but you would need kernel source code to fully understand how it works.. :dazzled:
All we need to know is that it works with all Windowses, and that's it.

We had some discussion about this in the other board: http://217.160.247.193/index.php?topic=18797.0

[roticv]

Hi,
  I will try that. But I can't under stand what u are doing with that code. fs holds something to do with SEH right? Can you explain what you are doing there?. As with my program. kernel32.dll HAS to have the chars PE somewhere right, cuz it is also a PE DLL

Thomas :(

It has but the value in [esp] does not have to be aligned to 4 (Assuming that the "PE" thing is located at 0e8h.). That's the fallacy of your code.

The code that both Petroizki and I pasted makes use of PEB (Process environment block).PEB is fully undocumentated by Microsoft so no one has a complete idea how the struct is like except for them. PEB is located at fs:[30h] http://217.160.247.193/index.php?topic=14185.0

Petroizki ,

Does your code work for 9x?

[thomasantony]

Hi,
  It works for me under win98SE. How about if I AND the value I get from ESP with 0FFFFFFF0h. Then I will get a value on DWORD boundry. New version in first post.

Thomas

[roticv]

Now it works on my xp machine.  :green

[thomasantony]

Anybody else? :U

[Xor Stance]

The only one that doesn't work is NoImpWindow_Ordinal in my Windows Xp Sp2+later updates.

[Petroizki]

The ordinal version will only work in the OS that it has been designed in.

roticv,
Yes it will work in 98, but i'm not sure about Win 95..

[Faiseur]

Hi,

with Windows XP Pro SP1:

NoImpWindow_Ordinal.exe error
NoImpWindow.exe ok !


with Windows 98 ME:

NoImpWindow_Ordinal.exe error
NoImpWindow.exe error

[Xor Stance]

Doesn't the PlatformSDK was for that? To be able to write programs for all oses by Windows in listed?

[thomasantony]

Hi,
   The Ordinal program imports the functions using an ordinal number. I looked up the ordinal numbers of the function in my OS (Win98SE) and used them. So it will not work in other versions of windows because of probable change in number of functions. But both of my programs seem to have some problem with Win ME (What the hell is Win '98' ME)? And XOR, I didn't write it according to the Platform SDK. I wrote in my own way by finding the names of the functions from kernel32.dll without using import libraries. This is an undocumented way of doing this.

Thomas :U

[pbrennick]

Hi Thomas,

(What the hell is Win '98' ME)?

This is probably a typo, just change the 'M' to an 'S'

Of course, I could be wrong, I think I was once before.  Anywho, that is my take, any others?  :wink

Paul

[AeroASM]

How about this? Works fine on MSWXPSP2.

[attachment deleted by admin]