Author Topic: Is there such thing?  (Read 12284 times)

hfheatherfox07

  • Member
  • ***
  • Posts: 464
Re: Is there such thing?
« Reply #15 on: December 05, 2012, 09:46:59 PM »
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

  • Member
  • **
  • Posts: 60
Re: Is there such thing?
« Reply #16 on: December 06, 2012, 01:55:33 AM »
To be safe subtract it with the PE's Image Base. its not always 400000.
we can get the image base of offline PE file from "IMAGE_OPTIONAL_HEADER.ImageBase" member.
but certain condition does apply.

Oh anyway for the reverse function (use the same routine)
replace:
Code: [Select]
VirtualAddress ==> PointerToRawData
PointerToRawData ==>VirtualAddress
simple isn't it..  :icon_redface:

hfheatherfox07

  • Member
  • ***
  • Posts: 464
Re: Is there such thing?
« Reply #17 on: December 06, 2012, 04:34:34 AM »
Looking at Iczelion's PE tut 5. http://win32assembly.programminghorizon.com/pe-tut5.html

He says "Read the value in VirtualAddress and add the value in ImageBase to it to get the virtual address the section should start from. "

Where does he do that?
I should really stop going to bed at 6AM .... Sorry if I am missing where that is
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

  • Member
  • **
  • Posts: 60
Re: Is there such thing?
« Reply #18 on: December 06, 2012, 04:47:40 AM »
well of course dude... it's totally true..
he means to get the VA of starting certain section in the memory, when the PE get loaded/executed ,don't mix it up with VirtualAddress of Section header member.

now better go get some sleep,,

hfheatherfox07

  • Member
  • ***
  • Posts: 464
Re: Is there such thing?
« Reply #19 on: December 06, 2012, 05:04:25 AM »
I should definitely clear my head before looking at this ..... :biggrin:

Than we can just subtract user input from that to calculate the raw offset ....

Something like:

.data
userVAAddress  db "403007", 0   OR  userVAAddress  db 403007h

.data?
hVAAddress dd ?

Invoke RVAToOffset, pMapping, hVAAddress
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

hfheatherfox07

  • Member
  • ***
  • Posts: 464
Re: Is there such thing?
« Reply #20 on: December 06, 2012, 06:37:39 PM »
OK It is 230 AM here and I am a little stuck ..... :(
Just trying to make a Bare Bones GetImagebase.ASM



Code: [Select]
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\masm32.lib


; prototypes
WinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD
_ImageBase Proto :DWORD
.data
ImageBase dd 0
ofn   OPENFILENAME <>
FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0
               db "All Files",0,"*.*",0,0
Format  db "%d",0; d for asm number
cpt2     db "ImageBase:",0
.data?
Buffer   db 32 dup(?) ; buffer

.code

start:
Invoke GetModuleHandle, NULL
Mov Edx, Eax
Push Edx
Invoke GetCommandLine
Pop Edx
Invoke WinMain, Edx, NULL, Eax, SW_SHOW
invoke ExitProcess, 0

WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORD
local LocalBuffer[512]:byte
.data
hFile dd ?
hMapping dd ?
pMapping dd ?
.code

mov ofn.lStructSize,SIZEOF ofn
mov  ofn.lpstrFilter, OFFSET FilterString
mov  ofn.lpstrFile, OFFSET Buffer
mov  ofn.nMaxFile,512
mov  ofn.Flags, OFN_FILEMUSTEXIST or \
                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
                       OFN_EXPLORER or OFN_HIDEREADONLY               
invoke GetOpenFileName, ADDR ofn

.if eax==TRUE
invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
.if Eax != INVALID_HANDLE_VALUE
Mov hFile, Eax
Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0
.if Eax != NULL
Mov hMapping, Eax
Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0
Mov pMapping, Eax
lea Ecx, Buffer
Push Ecx
Invoke RtlZeroMemory, Ecx, sizeof Buffer
Invoke _ImageBase, pMapping
Pop Ecx
invoke wsprintf, ADDR Buffer, ADDR Format, eax
Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK
Invoke UnmapViewOfFile, pMapping
Invoke CloseHandle, hMapping
.endif
Invoke CloseHandle, hFile
.endif
.endif
ret
WinMain endp
_ImageBase proc MappedFile:DWORD

LOCAL FileAlignment: DWORD

mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew

assume eax: PTR IMAGE_NT_HEADERS32
push dword ptr[eax].OptionalHeader.FileAlignment
pop dword ptr[FileAlignment]

push dword ptr[eax].OptionalHeader.ImageBase
pop dword ptr[ImageBase]

ret

_ImageBase endp
end start

I found so many things online ...apparently we can use :
Code: [Select]

proc dwProc, dwImage:DWORD
LOCAL dwMem:DWORD

                MOV EAX, dwMem
MOV ECX, PHeaders
MOV ECX, IMAGE_NT_HEADERS.OptionalHeader.ImageBase[ECX]
SUB EAX, ECX
MOV dwDelta, EAX
;ECX CANT Be Modified here, has to stay same (ImageBase)
MOV EAX, dwImage
SUB EAX, ECX
MOV dwOldDelta, EAX


I am a little lost ...... :(

Also I found an OffsetToRVA Proc   :biggrin:
Code: [Select]
OffsetToRVA PROTO SectionHeader: DWORD, lOffset: DWORD, NumberOfSections: WORD

.data
NumberOfSections dw 0

and  SectionHeader would be defines as "LOCAL SectionHeader: DWORD" in another proc


invoke OffsetToRVA, dword ptr[SectionHeader], eax, word ptr[NumberOfSections]
mov edx, ebx
push edx



OffsetToRVA PROC SectionHeader: DWORD, lOffset: DWORD, lNumberOfSections: WORD
LOCAL Result: DWORD

pushad
mov eax, SectionHeader
mov ebx, lOffset
mov cx, lNumberOfSections
assume eax: PTR IMAGE_SECTION_HEADER

Begin:
mov edi, dword ptr[eax].PointerToRawData
add edi, dword ptr[eax].SizeOfRawData
cmp ebx, edi
jge @F
cmp ebx, dword ptr[eax].PointerToRawData
jb @F
sub ebx, dword ptr[eax].PointerToRawData
add ebx, dword ptr[eax].VirtualAddress
mov dword ptr[Result], ebx
jmp Finish

@@:
add eax, 28h
dec cx
or cx, cx
jnz Begin
mov dword ptr[Result], 0
Finish:
popad
mov ebx, dword ptr[Result]
Ret
OffsetToRVA EndP
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

  • Member
  • **
  • Posts: 60
Re: Is there such thing?
« Reply #21 on: December 07, 2012, 02:00:03 AM »
wsprintf, ADDR Buffer, ADDR Format, eax

the last one is EAX, which is the return value from _ImageBase function, but what happen inside it..?
Code: [Select]
mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew

this was the last value assigned into eax right..?
so return the imagebase into eax. something like
Code: [Select]
mov Eax, dword ptr[eax].OptionalHeader.ImageBase

also the %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value.

I have add the return value inside _ImageBase proc and change the %d into %x and the expected value get popped in the messagebox
---------------------------
ImageBase:
---------------------------
400000
---------------------------
OK   
---------------------------

hfheatherfox07

  • Member
  • ***
  • Posts: 464
Re: Is there such thing?
« Reply #22 on: December 07, 2012, 01:53:16 PM »
Thank You .... :biggrin:

Works Now ! :greenclp:

By the way take a look Here: http://www.masmforum.com/board/index.php?PHPSESSID=786dd40408172108b65a5a36b09c88c0&topic=18148.0

What is  ImageRvaToVa from imagehlp.lib used for ? can we use it ?

Code: [Select]
invoke ImageRvaToVa,[pIMAGE_NT_HEADERS],[pMapFile],[edi+IMAGE_IMPORT_DESCRIPTOR.Name],NULL
GetImagebase.ASM

Code: [Select]
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\masm32.lib


; prototypes
WinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD
_ImageBase Proto :DWORD
.data
ImageBase dd 0
ofn   OPENFILENAME <>
FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0
               db "All Files",0,"*.*",0,0
Format   db "%x",0; x for asm number ; %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value.
cpt2     db "ImageBase:",0
.data?
Buffer   db 32 dup(?) ; buffer

.code

start:
Invoke GetModuleHandle, NULL
Mov Edx, Eax
Push Edx
Invoke GetCommandLine
Pop Edx
Invoke WinMain, Edx, NULL, Eax, SW_SHOW
invoke ExitProcess, 0

WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORD
local LocalBuffer[512]:byte
.data
hFile dd ?
hMapping dd ?
pMapping dd ?
.code

mov ofn.lStructSize,SIZEOF ofn
mov  ofn.lpstrFilter, OFFSET FilterString
mov  ofn.lpstrFile, OFFSET Buffer
mov  ofn.nMaxFile,512
mov  ofn.Flags, OFN_FILEMUSTEXIST or \
                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
                       OFN_EXPLORER or OFN_HIDEREADONLY               
invoke GetOpenFileName, ADDR ofn

.if eax==TRUE
invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
.if Eax != INVALID_HANDLE_VALUE
Mov hFile, Eax
Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0
.if Eax != NULL
Mov hMapping, Eax
Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0
Mov pMapping, Eax
lea Ecx, Buffer
Push Ecx
Invoke RtlZeroMemory, Ecx, sizeof Buffer
Invoke _ImageBase, pMapping
Pop Ecx
invoke wsprintf, ADDR Buffer, ADDR Format, eax
Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK
Invoke UnmapViewOfFile, pMapping
Invoke CloseHandle, hMapping
.endif
Invoke CloseHandle, hFile
.endif
.endif
ret
WinMain endp
_ImageBase proc MappedFile:DWORD

LOCAL FileAlignment: DWORD

mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew

assume eax: PTR IMAGE_NT_HEADERS32
push dword ptr[eax].OptionalHeader.FileAlignment
pop dword ptr[FileAlignment]
push dword ptr[eax].OptionalHeader.ImageBase
mov Eax, dword ptr[eax].OptionalHeader.ImageBase
pop dword ptr[ImageBase]

ret

_ImageBase endp
end start

Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

  • Member
  • **
  • Posts: 60
Re: Is there such thing?
« Reply #23 on: December 09, 2012, 01:33:15 AM »
hello again,
yes we can utilize that function, but the result should be the same with RVA-To-Filemap.. just add the pMapFile to return value of RVAToOffset..
a link to MSDN should be clear..
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680218(v=vs.85).aspx