Ho humm, a couple of questions, related to other threads around here.

First, on nasm macros. In masm, we have the capability to return a value from a macro, so stuff like `dd CText("blah")' or "invoke blah, CText("Blah!")' can be done. I looked over the nasm macro reference (rather briefly, admittedly), but wasn't able to find such a feature :(

Second, some kernel-mode question. Is there a (documented or not) way of setting page permissions from kernel mode? I know it's possible to set READ/WRITE permission, but I really want to get at the user/supervisor bit. And frankly, because of the way NT manages the pagetables, I'd rather not have to modify them myself if I can avoid it.
Posted on 2004-01-22 17:52:13 by f0dder
There is no such feature in nasm; basically nasm replaces the text
defined in the macro and manipulates it in the correct way,
with what you have defined before in the macro body. You can also use the command line option
-lnameOfListFile to see how this replacement is done.

There are local labels for macros and for contexts. The first is used to generate different labels....
when you use the same macro several times and you want to 'write' a label, you will get an error like
redeclaration of xName... This can be solved using local macro labels:
you use one in a macro and something like an internal counter is incremented,
so you can use the name in another macro expansion but with a different internal value (following a sequence)... or,
like the context (or scope) of a local in a proc, you can reuse the name by calling the
same macro several times.

The context labels can be accessed from different macros;
that is, they have a 'global' scope in (between) the macros, but only if a context exists... (created with the %push/%pop preprocessor directives;
this is a LIFO)

In nasm, there is a very easy way to do things like invk "str", 1, eax

%macro invk_arg 1      ; pushes one argument; every expansion gets its own %% namespace
%ifstr %1
;                      ; alternative: switch to the data section here (uncomment with __SECT__ below)
jmp %%skip_this_in_code
%%str db %1,0          ; local label: nasm numbers each expansion, so the names never clash
%%skip_this_in_code:
;__SECT__              ; ...and return to the previous section
push dword %%str
%else
push dword %1
%endif
%endmacro

%macro invk 1-*
%rep %0-1
%rotate -1             ; walk the arguments last-to-first, the order stdcall pushes them
invk_arg %1
%endrep
%rotate -1             ; %1 is the function name again
%ifdef %1              ; a %define'd name (e.g. an import pointer): indirect call
call [%1]
%else
call %1
%endif
%endmacro

Here I have commented some lines, to show two different ways of doing the same thing. As it is now, it inserts the text
in the code, skips over it and pushes the local macro label %%str. If you uncomment the commented lines
and comment out jmp %%skip_this_in_code, you have the other way: switch to the data section,
mark the label, return to the code section and push like in the previous way...... Also see that %%name is really a label;
it is handled like that at the end by nasm.....
... also see that the local counter for the local labels is only incremented 'after' you define a label, not in an instruction like jmp, which does not generate a label.
When you use invk MessageBox, NULL, "hello", "Three", MB_OK, the macro will be
evaluated and produce the correct sequence. Also see that you can pass
an unlimited number of arguments (this is marked by the marks for how many arguments you want
at the declaration line, where you see 1-*); this marks the fewest and the most arguments that the
macro can accept, in this case 1 to 'infinity', marked with *... also I think maybe there is a limit..
but I think it is a linked list that handles the arguments... don't remember :S....

Ok, too much text and I think I did not explain the point.... :D

See that you can create a label, for example, and it is still there afterwards, or you can assign a number to a
thing, and after the execution of the macro the value is still there.
I use this in a macro that I have (I do not return anything, but I can still access the definitions that I make inside it).
It handles locals; I would also like to provide something like blocks,
to accept locals not at procedure level but at loop level, and, as was said before (dunno where),
not overload the function if it is recursive, only having the space for the local where necessary...
but that is later work.

I think I can surpass the proc/invoke of masm in a lot of ways; the only real limitation that I find is that
I cannot check the size of a thing... because in nasm there is no such thing, there is no
such thing...... for example, in fact in nasm there are no structs.. there is address+displacement ;), also...
to look like other assemblers there is a macro... yeah, macros are used for this, to handle the struct thing....

struc aStructure
.name1 resb 1
.name2 resb 1
.name3 resd 1
endstruc


And for access, if you have in the data section:
aVarOrLabelOrAddress resb aStructure_size ;there is no sizeof.. there are no.. sizes.. or anything like that.. no tracking of sizes...

you do....
mov eax, aVarOrLabelOrAddress
xor ebx, ebx
mov , ebx ;you zeroise the first two elements (they are only addresses)... also see that
; there is no warning or anything when you do this, because nasmw does not check the size of variables...
; or nasm does not have types ..... only other things and such ;)
mov , bx
;or
mov , bx ; This is only so you do not need to remember each displacement, and can read
; symbolic names... that have more meaning than a mov , bx




Hope you read this far... no, there is no return directive or anything like that for the preprocessor;
what you define inside a macro can be used outside.


And I hope too that I explained it well... :S

If you still have questions.. simply ask the question ;), about the other question I dunno... I think some other people can help with that.. :D

Have a nice day or night.
Posted on 2004-01-22 23:07:24 by rea
> In masm, we have the capability to return a value from a macro, so stuff like `dd CText("blah")' or
> "invoke blah, CText("Blah!")' can be done. I looked over the nasm macro reference (rather briefly,
> admitted), but wasn't able to find such a feature.

I have not found any macro instruction in NASM like the "exitm" of MASM, but there are some ways
to do things like:

invoke blah, CText "Blah!"

or

invoke blah, addr

You can use the "%ifidn" macro instruction in the "invoke" macro to select which parameter
begins with "CText" or "addr"; something like:

%ifidn %1, CText
%rotate 1                ; %1 is now the string that followed CText
[section .data]          ; emit the string in the data section...
%%blah db %1, 0
__SECT__                 ; ...and switch back to the section we came from
push dword %%blah
%endif

I did not test this, but I suppose that it must work. I saw something similar to this in the
nguga _ADDR macro.

I hope that this can help you

> Is there a (documented or not) way of setting page permissions from kernel mode?

Sorry. I'm curious. Are you looking for some kernel mode function to set page permissions,
something like the win32 user mode VirtualProtectEx?

------
nmt
Posted on 2004-01-23 00:18:09 by n u M I T_o r
hgb, that was a lot of text - that didn't help at all :)
I'm not interested in various "invoke" macros for nasm, I already know how to do that.
I need something like masm's exitm, so I can do generic stuff.
Guess I might just skip nasm and go fasm, if that can't do what I want... well ;)
Besides, "jmp skip_data" is such a silly thing to do.


Sorry. I'm curious. Are you looking for some kernel mode function to set page permissions,
something like the win32 user mode VirtualProtectEx?

Sort of. Such an API actually exists in kernel mode, however as far as I can see, it only does the same protection flags as VirtualProtect... ie, the read/write/execute stuff (execute of course not being supported on x86). What I need, as stated before, is a way to toggle the user/supervisor bit.
Posted on 2004-01-23 00:45:31 by f0dder
hehe, I know that... was much :D

There is only %exitrep, which breaks out of the current %rep block. There is no directive to exit the current macro... I will ask about that..... :D. If you want, while that directive is not handled, you can try to handle how you get out of the macro in another way... (that will require some %if and such...).

What do you mean by generic stuff... I would also like to know, to see if it can be handled or not.


The definitions that you make in the macro are accessible after you execute it. That way there is no need to return anything.

have a nice day or night.
Posted on 2004-01-23 01:51:35 by rea
Taking a stab at the second question, others may have a better handle on this, but I think unless you're mapping your own pages as an MDL, where you can specify the access mode as either KernelMode or UserMode, you're stuck modifying the U/S bit of the PDE/PTE arrays directly (a la icedump PAGEFLAG). I'm not exactly sure that the MDL AccessMode setting actually modifies the U/S bit, but there may be a way to tell...

In reading Sven Schrieber's Exploring Windows 2000 Memory sample chapter, you may have seen it online here:

http://www.informit.com/isapi/product_id~%7B6D5ACA10-5AB0-4627-81E5-65B9F6E080AC%7D/st~%7B6EB673C6-2B46-498B-A653-803F5FC3AA6E%7D/content/index.asp

He discusses how the memory manager API functions MmGetPhysicalAddress and MmIsAddressValid access the PDE and PTE arrays; the base addresses are defined as constants (beginning at linear address 0xC0000000) and appear as "magic numbers" within the functions. I haven't seen any other reference to accessing these arrays (in)directly in any of my driver references.

The other interesting thing he discusses is Watching PTEs Change Their States using his w2k_mem utility. For example, by viewing the output he could tell that 4 PTEs found at a certain address, part of the image of win32k.sys, had been swapped out because their P bit indicated a nonpresent page.

I mention this simply because one might be able to check the U/S bit of a selected PTE in a similar way. (I'm thinking here of confirming if the MDL AccessMode is directly tied to the U/S bit).


EDIT: Re the whole MDL business, this is a good example I've made use of, also demonstrated by Four-F in one of his untranslated driver tuts.

http://www.osr.com/ntinsider/2000/sharing_memory.htm
Sharing Memory Between Drivers and Applications
Posted on 2004-01-23 02:39:31 by Kayaker
'Undocumented Windows NT' also seems to have some info about accessing the PTE to display page flags (and even some source code) .. dunno if it's obsolete by now .. anyway, check out page 6 of

http://www.windowsitlibrary.com/Content/356/04/6.html
Posted on 2004-01-23 03:07:29 by Jibz
I don't need to "break out" of the macro (though if that facility is not there - lame). I need to *return* a value from the macro.


The definitions that you make in the macro are accessible after you execute it. That way there is no need to return anything.

Yes, but that's just not good enough for me. I cannot do statements like "dd macro("blah")", I would have to do "macro("blah")", followed by "dd symbol_left_from_macro". This also means you wouldn't be able to use the macro directly multiple times in an invoke/call macro... nasm's macro feature seems to be pretty limited, after all.

Kayaker, Jibz - thanks. I'll have a look.
The business of changing the PTEs directly isn't that bad in itself... make a lin->phys mapping for CR3 (etc), modify the PTEs necessary. Big deal. What I'm worried about is that these PTEs might be reconstructed from MDLs, and thus have the U/S bit reset? If I use one of the kernel-mode memory allocs calls, is there a call to get to the associated MDLs?

I guess I'll have to do some more reading, tracing, and disassembly... and play around ;)
Posted on 2004-01-23 05:28:39 by f0dder
NASM now is it?

As far as I know the U/S bit (bit 2 of a PDE) is used in conjunction with the WP bit of CR0 to deny access of CPL0 to user mode pages. Here's something to play with:

mov ecx,eax
shr eax,16h ; Page Dir Index, PDI
shl eax,2 ; size of PDE = PDE offset
mov eax, ; Page Dir Base + PDE offset
test eax,1
jz $+043h ; if then mask PTE valid
test eax,80h
jnz $+01ah
mov eax,ecx
shr eax,0Ah
and eax,3FFFFCh ; mask pte page frame number
add eax,0C0000000h ; add Page Table Base
mov eax, ; get PTE
test eax,1
jz $+011h ; if 4MB page
and eax,0FFFFF000h ; Mask Page Frame Number
and ecx,0FFFh
add eax,ecx ; add byte offset to physical address
jmp $+017h
xor eax,eax
jmp $+13h
and eax,0FFC00000h
and ecx,3FFFFFh
add eax,ecx
jmp $+04h
xor eax,eax

That will help you find the PDE you are looking for. It's a disassembly of "GetPhysicalAddress". Here's a breakdown of it you may find useful:


pagestuff:

push ds
mov ds,GlobalSel

mov eax,GDTbase
add eax,050h ; "TSS" offset location in GDT
mov esi,eax
call DescriptorAddress
mov esi,eax
mov edi,markaddr
add edi,0100h
mov eax,dword ptr ; offset "PDBR in TSS

mov eax,0967ba000h ; "Logical ADDRESS"
;call PageLookUp
;jmp point

mov ecx,eax
;and eax,0FFFFF000h
shr eax,16h
shl eax,2
sub eax,03FD00000h

mov eax,dword ptr ;*remove this and unhide point for entry addr*
;jmp point ;**********

test eax,01h
jnz $+09h
mov eax,0FFFFFFFFh ; Use FF's to indicate not present
jmp point
test eax,080h
jnz FourMPage

FourKPage:
mov eax,ecx
shr eax,0Ah
and eax,3FFFFCh ; mask pte page frame number
sub eax,040000000h ; (add C0000000) add Page Table Base
mov eax, ; get PTE
;jmp point
test eax,01h
jnz $+09
mov eax,0FFFFFFFFh ; Use FF's to indicate not present
jmp point

FourMPage:
and eax,0FFFFF000h ; Mask Page Frame Number
and ecx,0FFFh
add eax,ecx

point:
mov dword ptr ,eax
pop ds
jmp restorePF
dump:
mov esi,eax
push es
push ds
pop es
mov ecx,0400h
cld
rep movsd ;dump stack contents
pop es
pop ds
jmp restorePF

DumpPageDir:

push ds
mov ds,GlobalSel
mov eax,0c0300000h
add eax,0000h ;offset
mov edi,markaddr
add edi,0100h
mov esi,eax
push es
push ds
pop es
mov ecx,0400h
cld
rep movsd
pop es
pop ds
jmp restorePF
Posted on 2004-01-23 10:35:45 by mrgone
Turncoat? Like, why? For using nasm for projects where it fits? Anyway, guess I'll stop using nasm and go fasm from now on, if it has the macro features I need (which I have a strong suspicion it does).

Thanks for trying to help, but... I don't really have a problem in dealing with page tables manually - I'd just rather avoid it if there's kernel routines to do what I want, for various reasons. The code's pretty ugly btw ^_^


As far as I know the U/S bit (bit 2 of a PDE) is used in conjunction with the WP bit of CR0 to deny access of CPL0 to user mode pages.

Rather, I would say that the WP bit is used to deny R0 code write access to user pages that are marked as read-only. With the WP bit clear, R0 code can write to read-only user pages without causing an exception, which is of course not good in a system that requires Copy-On-Write.

Anyway, I'll have a go at writing some driver test code either tonight, or tomorrow.
Posted on 2004-01-23 10:52:13 by f0dder
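For the PDE/PTE walk in mrgone's listing and the CR0.WP point in the reply above, here is an added C model; it is not code from this thread or from any of the posters. The page-directory and page-table contents are constructed sample data, and the model keeps a single page table instead of the 0xC0000000 window.

```c
/* Added example, not code from the thread: models the 32-bit non-PAE x86 page walk that
 * mrgone's GetPhysicalAddress listing performs and the U/S, R/W and CR0.WP check f0dder
 * describes. All table contents are constructed sample data (a single page table). */
#include <stdint.h>
#include <stdio.h>
#define PG_P   0x001u   /* present */
#define PG_RW  0x002u   /* 1 = writable */
#define PG_US  0x004u   /* 1 = user accessible, 0 = supervisor only */
#define PG_PS  0x080u   /* PDE only: 4 MB page, no page table */
typedef struct {
    const uint32_t *pd;   /* 1024 PDEs (what the thread reads at 0xC0300000) */
    const uint32_t *pt;   /* 1024 PTEs (stand-in for the window at 0xC0000000) */
} PagingCtx;
/* Translate lin. Returns 0 if not present, else 1 with *phys and the effective
 * R/W and U/S in *flags (the AND of PDE and PTE bits, as the CPU evaluates them). */
int walk(const PagingCtx *c, uint32_t lin, uint32_t *phys, uint32_t *flags)
{
    uint32_t pde = c->pd[lin >> 22];             /* shr 16h / shl 2 in the listing */
    if (!(pde & PG_P)) return 0;
    if (pde & PG_PS) {                           /* 4 MB page: frame in bits 31..22 */
        *phys  = (pde & 0xFFC00000u) | (lin & 0x3FFFFFu);
        *flags = pde & (PG_RW | PG_US);
        return 1;
    }
    uint32_t pte = c->pt[(lin >> 12) & 0x3FFu];  /* 4 KB page: index the page table */
    if (!(pte & PG_P)) return 0;
    *phys  = (pte & 0xFFFFF000u) | (lin & 0xFFFu);
    *flags = pde & pte & (PG_RW | PG_US);
    return 1;
}
/* Does the CPU permit the access? cpl 3 = user, 0 = supervisor (ring 0). */
int access_ok(uint32_t flags, int cpl, int write, int cr0_wp)
{
    if (cpl == 3)                                /* U/S clear: no user access at all */
        return (flags & PG_US) && (!write || (flags & PG_RW));
    return !write || (flags & PG_RW) || !cr0_wp; /* ring 0 ignores U/S; RO stops writes only if WP=1 */
}

/* Constructed sample tables: PDE 0 -> page table, PDE 1 -> supervisor-only 4 MB page. */
static uint32_t sample_pd[1024], sample_pt[1024];
PagingCtx sample_ctx(void)
{
    PagingCtx c = { sample_pd, sample_pt };
    sample_pd[0] = 0x00100000u | PG_P | PG_RW | PG_US;
    sample_pd[1] = 0x00400000u | PG_P | PG_RW | PG_PS;
    sample_pt[5] = 0x00123000u | PG_P | PG_US;   /* user page, read-only (copy-on-write) */
    sample_pt[6] = 0x00124000u | PG_P | PG_RW | PG_US;
    return c;
}

int main(void)
{
    PagingCtx c = sample_ctx();
    uint32_t phys, flags;
    if (walk(&c, 0x00005ABCu, &phys, &flags))    /* lands in sample_pt[5] */
        printf("phys %08x U/S=%d R/W=%d ring0 write: WP=0 %d, WP=1 %d\n", phys, !!(flags & PG_US),
               !!(flags & PG_RW), access_ok(flags, 0, 1, 0), access_ok(flags, 0, 1, 1));
    return 0;
}
```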
Hutch's is best!
Posted on 2004-01-23 11:15:40 by mrgone
MASM is okay for writing high-level assembly code... but that's where I'd use a high-level language instead. It's nowhere near as flexible as, say, fasm - and lacks things like direct binary output.

Besides, MASM is not Hutch's, he just threw together masm + some crappy powerbasic stuff + a bunch of other people's work and called it MASM32. That's great and all, and there's some work in maintaining it, but... heh.
Posted on 2004-01-23 11:26:37 by f0dder
I don't think it is lame, it just was not useful for us ..... hehe, I suppose there was a miss there ;), also I think something like that can be easily implemented??.. because I read some bug reports, and found one saying that in earlier versions exitrep would break all the reps.. even nested... also we can take this earlier 'fail' and only exit the macro, then take the expression in case there is one and insert the token in that place...


;) Have a nice day or night.
Posted on 2004-01-25 00:48:23 by rea
hmmmm,

Besides, MASM is not Hutch's, he just threw together masm + some crappy powerbasic stuff + a bunch of other people's work and called it MASM32. That's great and all, and there's some work in maintaining it, but... heh.

I know you haven't got much talent in the basic area so I suggest that this wisecrack is just a tinge of bitchiness for being a little off the pace. :tongue:

Now as you don't seem to be able to manage much in the line of assembler yourself and need to use a C++ compiler as a crutch, perhaps you need to learn the old lesson that people in glass houses should not throw stones. :grin:

Regards,
Posted on 2004-01-25 05:50:23 by hutch--
I like MASM a lot, and I never found it a problem that it doesn't have binary output. I just wrote a tool that can extract the .text section from a PE file, so I get the binary code that way (of course it also works on binaries generated with C/C++ or other languages :)).
And I still get all the low- and high-level features that MASM offers, which I fail to find in any other assemblers.

Anyway, just my 2 cents, perhaps you would like to write such a tool as well, or use mine.
Posted on 2004-01-25 06:01:25 by Henk-Jan

Anyway, just my 2 cents, perhaps you would like to write such a tool as well, or use mine.

In situations where I want binary output, I prefer what nasm/fasm can give me, it offers a bit more control. Furthermore, fasm is able to do something I never really succeeded in doing with masm - *really* putting everything in one section, and having 100% control over the order of things. This was quite important when doing the stub for my exe packer/krypter.

For more advanced stuff, I made a tool for converting PE files into my own format... relocations, imports, everything. This works quite well, and lets me write the "level2" code of my packer/krypter in just about any language I want.
Posted on 2004-01-25 06:20:05 by f0dder
In situations where I want binary output, I prefer what nasm/fasm can give me, it offers a bit more control.


Well I haven't used nasm much, and not used fasm at all, so I'm not sure what extra control they can give. All I can say is that I never found MASM lacking the control I need.

Furthermore, fasm is able to do something I never really succeeded in doing with masm - *really* putting everything in one section, and having 100% control over the order of things.


What do you mean by that exactly? If you put everything in the .code section in MASM, you get it where it's supposed to be, right?
Posted on 2004-01-25 06:23:28 by Henk-Jan

What do you mean by that exactly? If you put everything in the .code section in MASM, you get it where it's supposed to be, right?

Not exactly - try putting your imports in the code section... it's possible to do this with /MERGE, but with /MERGE you don't have any control over the section ordering.
Posted on 2004-01-25 06:27:11 by f0dder
/MERGE is a linker option though, not a MASM option. So the issue is slightly different I guess. I thought you were talking about the assembler only, and dumping raw code... But you want to dump PE code. I guess in that case, you would need to look at a linker in the case of MASM. Or... build the entire binary image manually... or use some macros that can take care of the jobs that the linker does, and put the stuff in the binary the way you want it :)

Anyway, whatever works for you, I suppose.
Posted on 2004-01-25 06:39:07 by Henk-Jan

Anyway, whatever works for you, I suppose.

Exactly. Fasm does this job like a charm, without me having to write my own linker, or building a PE by hand with masm code and dumping that. And when doing direct binary output, I still prefer fasm/nasm - since there's no "ripcode" additional step.
Posted on 2004-01-25 06:44:29 by f0dder