Error Issue


Jo_ti
October 12th, 2009, 09:49
I have injected a small piece of code into my exe. Here is the data:

PUSH 144
PUSH 403000
PUSH 40301A
PUSH 0
call 77D8050B ; <<<---- MessageBox API

So the problem is this. The code is working fine on my system but it is giving an error on another system. I am able to see the message box, but when tested on another system it crashes. I think all the parameters are correct, so where is the problem??

Nacho_dj
October 12th, 2009, 10:50
The problem is that not all machines are running the same kernel32.dll version, so if you use hardcoded calls, the risk of malfunctioning on different machines is enormous, since that function might start at a different address in the kernel.

So, you'd rather use references to functions the way the import tables do, by the name of the function, and let the system search for the start address of the function on its own when it loads your executable.

It would be very useful if you read something about how the import table works. Please have a look at the Iczelion tutorials, specifically the Import Table section; they are very complete...
Code:
http://win32assembly.online.fr/pe-tut6.html


Another useful approach could be invoking LoadLibraryA/GetModuleHandle (depending on whether your module is loaded or not) and then GetProcAddress, to obtain the start address of the required function, and then perform a call to that address...

Best regards

Nacho_dj

D-Jester
October 12th, 2009, 20:00
Nacho_dj is the man, when it comes to Import Tables. Not much I can add to his wisdom.

When a program is loaded into memory, Windows looks up all the addresses of the imported functions (using the IAT).
This is why you see:

Code:
call dword ptr [XXXXXXXX]


rather than

Code:
call XXXXXXXX


because all API functions are called through the IAT pointers that Windows has fixed up.

Alternatively you can use something along the lines of:

Code:

push "User32.dll"   ; address of the DLL name; MessageBoxA is exported by user32.dll, not kernel32.dll
call LoadLibraryA
push "MessageBoxA"  ; address of the function name
push eax            ; eax holds the module handle of User32.dll
call GetProcAddress
push 144            ; uType
push 00403000       ; lpCaption
push 0040301A       ; lpText
push 0              ; hWnd (was missing: MessageBoxA takes four parameters)
call eax            ; eax holds the address of MessageBoxA

Jo_ti
October 13th, 2009, 06:35
Hi Nacho_dj, thanks for your idea. I read all the Iczelion tutorials and they are good enough; just because of that I am trying to play with real executable files by injecting my own data.


I agree with D-Jester, it needs to be like this: call [xxxxxx], like what we normally get in an application, a call to a specific pointer which redirects it to the API. I tried, Jester, but it was giving an error, no idea why. Can you take a look at the small test.exe on which I am doing this? Maybe you can guide me in the right direction by looking at my code.

D-Jester
October 13th, 2009, 11:09
Quote:
Originally Posted by Jo_ti
Hi Nacho_dj, thanks for your idea. I read all the Iczelion tutorials and they are good enough; just because of that I am trying to play with real executable files by injecting my own data.

I agree with D-Jester, it needs to be like this: call [xxxxxx], like what we normally get in an application, a call to a specific pointer which redirects it to the API. I tried, Jester, but it was giving an error, no idea why. Can you take a look at the small test.exe on which I am doing this? Maybe you can guide me in the right direction by looking at my code.


If you upload it to rapidshare, I'll take a look.

Jo_ti
October 15th, 2009, 14:53
Thanks for the help, Jester, I just figured it out myself.

Just want to ask a simple question. I want to get the size of the code section in wininet.dll, which just loads when I press F9... and basically I got the info that the size of the code section varies on different systems. So if I want to get the size of any section of any module, which API should be helpful in that case?

Jo_ti
October 17th, 2009, 04:01
No one knows? OK.

May I get some info about wininet.dll:

PE header address
Code start address
Code end address
and size of code section in your pc.


Not having many friends in reverse engineering. So I just need this info from another PC.

evlncrn8
October 17th, 2009, 08:59
The only way you can do it is manually, coding your own runtime PE parser to get the information.
This sadly stems into the rootkit / malware area, and chances are relatively high that the thread will be closed.
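
A small PE header parser of the kind evlncrn8 describes, added here as an example and not code posted in the thread: it reads the PE header offset, the image base and each code section's start, end and size straight from the headers, which is the information asked for above. The sample image is constructed inline and is not wininet.dll; the PE32+ (64-bit) branch goes beyond what the thread discusses.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is executable

def parse_pe(data: bytes) -> dict:
    """Return PE header offset, image base and start/end/size of every code section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                           # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                            # PE32: ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                          # PE32+: ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    code_sections = []
    for i in range(nsections):                                    # IMAGE_SECTION_HEADER, 40 bytes each
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)   # VirtualSize, VirtualAddress
        chars = struct.unpack_from("<I", data, off + 36)[0]       # Characteristics
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            code_sections.append({"name": name, "start": image_base + vaddr,
                                  "end": image_base + vaddr + vsize, "size": vsize})
    return {"pe_header_offset": e_lfanew, "image_base": image_base,
            "code_sections": code_sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real DLL) with a .text and a .data section."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # Magic, linker version, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1200, 0x400, 0, 0x1000, 0x1000, 0x3000, 0x76B00000)
    opt += b"\0" * (224 - len(opt))                               # full PE32 optional header is 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    def sec(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x1200, 0x1000, 0x1200, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    data_sec = sec(b".data", 0x100, 0x3000, 0x200, 0x1600, 0x40 | 0x40000000 | 0x80000000)
    return dos + b"PE\0\0" + coff + opt + text + data_sec
```

For a module on disk, call parse_pe(open(path, "rb").read()); the header layout is the same when the module is mapped in memory, which is why the sizes differ between systems only because the DLL builds differ.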

Kayaker
October 17th, 2009, 10:56
Quote:
and chances are relatively high that the thread will be closed


Oh, I don't think so, though the answer is correct. That's pretty useful stuff that everyone should know. I'd suggest to Jo_ti to review the Iczelion tutorials again; all the information about getting those PE details is in there, and other examples are not difficult to find with a bit of background research.