Is there such thing?  (Read 12990 times)

Re: Is there such thing?
Reply #15 on: December 05, 2012, 09:46:59 PM
Re: Is there such thing?
Reply #16 on: December 06, 2012, 01:55:33 AM
To be safe subtract it with the PE's Image Base. its not always 400000.
we can get the image base of offline PE file from "IMAGE_OPTIONAL_HEADER.ImageBase" member.
but certain condition does apply.

Oh anyway for the reverse function (use the same routine)
replace:
Code: [Select]
`VirtualAddress ==> PointerToRawData PointerToRawData ==>VirtualAddress`simple isn't it..  :icon_redface:

Re: Is there such thing?
Reply #17 on: December 06, 2012, 04:34:34 AM
Looking at Iczelion's PE tut 5. http://win32assembly.programminghorizon.com/pe-tut5.html

He says "Read the value in VirtualAddress and add the value in ImageBase to it to get the virtual address the section should start from. "

Where does he do that?
I should really stop going to bed at 6AM .... Sorry if I am missing where that is
Re: Is there such thing?
Reply #18 on: December 06, 2012, 04:47:40 AM
well of course dude... it's totally true..
he means to get the VA of starting certain section in the memory, when the PE get loaded/executed ,don't mix it up with VirtualAddress of Section header member.

now better go get some sleep,,

Re: Is there such thing?
Reply #19 on: December 06, 2012, 05:04:25 AM
I should definitely clear my head before looking at this .....

Than we can just subtract user input from that to calculate the raw offset ....

Something like:

.data

.data?

Re: Is there such thing?
Reply #20 on: December 06, 2012, 06:37:39 PM
OK It is 230 AM here and I am a little stuck ..... :(
Just trying to make a Bare Bones GetImagebase.ASM

Code: [Select]
`.586.model flat,stdcalloption casemap:noneinclude \masm32\include\windows.incinclude \masm32\include\kernel32.incinclude \masm32\include\comdlg32.incinclude \masm32\include\user32.incinclude \masm32\macros\macros.asminclude \masm32\include\masm32.inc includelib \masm32\lib\user32.libincludelib \masm32\lib\kernel32.libincludelib \masm32\lib\comdlg32.libincludelib \masm32\lib\masm32.lib; prototypesWinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD_ImageBase Proto :DWORD.dataImageBase dd 0ofn   OPENFILENAME <>FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0               db "All Files",0,"*.*",0,0Format  db "%d",0; d for asm number cpt2     db "ImageBase:",0.data?Buffer   db 32 dup(?) ; buffer.codestart: Invoke GetModuleHandle, NULL Mov Edx, Eax Push Edx Invoke GetCommandLine Pop Edx Invoke WinMain, Edx, NULL, Eax, SW_SHOW invoke ExitProcess, 0 WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORDlocal LocalBuffer[512]:byte.data hFile dd ? hMapping dd ? pMapping dd ?.code mov ofn.lStructSize,SIZEOF ofn mov  ofn.lpstrFilter, OFFSET FilterString mov  ofn.lpstrFile, OFFSET Buffer mov  ofn.nMaxFile,512 mov  ofn.Flags, OFN_FILEMUSTEXIST or \                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\                       OFN_EXPLORER or OFN_HIDEREADONLY                invoke GetOpenFileName, ADDR ofn .if eax==TRUE invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL .if Eax != INVALID_HANDLE_VALUE Mov hFile, Eax Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0 .if Eax != NULL Mov hMapping, Eax Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0 Mov pMapping, Eax lea Ecx, Buffer Push Ecx Invoke RtlZeroMemory, Ecx, sizeof Buffer Invoke _ImageBase, pMapping Pop Ecx invoke wsprintf, ADDR Buffer, ADDR Format, eax Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK Invoke UnmapViewOfFile, pMapping Invoke CloseHandle, hMapping .endif Invoke CloseHandle, hFile .endif .endif retWinMain endp_ImageBase proc MappedFile:DWORDLOCAL FileAlignment: DWORDmov eax, MappedFileassume eax: PTR IMAGE_DOS_HEADERadd eax, dword ptr[eax].e_lfanewassume eax: PTR IMAGE_NT_HEADERS32push dword ptr[eax].OptionalHeader.FileAlignmentpop dword ptr[FileAlignment]push dword ptr[eax].OptionalHeader.ImageBasepop dword ptr[ImageBase]ret_ImageBase endpend start`
I found so many things online ...apparently we can use :
Code: [Select]
` proc dwProc, dwImage:DWORDLOCAL dwMem:DWORD                MOV EAX, dwMem MOV ECX, PHeaders MOV ECX, IMAGE_NT_HEADERS.OptionalHeader.ImageBase[ECX] SUB EAX, ECX MOV dwDelta, EAX ;ECX CANT Be Modified here, has to stay same (ImageBase) MOV EAX, dwImage SUB EAX, ECX MOV dwOldDelta, EAX`

I am a little lost ...... :(

Also I found an OffsetToRVA Proc
Code: [Select]
`OffsetToRVA PROTO SectionHeader: DWORD, lOffset: DWORD, NumberOfSections: WORD.dataNumberOfSections dw 0and  SectionHeader would be defines as "LOCAL SectionHeader: DWORD" in another proc invoke OffsetToRVA, dword ptr[SectionHeader], eax, word ptr[NumberOfSections]mov edx, ebxpush edxOffsetToRVA PROC SectionHeader: DWORD, lOffset: DWORD, lNumberOfSections: WORDLOCAL Result: DWORDpushadmov eax, SectionHeadermov ebx, lOffsetmov cx, lNumberOfSectionsassume eax: PTR IMAGE_SECTION_HEADERBegin:mov edi, dword ptr[eax].PointerToRawDataadd edi, dword ptr[eax].SizeOfRawDatacmp ebx, edijge @Fcmp ebx, dword ptr[eax].PointerToRawDatajb @Fsub ebx, dword ptr[eax].PointerToRawDataadd ebx, dword ptr[eax].VirtualAddressmov dword ptr[Result], ebxjmp Finish@@:add eax, 28hdec cxor cx, cxjnz Beginmov dword ptr[Result], 0Finish:popadmov ebx, dword ptr[Result]RetOffsetToRVA EndP`
Re: Is there such thing?
Reply #21 on: December 07, 2012, 02:00:03 AM

the last one is EAX, which is the return value from _ImageBase function, but what happen inside it..?
Code: [Select]
`mov eax, MappedFileassume eax: PTR IMAGE_DOS_HEADERadd eax, dword ptr[eax].e_lfanew`
this was the last value assigned into eax right..?
so return the imagebase into eax. something like
Code: [Select]
`mov Eax, dword ptr[eax].OptionalHeader.ImageBase`

also the %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value.

I have add the return value inside _ImageBase proc and change the %d into %x and the expected value get popped in the messagebox
---------------------------
ImageBase:
---------------------------
400000
---------------------------
OK
---------------------------

Re: Is there such thing?
Reply #22 on: December 07, 2012, 01:53:16 PM
Thank You ....

Works Now !

By the way take a look Here: http://www.masmforum.com/board/index.php?PHPSESSID=786dd40408172108b65a5a36b09c88c0&topic=18148.0

What is  ImageRvaToVa from imagehlp.lib used for ? can we use it ?

Code: [Select]
`invoke ImageRvaToVa,[pIMAGE_NT_HEADERS],[pMapFile],[edi+IMAGE_IMPORT_DESCRIPTOR.Name],NULL`
GetImagebase.ASM

Code: [Select]
`.586.model flat,stdcalloption casemap:noneinclude \masm32\include\windows.incinclude \masm32\include\kernel32.incinclude \masm32\include\comdlg32.incinclude \masm32\include\user32.incinclude \masm32\macros\macros.asminclude \masm32\include\masm32.inc includelib \masm32\lib\user32.libincludelib \masm32\lib\kernel32.libincludelib \masm32\lib\comdlg32.libincludelib \masm32\lib\masm32.lib; prototypesWinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD_ImageBase Proto :DWORD.dataImageBase dd 0ofn   OPENFILENAME <>FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0               db "All Files",0,"*.*",0,0Format   db "%x",0; x for asm number ; %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value. cpt2     db "ImageBase:",0.data?Buffer   db 32 dup(?) ; buffer.codestart: Invoke GetModuleHandle, NULL Mov Edx, Eax Push Edx Invoke GetCommandLine Pop Edx Invoke WinMain, Edx, NULL, Eax, SW_SHOW invoke ExitProcess, 0 WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORDlocal LocalBuffer[512]:byte.data hFile dd ? hMapping dd ? pMapping dd ?.code mov ofn.lStructSize,SIZEOF ofn mov  ofn.lpstrFilter, OFFSET FilterString mov  ofn.lpstrFile, OFFSET Buffer mov  ofn.nMaxFile,512 mov  ofn.Flags, OFN_FILEMUSTEXIST or \                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\                       OFN_EXPLORER or OFN_HIDEREADONLY                invoke GetOpenFileName, ADDR ofn .if eax==TRUE invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL .if Eax != INVALID_HANDLE_VALUE Mov hFile, Eax Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0 .if Eax != NULL Mov hMapping, Eax Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0 Mov pMapping, Eax lea Ecx, Buffer Push Ecx Invoke RtlZeroMemory, Ecx, sizeof Buffer Invoke _ImageBase, pMapping Pop Ecx invoke wsprintf, ADDR Buffer, ADDR Format, eax Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK Invoke UnmapViewOfFile, pMapping Invoke CloseHandle, hMapping .endif Invoke CloseHandle, hFile .endif .endif retWinMain endp_ImageBase proc MappedFile:DWORDLOCAL FileAlignment: DWORDmov eax, MappedFileassume eax: PTR IMAGE_DOS_HEADERadd eax, dword ptr[eax].e_lfanewassume eax: PTR IMAGE_NT_HEADERS32push dword ptr[eax].OptionalHeader.FileAlignmentpop dword ptr[FileAlignment]push dword ptr[eax].OptionalHeader.ImageBasemov Eax, dword ptr[eax].OptionalHeader.ImageBasepop dword ptr[ImageBase]ret_ImageBase endpend start`