Can anyone please explain to me the concept of what a 'delta' handle is, because I have seen a lot of programs
containing the following snippet of code:
CALL DELTA ; GET DELTA
DELTA: POP EBP
SUB EBP, DELTA
Also, how can I get the kernel32 image base from the stack? I want to do this since I have to protect an exe by
having '0' imports to refer to :grin:
Thanks in advance
:stupid:
DELTA is most likely not a handle but a symbolic name. Delta is the mathematical word for 'difference' or 'change'. For example
mov edx, offset Function_End
sub edx, offset Function_Start
mov Delta, edx
Delta holds the difference, or change, in addresses.
Hope this helps
:NaN:
An exe with 0 imports won't run on XP/2k/NT, as far as I remember.
And the call delta effectively gives you the runtime EIP, allowing you to use that address as a 'landmark' when calculating other addresses. Trace it, it isn't rocket science.
http://www.asmcommunity.net/board/index.php?topic=17649&highlight=delta
0 imports will not work, forget the idea.
You use it to create a virus.
'Alternative importing' is used in software protection, too (no, f0dcrypt is still not ready for release, and probably won't be for quite some time yet).
I am sure telophase wouldn't need to ask about such techniques here if he was a virus writer, as they are well described in various viral zines. (And if he is, well, I hope he will toddle off and go somewhere else.)
An exe with 0 imports won't run on XP/2k/NT, as far as I remember.
I don't understand what you want to say here.
Do you mean that a program that doesn't call any function in Windows or any library will not work on XP/2k/NT systems?
Then how do DOS programs work on it?
And another thing here: what is delta?
I will tell you what I understood: by using it you get EIP, which allows your code to enter the program loop and run on the processor. Is that right?
Finally, how do I make such a thing?
Thanks,
Amr
Then how do DOS programs work on it?
Because DOS programs run in another subsystem, the NTVDM. Obviously DOS programs don't have to use win32 imports :p.
0-import exes will work on some win32 versions but not on others. It didn't work on the versions of win2k I tried it on, but worked on XP. Since there's at least a couple of platforms it doesn't work on, the technique is unusable for me.
If anybody knows the technical detail of why it works on XP but not 2k, enlighten me - I'm too lazy to reverse the PE loader :)
And another thing here: what is delta?
http://www.asmcommunity.net/board/index.php?topic=17649&highlight=delta
If anybody knows the technical detail of why it works on XP but not 2k, enlighten me - I'm too lazy to reverse the PE loader
If I remember correctly from reading it somewhere, the problem with 0 imports is only on 2k. It had something to do with the PE loader in 2k. The exact details I cannot remember; I might need to dig for it.
Well, my guess...
It's a more or less well-known fact that your program entrypoint isn't the first code that executes on process creation. Some of the first code that executes in your process is actually kernel32.dll code, which then calls your entrypoint, iirc. This is why you can find a kernel32 address on at program entrypoint.
It's also well-known that DLLs aren't "global" on NT as they are on 9x - they get mapped for each individual process only if the process uses them.
So... it would seem the stuff fails on 2k because 2k doesn't "force" kernel32 into your process. But why does it succeed on XP, then? Are DLLs forced into your process, and is it more than just kernel32?
(And of course, the above is a *lot* of speculation, so it could be wrong.)
Ah, you reminded me.
I think the reason why the exe cannot be loaded without an import in win2k is that without any imports, ntdll.dll cannot be mapped into memory and thus the exe fails to load properly. Like you said, DLLs aren't global on NT.
Perhaps we need to look into the PE loader of XP? :p
I can't really be bothered :). I asked g-rom about it a while ago, and he didn't know either; it even came as a surprise to him that the no-imports stuff didn't work on 2k.
It's a more or less well-known fact that your program entrypoint isn't the first code that executes on process creation. Some of the first code that executes in your process is actually kernel32.dll code, which then calls your entrypoint, iirc. This is why you can find a kernel32 address on at program entrypoint.
AFAIK, the address in is the same return address for procedures called through CreateThread. It is supposed to be simply a call to ExitThread with a return value of 0. The lParam seems to be missing in this case? :confused:
The and thread-return values are different on my system...
Yep, here too (XP). I'll try it back home (98). Then I'll see if I got that info from there, or if I've finally melted my brain :P
Guess I was way off the mark here <lol>
:NaN:
Not that much, NaN - the 'delta' is indeed still difference/change in this context; the precise meaning would be "the amount the loaded code has been relocated from its original imagebase".
But all you people, tell me one thing: how do I get the ImageBase of kernel32 from the stack?
And is it also possible for me to get the ImageBase of other DLLs like user32 or shell32, etc.?
On the EP, get the value off the stack like dword ptr .. That'll give you somewhere in K32. It doesn't really matter where, and you can wipe the loword if you want, because x86 images are page-aligned. This is all in Billy's 29A4 guide (sorry to cite it here). Anyway, here's my func for it; kinda lame because it's slow:
;--------------------------------------;
; GetKernelBase                        ;
;                                      ;
; - Gets kernel32 base                 ;
;                                      ;
; Input:                               ;
; - EAX - Somewhere in KERNEL32        ;
;                                      ;
; Output:                              ;
; - ddKernBase - Base                  ;
;--------------------------------------;
IMAGE_DOS_SIGNATURE equ 5A4Dh      ; 'MZ'
IMAGE_NT_SIGNATURE  equ 00004550h  ; 'PE',0,0

GetKernelBase proc
    pushad
LoopCheck:
    cmp word ptr [eax], IMAGE_DOS_SIGNATURE  ; does this byte start an 'MZ' header?
    jz LoopFind
LoopNext:
    dec eax                                  ; no: walk down one byte and retry
    jmp LoopCheck
LoopFind:
    mov edi, dword ptr [eax+3ch]             ; e_lfanew is a DWORD, not a WORD
    cmp edi, 1000h - 4                       ; sanity: PE header must lie in the first page
    ja LoopNext
    add edi, eax
    cmp dword ptr [edi], IMAGE_NT_SIGNATURE  ; 'MZ' followed by a real PE header?
    jz LoopEnd
    jmp LoopNext                             ; stray 'MZ' in data: rinse & repeat
LoopEnd:
    mov dword ptr [ebp+ddKernBase], eax      ; ebp holds the delta offset, so this
    popad                                    ; stays correct when the code is relocated
    ret
GetKernelBase endp
0 imports don't work because M$ probably assumed that no legit exe would need 0 imports, which they're right about. At any rate, you can use a virtual loader like y0da's Incontext or z0mbie's INMEM.rar for 0 imports, I think.
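Added example, not code from this thread or from the 29A text cited above: the same header walk as GetKernelBase, written in C so it runs offline against a constructed PE32 image in a malloc'd buffer (no real kernel32 involved). It steps a page at a time instead of a byte, treats e_lfanew as the DWORD it is, refuses to read below a caller-supplied lower bound, and then reads the load delta in f0dder's sense above (runtime base minus the header's preferred ImageBase) and applies it to a link-time address. The page size, the preferred base 0x7C800000 and the fake "return address" into the image are assumptions of the example.

```c
/* Added example (not the poster's or 29A's code): find a PE image base from an
 * address inside it, the way GetKernelBase above does but page-stepped and
 * bounded, then read and apply the load delta. It runs against a constructed
 * PE32 image in a malloc'd buffer, so it works offline on any OS. */
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SIZE           0x1000u
#define IMAGE_SIZE          (3 * PAGE_SIZE)
#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" */
#define PE32_MAGIC          0x10Bu       /* PE32+ is 0x20B with a 64-bit ImageBase */

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_hdr;
typedef struct {   /* IMAGE_NT_HEADERS32; only the fields used here are named */
    uint32_t Signature;   uint8_t file_hdr[20];  /* IMAGE_FILE_HEADER */
    uint16_t Magic;       uint8_t opt1[26];      /* optional header starts at Magic */
    uint32_t ImageBase;   uint8_t opt2[24];      /* preferred load address */
    uint32_t SizeOfImage; uint8_t rest[164];     /* through the data directories */
} nt_hdr;                                        /* 248 bytes, as on disk */
#pragma pack(pop)

/* Step down a page at a time from `inside` until a page starts with "MZ" whose
 * e_lfanew (a DWORD, not a WORD) points at "PE\0\0". Never reads below
 * `lowest`, which in a live process is the lowest address you know is mapped;
 * the asm loop above has no such bound. Assumes headers fit in the first page. */
static const uint8_t *find_image_base(const uint8_t *inside, const uint8_t *lowest)
{
    uintptr_t p = (uintptr_t)inside & ~(uintptr_t)(PAGE_SIZE - 1);
    while (p >= (uintptr_t)lowest) {
        const dos_hdr *dos = (const dos_hdr *)p;
        if (dos->e_magic == IMAGE_DOS_SIGNATURE && dos->e_lfanew >= sizeof(dos_hdr) &&
            dos->e_lfanew + sizeof(nt_hdr) <= PAGE_SIZE) {
            const nt_hdr *nt = (const nt_hdr *)(p + dos->e_lfanew);
            if (nt->Signature == IMAGE_NT_SIGNATURE && nt->Magic == PE32_MAGIC)
                return (const uint8_t *)p;
        }
        if (p < PAGE_SIZE) break;   /* do not wrap below address 0 */
        p -= PAGE_SIZE;
    }
    return NULL;
}

/* The delta in f0dder's sense: how far the image was relocated from its
 * preferred ImageBase (0 when it loaded where the linker expected). */
static intptr_t load_delta(const uint8_t *base)
{
    const nt_hdr *nt = (const nt_hdr *)(base + ((const dos_hdr *)base)->e_lfanew);
    return (intptr_t)((uintptr_t)base - nt->ImageBase);
}

/* Apply the delta to an absolute address assembled against ImageBase; this is
 * the same correction the call/pop trick and .reloc fixups both perform. */
static uintptr_t relocate(const uint8_t *base, uint32_t linked_va)
{
    return (uintptr_t)linked_va + (uintptr_t)load_delta(base);
}

/* Constructed PE32 image: valid MZ/PE headers in page 0, then two zero pages.
 * The preferred base 0x7C800000 is made up for the example. */
static uint8_t *build_fake_image(void **raw)
{
    *raw = calloc(1, IMAGE_SIZE + PAGE_SIZE);
    if (!*raw) return NULL;
    uint8_t *img = (uint8_t *)(((uintptr_t)*raw + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1));
    dos_hdr *dos = (dos_hdr *)img;
    dos->e_magic = IMAGE_DOS_SIGNATURE;
    dos->e_lfanew = 0x80;                       /* PE header follows a DOS stub */
    nt_hdr *nt = (nt_hdr *)(img + dos->e_lfanew);
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->Magic = PE32_MAGIC;
    nt->ImageBase = 0x7C800000u;
    nt->SizeOfImage = IMAGE_SIZE;
    return img;
}

/* Runs the chain from a fake "return address into the image" two pages past
 * the headers; returns 0 on success, else the number of the failing step. */
int self_check(void)
{
    void *raw;
    uint8_t *img = build_fake_image(&raw);
    if (!img) return -1;
    const uint8_t *inside = img + 0x2010;
    int rc = 0;
    if (find_image_base(inside, img) != img) rc = 1;
    else if (find_image_base(inside, img + PAGE_SIZE) != NULL) rc = 2; /* bound stops the walk */
    else if (load_delta(img) != (intptr_t)((uintptr_t)img - 0x7C800000u)) rc = 3;
    else if (relocate(img, 0x7C801234u) != (uintptr_t)(img + 0x1234)) rc = 4;
    free(raw);
    return rc;
}
```

In a live process `inside` is the kernel32 return address picked off the stack at the entry point and `lowest` is whatever you know is still mapped below it; the base it returns is what you then walk the export directory from in place of a GetProcAddress import. A PE32+ header (Magic 0x20B, 64-bit ImageBase) is deliberately rejected rather than misparsed, and the second self_check step shows the lower bound stopping the walk before it reads memory you did not vouch for.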
The concept of virtual loaders sounds good. Could you give me some more info, or some links and stuff, on this thing?