Is there a way to terminate a program in Win32
by some tricky instruction?

Tried a 'RET' --> program crashes

because we will get lost deep in kernel32!

Any ideas? Perhaps Fodder has the answer?

Posted on 2002-02-08 05:17:21 by CRYO
Because every running program creates its own process, you have to finish it correctly, like

push 0
call ExitProcess

Actually, you can find the starting address of kernel32 in memory, and then, if you know the offset of the ExitProcess function inside kernel32, you can invoke it without using the API. Some kinds of programs do it this way - packers/protectors/viruses/etc...

BTW, why do you need this?
Posted on 2002-02-08 05:41:31 by masquer
hm, as far as I know ret works, but only if you don't pollute
your stack... I think you can also grab the first stack value
at prog start and return to it later... but it's very dirty...
use ExitProcess...

btw masquer, ExitProcess is an API, linked or not...


yup, worked in 2k

bla db "test",0

start: invoke MessageBox,0,addr bla,addr bla,0
       ret                 ; return to the address the loader left on the stack
Posted on 2002-02-08 05:44:47 by mob


yup, worked in 2k

bla db "test",0

start: invoke MessageBox,0,addr bla,addr bla,0
       ret                 ; return to the address the loader left on the stack
yeah, worked for me too :)
Posted on 2002-02-08 07:02:02 by cynix
p.s. does this count as "using" ExitProcess? :grin:
pop ecx            ; take the return address the loader left on the stack
                   
push 0             ; exit code argument for ExitProcess
push ecx           ; put the return address back, so the stack looks like a call
push ExitProcess   ; ...and "return" into ExitProcess
ret
Posted on 2002-02-08 07:05:25 by cynix
thanks to all!

I'm currently coding the loader of a PE protector. If the search-API routine fails or any modifications are detected, the loader should quit.

I'll give the 'ret' solution a second try.

I've heard/read about the 'ret' instruction for a while, but
as a quick way of terminating a program in DOS days. :)
Posted on 2002-02-08 11:52:18 by CRYO
CRYO, at least import kernel32.ExitProcess in the packer. First, this
lets you exit in a clean way that will work on any future version of
win32. Second, since you need at least one import from kernel32
for your executable to even *load* (across all win32 versions), it
might as well be ExitProcess.
Posted on 2002-02-08 12:23:55 by f0dder
Hi f0dder,
how should I integrate an API permanently in my
loader? Building up my own IAT and injecting it into
the target app? Or did I misunderstand you?

At least one import from kernel32?
Is that a requirement of Windows 2000/XP/Me?

Sorry for the stupid questions. I'm new at writing loaders,
the PE format and OS compatibility.

it works for me too!

But take care to save the ebx register at the entry point
(push ebx), and before quitting via 'ret' do a (pop ebx).
Posted on 2002-02-08 12:45:01 by CRYO
Yes, the "at least one import from kernel32" is a win2k requirement,
and probably not a requirement on all versions of win2k. It makes
sense, though, since your program entrypoint will be called by
CreateProcess code, which resides in kernel32.

I assume your packer compresses the original program IAT. You
should modify the PE structure and build a new smallish IAT (for
the depacker), which includes at least ExitProcess. It makes sense
to include LoadLibrary as well - even though you can backscan from
kernel32.exitprocess and get kernel32 base addy, you can not be
100% sure that LoadLibrary is there, as NT can redirect exports.
The probability of LoadLibrary not being in kernel32 is very small,
but... it's a probability nevertheless.
Posted on 2002-02-08 12:49:23 by f0dder
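A worked illustration of the "smallish IAT" f0dder describes, added here and not code from anyone in the thread: it lays out a PE32 import directory for a depacker stub (descriptors, import lookup table, import address table, hint/name entries), reads it back the way an inspection tool would, and checks the kernel32 rule of thumb from the post above. The DLL names, function names and the base RVA are constructed sample values; the blob is meant to be copied into a section at that RVA and pointed to by the import data directory.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESCRIPTOR = struct.Struct("<IIIII")


def build_import_directory(base_rva, imports):
    """Lay out a PE32 import directory that will live at RVA base_rva (assumed caller-chosen).
    imports maps DLL name -> list of function names. Blob layout: descriptors + null terminator |
    ILT per DLL | IAT per DLL | DLL names and hint/name entries. On disk the IAT is a copy of
    the ILT; the Windows loader overwrites the IAT slots with resolved addresses."""
    thunk_bytes = 4 * sum(len(funcs) + 1 for funcs in imports.values())  # +1: null thunk per DLL
    ilt_off = DESCRIPTOR.size * (len(imports) + 1)
    iat_off = ilt_off + thunk_bytes
    names_off = iat_off + thunk_bytes
    descs, thunks, names = b"", b"", b""
    for dll, funcs in imports.items():
        dll_name_rva = base_rva + names_off + len(names)
        names += dll.encode("ascii") + b"\0"
        ilt_rva = base_rva + ilt_off + len(thunks)
        iat_rva = base_rva + iat_off + len(thunks)
        for func in funcs:
            thunks += struct.pack("<I", base_rva + names_off + len(names))  # RVA of hint/name entry
            entry = struct.pack("<H", 0) + func.encode("ascii") + b"\0"     # hint 0, then the name
            names += entry + (b"\0" if len(entry) % 2 else b"")             # keep entries 2-byte aligned
        thunks += b"\0\0\0\0"  # terminate this DLL's thunk list
        descs += DESCRIPTOR.pack(ilt_rva, 0, 0, dll_name_rva, iat_rva)
    descs += DESCRIPTOR.pack(0, 0, 0, 0, 0)  # terminate the descriptor array
    return descs + thunks + thunks + names


def parse_import_directory(blob, base_rva):
    """Walk the descriptors back into {dll: [names]}; ordinal imports appear as '#n'."""
    def cstring(rva):
        off = rva - base_rva
        return blob[off:blob.index(b"\0", off)].decode("ascii")
    result, off = {}, 0
    while True:
        ilt_rva, _, _, name_rva, _ = DESCRIPTOR.unpack_from(blob, off)
        off += DESCRIPTOR.size
        if name_rva == 0:
            break
        funcs, toff = [], ilt_rva - base_rva
        while (thunk := struct.unpack_from("<I", blob, toff)[0]):
            toff += 4  # high bit set means import by ordinal, else RVA of hint/name (skip 2-byte hint)
            funcs.append("#%d" % (thunk & 0xFFFF) if thunk & 0x80000000 else cstring(thunk + 2))
        result[cstring(name_rva)] = funcs
    return result


def stub_imports_ok(imports):
    """The rule from the thread: kernel32 must be imported, with ExitProcess and a LoadLibrary."""
    k32 = {f.lower() for dll, funcs in imports.items() if dll.lower() == "kernel32.dll" for f in funcs}
    return "exitprocess" in k32 and bool(k32 & {"loadlibrarya", "loadlibraryw"})
```

Running the parser over a real file needs the usual RVA-to-file-offset translation through the section table, which is left out here because the blob is self-addressed.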
phew! sounds hard to get into.

Seems I must read up on the IAT.

So I'll start a search and google around.

Anyone has cool links or articles about the
IAT? Structures & creating it?

I read a lot more than I code!
But this is the reason I decided to code in Win32ASM! :grin:
Posted on 2002-02-08 13:01:08 by CRYO
Iczelion's PE tutorials, LUEVELSMEYER's PE docs... Matt Pietrek's as
well, and... in general, look around. The structures are not too hard
to understand, and information is rich and easy to find.
Posted on 2002-02-08 13:18:39 by f0dder