Log in

View Full Version : Simple relocation parser to start.

BanMe
January 7th, 2011, 21:51
I was looking over the internet for relocation samples and found the one for morphine only after approaching it the same way, so I decided to go another way and would like some advice, on how to proceed further.

Here is the where I start this fairytale begins and lays the ruins of past 'zen' coding...posted to http://www.reverse-engineering.net/viewtopic.php?f=7&t=8082&sid=c7461d190f0c780485b6f9e62a5a4967
to which I have taken it far off topic..But w.e.

I have wanted to understand relocation in order to build one that works in reverse of this(if that makes sense). I have been trying to put together a relocation parser and then came up with a idea,but the parse comes first..so here is my code,I'm really trying to learn new asm instructions.. any thoughts ?

uses 3 register parameters eax,ecx,edx.
uses 2 stack locations +8,+C
5 parameters in total.

.inc
Code:


@Relocate@16 PROTO SYSCALL

Relocate <@Relocate@16>


updated 1/12/2011..

Code:


.486

.model flat

option casemap:none

include \masm32\include\windows.inc

include \masm32\include\ntdll.inc

includelib \masm32\lib\ntdll.lib

extern hInstWORD

.code

Relocate proc FASTCALL MemTable:PVOID,NearFunctionWORD,MemPointerWORD,CodeAtOffsetOfMemPointerWORD

;this part is dependent on this function being executed after RtlImageDirectoryEntryToData

	and ebx,0ffff0000h;I should calc the delta..*this bit taken from morphine*

	add ebx,[ebx+3Ch];dos to NT headers

	mov ebx,[ebx+034h];NT.(prefered)ImageBase

	sub edx,ebx;delta

;dependent part ends.

;start function

	test eax,eax;test if eax is a value..(it should be .reloc address..)

	jz reloc_parse_end

	mov edi,ecx;ecx is the pointer to my piece of memory(_tls_data).

	mov esi,eax

	cld;forward

	push edi;is my data table I want to create..

	;this is what I want it to look like.

	;edi+0 Total number of entries

	;HEADER_START

	;edi+4 Relocation Block Offset

	;edi+8 Size of block

	;edi+C Number of Entries in block

	;HEADER_END

	;edi+10 first block entry

	;...

	;HEADER_START

	;repeat that header for further blocks

	int 3

	add edi,4;save a area for Total

	movsd;write block offset to edi increments( esi, edi)

	movsd;write Block size to edi increments( esi, edi)

process_block:

	mov eax,[edi-4];get total sizeof relocation block; 

	sub eax,8;sub IMAGE_BASE_RELOCATION size from size of block to get size of entries.

	shr eax,1;divide by 2 to get number of entries

	push eax;store entries to stack

	mov ecx,eax;store number of entries in counter for loop with processing.

	stosd;write eax to edi increments edi.

reloc_parse_highlow:

	xor ebx,ebx;clear ebx

	xor eax,eax;clear eax

	lodsw;load a entry to eax

	mov ebx,eax;copy it for processing

	and eax,0fffh;clear top bit to get offset

	shr ebx,12;clear lowe 3 bit to get type

	sub ebx,3;check if I found IMAGE_REL_BASED_HIGHLOW

	add eax,hInst;ugly hack for testing o0

	add eax,edx;ImageBase + offset+delta 

	stosd;store entry to table

	loopnz reloc_parse_highlow;loop number of entries in ecx

	pop ecx;get current entries processed

	pop eax;get base or Total entries

	add [eax], ecx;accumalate Total entries.

	push eax;store base again

	mov eax,[esi];check if there is another block

	test eax,eax;test if zero

	jz check_table_datalocations;if no more blocks start processing data in table, else..

	mov edx,eax;.

	movsd

	movsd

	jmp process_block

reloc_parse_end:

	ret

check_table_datalocations:

	pop esi;get base of my structured table

	lodsd;total number of entries

	test eax,eax;check to see if there are any.

	je reloc_parse_end;if not end

	mov edx,eax.

	lodsd;reloc base

	lodsd;reloc sizeof block

	lodsd;number of entries

	mov ecx,eax

check_table_for_imports:

jmp reloc_parse_end

check_section_for_data:

ImportFound:

	jmp reloc_parse_end

Relocate endp


included below is 3 object files and the 'batch' file I used to compile the test dll, as well as source code for all 3 obj files. I used masm latest edition, and polink to compile the fastcall routines. If you cannot tell there is a int 3 in the code on purpose..still debugging..

I deleted materials to which I thought where not needed..in this string of posts.
evaluator
January 8th, 2011, 14:17
umm, not understood, what you want.
Do you want parce RELOC to remove relocation from already relocated module?
or just how to parse RELOC?
BanMe
January 8th, 2011, 15:00
I want to parse relocations to 'start'. But instead of applying adjustments throughout as a loader might, I want to apply 'adjusted' relocation information to a block of code that is mapped in memory to move it and the 'data' found data including imports to that memory.

So here is a list of what I want to do:
1. Finish the basic relocation parser.

2. Make a the basic parser be able to parse out only certain entries that apply to "NearFunction" and apply that info to "ApplyRelocsHere".

3. Make the Parser be able to move the data it finds in the code to Memory area and adjust reloc information as such.
evaluator
January 8th, 2011, 15:07
dont get it..

but there you have many stupiZ..
yah, learn ASSEMBLY
evaluator
January 8th, 2011, 16:15
how about you look "around".. like, see how Aspack does RELOC in it's code..
i had written parser, it's opensrc, but wont give it for DIRT2 puroses :P

PS: yor sign:
Burn It all to the ground.Who really cares?
BanMe
January 8th, 2011, 16:45
Sorry evaluator I overreacted to your comments, as I couldn't fully 'understand' them..its like a analgorithm..analogy and algorithm.. It's to interesting to be mad at. :}
evaluator
January 9th, 2011, 03:53
what really should hart: trashing your {life}time on altering others(m$) code..
is not time for you to say: let at least trash my {life}time on my own coding/programming!?

if you want OS which will run-as-you-wish, then there are opensource OSes,
turn them into yours
Darkelf
January 9th, 2011, 12:27
BanMe,

don't take eval's statements personally.
He sometimes a bit weird
I must confess, that I don't get ~75% of his comments. They are like a really hard to reverse algorithm
evaluator
January 9th, 2011, 14:16
Quote:
He sometimes a bit weird

huh? no, how you can say such dark_elf thingz!?
look at my avatar: i am PowerPoofGrl!
:P :P
Darkelf
January 9th, 2011, 15:00
Quote:
[Originally Posted by evaluator;88946]huh? no, how you can say such dark_elf thingz!?
look at my avatar: i am PowerPoofGrl!
:P :P


Hehe, I know - and what a lovely one

No, seriously I just wanted to smoothen the mood a bit here.
btw. saying darkelf things is what I'm born for - Oorah!!!

Love ya all
BanMe
January 9th, 2011, 15:15
Yea and I'm made of sugar and spice and everything 'nice', perish the thought..

and another update..woo I'm past the parsing point o0

http://img508.imageshack.us/img508/4130/visualize.jpg (http://img508.imageshack.us/i/visualize.jpg/)

On to using the table created, I still need a way to maintain the total number of entries but I am tired. I have included a test dll, it reacts weird with olly returning from tls(as i touched the stack as well and need to clean but those are trivial things...what is now important is exploring the data locations revealed to determine not only what section there in, but what type of data(string,import,constant,initialize,uninitialized).also I think this proves dELTA correct in a abstract way..I dont remeber the thread but he said something about olly fixing memory access exceptions automaticly o0.reload this 3 or 4 times to see what i mean. lol?

*removed d/l* as testing has moved forward.
BanMe
January 9th, 2011, 22:25
I have updated the code to a somewhat suitable extent and am over my first phase of development,I would really like any input on improving parse structure..though its is current working mostly as I would like it to,I still have lots to do like find the offsets that apply to a certain function block.I hope this triggers some form of discussion.

I guess now I've been 'informed'?

http://uninformed.org/index.cgi?v=6

Simply amazing article(s).

regards BanMe
BanMe
January 10th, 2011, 17:11
Quote:
[Originally Posted by Myself]
;instead of getting deltas to 'code' I want real data locations
;I would note that this solution only applies to 'this' dll as I know data is at 10002000..
;this will not work for other dll's yet, I haven't gotten that far, but the answers
;are in the PE somewhere.


The solutions are all there and have been sitting on the internet..for 20 yrs! lol good ol' iczelion PE tuts the 5th one about IMAGE_SECTION_HEADER, hit my this issue above on the nose. I thank you many times over for your contributions, if ever you read this..
BanMe
January 11th, 2011, 14:32
I think its called return back to tls o0
;entry for our Tls dll in my example it errors at a funny spot..by modding the code ever so slightly we can keep the ‘tls’ and stop execution of ep according to the PE.

This is the code for the Tls call routine and the caller of entry to dlls, you all know this..
Code:


7C901177   8BEC             MOV EBP,ESP

7C901179   56               PUSH ESI

7C90117A   57               PUSH EDI

7C90117B   53               PUSH EBX

7C90117C   8BF4             MOV ESI,ESP

7C90117E   FF75 14          PUSH DWORD PTR SS:[EBP+14]

7C901181   FF75 10          PUSH DWORD PTR SS:[EBP+10]

7C901184   FF75 0C          PUSH DWORD PTR SS:[EBP+C]

7C901187   FF55 08          CALL DWORD PTR SS:[EBP+8]

7C90118A   8BE6             MOV ESP,ESI//returns here.. -014 to get back to func entry 

7C90118C   5B               POP EBX                                  ; 10001000

7C90118D   5F               POP EDI                                  ; 10001000

7C90118E   5E               POP ESI                                  ; 10001000

7C90118F   5D               POP EBP                                  ; 10001000

7C901190   C2 1000          RETN 10


So by modding my dll entry ever so slightly, I can then return back to this function.. and properly call dll main or what not o0..

I don’t have time to really play with this 'error',just investigating tls a bit more.

My mod to my dll main in olly after return from, my matter at hand.

Old:
Code:


10001000   55               PUSH EBP

10001001   8BEC             MOV EBP,ESP

10001003   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]

10001006   A3 68220010      MOV DWORD PTR DS:[10002268],EAX

1000100B   E8 09000000      CALL 10001019

10001010   B8 01000000      MOV EAX,1

10001015   C9               LEAVE

10001016   C2 0C00          RETN 0C


New:
Code:


10001000   55               PUSH EBP

10001001   8BEC             MOV EBP,ESP

10001003   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]

10001006   A3 68220010      MOV DWORD PTR DS:[10002268],EAX

1000100B   E8 09000000      CALL 10001019

10001010   59               POP ECX                                  ; 0006F8C4

10001011   59               POP ECX                                  ; 0006F8C4

10001012   83E9 14          SUB ECX,14

10001015   51               PUSH ECX

10001016  ^EB C2            JMP SHORT 10000FDA
BanMe
January 12th, 2011, 21:02
So I am trying to analyze the relocation section further then just 'applying' relocations. Is there any other material on this, anywhere?Or do I search in the land of the 'lost' and quite possibly 'viral'.

note I have successfully counted the 'relocations' applied to calls to a 'IAT' function, by doing this with my table.
Code:


process_table:

	pop esi;get base of my structured table

	lodsd;total number of entries

	test eax,eax;check to see if there are any.

	je reloc_parse_end;if not end

	add esi, 8

	lodsd;number of entries

	mov ecx,eax

	xor edx,edx

process_table_entry:

	test ecx,ecx

	jz process_table_end

	dec ecx

	lodsd

	dec eax

	dec eax

	cmp word ptr[eax],025ffh

	jne process_table_entry

	inc edx

	loopnz process_table_entry


The next step with would be to successfully enumerate all the strings and data,then enumerating function calls. Any help on either of these would be greatly appreciated.

#added on 1-13.

So I've started my search in the land of the 'lost and viral', so far its going pretty good.. so far I've learned of hooking with relocations,encryption with relocations,polymorphism with relocations, and various others

29a #5 by TCP www.scribd.com/doc/15775001/EZine-29a5,
and subsequent win32.leon..http://eof-project.net/sources/kaze/Win32.Leon/
"from position-independent to self-relocatable" http://vxheavens.com/lib/vhe08.html

I think again I have lost everyone..

I have done some further work in parsing the table mainly locating calls and jmps and find the IAT jump table and the base of the IAT, this removes a fair amout from the total, but still there is more info to digest and fun ways to find them...I have started to make Object's for each processed entry, each containing only the simplest of information about each object.

And as a small example here is what ive got so far for my call object.
Code:


found_call:

	inc eax

	;build_call_object

	push eax

	mov eax,CallTable

	cmp eax, edx

	jne continue_build_call

	invoke VirtualAlloc,edx,1024,MEM_COMMIT or MEM_RESERVE,PAGE_READWRITE

	test eax,eax

	jz reloc_parse_end

	mov CallTable,eax

	mov CallIndex,edx

continue_build_call

	;CALL_OBJECT struct

	;CallLocation DWORD

	;CallAddress DWORD

	;Charecteristics DWORD

	;CALL_OBJECT ends

	....



BanMe
BanMe
January 14th, 2011, 13:29
Today might be theday..
BanMe
January 21st, 2011, 17:32
So this is the list of variants ive started building with olly's help, love the assemble feature. this variant table is a list of the entries and each entries variance based upon register used..seems mov DATA,EAX is the smallest way.. funny.

All these variances arent going to be entered into my relocation data analyzer, but I get side tracked alot..

updated detection method for analyzing how the data is used.so many more to add.
Code:


	dec eax

	cmp byte ptr [eax],08Eh;call location

	je found_call

	cmp byte ptr [eax],09Eh;found jump location

	je found_jmp

	cmp byte ptr [eax],086h;push data

	je found_push

	;mov reg,DATA

	cmp byte ptr[eax],08bh;eax,data

	cmp byte ptr[eax],09bh;ecx,...

	cmp byte ptr[eax],0abh;edx,...

	cmp byte ptr[eax],0bbh;ebx,...

	cmp byte ptr[eax],0ebh;esi,...

	cmp byte ptr[eax],0fbh;edi,...

	je MOV_REG_DATA

	;mov DATA,reg

	cmp byte ptr[eax],3ah;data,eax

	dec eax

	cmp word ptr[eax],0D098h

	cmp word ptr[eax],01598h

	cmp word ptr[eax],01D98h

	cmp word ptr[eax],03598h

	cmp word ptr[eax],0D398h

	cmp word ptr[eax],0D298h

	cmp word ptr[eax],02598h 

	je MOV_DATA_REG

	;lea reg,DATA

	cmp word ptr[eax],0D098h

 	cmp word ptr[eax],8D15

  	cmp word ptr[eax],8D1D

 	cmp word ptr[eax],8D35

 	cmp word ptr[eax],8D3D

 	cmp word ptr[eax],8D2D

 	cmp word ptr[eax],8D25

	je LEA_REG_DATA

	cmp word ptr[eax],025FFh

	je found_import_table_jmp

	cmp word ptr[eax],035FFh;push DWORD ptr DATA

	je found_push


ok so I don't really explain much..I'm still digging so yea..read up.I'm gonna try to have my Tls data stuff all done and I would like someone to proof read when I'm done.
Indy
January 21st, 2011, 23:26
http://indy-vx.narod.ru/Info/OpI.png
BanMe
January 22nd, 2011, 01:26
omg so much packed so tightly makes my head spin o0
TY.
Indy
January 22nd, 2011, 17:08
Intel® 64 and IA-32 Architectures Software Developer’s Manual Vol. 2B: A.1, A.3 etc.
NeOXOeN
January 25th, 2011, 07:07
BanMe: dont worry about evaluator comments,, nobody gets his what he says anyway..

just think of it as spam.. that is what i do

Keep a good work..
BanMe
January 25th, 2011, 08:06
Thank for encouragement,but I know better than to discount what eval says as just spam. I forgave and forgot.
BanMe
January 26th, 2011, 22:22
So I got bored trying to figure all the opcodes that 'could' surround data, though I haven't quit that portion of it, I thought a experiment with the section already done might be fun...

This is a idea I have NOT done it yet, but it sounds logical to do.. I have identifying factor(s) and a brain.So Im good to go..

Locating a Api with the reloc section

So what have we learned about the reloc section in general..

1.It might contain locations to data that is used by code.

Code:


LdrpAllocateTls

MOV EDI,EDI

PUSH EBP

MOV EBP,ESP

PUSH ECX

PUSH EBX

PUSH ESI

PUSH EDI

MOV EAX,DWORD PTR FS:[18]

CMP DWORD PTR DS:[LdrpNumberOfTlsEntries],0

7e000 base and what the entry should be.. 3208

MOV ESI,EAX

JNZ 7C91B8F0

XOR EAX,EAX

POP EDI

POP ESI

POP EBX

LEAVE

RETN


Code:


LdrpInitialize 

MOV EDI,EDI

PUSH EBP

MOV EBP,ESP

CMP BYTE PTR DS:[SecurityCookieInitialized],0

7e000 and entry should be 320C

JE 7C922DCD

POP EBP

JMP _LdrpInitialize


disasm backwards for prolog..or just sub from the address.
I will try make a example hello world, but it wont be pretty..

regards BanMe