Can anyone please explain to me the concept of what a 'delta' handle is, because I have seen a lot of programs containing the following snippet of code:

CALL DELTA ; GET DELTA
DELTA: POP EBP
SUB EBP, DELTA
Also, how can I get the kernel32 imagebase from the stack? I want to do this since I have to protect an exe by having '0' imports to refer to :grin:

Thanks in advance

:stupid:
Posted on 2004-04-13 22:14:23 by telophase
DELTA is most likely not a handle but a symbolic name. Delta is the mathematical word for 'difference' or 'change'. For example

mov edx, offset Function_End
sub edx, offset Function_Start
mov Delta, edx

Delta holds the difference, or change, in addresses.

Hope this helps
:NaN:
Posted on 2004-04-13 22:31:57 by NaN
an exe with 0 imports won't run in XP/2k/NT as far as I remember

and the call delta gives you the runtime EIP effectively, allowing you to use that address as a 'landmark' when calculating other addresses.. trace it, it isn't rocket science
Posted on 2004-04-13 23:42:03 by evlncrn8
Posted on 2004-04-13 23:46:25 by f0dder
You use it to create viruses
Posted on 2004-04-14 01:48:28 by greenant
'alternative importing' is used in software protection, too (no, f0dcrypt is still not ready for release and probably won't be for quite some time yet.)

I am sure telophase wouldn't need to ask about such techniques here if he was a virus writer, as they are well described in various viral zines. (And if he is, well, I hope we will toddle off and go somewhere else.)
Posted on 2004-04-14 09:49:37 by f0dder
an exe with 0 imports won't run in XP/2k/NT as far as I remember


I don't understand what you want to tell here.

Do you mean that a program that doesn't call any function in Windows or any library will not work on the XP/2k/NT systems? Then how do DOS programs work on it?

And another thing here: what is delta?
I will tell you what I understood: by using it you get the EIP that allows your code to enter the program loop, to run on the processor. Is that right?

Finally, how do I make such a thing?


Thanks,
Amr
Posted on 2004-04-14 10:08:08 by amr

Then how do DOS programs work on it?

Because DOS programs run in another subsystem - the NTVDM. Obviously DOS programs don't have to use win32 imports :p.

0-import exes will work on some win32 versions but not on others. Didn't work on the versions of win2k I tried it on, but worked on XP. Since there's at least a couple of platforms it doesn't work on, the technique is unusable for me.

If anybody knows the tech detail why it works on XP but not 2k, enlighten me - I'm too lazy to reverse the PE loader :)


And another thing here, What is delta ?

http://www.asmcommunity.net/board/index.php?topic=17649&highlight=delta
Posted on 2004-04-14 10:17:47 by f0dder
If anybody knows the tech detail why it works on XP but not 2k, enlighten me - I'm too lazy to reverse the PE loader



If I remember correctly reading it off somewhere, the problem with 0 imports is only on 2k. It had something to do with the PE loader in 2k. The exact details I cannot remember, might need to dig for it.
Posted on 2004-04-14 10:33:24 by roticv
Well, my guess...

It's a more or less well-known fact that your program entrypoint isn't the first code that executes on process creation. Some of the first code that executes in your process is actually kernel32.dll code, which then calls your entrypoint, iirc. This is why you can find a kernel32 address at the program entrypoint.

It's also well-known that DLLs aren't "global" on NT as they are on 9x - they get mapped for each individual process only if the process uses them.

So... it would seem the stuff fails on 2k because 2k doesn't "force" kernel32 into your process. But why does it succeed on XP, then? Are DLLs forced into your process, and is it more than just kernel32?

(And of course, the above is a *lot* of speculation, so it could be wrong).
Posted on 2004-04-14 10:55:01 by f0dder
Ah you reminded me.

I think the reason why the exe cannot be loaded without an import in win2k is because without any imports, ntdll.dll cannot be mapped into memory and thus the exe fails to load properly. Like what you said, DLLs aren't global on NT.

Perhaps we need to look into the pe loader of XP? :p
Posted on 2004-04-14 11:02:42 by roticv
I can't really be bothered :). I asked g-rom about it a while ago, and he didn't know either - it even came as a surprise to him that the noimports stuff didn't work on 2k.
Posted on 2004-04-14 11:14:06 by f0dder

It's a more or less well-known fact that your program entrypoint isn't the first code that executes on process creation. Some of the first code that executes in your process is actually kernel32.dll code, which then calls your entrypoint, iirc. This is why you can find a kernel32 address at the program entrypoint.


AFAIK, the address in is the same return address for procedures called through CreateThread. It is supposed to be simply a call to ExitThread with a return value of 0. The lParam seems to be missing in this case? :confused:
Posted on 2004-04-14 15:33:31 by QvasiModo
The and thread-return values are different on my system...
Posted on 2004-04-14 15:58:50 by f0dder
Yep, here too (XP). I'll try it back home (98). Then I'll see if I got that info from there, or if I've finally melted my brain :P
Posted on 2004-04-14 17:55:22 by QvasiModo
Guess I was way off the mark here <lol>

:NaN:
Posted on 2004-04-14 18:33:52 by NaN
Not that much, NaN - the 'delta' is indeed still difference/change in this context - the precise meaning would be "amount the loaded code has been relocated from its original imagebase".
Posted on 2004-04-14 18:37:37 by f0dder
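f0dder's definition is exactly what the PE loader works with: when an image cannot be mapped at its preferred ImageBase, the loader computes delta = actual base - preferred base and adds it to every absolute address listed in the .reloc section. The `CALL DELTA / POP EBP / SUB EBP, DELTA` sequence from the first post computes the same number at runtime for code that has no loader doing this on its behalf. Below is an added example (mine, not code from this thread) that builds a small constructed image with three absolute references and one IMAGE_REL_BASED_HIGHLOW relocation block, then applies the delta the way a loader would; the bases, RVAs and layout are all constructed for the demonstration.

```python
import struct

# Relocation entry types from the PE specification (type lives in the top 4 bits)
IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address, add the full delta

# Constructed layout: a link-time base of 0x00400000, code page at RVA 0x1000
# holding three pointers into data at RVA 0x3000, reloc block at RVA 0x2000.
PREFERRED_BASE = 0x00400000
CODE_RVA, RELOC_RVA = 0x1000, 0x2000
REF_RVAS = (0x1010, 0x1020, 0x1030)


def apply_relocations(image: bytes, preferred_base: int, actual_base: int,
                      reloc_rva: int, reloc_size: int) -> bytes:
    """Apply .reloc fixups to an image laid out as it would be in memory
    (so RVA == offset into `image`). Returns the relocated copy."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF  # wraps like a 32-bit SUB
    out = bytearray(image)
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", out, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block")
        for entry_pos in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", out, entry_pos)[0]
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {kind}")
            target = page_rva + offset
            value = struct.unpack_from("<I", out, target)[0]
            struct.pack_into("<I", out, target, (value + delta) & 0xFFFFFFFF)
        pos += block_size
    return bytes(out)


def build_sample_image():
    """Constructed image: returns (image bytes, size of the .reloc data)."""
    image = bytearray(0x3000)
    for i, rva in enumerate(REF_RVAS):
        struct.pack_into("<I", image, rva, PREFERRED_BASE + 0x3000 + 4 * i)
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (rva - CODE_RVA) for rva in REF_RVAS]
    if len(entries) % 2:  # blocks are DWORD-aligned, pad with an ABSOLUTE entry
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    block = (struct.pack("<II", CODE_RVA, 8 + 2 * len(entries))
             + struct.pack(f"<{len(entries)}H", *entries))
    image[RELOC_RVA:RELOC_RVA + len(block)] = block
    return bytes(image), len(block)


def read_u32(image: bytes, rva: int) -> int:
    return struct.unpack_from("<I", image, rva)[0]


if __name__ == "__main__":
    image, reloc_size = build_sample_image()
    actual_base = 0x10000000  # constructed: where the loader managed to map the image
    relocated = apply_relocations(image, PREFERRED_BASE, actual_base, RELOC_RVA, reloc_size)
    print(f"delta = {actual_base - PREFERRED_BASE:#010x}")
    for rva in REF_RVAS:
        print(f"RVA {rva:#06x}: {read_u32(image, rva):#010x} -> {read_u32(relocated, rva):#010x}")
```

The masking to 32 bits matters for the downward case: mapping below the preferred base gives a negative delta, which the loader (and the `SUB EBP` trick) represent as a wrapped unsigned value, and the fixup still lands on the right address.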
But all you people tell me one thing: how do I get the ImageBase of kernel32 from the stack?

And is it also possible for me to get the ImageBase of other DLLs like user32 or shell32 etc..
Posted on 2004-04-14 20:21:00 by telophase

But all you people tell me one thing: how do I get the ImageBase of kernel32 from the stack?

And is it also possible for me to get the ImageBase of other DLLs like user32 or shell32 etc..


on EP get the value off the stack like dword ptr .. That'll give you somewhere in K32.. doesn't really matter and you can wipe the loword if you want 'cause x86 is on 1 page align.. this is all in Billy's 29A4 guide (sorry to cite it here). Anyways here's my func for it.. kinda lame 'cause it's slow:

;--------------------------------------;
; GetKernelBase                        ;
;                                      ;
; - Gets kernel32 base by walking back ;
;   until an MZ header is found whose  ;
;   e_lfanew points at a PE signature  ;
;                                      ;
; Input:                               ;
;   EAX - somewhere in KERNEL32        ;
;   EBP - delta offset                 ;
;                                      ;
; Output:                              ;
;   ddKernBase - base (a dd in the     ;
;   caller's data, addressed via EBP)  ;
;--------------------------------------;
; IMAGE_DOS_SIGNATURE ('MZ') and IMAGE_NT_SIGNATURE ('PE',0,0) come from windows.inc

GetKernelBase proc
    pushad

LoopCheck:
    cmp word ptr [eax], IMAGE_DOS_SIGNATURE    ; 'MZ' at this address?
    jz LoopFind
    dec eax                                    ; no: step back one byte
    jmp LoopCheck

LoopFind:
    movzx edi, word ptr [eax+3ch]              ; e_lfanew (low word is enough for real headers)
    add edi, eax                               ; EDI -> candidate IMAGE_NT_HEADERS
    cmp dword ptr [edi], IMAGE_NT_SIGNATURE    ; 'PE',0,0 there?
    jz LoopEnd
    dec eax                                    ; stray 'MZ' in data: keep looking
    jmp LoopCheck                              ; rinse & repeat

LoopEnd:
    mov dword ptr [ebp+ddKernBase], eax        ; store the base, via the delta in EBP

    popad
    ret

GetKernelBase endp



0 imports don't work 'cause M$ prolly assumed: what legit exe would need 0 imports? Which they're right about. At any rate you can use a virtual loader like y0da's Incontext or z0mbie's thing INMEM.rar for 0 imports I think.
Posted on 2004-04-14 21:37:33 by archphase
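The routine archphase posted is the same walk a memory-forensics tool performs when it resolves an arbitrary address in a dump to the module containing it, and it generalizes in two ways he already hints at: step downward page by page instead of byte by byte (modules are page-aligned, which is why the low word of the address can be dropped), and accept a page only when its 'MZ' header's e_lfanew points at a real 'PE\0\0' signature, so a stray 'MZ' inside data does not fool the scan. The following is an added example (mine, not code from this thread) in Python over a constructed memory region; `REGION_BASE`, the page layout and the decoy header are all constructed for the demonstration, and a real tool would read the bytes from a dump and stop at the region's lower bound rather than walk into unmapped memory as the byte-stepping version would.

```python
import struct

PAGE_SIZE = 0x1000
DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"

# Constructed: a 4-page region pretending to be a mapped module range.
REGION_BASE = 0x7C800000


def find_module_base(region: bytes, region_base: int, address: int):
    """Return the base of the module containing `address`, or None.

    Walks downward one page at a time from the page containing `address`
    and stops at the first page that begins with a DOS header whose
    e_lfanew lands on an NT signature inside the region.
    """
    if not region_base <= address < region_base + len(region):
        return None
    page = address & ~(PAGE_SIZE - 1)  # drop the low bits: modules are page-aligned
    while page >= region_base:
        off = page - region_base
        if region[off:off + 2] == DOS_SIGNATURE and off + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
            nt = off + e_lfanew
            # bounds check first: a decoy 'MZ' may carry a wild e_lfanew
            if nt + 4 <= len(region) and region[nt:nt + 4] == NT_SIGNATURE:
                return page
        page -= PAGE_SIZE
    return None


def build_region(pages: int, header_page: int = 0, decoy_page=None) -> bytes:
    """Constructed region: a valid MZ/PE header pair at `header_page` and,
    optionally, an 'MZ' at `decoy_page` whose e_lfanew points at zeros."""
    buf = bytearray(pages * PAGE_SIZE)
    hdr = header_page * PAGE_SIZE
    buf[hdr:hdr + 2] = DOS_SIGNATURE
    struct.pack_into("<I", buf, hdr + 0x3C, 0xE0)
    buf[hdr + 0xE0:hdr + 0xE4] = NT_SIGNATURE
    if decoy_page is not None:
        d = decoy_page * PAGE_SIZE
        buf[d:d + 2] = DOS_SIGNATURE
        struct.pack_into("<I", buf, d + 0x3C, 0x200)  # no 'PE' there
    return bytes(buf)


if __name__ == "__main__":
    region = build_region(4, header_page=0, decoy_page=2)
    for addr in (REGION_BASE + 0x2FF0, REGION_BASE + 0x10, REGION_BASE + 0x5000):
        base = find_module_base(region, REGION_BASE, addr)
        print(f"{addr:#010x} -> {base:#010x}" if base is not None else f"{addr:#010x} -> not found")
```

For a dump you would call `find_module_base` with the region's bytes and the virtual address it was captured from; the lower-bound check is what keeps the scan from reading before the start of what was actually captured.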
The concept of virtual loaders sounds good. Could you give me some more info or some links and stuff on this thing?
Posted on 2004-04-14 22:28:32 by telophase