Last night I was working on a program which I decided to not use imports, after I finished I realized
that there is a lot of useless typing involved in obtaining kernel32 base (using the delta method) loading
each API and then you end up with an odd calling convention. So, to make things about as easy as they
can get, I created this little include file. Let me know what you think. The GetProcAddr procedure was
given to me as a replacement for my slow Hash search routine (ProcSearch) I wrote, by EvilHomer2k; the
rest of the stuff was just thrown together off of my last program. Take a look at it and let me know if
you like it. Thanks in advance for any suggestions, comments, and/or criticisms.

Regards,
Bryant Keller

Download K32B.INC

Update: sorry typed the download link wrong, fixed now.
Posted on 2005-09-04 14:20:01 by Synfire
Your method of finding kernel32 base doesn't seem very safe, and it doesn't seem like you handle forwarded exports. Basically this means that the code can probably be used for viruses and shellcode, but will be unusable for real applications. Not to mention that an application that doesn't end up importing from kernel32.dll will fail on win2k.
Posted on 2005-09-04 20:06:58 by f0dder
Thanks f0dder,

My actual idea is to change the K32B macro and name it DeltaM (or the like), then actually implement
several other methods under descriptive names as well. I'm not likely to continue this though since I've
not really got much of a response on it. I just wanted to see if writing a quick include that would simplify
this process would be something anyone would want. But only about 12-13 people actually downloaded
it, other than close friends. So I'm probably not going to continue with it. But I really appreciate the
response man.

Cheers,
Bryant Keller
Posted on 2005-09-06 06:47:15 by Synfire
Hi all :)


Not to mention that an application that doesn't end up importing from kernel32.dll will fail on win2k.

Is that possible? I mean for a process not to have kernel32.dll mapped in its address space.


But only about 12-13 people actually downloaded it, other than close friends. So I'm probably not going to continue with it.


Well, you can't expect much more than that just yet. The topic is rather limited in itself, this isn't such a large forum, and you just posted this a couple days ago. Don't be discouraged! :)
Posted on 2005-09-06 10:25:35 by QvasiModo

Is that possible? I mean for a process not to have kernel32.dll mapped in its address space.

Yes... it seems that win2k will not load kernel32 if it's not used, which will cause the loader to fail *silently* since the loader depends on kernel32 being present.

I think XP forces kernel32 (and some other DLLs?) into the process address space, and thus PEs can run on XP without any imports.

And yes, it *is* rather specifically kernel32.dll you must end up importing from - importing a "dummy.dll" won't work, so it's not because of a missing import section. Importing from gdi32 will work because that *ends up* importing from kernel32 (this can be useful if you're coding 4k intros, since GDI32:Arc is probably the shortest import you can have). But for all *real* applications, I would import at least kernel32:exitprocess.
Posted on 2005-09-06 11:34:57 by f0dder
My favourite import is still ExitProcess. Clean code is the way to go.
Posted on 2005-09-06 11:49:51 by roticv
Synfire,

I have a project similar to yours:

http://www.asmcommunity.net/board/index.php?topic=21427.0
Posted on 2005-09-14 04:54:33 by Vortex
Vortex,
Sweet man, I'll look into it a little better here in a few minutes. I just woke up and I was just checking to see
if a buddy PM'd me with a response on another project I'm doing.

QvasiModo,
I still haven't gotten a big response to it from what I can tell on my site logs, but I've decided to continue this
in my spare time since a few really close friends have shown a big interest in it.

f0dder,
BTW, I thought the PE loader always loaded KERNEL32.DLL and NTDLL.DLL when it ran an application. I don't
currently use 2K so I've not had a chance to check if it will run fine on it, but I've run it on 98SE and XP
without a single failure... I'll have to get ahold of a 2K disk and check it out, thanks for the heads up and
sorry I didn't get back until such a late time.. I've got like 5 different projects going (and this one is the only
one I'm doing for myself).

Regards,
Bryant Keller
Posted on 2005-09-16 11:12:50 by Synfire
Hi Synfire,

Here is another example without import section.
Posted on 2005-09-16 12:26:33 by Vortex
Well, on 2k you apparently don't get ntdll and kernel32 "for free". I did a number of tests, and my conclusion was that you need to "end up importing from kernel32", whether directly (like kernel32.exitprocess) or indirectly (like importing gdi32 that imports from kernel32). It's been a couple of years, so I can't remember if importing ntdll was enough - but I think I tested it, and it makes sense that kernel32 is required (because of the stack contents of your main thread...)

I did test importing just from a "dummy.dll", which also failed, so it wasn't some "your program must have something in the import table", it was a specific DLL requirement.
Posted on 2005-09-17 05:51:29 by f0dder
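A defender-side check for the rule f0dder describes above, added here as an example that is not code from the thread or from the K32B include: a minimal parser for a PE image's import directory that lists the DLLs the image imports directly, and so flags images with no import directory at all (the shellcode-style case) or none from kernel32.dll. build_sample_pe is an assumed helper that constructs a synthetic PE32 for testing; it is not a loadable binary.

```python
import struct

def _rva_to_offset(rva, sections):  # sections = (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def imported_dlls(data):
    """Return the lower-cased DLL names in a PE32/PE32+ import directory ([] if the image has none)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                             # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)                 # data directories: PE32 0x60, PE32+ 0x70
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]           # directory[1] is the import table
    if imp_rva == 0:
        return []                                                   # no import directory at all
    sec = opt + opt_size                                            # section table follows optional header
    sections = [struct.unpack_from("<IIII", data, sec + 40 * i + 8) for i in range(nsec)]
    dlls, off = [], _rva_to_offset(imp_rva, sections)
    while True:                                                     # IMAGE_IMPORT_DESCRIPTOR array, 20 bytes each
        name_rva = struct.unpack_from("<I", data, off + 12)[0]      # Name field at +12
        if name_rva == 0:                                           # all-zero descriptor terminates the array
            break
        name_off = _rva_to_offset(name_rva, sections)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii").lower())
        off += 20
    return dlls

def win2k_loadable(data):
    return "kernel32.dll" in imported_dlls(data)  # f0dder's rule, checked on direct imports only

def build_sample_pe(dll_names):
    """Constructed test input (assumed helper, not a real binary): a PE32 whose only content is an import table."""
    n_desc = len(dll_names) + 1                                     # descriptors plus the terminating zero one
    descs, names = b"", b""
    for name in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, 0x1000 + 20 * n_desc + len(names), 0)
        names += name.encode("ascii") + b"\0"
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 optional header, magic 0x10B
    struct.pack_into("<II", opt, 0x68, 0x1000 if dll_names else 0, 20 * n_desc)  # import directory RVA/size
    sec = bytearray(b".rdata".ljust(8, b"\0")) + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)
    dos = bytearray(b"MZ".ljust(0x40, b"\0")); struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 0xE0 optional header
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return headers.ljust(0x200, b"\0") + (descs + bytes(20) + names).ljust(0x200, b"\0")
```

Only direct imports are inspected, so an image that reaches kernel32 indirectly through gdi32 (the 4k-intro case mentioned earlier in the thread) is reported as not importing it.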
Fine, I agree that K32 won't always be imported, though rare..
As for NTDLL, I was under the impression that it is ALWAYS imported on ALL nt systems, and can be obtained via the PEB/PEB_LDR/InitOrderModuleList first entry.
If I'm wrong, shoot me down :)
Since I don't have 2K, would someone who does have it (and a JIT debugger such as Olly) please confirm this so we can put this to bed?


.486
.model flat, stdcall
option casemap:none
.code
; offsets below are the 32-bit (x86) PEB / PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY layout
start:
mov     eax, fs:[30h]       ; EAX = PEB base (TEB+30h)
mov     eax, [eax+0Ch]      ; EAX = PEB.Ldr (PEB_LDR_DATA)
mov     eax, [eax+1Ch]      ; EAX = InInitializationOrderModuleList.Flink; 1st entry is ntdll
mov     eax, [eax+08h]      ; EAX = DllBase of that entry = base of NTDLL
int 3                       ; break here and inspect EAX in the debugger
end start


Postscript: Under 2K3 and onwards, I'm led to believe that the 2nd entry is K32.
I do not attempt to qualify that statement.
Posted on 2005-09-18 09:21:34 by Homer
Homer, that code won't even load under win2k - if you don't end up importing kernel32, the loader will silently refuse to load the executable. No user prompt, no nothing.
Posted on 2005-09-18 09:39:44 by f0dder
Ok, so 2K's pe loader just shits itself and gives up the ghost if it can't find anything to resolve?
That's so bizarre :)
Since most of the functionality of K32 is in fact imported from ntdll, is it really ntdll that is a base requirement for 2K's pe loader, or are you absolutely certain K32 is required?
Posted on 2005-09-19 18:51:03 by Homer
It shits itself if kernel32.dll isn't there, not if "it can't find anything to resolve" - adding a "dummy.dll" means it has to resolve some imports, but it will still fail.

I'm pretty sure I tested an app that only imported from NTDLL and that it failed to load too - but it's been some years. Most likely the requirement is both kernel32 and ntdll, but since kernel32 depends on ntdll this is somewhat hard to verify :)
Posted on 2005-09-20 03:16:08 by f0dder