

Title: Randomized algo location demo.
Post by: hutch-- on January 24, 2018, 07:43:21 AM
This demo uses executable memory as a location to write an algorithm at a random position within that memory. The purpose is an obvious one: if you want to place executable code where it cannot be predictably found, it becomes far harder to patch dynamically. This technique only works on pure mnemonic code, as it has no access to either import tables or global data. To obtain the binary data for the algorithm you need to extract it from a binary file (executable), which is simple enough using 2 global labels at the beginning and end of the algo you want to get.

The first label is the offset in the file, the second is so you can calculate the algo length by subtracting the first label address from the second.

This is the working test piece.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
;                    write executable code to a random location and execute it
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm32\include64\masm64rt.inc

    .data?
      exmem   dq ?
      pstrlen dq ?
      void    dq ?

    .data
    align 16
  ; ----------
  ; algorithms
  ; ----------
    string_length \
      db 72,139,193,72,131,232,1,72,131,192,1,128,56,0,116,63
      db 72,131,192,1,128,56,0,116,54,72,131,192,1,128,56,0
      db 116,45,72,131,192,1,128,56,0,116,36,72,131,192,1,128
      db 56,0,116,27,72,131,192,1,128,56,0,116,18,72,131,192
      db 1,128,56,0,116,9,72,131,192,1,128,56,0,117,184,72
      db 43,193,195

    align 8
      llen dq 83                                    ; algorithm length
      plen dq string_length                         ; pointer to algorithm data

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

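; ---------------------------------------------------------------------
; entry_point
; Copies the string_length blob to a random, 32-byte aligned offset
; inside a freshly allocated executable buffer, calls it once through
; pstrlen, prints the returned length and frees the buffer.
;
; ABI:   Win64 (masm64rt macros).  Not a callable function: it ends the
;        process with ExitProcess, so the trailing ret never executes.
; Regs:  rax = random offset, later the blob's return value
;        rcx = base address of the executable buffer
;
; Preconditions on the blob (not checked here): it must be position
; independent - it is copied byte for byte, so it may contain only
; relative jumps and no references to data, imports or other code.
; The buffer is written by mcopy and executed by invoke with no
; protection change between the two, so exalloc must hand back memory
; that is writable and executable at the same time (confirm against
; the exalloc macro in masm64rt).  Relocating the blob changes only
; where it sits; its bytes are unchanged.
; ---------------------------------------------------------------------

entry_point proc

    EXMEM_SIZE equ 1024*1024                        ; size of the executable buffer
    MIN_OFFSET equ 1024                             ; lowest random offset for the blob
    MAX_OFFSET equ 1024*768                         ; highest random offset; aligned up to 32 and
                                                    ; plus llen (83 bytes) it still fits inside EXMEM_SIZE

    mov exmem, exalloc(EXMEM_SIZE)                  ; allocate 1 meg of executable memory
    test rax, rax                                   ; exalloc leaves its result in rax (mov exmem, rax); 0 = failed
    jnz @F
    conout "exalloc failed",lf                      ; no buffer: report and leave instead of copying to address 0
    invoke ExitProcess,1
  @@:

    invoke seed_rrand,rv(GetTickCount)              ; seed the random algo
    invoke rrand,MIN_OFFSET,MAX_OFFSET              ; random offset, presumably within [MIN_OFFSET, MAX_OFFSET] - confirm against rrand
    alignup rax, 32                                 ; align up to 32 byte boundary
    mov pstrlen, rax                                ; pstrlen = random offset
    mov rcx, exmem                                  ; rcx = buffer base
    add pstrlen, rcx                                ; pstrlen = exmem + offset, the address the blob will live at

    rcall mcopy,plen,pstrlen,llen                   ; copy the llen bytes of the algorithm to the random address

    invoke pstrlen,"This is a string length test"   ; call the blob at its random address: rcx = string, rax = length
    conout "String is ",str$(rax)," bytes long",lf  ; display result

    mov void, exfree(exmem)                         ; free memory; the return value is deliberately discarded
    waitkey
    invoke ExitProcess,0

    ret                                             ; unreachable: ExitProcess does not return

entry_point endp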

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end

I think it can be done with the stack as well.