
unresolved external symbol @__security_check_cookie@4

Started by bomz, April 03, 2013, 02:17:55 PM


bomz

Quote
.386

.model flat, stdcall
option casemap :none

include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\ntdll.lib
includelib laotouwim.lib

; Prototype for the routine imported from laotouwim.lib: four DWORD arguments.
LaotouMountImage   PROTO :DWORD,:DWORD,:DWORD,:DWORD

; Assemble-time numeric constant only. EQU emits no data symbol, so this line gives
; the linker nothing to satisfy a reference made by /GS-compiled library code.
__security_cookie   equ 0E64EBB40h

; Declares the fastcall-decorated checker as an external symbol. SYSCALL keeps MASM
; from adding decoration of its own. Nothing in this listing defines the symbol, so it
; must be supplied at link time; the thread title's linker error is this symbol left
; unresolved.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
; Text alias so the decorated name can be written as a plain identifier.
__security_check_cookie equ <@__security_check_cookie@4>


.data
mestitle   db "Bomz",0
; NOTE(review): the h prefix asks wsprintf for a 16-bit value, so this presumably
; prints only the low word of EAX - confirm against the wsprintf documentation.
form      db "EAX: %010hu", 0

.data?
; wsprintf takes no destination length; the fixed format above produces far fewer
; than 512 bytes, so this buffer cannot be overrun by it.
buffer      db 512 dup(?)

.code
start:

; Link/load probe: the library routine is called with all-zero arguments.
invoke LaotouMountImage, 0, 0, 0, 0
; eax still holds LaotouMountImage's return value here and is the formatted argument.
invoke wsprintf,ADDR buffer,ADDR form,eax
invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
invoke ExitProcess,0
end start
How can this be resolved with MASM?
Microsoft says to use the /GS- build option or add:
Quote
extern "C" const DWORD_PTR __security_cookie = 0xE64EBB40;

// Replacement for the /GS epilogue hook. The compiler-generated epilogue passes the
// cookie it recovered from the stack frame; a value that differs from
// __security_cookie means the frame was overwritten.
//
// Caveats visible in this snippet: __security_cookie is a fixed compile-time constant,
// so the check catches accidental overruns but the value is not a secret; and the
// failure path is a bare breakpoint, so what happens next depends on whatever
// exception handling or debugger is in place.
extern "C" void __fastcall __security_check_cookie(DWORD_PTR cookie)
{
    if (cookie == __security_cookie)
        return;         // frame cookie intact

    __asm int 3;        // mismatch: raise a breakpoint
}
http://code.google.com/p/nativeshell/source/browse/trunk/lib/?r=25
http://code.google.com/p/nativeshell/source/browse/trunk/?r=25#trunk%2Finc

dedndave

see if this works
    INCLUDE    \masm32\include\masm32rt.inc
    INCLUDE    \masm32\include\ntstrsafe.inc
    INCLUDELIB \masm32\lib\ntstrsafe.lib

    .CODE

; Entry point: run the cookie experiment and show its result.
Start:
    ; eax = 1 or 0, as returned by CheckSecCookie
    call    CheckSecCookie
    ; uhex$ is a masm32 macro; presumably renders eax as hexadecimal text - confirm
    INVOKE  MessageBox,0,uhex$(eax),0,MB_OK
    ; eax now holds MessageBox's return value, not the CheckSecCookie result
    INVOKE  ExitProcess,eax

;-----------------------------------------------------------------------
; CheckSecCookie - experiment: call the imported checker, then test a local.
; Out:   eax = 1 if the local DWORD holds 0E64EBB40h after the call, else 0
; Clobb: flags, plus whatever the callee clobbers
;
; NOTE(review): the local is never initialised here and only its address is
; passed, so the result depends on whether the callee writes through that
; pointer, which is not shown. The C++ reference quoted in this thread takes the
; cookie by value (fastcall) and returns nothing - confirm the prototype in
; ntstrsafe.inc before reading anything into the result.
;-----------------------------------------------------------------------
CheckSecCookie PROC

    LOCAL   cookieSlot:DWORD

    INVOKE  _security_check_cookie,addr cookieSlot
    xor     eax,eax                     ; default result: no match
    cmp     cookieSlot,0E64EBB40h
    sete    al                          ; eax = 1 only on an exact match
    ret

CheckSecCookie ENDP

    END     Start


i am not sure how valid it will be with no compiler start-up code   :P

at any rate, the function is prototyped in ntstrsafe.inc and imported with ntstrsafe.lib
use only 1 leading underscore: "_security_check_cookie"

TouEnMasm


/GS is not used with asm; it verifies the integrity of memory buffers.

You find it in C++.
Quote
EXTRN   ___security_cookie:DWORD

start proc with :
   mov   ebp, esp
   sub   esp, 24               ; 00000018H
   mov   eax, DWORD PTR ___security_cookie
   xor   eax, ebp
   mov   DWORD PTR __$ArrayPad$[ebp], eax
   mov   eax, DWORD PTR _hdc$[ebp]

end proc with:
   mov   ecx, DWORD PTR __$ArrayPad$[ebp]
   xor   ecx, ebp
   call   @__security_check_cookie@4
   mov   esp, ebp
   pop   ebp
   ret   0

Don't use in ASM

Fa is a musical note to play with CL

bomz


TouEnMasm


With c++ express just generate the more simple prog you can.
Then open the property of the project.
Then add  /Fa in the command line of c++  .
Generate the project and you have now asm files with those proc.
Fa is a musical note to play with CL

bomz

A picture paints a thousand words
[One eyewitness is better than two hear-so's
Seeing once is better than hearing twice
The proof of the pudding is in the eating .
Words are but wind, but seeing is believing. ]

dedndave


bomz

may be somebody may say what IOCTL send to WimFltr.sys

Adamanteus

Basically it is not clear what you need. This is the Microsoft compiler's run-time check that the memory segment and the EBP register have not been corrupted, so you only need to replace the int 3 instruction with an abort, an exception or some other abnormal program-flow action.

bomz

Do you mean define __security_check_cookie in my own code?

; Sketch of a local definition for the checker that the library calls.
; As written it executes int 3 on every call, whether or not the cookie is intact.
; NOTE(review): the declared stack parameter is never read. The decorated name
; @__security_check_cookie@4 is the fastcall form, so the caller presumably passes
; the cookie in ECX rather than on the stack - confirm.
__security_check_cookie proc syscall security_cookie:DWORD
int 3h
ret
__security_check_cookie endp

bomz

.386

.model flat, stdcall
option casemap :none

include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
include \masm32\macros\Strings.mac
includelib laotouwim.lib

; Prototype for the routine imported from laotouwim.lib: four DWORD arguments.
LaotouMountImage PROTO :DWORD,:DWORD,:DWORD,:DWORD

; Assemble-time numeric constant only; EQU emits no linkable data symbol.
__security_cookie equ 0E64EBB40h

; Declares the fastcall-decorated checker name without extra MASM decoration (SYSCALL).
; In this listing the symbol is defined further down, under the alias on the next line.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>


.data
mestitle db "Bomz",0
; NOTE(review): the h prefix asks wsprintf for a 16-bit value, so this presumably
; prints only the low word of EAX - confirm against the wsprintf documentation.
form db "EAX: %010hx", 0
; TW0 comes from Strings.mac; presumably it emits a zero-terminated wide string under
; the label given as its second argument - confirm.
TW0 "C:\\DDD",path
TW0 "C:\\winpe.wim",iname

.data?
; wsprintf takes no destination length; the fixed format above stays far below 512 bytes.
buffer db 512 dup(?)

.code
start:
; Argument meanings are not shown in this thread; presumably mount directory, image
; file, image index and flags - TODO confirm against the library's documentation.
invoke LaotouMountImage, addr path, addr iname, 1, 0
; eax still holds LaotouMountImage's return value here and is the formatted argument.
invoke wsprintf,ADDR buffer,ADDR form,eax
invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
invoke ExitProcess,0

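;-----------------------------------------------------------------------
; Stand-in for the /GS epilogue check that the library's compiled code calls as
; @__security_check_cookie@4 (the name is substituted by the text equate declared
; earlier in this listing).
;
; In:    ecx = cookie recovered by the caller's epilogue. The @name@4 decoration is
;        the fastcall form, so the value arrives in ECX and not on the stack; the
;        procedure therefore declares no stack parameter and MASM builds no frame.
; Out:   returns normally when ecx equals __security_cookie; executes int 3 otherwise.
; Clobb: flags only. EAX/EDX are left alone because the call sits in the caller's
;        epilogue, presumably after its return value has been loaded.
;
; The comparison follows Microsoft's reference stub: trap when the values differ.
; Trapping on equality instead would let a corrupted frame return silently.
;
; NOTE(review): __security_cookie is the assemble-time constant from this listing.
; It must equal the value the library's prologue loads from ___security_cookie, and
; where the library gets that value is not shown - confirm before relying on this
; stub, or link the DDK's BufferOverflow.lib, which supplies the real check.
;-----------------------------------------------------------------------
__security_check_cookie proc syscall
    .if ecx != __security_cookie
        int 3h
    .endif
    ret
__security_check_cookie endp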

end start

something need to activation

Quote
0xC0000034
STATUS_OBJECT_NAME_NOT_FOUND
The object name is not found.
http://bbs.wuyou.com/viewthread.php?tid=188616&page=14


need startservice. all Ok

Adamanteus

That name with the suffix, i.e. @4, can be defined in a CPP file; you then need to compile it and link it as an object module with the asm program.

bomz

Quote
.386

.model flat, stdcall
option casemap :none

include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
include \masm32\macros\Strings.mac
includelib laotouwim.lib

; Prototype for the routine imported from laotouwim.lib: four DWORD arguments.
LaotouMountImage   PROTO :DWORD,:DWORD,:DWORD,:DWORD

; Assemble-time numeric constant only; EQU emits no linkable data symbol.
__security_cookie   equ 0E64EBB40h

; Declares the fastcall-decorated checker name without extra MASM decoration (SYSCALL).
; In this listing the symbol is defined further down, under the alias on the next line.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>


.data
mestitle   db "Bomz",0
; NOTE(review): the h prefix asks wsprintf for a 16-bit value, so this presumably
; prints only the low word of EAX - confirm against the wsprintf documentation.
form      db "EAX: %010hx", 0
; TW0 comes from Strings.mac; presumably it emits a zero-terminated wide string under
; the label given as its second argument - confirm.
TW0      "C:\\DDD",path
TW0      "C:\\winpe.wim",iname

.data?
; wsprintf takes no destination length; the fixed format above stays far below 512 bytes.
buffer      db 512 dup(?)

.code
start:
; Argument meanings are not shown in this thread; presumably mount directory, image
; file, image index and flags - TODO confirm against the library's documentation.
invoke LaotouMountImage, addr path, addr iname, 1, 0
; eax still holds LaotouMountImage's return value here and is the formatted argument.
invoke wsprintf,ADDR buffer,ADDR form,eax
invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
invoke ExitProcess,0

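;-----------------------------------------------------------------------
; Stand-in for the /GS epilogue check that the library's compiled code calls as
; @__security_check_cookie@4 (the name is substituted by the text equate declared
; earlier in this listing).
;
; In:    ecx = cookie recovered by the caller's epilogue. The @name@4 decoration is
;        the fastcall form, so the value arrives in ECX and not on the stack; the
;        procedure therefore declares no stack parameter and MASM builds no frame.
; Out:   returns normally when ecx equals __security_cookie; executes int 3 otherwise.
; Clobb: flags only. EAX/EDX are left alone because the call sits in the caller's
;        epilogue, presumably after its return value has been loaded.
;
; The comparison follows Microsoft's reference stub: trap when the values differ.
; Trapping on equality instead would let a corrupted frame return silently.
;
; NOTE(review): __security_cookie is the assemble-time constant from this listing.
; It must equal the value the library's prologue loads from ___security_cookie, and
; where the library gets that value is not shown - confirm before relying on this
; stub, or link the DDK's BufferOverflow.lib, which supplies the real check.
;-----------------------------------------------------------------------
__security_check_cookie proc syscall
    .if ecx != __security_cookie
        int 3h
    .endif
    ret
__security_check_cookie endp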

end start

This works. The WimFltr service has to be started first. I have just finished adding a mount command to my native command interpreter.

bomz

http://support.microsoft.com/kb/894573/en-us

Get BufferOverflow.lib from DDK
Quote
This library implements functionality for security cookie verification that can be used in the user mode. However, bufferoverflow.lib is different from bufferoverflowU.lib because bufferoverflow.lib can be used in services and in applications that do not use the Win32 API.
add only
Quote
; Link the DDK's cookie-verification library so the checker the library code calls is
; resolved by Microsoft's implementation rather than by a hand-written stub.
includelib BufferOverflow.lib

; Declares the fastcall-decorated checker name without extra MASM decoration (SYSCALL).
; NOTE(review): these two lines are presumably only needed if the asm source itself
; refers to the checker; the includelib line is what gives the linker a definition - confirm.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>
all OK

dedndave

not much of a check, really - lol
they put a dword on the stack, and check that it hasn't changed
not much help if the buffer is global or allocated by one of the API's

in assembly language, you can do more to ensure that buffers are not overrun
it's only when you call a CRT function that it really seems to go nuts