Which component patches code to the MASM compiled executable

[guro]

Hi, i write a simple dummy MASM program, like:

Code Select Expand

.386
.model flat, stdcall
option casemap:none

.data
szName db "MASM", 0

.code
start:
mov eax, DWORD PTR [szName]
ret
end start

But then when i use the OllyDbg to 'see' the code, i get:

Code Select Expand

Address   Hex dump          Command             
00401005  /. /E9 06000000   JMP 00401010
0040100A  |  |CC            INT3
0040100B  |  |CC            INT3
0040100C  |  |CC            INT3
0040100D  |  |CC            INT3
0040100E  |  |CC            INT3
0040100F  |  |CC            INT3
<actual code starts here>

So as you can see there are 11 bytes that i have not written in my code. My question is which component (MASM, loader, other?) add this code to the executable? Why?

[jj2007]

You must have caught a virus. I see only this:

Code Select Expand

CPU Disasm
Address         Hex dump                     Command                           Comments
<ModuleEntryPoi Ú. A1 00204000               mov eax, [402000]                 ; ASCII "MASM"
00401005        À. C3                        retn
00401006           00                        db 00


[hutch--]

Use a disassembler to get decent results.

Code Select Expand


.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; ¦     This file is generated by The Interactive Disassembler (IDA)        ¦
.text:00401000 ; ¦     Copyright (c) 2002 by DataRescue sa/nv, <ida@datarescue.com>        ¦
.text:00401000 ; ¦                      Licensed to: Freeware version                      ¦
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; File Name   : H:\asm7\guro\guro.exe
.text:00401000 ; Format      : Portable executable for IBM PC (PE)
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size                  : 0000000B (     11.)
.text:00401000 ; Section size in file          : 00000200 (    512.)
.text:00401000 ; Offset to raw data for section: 00000200
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment     : 16 bytes ?
.text:00401000
.text:00401000                 model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 _text           segment para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00401000
.text:00401000
.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 mov     eax, dword_402000
.text:00401005                 mov     eax, offset dword_402000
.text:0040100A                 retn
.text:0040100A start           endp
.text:0040100A
.text:0040100A ; ---------------------------------------------------------------------------
.text:0040100B                 align 200h
.text:0040100B _text           ends


[guro]

This should not be true (got a virus!) since every time i assemble+link a new executable i get this group of instruction in front of the actual instructions.

Code Select Expand

CPU Disasm
Address   Hex dump          Command                                  Comments
00401004      CC            INT3
00401005  /.  E9 06000000   JMP 00401010
0040100A  |   CC            INT3
0040100B  |   CC            INT3
0040100C  |   CC            INT3
0040100D  |   CC            INT3
0040100E  |   CC            INT3
0040100F  |   CC            INT3
00401010  |>  A1 00404000   MOV EAX,DWORD PTR DS:[404000]            ; ASCII "MASM"
00401015  \.  C3            RETN
00401016      A1            DB A1
00401017      90            NOP
00401018      1F            DB 1F

What you suggest is that a virus has patch'ed the MASM assembler to add this 'stub' code in front of any newly created executable?? I don't say that is impossible (i don't know if it is possible either: )  but i don't think so...something else maybe happens here...any ideas?

[hutch--]

Check your computer for a virus or trojan, if your binary code is being modified you have something wrong.

[guro]

@hutch

You propose to use another debugger like IDA, and that the Ollydbg inserts the code to the executable ?

p.s: i have Windows XP SP3, and OllyDbg is version 2.00.
p.s.2: + i have sent the file to virustotal and it's clean!
p.s.3: I have downloaded the IDA Pro 5.0 Free version and i get the following output:

Code Select Expand


.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; ¦     This file is generated by The Interactive Disassembler (IDA)        ¦
.text:00401000 ; ¦     Copyright (c) 2010 by Hex-Rays SA, <support@hex-rays.com>           ¦
.text:00401000 ; ¦                      Licensed to: Freeware version                      ¦
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Input MD5   : 49BEB6B27558C787D89F615EECE5801A
.text:00401000
.text:00401000 ; File Name   : C:\Documents and Settings\Giorgos\My Documents\Education Code\Assembly\Test\test.exe
.text:00401000 ; Format      : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase   : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size                  : 00001061 (   4193.)
.text:00401000 ; Section size in file          : 00001200 (   4608.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment     : default
.text:00401000
.text:00401000                 .686p
.text:00401000                 .mmx
.text:00401000                 .model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text           segment para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000                 dd 0CCCCCCCCh
.text:00401004                 db 0CCh
.text:00401005 ; [00000005 BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
.text:0040100A                 align 10h
.text:00401010
.text:00401010 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00401010
.text:00401010
.text:00401010 _start          proc near               ; CODE XREF: startj
.text:00401010                 mov     eax, szName
.text:00401015                 retn
.text:00401015 _start          endp
.text:00401015
.text:00401015 ; ---------------------------------------------------------------------------

[hutch--]

Ida is a disassembler and the result answers your question, entry point is 00401000 like normal. Remember that when you use a debugger as against a disassembler that a debugger must add debug code so it runs. The INT3's and JMP show the additional debug code.

[guro]

hmm...but even the IDA disassembler 'finds out' the series of INT 3's (db CCh) instructions and at 00401005 contains this : [00000005 BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND] which seems to me as a directive to generate a JMP +5 to current EIP to go to program entry start label. So it seems that OllyDbg does not introduce the extra 11 bytes to the executable, since IDA also finds this extra code. Does this mean that it's part of executable? Do you verify this?

[hutch--]

What is missing is youur build data, both my own and others doing a normal release build get the correct start address, if you are getting debug code then you are doing a different build.

[guro]

 :U

I use the WinAsm Studio and when i change the build options to Release, i also get correct results! Just a last question, why in the debug version the jmp instruction is used?

[dedndave]

they are just filler bytes - until the next aligned section, which is probably where the IAT is

[guro]

Why someone wants to use as filler bytes the JMP instruction? i mean for the INT 3 instructions is more suitable to be used as filler bytes...Anyway, you said "until the next aligned section, which is probably where the IAT is", so do you think that after these 11 bytes (JMP+INT_3 x 6) the IAT is located?

[dedndave]

not really sure - i have seen them before after ExitProcess and just assumed that's what i was seeing
they may be there for the debugger to trap on
NOP's would just let the debugger continue, of course

[jj2007]

Why someone wants to use as filler bytes the JMP instruction?

Because 40000h that's where execution starts, so jmp must be the first instruction, otherwise the code would run into the int 3's and raise an exception.

Congrats that you got rid so quickly of your virus :bg

[guro]

I have to admit that for a moment you terrified me  :eek !! Thanks for helping guys, i'm coming from linux+nasm and i want to make the transition as quick as possible!

@dedndave

Regarding your statement about the location of IAT after the filler bytes, did you mean the 'filler' bytes i told (JMP+INT_3) ? Or something else? Because after the 'filler' bytes i told there is the start of the actual code, not the IAT right?