
View Full Version : Simple relocation parser to start.


BanMe
January 7th, 2011, 21:51
I was looking over the internet for relocation samples and found the one for morphine only after approaching it the same way, so I decided to go another way and would like some advice, on how to proceed further.

Here is where this fairytale begins, and where the ruins of past 'zen' coding lie...posted to http://www.reverse-engineering.net/viewtopic.php?f=7&t=8082&sid=c7461d190f0c780485b6f9e62a5a4967
to which I have taken it far off topic..But w.e.

I have wanted to understand relocation in order to build one that works in reverse of this (if that makes sense). I have been trying to put together a relocation parser and then came up with an idea, but the parser comes first..so here is my code. I'm really trying to learn new asm instructions.. any thoughts ?

Uses 3 register parameters: eax, ecx, edx.
Uses 2 stack locations: +8, +C.
5 parameters in total.

.inc
Code:

@Relocate@16 PROTO SYSCALL
Relocate EQU <@Relocate@16>


updated 1/12/2011..

Code:

.486
.model flat
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
extern hInst:DWORD
.code
Relocate proc FASTCALL MemTable:PVOID,NearFunction:DWORD,MemPointer:DWORD,CodeAtOffsetOfMemPointer:DWORD
;this part is dependent on this function being executed after RtlImageDirectoryEntryToData
and ebx,0ffff0000h;I should calc the delta..*this bit taken from morphine*
add ebx,[ebx+3Ch];dos to NT headers
mov ebx,[ebx+034h];NT.(prefered)ImageBase
sub edx,ebx;delta
;dependent part ends.
;start function
test eax,eax;test if eax is a value..(it should be .reloc address..)
jz reloc_parse_end
mov edi,ecx;ecx is the pointer to my piece of memory(_tls_data).
mov esi,eax
cld;forward
push edi;edi is the data table I want to create..
;this is what I want it to look like.
;edi+0 Total number of entries
;HEADER_START
;edi+4 Relocation Block Offset
;edi+8 Size of block
;edi+C Number of Entries in block
;HEADER_END
;edi+10 first block entry
;...
;HEADER_START
;repeat that header for further blocks
int 3
add edi,4;save a area for Total
movsd;write block offset to my table (increments esi, edi)
movsd;write block size to my table (increments esi, edi)
process_block:
mov eax,[edi-4];get total sizeof relocation block;
sub eax,8;sub IMAGE_BASE_RELOCATION size from size of block to get size of entries.
shr eax,1;divide by 2 to get number of entries
push eax;store entries to stack
mov ecx,eax;store number of entries in counter for loop with processing.
stosd;write eax to edi increments edi.
reloc_parse_highlow:
xor ebx,ebx;clear ebx
xor eax,eax;clear eax
lodsw;load an entry (16 bits) into ax
mov ebx,eax;copy it for processing
and eax,0fffh;keep the low 12 bits to get the offset
shr ebx,12;shift out the low 12 bits to get the type
sub ebx,3;check if I found IMAGE_REL_BASED_HIGHLOW
add eax,hInst;ugly hack for testing o0
add eax,edx;ImageBase + offset+delta
stosd;store entry to table
loopnz reloc_parse_highlow;loop number of entries in ecx
pop ecx;get current entries processed
pop eax;get base or Total entries
add [eax], ecx;accumulate Total entries.
push eax;store base again
mov eax,[esi];check if there is another block
test eax,eax;test if zero
jz check_table_datalocations;if no more blocks start processing data in table, else..
mov edx,eax;.
movsd
movsd
jmp process_block
reloc_parse_end:
ret
check_table_datalocations:
pop esi;get base of my structured table
lodsd;total number of entries
test eax,eax;check to see if there are any.
je reloc_parse_end;if not end
mov edx,eax
lodsd;reloc base
lodsd;reloc sizeof block
lodsd;number of entries
mov ecx,eax
check_table_for_imports:
jmp reloc_parse_end
check_section_for_data:
ImportFound:
jmp reloc_parse_end
Relocate endp


Included below are 3 object files and the 'batch' file I used to compile the test dll, as well as source code for all 3 obj files. I used masm latest edition, and polink to compile the fastcall routines. If you cannot tell, there is an int 3 in the code on purpose..still debugging..

I deleted materials which I thought were not needed..in this string of posts.
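As an added example (my own Python, not BanMe's code or anything from the original post): the same walk the MASM routine above does, over a constructed in-memory image and .reloc blob so it can be run offline. It reads the preferred ImageBase from the headers (e_lfanew at 0x3C, then OptionalHeader.ImageBase at NT headers + 0x34, as the asm does), walks the IMAGE_BASE_RELOCATION blocks until the zero terminator, builds the DWORD table laid out in the asm comments (total, then per block: RVA, size, count, entries), and applies the HIGHLOW entries with the delta. The image, header fields, section layout and relocation contents are all constructed here; the IMAGE_REL_BASED_ABSOLUTE padding entry is counted in the table exactly like the asm's (size - 8) >> 1 does, but is skipped when applying. One check the asm does not have is added: SizeOfBlock is validated against the buffer so a malformed .reloc cannot walk past the end.

```python
"""Added example (not BanMe's code): the .reloc walk of the MASM routine above,
done in Python over a constructed image so it can be run and checked offline."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped when applying
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit address: add the load delta


def read_dword(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def preferred_image_base(image):
    """Same walk as the asm: e_lfanew at 0x3C, then OptionalHeader.ImageBase
    at NT headers + 0x34 (PE32 layout)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = read_dword(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return read_dword(image, e_lfanew + 0x34)


def parse_reloc_directory(reloc):
    """Walk IMAGE_BASE_RELOCATION blocks until a zero header or end of data.
    Each entry is 16 bits: type in the top 4 bits, offset in the low 12.
    Returns [{"rva", "size", "entries": [(type, site_rva), ...]}, ...]."""
    blocks, pos = [], 0
    while pos + 8 <= len(reloc):
        block_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_rva == 0 and block_size == 0:
            break                               # terminator (the asm's test eax,eax)
        # bounds check the asm lacks: a bad SizeOfBlock must not run off the buffer
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block at offset %d" % pos)
        count = (block_size - 8) // 2           # (SizeOfBlock - sizeof header) >> 1
        raw = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        entries = [(e >> 12, block_rva + (e & 0xFFF)) for e in raw]
        blocks.append({"rva": block_rva, "size": block_size, "entries": entries})
        pos += block_size
    return blocks


def build_table(blocks):
    """Flatten into the DWORD layout from the asm comments:
    [total, then per block: block rva, block size, entry count, entry rvas...]"""
    table = [sum(len(b["entries"]) for b in blocks)]
    for b in blocks:
        table += [b["rva"], b["size"], len(b["entries"])]
        table += [rva for _, rva in b["entries"]]
    return table


def apply_highlow(image, blocks, actual_base):
    """Relocate a bytearray image as if mapped at actual_base; returns count fixed."""
    delta = (actual_base - preferred_image_base(image)) & 0xFFFFFFFF
    fixed = 0
    for b in blocks:
        for typ, rva in b["entries"]:
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ != IMAGE_REL_BASED_HIGHLOW:
                raise NotImplementedError("relocation type %d" % typ)
            struct.pack_into("<I", image, rva, (read_dword(image, rva) + delta) & 0xFFFFFFFF)
            fixed += 1
    return fixed


def make_sample():
    """Constructed 0x3000-byte image, preferred base 0x10000000, with a minimal
    MZ/PE header and three HIGHLOW sites (values chosen to resemble the test dll)."""
    base, image = 0x10000000, bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)          # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", image, 0x80 + 0x34, base)   # OptionalHeader.ImageBase
    struct.pack_into("<I", image, 0x1006, base + 0x2268)
    struct.pack_into("<I", image, 0x1020, base + 0x2000)
    struct.pack_into("<I", image, 0x2010, base + 0x1000)

    def block(rva, offsets):
        ents = [(IMAGE_REL_BASED_HIGHLOW << 12) | o for o in offsets]
        if len(ents) % 2:                       # pad to a DWORD boundary with ABSOLUTE
            ents.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        return struct.pack("<II%dH" % len(ents), rva, 8 + 2 * len(ents), *ents)

    reloc = block(0x1000, [0x006, 0x020]) + block(0x2000, [0x010]) + bytes(8)
    return image, reloc


if __name__ == "__main__":
    image, reloc = make_sample()
    blocks = parse_reloc_directory(reloc)
    print([hex(x) for x in build_table(blocks)])
    print("fixed", apply_highlow(image, blocks, 0x00400000))
    print(hex(read_dword(image, 0x1006)))
```

Running it as a script prints the table for the constructed sample and the relocated value at 0x1006 after a move from 0x10000000 to 0x00400000. The delta is kept as an unsigned 32-bit value so a downward move (a negative delta) wraps the same way the asm's add does.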

evaluator
January 8th, 2011, 14:17
umm, not understood, what you want.
Do you want to parse RELOC to remove relocation from an already relocated module?
or just how to parse RELOC?

BanMe
January 8th, 2011, 15:00
I want to parse relocations to 'start'. But instead of applying adjustments throughout as a loader might, I want to apply 'adjusted' relocation information to a block of code that is mapped in memory to move it and the 'data' found data including imports to that memory.

So here is a list of what I want to do:
1. Finish the basic relocation parser.

2. Make a the basic parser be able to parse out only certain entries that apply to "NearFunction" and apply that info to "ApplyRelocsHere".

3. Make the Parser be able to move the data it finds in the code to Memory area and adjust reloc information as such.

evaluator
January 8th, 2011, 15:07
dont get it..

but there you have many stupiZ..
yah, learn ASSEMBLY

evaluator
January 8th, 2011, 16:15
how about you look "around".. like, see how Aspack does RELOC in its code..
i had written a parser, it's opensrc, but won't give it for DIRT2 purposes :P

PS: your sig:
Burn It all to the ground.Who really cares?

BanMe
January 8th, 2011, 16:45
Sorry evaluator, I overreacted to your comments, as I couldn't fully 'understand' them..it's like an analgorithm..analogy and algorithm.. It's too interesting to be mad at. :}

evaluator
January 9th, 2011, 03:53
what really should hurt: trashing your {life}time on altering others' (m$) code..
isn't it time for you to say: let me at least trash my {life}time on my own coding/programming!?

if you want OS which will run-as-you-wish, then there are opensource OSes,
turn them into yours

Darkelf
January 9th, 2011, 12:27
BanMe,

don't take eval's statements personally.
He's sometimes a bit weird.
I must confess that I don't get ~75% of his comments. They are like a really hard to reverse algorithm.

evaluator
January 9th, 2011, 14:16
Quote:
He's sometimes a bit weird.

huh? no, how you can say such dark_elf thingz!?
look at my avatar: i am PowerPoofGrl!
:P :P

Darkelf
January 9th, 2011, 15:00
Quote:
[Originally Posted by evaluator;88946]huh? no, how you can say such dark_elf thingz!?
look at my avatar: i am PowerPoofGrl!
:P :P


Hehe, I know - and what a lovely one

No, seriously I just wanted to smoothen the mood a bit here.
btw. saying darkelf things is what I'm born for - Oorah!!!

Love ya all

BanMe
January 9th, 2011, 15:15
Yea and I'm made of sugar and spice and everything 'nice', perish the thought..

and another update..woo I'm past the parsing point o0

http://img508.imageshack.us/img508/4130/visualize.jpg (http://img508.imageshack.us/i/visualize.jpg/)

On to using the table created. I still need a way to maintain the total number of entries, but I am tired. I have included a test dll; it reacts weird with olly returning from tls (as I touched the stack as well and need to clean, but those are trivial things)...what is now important is exploring the data locations revealed to determine not only what section they're in, but what type of data (string, import, constant, initialized, uninitialized). Also I think this proves dELTA correct in an abstract way..I don't remember the thread but he said something about olly fixing memory access exceptions automatically o0. Reload this 3 or 4 times to see what I mean. lol?

*removed d/l* as testing has moved forward.

BanMe
January 9th, 2011, 22:25
I have updated the code to a somewhat suitable extent and am over my first phase of development. I would really like any input on improving parse structure..though it is currently working mostly as I would like it to, I still have lots to do, like find the offsets that apply to a certain function block. I hope this triggers some form of discussion.

I guess now I've been 'informed'?

http://uninformed.org/index.cgi?v=6

Simply amazing article(s).

regards BanMe

BanMe
January 10th, 2011, 17:11
Quote:
[Originally Posted by Myself]
;instead of getting deltas to 'code' I want real data locations
;I would note that this solution only applies to 'this' dll as I know data is at 10002000..
;this will not work for other dll's yet, I haven't gotten that far, but the answers
;are in the PE somewhere.


The solutions are all there and have been sitting on the internet..for 20 yrs! lol good ol' iczelion PE tuts, the 5th one about IMAGE_SECTION_HEADER, hit this issue above on the nose. I thank you many times over for your contributions, if ever you read this..

BanMe
January 11th, 2011, 14:32
I think it's called return back to tls o0
;entry for our Tls dll in my example it errors at a funny spot..by modding the code ever so slightly we can keep the 'tls' and stop execution of ep according to the PE.

This is the code for the Tls call routine and the caller of entry to dlls, you all know this..
Code:

7C901177 8BEC MOV EBP,ESP
7C901179 56 PUSH ESI
7C90117A 57 PUSH EDI
7C90117B 53 PUSH EBX
7C90117C 8BF4 MOV ESI,ESP
7C90117E FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C901181 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C901184 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C901187 FF55 08 CALL DWORD PTR SS:[EBP+8]
7C90118A 8BE6 MOV ESP,ESI//returns here.. -014 to get back to func entry
7C90118C 5B POP EBX ; 10001000
7C90118D 5F POP EDI ; 10001000
7C90118E 5E POP ESI ; 10001000
7C90118F 5D POP EBP ; 10001000
7C901190 C2 1000 RETN 10


So by modding my dll entry ever so slightly, I can then return back to this function.. and properly call dll main or what not o0..

I don’t have time to really play with this 'error',just investigating tls a bit more.

My mod to my dll main in olly, after the return from my matter at hand.

Old:
Code:

10001000 55 PUSH EBP
10001001 8BEC MOV EBP,ESP
10001003 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
10001006 A3 68220010 MOV DWORD PTR DS:[10002268],EAX
1000100B E8 09000000 CALL 10001019
10001010 B8 01000000 MOV EAX,1
10001015 C9 LEAVE
10001016 C2 0C00 RETN 0C


New:
Code:

10001000 55 PUSH EBP
10001001 8BEC MOV EBP,ESP
10001003 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
10001006 A3 68220010 MOV DWORD PTR DS:[10002268],EAX
1000100B E8 09000000 CALL 10001019
10001010 59 POP ECX ; 0006F8C4
10001011 59 POP ECX ; 0006F8C4
10001012 83E9 14 SUB ECX,14
10001015 51 PUSH ECX
10001016 ^EB C2 JMP SHORT 10000FDA

BanMe
January 12th, 2011, 21:02
So I am trying to analyze the relocation section further than just 'applying' relocations. Is there any other material on this, anywhere? Or do I search in the land of the 'lost' and quite possibly 'viral'.

note I have successfully counted the 'relocations' applied to calls to a 'IAT' function, by doing this with my table.
Code:

process_table:
pop esi;get base of my structured table
lodsd;total number of entries
test eax,eax;check to see if there are any.
je reloc_parse_end;if not end
add esi, 8
lodsd;number of entries
mov ecx,eax
xor edx,edx
process_table_entry:
test ecx,ecx
jz process_table_end
dec ecx
lodsd
dec eax
dec eax
cmp word ptr[eax],025ffh
jne process_table_entry
inc edx
loopnz process_table_entry


The next step would be to successfully enumerate all the strings and data, then enumerating function calls. Any help on either of these would be greatly appreciated.

#added on 1-13.

So I've started my search in the land of the 'lost and viral', so far it's going pretty well.. so far I've learned of hooking with relocations, encryption with relocations, polymorphism with relocations, and various others

29a #5 by TCP www.scribd.com/doc/15775001/EZine-29a5,
and subsequent win32.leon..http://eof-project.net/sources/kaze/Win32.Leon/
"from position-independent to self-relocatable" http://vxheavens.com/lib/vhe08.html

I think again I have lost everyone..

I have done some further work in parsing the table, mainly locating calls and jmps and finding the IAT jump table and the base of the IAT. This removes a fair amount from the total, but still there is more info to digest and fun ways to find them...I have started to make Objects for each processed entry, each containing only the simplest of information about each object.

And as a small example here is what I've got so far for my call object.
Code:

found_call:
inc eax
;build_call_object
push eax
mov eax,CallTable
cmp eax, edx
jne continue_build_call
invoke VirtualAlloc,edx,1024,MEM_COMMIT or MEM_RESERVE,PAGE_READWRITE
test eax,eax
jz reloc_parse_end
mov CallTable,eax
mov CallIndex,edx
continue_build_call:
;CALL_OBJECT struct
;CallLocation DWORD
;CallAddress DWORD
;Characteristics DWORD
;CALL_OBJECT ends
....



BanMe

BanMe
January 14th, 2011, 13:29
Today might be the day..

BanMe
January 21st, 2011, 17:32
So this is the list of variants I've started building with olly's help, love the assemble feature. This variant table is a list of the entries and each entry's variance based upon register used..seems mov DATA,EAX is the smallest way.. funny.

All these variances aren't going to be entered into my relocation data analyzer, but I get side tracked a lot..

updated detection method for analyzing how the data is used.so many more to add.
Code:

dec eax
cmp byte ptr [eax],08Eh;call location
je found_call
cmp byte ptr [eax],09Eh;found jump location
je found_jmp
cmp byte ptr [eax],086h;push data
je found_push
;mov reg,DATA
cmp byte ptr[eax],08bh;eax,data
cmp byte ptr[eax],09bh;ecx,...
cmp byte ptr[eax],0abh;edx,...
cmp byte ptr[eax],0bbh;ebx,...
cmp byte ptr[eax],0ebh;esi,...
cmp byte ptr[eax],0fbh;edi,...
je MOV_REG_DATA
;mov DATA,reg
cmp byte ptr[eax],3ah;data,eax
dec eax
cmp word ptr[eax],0D098h
cmp word ptr[eax],01598h
cmp word ptr[eax],01D98h
cmp word ptr[eax],03598h
cmp word ptr[eax],0D398h
cmp word ptr[eax],0D298h
cmp word ptr[eax],02598h
je MOV_DATA_REG
;lea reg,DATA
cmp word ptr[eax],0D098h
cmp word ptr[eax],0158Dh;lea edx (8D 15); word ptr reads the two bytes little-endian
cmp word ptr[eax],01D8Dh;lea ebx (8D 1D)
cmp word ptr[eax],0358Dh;lea esi (8D 35)
cmp word ptr[eax],03D8Dh;lea edi (8D 3D)
cmp word ptr[eax],02D8Dh;lea ebp (8D 2D)
cmp word ptr[eax],0258Dh;lea esp (8D 25)
je LEA_REG_DATA
cmp word ptr[eax],025FFh
je found_import_table_jmp
cmp word ptr[eax],035FFh;push DWORD ptr DATA
je found_push


ok so I don't really explain much..I'm still digging so yea..read up. I'm gonna try to have my Tls data stuff all done and I would like someone to proof read when I'm done.
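As an added example (my own Python, not BanMe's or Indy's code), serving both the 025FFh count in the January 12th post and the opcode table above: given a list of relocation sites, it looks at the one or two bytes before each relocated DWORD to guess the instruction that contains it, using the documented encodings (Intel SDM Vol. 2: FF 15 call [mem], FF 25 jmp [mem], FF 35 push [mem], 68 push imm32, A1/A3 mov eax, B8+r mov reg,imm32, and 8B/89/8D with a disp32-only ModRM), then uses a section table (the IMAGE_SECTION_HEADER lookup from the January 10th post) to say whether the referenced address lives in .data or in .idata. The code bytes, section table, image base and site list are all constructed in the file; the byte values are mine, not the ones in the listing above.

```python
"""Added example (not BanMe's code): classify the instruction around each
relocated DWORD and the section its value points into. Everything below
(code bytes, section table, relocation site list) is constructed."""
import struct

REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# constructed section table: (name, virtual address, virtual size)
SECTIONS = [(".text", 0x1000, 0x1000), (".data", 0x2000, 0x1000), (".idata", 0x3000, 0x1000)]


def section_of(rva):
    """Name the section containing rva (IMAGE_SECTION_HEADER walk), or None."""
    for name, va, size in SECTIONS:
        if va <= rva < va + size:
            return name
    return None


def classify_site(image, site):
    """Guess the instruction whose disp32/imm32 sits at `site` from the one or
    two opcode bytes before it (Intel SDM Vol. 2 encodings). Heuristic only:
    the byte before a site can also be the tail of a previous immediate."""
    b1, b2 = image[site - 1], image[site - 2]
    if b2 == 0xFF and b1 == 0x15:
        return "call [mem]"
    if b2 == 0xFF and b1 == 0x25:
        return "jmp [mem]"
    if b2 == 0xFF and b1 == 0x35:
        return "push [mem]"
    if b1 == 0x68:
        return "push imm32"
    if b1 == 0xA1:
        return "mov eax,[mem]"
    if b1 == 0xA3:
        return "mov [mem],eax"
    if 0xB8 <= b1 <= 0xBF:
        return "mov %s,imm32" % REG[b1 - 0xB8]
    # 8B/89/8D with ModRM mod=00 rm=101 (disp32 only); the reg field picks the register
    if b2 in (0x8B, 0x89, 0x8D) and (b1 & 0xC7) == 0x05:
        reg = REG[(b1 >> 3) & 7]
        return {0x8B: "mov %s,[mem]", 0x89: "mov [mem],%s", 0x8D: "lea %s,[mem]"}[b2] % reg
    return "unknown"


def analyze(image, image_base, sites):
    """For each relocation site: (site rva, instruction guess, section of the target)."""
    out = []
    for site in sites:
        target_va = struct.unpack_from("<I", image, site)[0]
        out.append((site, classify_site(image, site), section_of(target_va - image_base)))
    return out


def count_iat_thunks(results):
    """Same count as the asm's word ptr 025FFh check: jmp [mem] through the IAT."""
    return sum(1 for _, instr, sec in results if instr == "jmp [mem]" and sec == ".idata")


def make_sample():
    """Constructed .text bytes at rva 0x1000 with seven relocated operands."""
    base = 0x10000000
    image = bytearray(0x4000)
    code = (
        b"\xA3" + struct.pack("<I", base + 0x2268)        # 1000: mov [mem],eax
        + b"\xFF\x15" + struct.pack("<I", base + 0x3000)  # 1005: call [IAT]
        + b"\x68" + struct.pack("<I", base + 0x2000)      # 100B: push imm32
        + b"\x8B\x0D" + struct.pack("<I", base + 0x2004)  # 1010: mov ecx,[mem]
        + b"\xFF\x25" + struct.pack("<I", base + 0x3004)  # 1016: jmp [IAT]
        + b"\x8D\x35" + struct.pack("<I", base + 0x2008)  # 101C: lea esi,[mem]
        + b"\xB9" + struct.pack("<I", base + 0x200C)      # 1022: mov ecx,imm32
    )
    image[0x1000:0x1000 + len(code)] = code
    sites = [0x1001, 0x1007, 0x100C, 0x1012, 0x1018, 0x101E, 0x1023]
    return image, base, sites


if __name__ == "__main__":
    image, base, sites = make_sample()
    results = analyze(image, base, sites)
    for site, instr, sec in results:
        print("%05X  %-16s -> %s" % (site, instr, sec))
    print("IAT jmp thunks:", count_iat_thunks(results))
```

The look-behind of one or two bytes is only a heuristic: the byte before a site can be the last byte of the previous instruction's immediate, which is why disassembling forward from the function prolog is the reliable way to settle the ambiguous cases. The section lookup is what separates "points at the IAT" from "points at a string or constant" once the instruction shape is known.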

Indy
January 21st, 2011, 23:26
http://indy-vx.narod.ru/Info/OpI.png

BanMe
January 22nd, 2011, 01:26
omg so much packed so tightly makes my head spin o0
TY.

Indy
January 22nd, 2011, 17:08
Intel® 64 and IA-32 Architectures Software Developer’s Manual Vol. 2B: A.1, A.3 etc.

NeOXOeN
January 25th, 2011, 07:07
BanMe: don't worry about evaluator's comments,, nobody gets what he says anyway..

just think of it as spam.. that is what i do

Keep up the good work..

BanMe
January 25th, 2011, 08:06
Thanks for the encouragement, but I know better than to discount what eval says as just spam. I forgave and forgot.

BanMe
January 26th, 2011, 22:22
So I got bored trying to figure out all the opcodes that 'could' surround data, though I haven't quit that portion of it; I thought an experiment with the section already done might be fun...

This is an idea, I have NOT done it yet, but it sounds logical to do.. I have identifying factor(s) and a brain. So I'm good to go..

Locating an API with the reloc section

So what have we learned about the reloc section in general..

1.It might contain locations to data that is used by code.

Code:

LdrpAllocateTls
MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EBX
PUSH ESI
PUSH EDI
MOV EAX,DWORD PTR FS:[18]
CMP DWORD PTR DS:[LdrpNumberOfTlsEntries],0
; 7e000 base and what the entry should be.. 3208
MOV ESI,EAX
JNZ 7C91B8F0
XOR EAX,EAX
POP EDI
POP ESI
POP EBX
LEAVE
RETN


Code:

LdrpInitialize
MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
CMP BYTE PTR DS:[SecurityCookieInitialized],0
; 7e000 and entry should be 320C
JE 7C922DCD
POP EBP
JMP _LdrpInitialize


disasm backwards for prolog..or just sub from the address.
I will try to make an example hello world, but it won't be pretty..

regards BanMe