### Author Topic: Length limit to MB_OK | MB_ICONEXCLAMATION  (Read 13211 times)

#### Magnum

• Member
• Posts: 2314
##### Length limit to MB_OK | MB_ICONEXCLAMATION
« on: April 15, 2013, 01:03:19 AM »
When I added 20 more characters to the end of DbgFoundText, the program chokes.

Is there a length limit to MB_OK | MB_ICONEXCLAMATION?

Code: [Select]
`DbgFoundText     db "Debugger found!",0hPUSH 30h ; Show badboyPUSH offset DbgFoundTitlePUSH offset DbgFoundTextPUSH 0CALL MessageBox`
Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

#### dedndave

• Member
• Posts: 8825
• Still using Abacus 2.0
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #1 on: April 15, 2013, 01:56:01 AM »
no - it will almost fill the screen, if it needs to
actually - there may be some practical limit, but it will wrap and crop text, too
i think i put 32 k of text in one, once - something like that

i am guessing that you are overwriting something when you add 20 characters

as you have it shown, the text is in the code section
you would be overwriting the message box code   :P

Code: [Select]
`DbgFoundText     db "Debugger found!",0h,20 dup(?)PUSH 30h ; Show badboyPUSH offset DbgFoundTitlePUSH offset DbgFoundTextPUSH 0CALL MessageBox`

#### Magnum

• Member
• Posts: 2314
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #2 on: April 15, 2013, 10:30:15 AM »
It's not in the code section, just had it there to show my text.

Here is the entire code, it may be another issue.

More comments at the end to show what the code does and 2 modifications that need to be done to the P.E header.

Code: [Select]
`; TLS_Callback.asm;; Now, clicking back in the Data Directories, double-click in the TLS Directory RVA and change it to 3046.; Then change the TLS Size to 18. Now save the binary.; Random,; .586.model flat, stdcalloption casemap :noneinclude \masm32\include\windows.incinclude \masm32\include\user32.incinclude \masm32\include\kernel32.incinclude \masm32\include\comdlg32.inc includelib \masm32\lib\user32.libincludelib \masm32\lib\kernel32.libincludelib \masm32\lib\comdlg32.lib.dataDbgNotFoundTitle db "Debugger status:",0hDbgFoundTitle    db "Debugger status:",0hDbgNotFoundText  db "Debugger not found!",0hDbgFoundText     db "Debugger found!",0h; TLS Structuredd offset StartAddressdd offset EndAddressdd offset AddressOfIndexdd offset TlsCallBack TlsCallBack     dd  offset TLS ; Address of our callback                dd     0 ; Spacer                dd     0       ; SpacerStartAddress    dd     0EndAddress     dd     0AddressOfIndex  dd     0TlsCallBack2    dd     offset TLSSizeOfZeroFill  dd     0Characteristics dd     0 .data?TLSCalled db ? ; Flag for if TLS has been called.codestart:invoke ExitProcess,0 ; Main routine does nothingret ; TLSCallback                                                  TLS: CMP BYTE PTR[TLSCalled],1 ; If callback has already been runJE @exit ; ignore itMOV BYTE PTR[TLSCalled],1 ; Set flag for next timeCALL IsDebuggerPresentCMP EAX,1 ; Are we being debugged?JE @DebuggerDetected ; yesPUSH 40h ; Show goodboyPUSH offset DbgNotFoundTitlePUSH offset DbgNotFoundTextPUSH 0CALL MessageBoxJMP @exit@DebuggerDetected:PUSH 30h ; Show badboyPUSH offset DbgFoundTitlePUSH offset DbgFoundTextPUSH 0CALL MessageBox @exit:RETend startIntroductionTLS stands for Thread Local Storage. As you probably know, threads are execution entities that run insideof a process. Programs make use of threads when they wish to accomplish multiple actions concurrently,even though sometimes ‘concurrently’ is just an illusion. For example, let’s say you want to print adocument. You press the ‘print’ button and the program formats the document and sends it to the printer.This activity would be run in a separate thread. The reason for this is we do not want to stop down theentire application until the document is done printing. We want it to start the print process and thenimmediately return to us, perhaps to do some work while it’s printing.If you have multiple processors, each thread can run on a separate processor. This can speed upapplications as multiple processors can be doing work at the same time. Concurrency can also benefitfrom a single processor system. Take for example our print scenario above. Once the application sends thedocument off to the printer, the application will sit around, waiting for the printing activity to finish. This is a LOT of time, especially for a processor. During this waiting time, we can be doing other things. Threads allow a processor to split up activities, and while waiting for a response from one, can be working onanother.When these multiple threads are created, they usually share the same memory. For example, if we havean address book application and we decide to print a contact, the print thread will begin and have accessto the main contact data. If, right after we start the print thread, we want to start another thread that begins showing the contact data on the screen (after all, the print dialog covered some of it), this new thread also has access to the contact data.Threads access this pooled memory by calling the same addresses. In other words, thread A calls address1000 to get the first contact, and thread B calls 1000 and gets the same data. The two addresses are thesame. But what happens when we want a thread to have it’s own data? Perhaps we want the printingthread to have a variable for if the printing was successful or not. All threads do not need to have thisvariable. Therefore, this thread needs a ‘local’ variable, one that only that specific thread has access to.This becomes really important when a single thread needs access to a large class or union. We do notwant every thread started to have access to such a large chunk of memory.Windows provides a way that a thread can have it’s own ‘local storage’. This storage is similar to a stack,but is only accessible to a specific thread. There is a certain chunk of memory that will be reserved for thisthread, and variables can be stored in it. This way, only this one thread has access.We can also set up the threads so that they all have a local copy of a variable, but they all access itthrough the same address. For example, we could have a count variable in every thread, and every threadaccesses it through memory location 1000. But they are all different. Even though they are all the sameaddress, Windows separates each thread’s storage, so that location 1000 to thread A will not be the samevariable (in memory) as thread B.This TLS storage area can be used for other, often malicious, activities. Code can be put into this TLSsection and can be run. The interesting thing about this is that the TLS code will run BEFORE the mainentry point of the binary is run. When the Windows loader first loads the binary into memory, right after itloads in the DLLs needed, it checks a location in the PE header to see if there is a TLS section set up, andif there is, it looks for a callback address. If one is provided, this address is called, and the code in thissection is run. After this runs, the loader then hands control over to the main application.What all this boils down to is that when you load a binary into a debugger, often times we have thedebugger set to stop at the module’s main entry point. Once our debugger has stopped here, our TLScode has already been run. This code can do many things including checking for a debugger, infecting asystem, or formatting a hard drive. And an unwary (or unskilled) programmer will load this binary intoOlly, and before you know it, your system is infected (or worse).You may see this behavior empirically when you load a binary into Olly and the program immediatelyterminates, without ever touching any code in the actual main module. If this ever happens, your firstthought should always be check for a TLS section.`
Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

#### dedndave

• Member
• Posts: 8825
• Still using Abacus 2.0
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #3 on: April 15, 2013, 11:39:41 AM »
still - it wouldn't hurt to declare an extra buffer for the appended text
see my previous post
DbgFoundText     db "Debugger found!",0h,20 dup(?)

#### japheth

• Guest
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #4 on: April 15, 2013, 05:29:02 PM »
More comments at the end to show what the code does and 2 modifications that need to be done to the P.E header.

There's no need at all to patch the PE header manually to add a TLS directory. There's an official way to make the linker add this info: define public variable _tls_used ( type IMAGE_TLS_DIRECTORY32 ).

#### Magnum

• Member
• Posts: 2314
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #5 on: April 15, 2013, 11:21:08 PM »
I tried this but it said "in structure."

Code: [Select]
`_tls_used   IMAGE_TLS_DIRECTORY32`
Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

#### qWord

• Member
• Posts: 1473
• The base type of a type is the type itself
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #6 on: April 15, 2013, 11:58:43 PM »
I tried this but it said "in structure."

Code: [Select]
`_tls_used   IMAGE_TLS_DIRECTORY32`
poor script kiddie
MREAL macros - when you need floating point arithmetic while assembling!

#### dedndave

• Member
• Posts: 8825
• Still using Abacus 2.0
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #7 on: April 16, 2013, 12:34:53 AM »
poor script kiddie

lol - it's the campus, qWord   :P

Andy, try this
Code: [Select]
`_tls_used IMAGE_TLS_DIRECTORY32 <>`
if you want to know how it's defined, you can use the windows explorer search tool
go to the \masm32\include folder
search for files containing the text "IMAGE_TLS_DIRECTORY32"
you will see that it's defined in windows.inc
now, open windows.inc with notepad, and search for the same string

there are at least 3 ways to make it public - i'll let you figure that out

#### Magnum

• Member
• Posts: 2314
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #8 on: April 16, 2013, 01:14:46 AM »
Thanks dave.

I think qWord was bullied as a kiddie and he thinks his anger is normal.

Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

#### dedndave

• Member
• Posts: 8825
• Still using Abacus 2.0
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #9 on: April 16, 2013, 02:51:21 AM »
qWord and japheth are excellent coders
when you are very, very good at something, it's easy to forget what it was like when you started out

#### Gunther

• Member
• Posts: 3585
• Forgive your enemies, but never forget their names
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #10 on: April 16, 2013, 03:20:22 AM »
Hi Dave,

qWord and japheth are excellent coders
when you are very, very good at something, it's easy to forget what it was like when you started out

but it's always good to know where you come from.

Gunther
Get your facts first, and then you can distort them.

#### japheth

• Guest
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #11 on: April 16, 2013, 03:59:01 AM »
I tried this but it said "in structure."

"In structure" seems not to be a known Masm error.   :icon_eek:

We're in the campus, that means you should try to express yourself in full sentences with proper citations and not use some kind of "Texas slang".

Here's a full sample how static TLS can be used: http://www.japheth.de/JWasm/Win32Tls.html

#### Gunther

• Member
• Posts: 3585
• Forgive your enemies, but never forget their names
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #12 on: April 16, 2013, 05:26:23 AM »
Hi Andreas,

Here's a full sample how static TLS can be used: http://www.japheth.de/JWasm/Win32Tls.html

Gunther
Get your facts first, and then you can distort them.

#### Magnum

• Member
• Posts: 2314
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #13 on: April 16, 2013, 06:25:06 AM »
Gunther and Dave,

Don't worry about me, I have a good working example.

If someone throws out a suggestion to improve my code, then I check it out.

It's a fact of life that some folks are just miserable and don't cheerfully want to help others.

For every cranky one, there are 50 others who gladly help.

So, I stay happy and they stay unhappy.

Andy
Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

#### japheth

• Guest
##### Re: Length limit to MB_OK | MB_ICONEXCLAMATION
« Reply #14 on: April 16, 2013, 08:27:48 PM »