News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

Is there such thing?

Started by hfheatherfox07, December 03, 2012, 06:03:38 PM

Previous topic - Next topic

hfheatherfox07

I found this for Get Imagebase ,It works but we need to use kernel32.inc and kernel32.lib from MASMv8 SDK

http://www.masmforum.com/board/index.php?PHPSESSID=786dd40408172108b65a5a36b09c88c0&topic=12663;prev_next=next


It is 548 AM I want to scream

http://www.masmforum.com/board/index.php?PHPSESSID=786dd40408172108b65a5a36b09c88c0&topic=18294.0

http://masm32.com/board/index.php?topic=716.0
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

To be safe subtract it with the PE's Image Base. its not always 400000.
we can get the image base of offline PE file from "IMAGE_OPTIONAL_HEADER.ImageBase" member.
but certain condition does apply.

Oh anyway for the reverse function (use the same routine)
replace:

VirtualAddress ==> PointerToRawData
PointerToRawData ==>VirtualAddress

simple isn't it..  :icon_redface:

hfheatherfox07

Looking at Iczelion's PE tut 5. http://win32assembly.programminghorizon.com/pe-tut5.html

He says "Read the value in VirtualAddress and add the value in ImageBase to it to get the virtual address the section should start from. "

Where does he do that?
I should really stop going to bed at 6AM .... Sorry if I am missing where that is
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

well of course dude... it's totally true..
he means to get the VA of starting certain section in the memory, when the PE get loaded/executed ,don't mix it up with VirtualAddress of Section header member.

now better go get some sleep,,

hfheatherfox07

I should definitely clear my head before looking at this ..... :biggrin:

Than we can just subtract user input from that to calculate the raw offset ....

Something like:

.data
userVAAddress  db "403007", 0   OR  userVAAddress  db 403007h

.data?
hVAAddress dd ?

Invoke RVAToOffset, pMapping, hVAAddress
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

hfheatherfox07

OK It is 230 AM here and I am a little stuck ..... :(
Just trying to make a Bare Bones GetImagebase.ASM



.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\masm32.lib


; prototypes
WinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD
_ImageBase Proto :DWORD
.data
ImageBase dd 0
ofn   OPENFILENAME <>
FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0
               db "All Files",0,"*.*",0,0
Format  db "%d",0; d for asm number
cpt2     db "ImageBase:",0
.data?
Buffer   db 32 dup(?) ; buffer

.code

start:
Invoke GetModuleHandle, NULL
Mov Edx, Eax
Push Edx
Invoke GetCommandLine
Pop Edx
Invoke WinMain, Edx, NULL, Eax, SW_SHOW
invoke ExitProcess, 0

WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORD
local LocalBuffer[512]:byte
.data
hFile dd ?
hMapping dd ?
pMapping dd ?
.code

mov ofn.lStructSize,SIZEOF ofn
mov  ofn.lpstrFilter, OFFSET FilterString
mov  ofn.lpstrFile, OFFSET Buffer
mov  ofn.nMaxFile,512
mov  ofn.Flags, OFN_FILEMUSTEXIST or \
                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
                       OFN_EXPLORER or OFN_HIDEREADONLY               
invoke GetOpenFileName, ADDR ofn

.if eax==TRUE
invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
.if Eax != INVALID_HANDLE_VALUE
Mov hFile, Eax
Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0
.if Eax != NULL
Mov hMapping, Eax
Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0
Mov pMapping, Eax
lea Ecx, Buffer
Push Ecx
Invoke RtlZeroMemory, Ecx, sizeof Buffer
Invoke _ImageBase, pMapping
Pop Ecx
invoke wsprintf, ADDR Buffer, ADDR Format, eax
Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK
Invoke UnmapViewOfFile, pMapping
Invoke CloseHandle, hMapping
.endif
Invoke CloseHandle, hFile
.endif
.endif
ret
WinMain endp
_ImageBase proc MappedFile:DWORD

LOCAL FileAlignment: DWORD

mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew

assume eax: PTR IMAGE_NT_HEADERS32
push dword ptr[eax].OptionalHeader.FileAlignment
pop dword ptr[FileAlignment]

push dword ptr[eax].OptionalHeader.ImageBase
pop dword ptr[ImageBase]

ret

_ImageBase endp
end start


I found so many things online ...apparently we can use :

proc dwProc, dwImage:DWORD
LOCAL dwMem:DWORD

                MOV EAX, dwMem
MOV ECX, PHeaders
MOV ECX, IMAGE_NT_HEADERS.OptionalHeader.ImageBase[ECX]
SUB EAX, ECX
MOV dwDelta, EAX
;ECX CANT Be Modified here, has to stay same (ImageBase)
MOV EAX, dwImage
SUB EAX, ECX
MOV dwOldDelta, EAX



I am a little lost ...... :(

Also I found an OffsetToRVA Proc   :biggrin:
OffsetToRVA PROTO SectionHeader: DWORD, lOffset: DWORD, NumberOfSections: WORD

.data
NumberOfSections dw 0

and  SectionHeader would be defines as "LOCAL SectionHeader: DWORD" in another proc


invoke OffsetToRVA, dword ptr[SectionHeader], eax, word ptr[NumberOfSections]
mov edx, ebx
push edx



OffsetToRVA PROC SectionHeader: DWORD, lOffset: DWORD, lNumberOfSections: WORD
LOCAL Result: DWORD

pushad
mov eax, SectionHeader
mov ebx, lOffset
mov cx, lNumberOfSections
assume eax: PTR IMAGE_SECTION_HEADER

Begin:
mov edi, dword ptr[eax].PointerToRawData
add edi, dword ptr[eax].SizeOfRawData
cmp ebx, edi
jge @F
cmp ebx, dword ptr[eax].PointerToRawData
jb @F
sub ebx, dword ptr[eax].PointerToRawData
add ebx, dword ptr[eax].VirtualAddress
mov dword ptr[Result], ebx
jmp Finish

@@:
add eax, 28h
dec cx
or cx, cx
jnz Begin
mov dword ptr[Result], 0
Finish:
popad
mov ebx, dword ptr[Result]
Ret
OffsetToRVA EndP
Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

wsprintf, ADDR Buffer, ADDR Format, eax

the last one is EAX, which is the return value from _ImageBase function, but what happen inside it..?
mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew


this was the last value assigned into eax right..?
so return the imagebase into eax. something like
mov Eax, dword ptr[eax].OptionalHeader.ImageBase

also the %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value.

I have add the return value inside _ImageBase proc and change the %d into %x and the expected value get popped in the messagebox
---------------------------
ImageBase:
---------------------------
400000
---------------------------
OK   
---------------------------

hfheatherfox07

Thank You .... :biggrin:

Works Now ! :greenclp:

By the way take a look Here: http://www.masmforum.com/board/index.php?PHPSESSID=786dd40408172108b65a5a36b09c88c0&topic=18148.0

What is  ImageRvaToVa from imagehlp.lib used for ? can we use it ?

invoke ImageRvaToVa,[pIMAGE_NT_HEADERS],[pMapFile],[edi+IMAGE_IMPORT_DESCRIPTOR.Name],NULL

GetImagebase.ASM

.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\masm32.lib


; prototypes
WinMain   Proto :HINSTANCE, :DWORD, :LPSTR,:DWORD
_ImageBase Proto :DWORD
.data
ImageBase dd 0
ofn   OPENFILENAME <>
FilterString   db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0
               db "All Files",0,"*.*",0,0
Format   db "%x",0; x for asm number ; %d of wsprintf format will print the value in decimal (base ten), %x will print the hexadecimal value.
cpt2     db "ImageBase:",0
.data?
Buffer   db 32 dup(?) ; buffer

.code

start:
Invoke GetModuleHandle, NULL
Mov Edx, Eax
Push Edx
Invoke GetCommandLine
Pop Edx
Invoke WinMain, Edx, NULL, Eax, SW_SHOW
invoke ExitProcess, 0

WinMain Proc hInstance: HINSTANCE, hPrevInstance:DWORD, lpCmdLine:  LPSTR,nCmdShow:DWORD
local LocalBuffer[512]:byte
.data
hFile dd ?
hMapping dd ?
pMapping dd ?
.code

mov ofn.lStructSize,SIZEOF ofn
mov  ofn.lpstrFilter, OFFSET FilterString
mov  ofn.lpstrFile, OFFSET Buffer
mov  ofn.nMaxFile,512
mov  ofn.Flags, OFN_FILEMUSTEXIST or \
                       OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
                       OFN_EXPLORER or OFN_HIDEREADONLY               
invoke GetOpenFileName, ADDR ofn

.if eax==TRUE
invoke CreateFile, Addr Buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
.if Eax != INVALID_HANDLE_VALUE
Mov hFile, Eax
Invoke CreateFileMapping, Eax, NULL, PAGE_READONLY,0,0,0
.if Eax != NULL
Mov hMapping, Eax
Invoke MapViewOfFile, Eax, FILE_MAP_READ,0,0,0
Mov pMapping, Eax
lea Ecx, Buffer
Push Ecx
Invoke RtlZeroMemory, Ecx, sizeof Buffer
Invoke _ImageBase, pMapping
Pop Ecx
invoke wsprintf, ADDR Buffer, ADDR Format, eax
Invoke MessageBox, NULL, Addr Buffer, Addr cpt2, MB_OK
Invoke UnmapViewOfFile, pMapping
Invoke CloseHandle, hMapping
.endif
Invoke CloseHandle, hFile
.endif
.endif
ret
WinMain endp
_ImageBase proc MappedFile:DWORD

LOCAL FileAlignment: DWORD

mov eax, MappedFile
assume eax: PTR IMAGE_DOS_HEADER
add eax, dword ptr[eax].e_lfanew

assume eax: PTR IMAGE_NT_HEADERS32
push dword ptr[eax].OptionalHeader.FileAlignment
pop dword ptr[FileAlignment]
push dword ptr[eax].OptionalHeader.ImageBase
mov Eax, dword ptr[eax].OptionalHeader.ImageBase
pop dword ptr[ImageBase]

ret

_ImageBase endp
end start


Your code and your skills will be assimilated. Your programming language is irrelevant.
We are the ASM Borg and you will become part of us. Compile and be assembled.

Dubby

hello again,
yes we can utilize that function, but the result should be the same with RVA-To-Filemap.. just add the pMapFile to return value of RVAToOffset..
a link to MSDN should be clear..
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680218(v=vs.85).aspx