Hi, who can help me?
I want to write SMC "self-modifying code" for Win32 applications
code like this:
-------------------------------
START:
CALL MODIFY              ; patch the instruction at BLAH before it executes
BLAH:
MOV AH,09h               ; meant to become MOV AH,4Ch after the patch
MOV DX,OFFSET HELLO
INT 21h
MODIFY:
MOV DI,OFFSET NEWBYTES
MOV WORD PTR [BLAH],DI   ; overwrites the 2 bytes at BLAH (with the offset, not the bytes; see the corrected version further down)
RET
NEWBYTES:
MOV AH,4Ch               ; the replacement instruction
HELLO DB "Hello World$"
--------------------------------
but I have difficulties writing SMC with MASM32 :(
START:
CALL MODIFY
BLAH:
MOV AH, 09h
MOV DX, OFFSET HELLO
INT 21h
MODIFY:
MOV DI, WORD PTR [NEWBYTES]   ; load the 2 bytes of the replacement instruction
MOV WORD PTR [BLAH], DI       ; and write them over the 2-byte MOV at BLAH
RET
NEWBYTES:
MOV AH, 4Ch
HELLO DB "Hello World$"
Person who attempts to run when they do not know how to crawl will only flail about on the ground - except for the rug burns, it kind of looks like they are swimming. :)

You mean something like this?
call delta
delta:
pop ebx
...
call finddebugger
finddebugger:
add ebx,offset ; offset to IsDebuggerPresent
lea edi,callfunction
mov al,0ffh    ; FF D3 = call ebx
stosb
mov al,0d3h
stosb
mov al,0C3h    ; C3 = ret
stosb
callfunction:
nop
nop
nop
popad
popad
popad
ret
Sorry for my disastrous English.
I know the difference between Win32 and DOS apps; it's just a simple
DOS example to explain what I really need.
donkey,
------------------------------------------------------------
...Like where you're moving the new OFFSET to,
it appears to overwrite your mov command.
------------------------------------------------------------
we call that SMC (replacing an instruction with another one),
and it's exactly what I need. I'm new to win32asm
and it seems that there is a different approach for Win32 apps.
thanks roticv for your interest, :)
but
pop ebx
and
add ebx,offset ; offset to IsDebuggerPresent
are not clear enough for me.
and this is a disastrous SMC code (MASM32) that should normally display a message box,
but it didn't.
---------------------------------------------------------------------------------
.data
Titre db "anti-debug tricks",0
Texte db "example",0
.code
start:
invoke newcode
oldcode:
nop
nop
nop
nop
nop ;invoke MessageBox, NULL,addr Texte,addr Titre,MB_OK
invoke ExitProcess,NULL
newcode:
lea edi,oldcode
mov al,0e8h
stosb
mov al,007h
stosb
mov al,000h
stosb
mov al,000h
stosb
mov al,000h
stosb
mov al,000h
stosb
ret
end start
---------------------------------------------------------------------
:confused:
Balha, Win32 doesn't like writing in the code section (defaults to read-only) - I use the stack, but you could change the linker settings.
newcode:
lea edi,oldcode
mov al,0e8h
stosb
mov al,007h
stosb
mov al,000h
stosb
mov al,000h
stosb
mov al,000h
stosb
mov al,000h
stosb
ret
If the above code is supposed to generate the hex bytes equivalent to the invoke MessageBox, NULL,addr Texte,addr Titre,MB_OK instruction, I would think that you are short quite a number of bytes. For instance, the MessageBox function needs 4 parameters which are expected to be on the stack. This means 4 push instructions requiring 2 or more bytes each.
Assuming that the bytes you are inserting would effectively call the MessageBox function, (a) it would not have the data to display as expected and (b) it would probably crash due to a page fault trying to access data outside the allowed range.
Raymond
There is also one

mov al,000h
stosb

too much, isn't there?!
How about this? It works on my computer :)
( It is the first time I use the VirtualProtect API, so can anybody confirm I use it correctly?? )
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
szErr db "error virtualprotect",0
szTitle db "smc test",0
szText db "hello world",0
.data?
oldProt dd ?
.code
start:
mov esi, (ProgramEnd-start) ; size of the code region to unprotect
invoke VirtualProtect, offset start, esi, PAGE_EXECUTE_READWRITE, ADDR oldProt ; enable write to code section (offset start = 401000h at the default image base)
test eax, eax
jnz _patch
invoke MessageBox, NULL, ADDR szErr, ADDR szErr, MB_OK ; error, show it and quit (ADDR, not the string bytes themselves)
jmp _end
_patch:
lea edi, _change
mov al, 0e8h ; call rel32 opcode
stosb
mov eax, 00000008h ; rel32 = target - (_change+5); 08h is specific to this build's layout, so re-check it whenever the code changes. Will be 08 00 00 00 when written to memory
stosd
invoke VirtualProtect, offset start, esi, oldProt, ADDR oldProt ; restore the old protection settings
_msgBox: push NULL ; uType (MB_OK = 0)
push offset szTitle ; lpCaption
push offset szText ; lpText
push NULL ; hWnd
_change: nop ; here will be inserted 'call MessageBox' (5 bytes: E8 + rel32, exactly the size of this sled)
nop
nop
nop
nop
_end: invoke ExitProcess, NULL
ProgramEnd:
end start
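A worked version of what the thread arrives at, added here as an example; it is not code from any of the posters. It does in C what the last post does in MASM (make the page writable, drop a `call rel32` over a NOP sled, put the protection back), and it also shows the byte counting behind Raymond's reply and the six-bytes-over-five-nops slip from the first MASM attempt. Nothing in it executes the patched bytes. Every address (the 401000h-style values, the MessageBox target, the string offsets) is a made-up constant, the page in `main()` is constructed, and `put_le32`, `encode_call_rel32`, `emit_push_imm`, `emit_messagebox_call`, `patch_call` and `patch_call_protected` are names chosen for this example. On Windows it uses VirtualProtect/VirtualAlloc as in the thread; elsewhere it uses the POSIX mprotect/mmap equivalents.

```c
/* Added example, not code from this thread: the byte-level steps the MASM posts
 * do by hand, as functions that can be checked on a plain buffer.
 * encode_call_rel32() computes the E8 displacement the last post hard-codes as
 * 08h; emit_push_imm()/emit_messagebox_call() give the byte count Raymond's
 * reply describes; patch_call() refuses to write past a NOP sled; and
 * patch_call_protected() wraps the write in VirtualProtect (Windows) or
 * mprotect (POSIX). Nothing executes the patched bytes; all addresses are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
#define CALL_LEN 5 /* E8 + 32-bit displacement */
static void put_le32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* rel32 counts from the END of the call (site + 5). Returns -1 if outside +/-2 GiB. */
int encode_call_rel32(uintptr_t site, uintptr_t target, uint8_t out[CALL_LEN]) {
    int64_t disp = (int64_t)target - (int64_t)(site + CALL_LEN);
    if (disp > INT32_MAX || disp < INT32_MIN) return -1;
    out[0] = 0xE8;
    put_le32(out + 1, (uint32_t)(int32_t)disp);
    return 0;
}

/* push imm: 6A ib (2 bytes) when the value fits a sign-extended byte, else 68 id (5). */
int emit_push_imm(uint32_t imm, uint8_t *out) {
    int32_t s = (int32_t)imm;
    if (s >= -128 && s <= 127) { out[0] = 0x6A; out[1] = (uint8_t)imm; return 2; }
    out[0] = 0x68;
    put_le32(out + 1, imm);
    return 5;
}

/* push MB_OK / push title / push text / push NULL / call MessageBox, laid out at
   `site` (stdcall pushes right to left). Returns the total length, i.e. the sled
   an in-place patch would really need; -1 if MessageBox is unreachable. */
int emit_messagebox_call(uintptr_t site, uint32_t title, uint32_t text,
                         uintptr_t msgbox, uint8_t *out) {
    int n = 0;
    n += emit_push_imm(0, out + n);       /* uType = MB_OK */
    n += emit_push_imm(title, out + n);   /* lpCaption */
    n += emit_push_imm(text, out + n);    /* lpText */
    n += emit_push_imm(0, out + n);       /* hWnd = NULL */
    return encode_call_rel32(site + n, msgbox, out + n) ? -1 : n + CALL_LEN;
}

/* Overwrite a 5-byte NOP sled at code[site_off] with a call to `target`; `base`
   is the address code[] runs at. -1: sled past the end, -2: sled is not all
   0x90 (the six-stosb-over-five-nops mistake), -3: target unreachable. */
int patch_call(uint8_t *code, size_t len, uintptr_t base, size_t site_off,
               uintptr_t target) {
    uint8_t ins[CALL_LEN];
    if (site_off > len || len - site_off < CALL_LEN) return -1;
    for (size_t i = 0; i < CALL_LEN; i++)
        if (code[site_off + i] != 0x90) return -2;
    if (encode_call_rel32(base + site_off, target, ins) != 0) return -3;
    memcpy(code + site_off, ins, CALL_LEN);
    return 0;
}

/* Same patch on a read+execute page: writable only for the write, then the old
   protection goes back (POSIX returns no old value, so RX is assumed). */
int patch_call_protected(uint8_t *code, size_t len, size_t site_off, uintptr_t target) {
    int rc;
#ifdef _WIN32
    DWORD old, tmp;
    if (!VirtualProtect(code, len, PAGE_EXECUTE_READWRITE, &old)) return -10;
    rc = patch_call(code, len, (uintptr_t)code, site_off, target);
    if (!VirtualProtect(code, len, old, &tmp) && rc == 0) rc = -11;
#else
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)code & ~(pg - 1);
    size_t span = (size_t)((uintptr_t)code + len - lo);
    if (mprotect((void *)lo, span, PROT_READ | PROT_WRITE) != 0) return -10;
    rc = patch_call(code, len, (uintptr_t)code, site_off, target);
    if (mprotect((void *)lo, span, PROT_READ | PROT_EXEC) != 0 && rc == 0) rc = -11;
#endif
    return rc;
}

int main(void) { /* constructed code page: 16 NOPs; offset 4 will call offset 12 */
    size_t len = 16, i;
#ifdef _WIN32
    uint8_t *code = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    uint8_t *code = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) code = NULL;
#endif
    if (!code) return 1;
    memset(code, 0x90, len);
    int rc = patch_call_protected(code, len, 4, (uintptr_t)code + 12); /* rel32 = 12 - 9 = 3 */
    printf("rc=%d bytes:", rc);
    for (i = 0; i < len; i++) printf(" %02X", code[i]); putchar('\n');
    return rc != 0;
}
```

The rule behind both slips in the thread: rel32 = target minus the address of the instruction after the call (the call's own address plus 5), and the sled you write into must be at least as long as the bytes you write. `emit_messagebox_call` shows why five nops cannot hold the whole invoke: four pushes plus the call come to 19 bytes once the string addresses no longer fit in a signed byte.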