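.386
.model flat, stdcall
option casemap :none
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\ntdll.lib
includelib laotouwim.lib
; Third-party routine built by the Microsoft C++ compiler (with /GS);
; prototype as posted in the thread.
LaotouMountImage PROTO :DWORD,:DWORD,:DWORD,:DWORD
; Value the /GS-instrumented epilogues in laotouwim.lib compare their stack
; cookie against.
; NOTE(review): an EQU is an assembler constant, not the DWORD data symbol
; ___security_cookie that an MSVC prologue loads; it is also fixed at build
; time, so an overflow that writes this value over the slot is not caught.
__security_cookie equ 0E64EBB40h
; Every /GS-protected epilogue ends with a __fastcall call to
; @__security_check_cookie@4 (cookie in ECX). The EXTERNDEF only declares
; that symbol -- nothing in this listing defines it, so the link fails with
; an unresolved external. That failure is the question this listing raises.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>
.data
mestitle db "Bomz",0
; Print all 32 bits of EAX as hex. The original "%010hu" carried the h
; (16-bit) modifier and printed only the low half, hiding the high bits of
; an NTSTATUS such as 0C0000034h.
form db "EAX: %08lX", 0
.data?
buffer db 512 dup(?)
.code
start:
    ; Probe call with null arguments; EAX receives whatever the routine returns.
    invoke LaotouMountImage, 0, 0, 0, 0
    invoke wsprintf,ADDR buffer,ADDR form,eax
    invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
    invoke ExitProcess,0
end start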
How do I resolve this with MASM?
Microsoft's answer is either to build the library with the /GS- switch (a compiler option for cl.exe, not a linker option) or to define the cookie and the check routine yourself:
// Process-wide stack cookie read by every /GS prologue and compared in the
// matching epilogue. NOTE(review): a constant cookie is predictable; the
// real CRT replaces it at start-up with a per-process value.
extern "C" const DWORD_PTR __security_cookie = 0xE64EBB40;

// Called from each /GS-protected epilogue with the cookie recovered from the
// frame. __fastcall puts it in ECX, which is where the @4 decoration on
// @__security_check_cookie@4 comes from. Returns normally only when the
// frame is intact; otherwise raises a breakpoint trap (STATUS_BREAKPOINT).
extern "C" void __fastcall __security_check_cookie(DWORD_PTR cookie)
{
    if (cookie == __security_cookie)
        return;                 // frame intact
    __asm int 3;                // cookie overwritten: stop here
}
http://code.google.com/p/nativeshell/source/browse/trunk/lib/?r=25
http://code.google.com/p/nativeshell/source/browse/trunk/?r=25#trunk%2Finc
see if this works
INCLUDE \masm32\include\masm32rt.inc
INCLUDE \masm32\include\ntstrsafe.inc
INCLUDELIB \masm32\lib\ntstrsafe.lib
.CODE
Start:
; Experiment: call the cookie-check routine imported from ntstrsafe.lib with
; no CRT start-up code and show what comes back (1 = matched, 0 = not).
call CheckSecCookie
INVOKE MessageBox,0,uhex$(eax),0,MB_OK
INVOKE ExitProcess,eax
; Returns EAX = 1 when the local dwCookie holds the default /GS cookie value
; after the call, else EAX = 0.
; NOTE(review): if this is the same routine as the @__security_check_cookie@4
; dumped from bufferoverflow.lib further down, it takes the cookie in ECX,
; compares it with ___security_cookie and returns with "ret 0" -- it never
; writes through a pointer. Here ECX holds whatever it happened to contain,
; the pushed address is presumably left on the stack (the frame epilogue
; MASM emits for a PROC with a LOCAL hides the imbalance), and dwCookie is
; never initialised, so the result says nothing about the check. Confirm
; against the prototype in ntstrsafe.inc before relying on it.
CheckSecCookie PROC
LOCAL dwCookie :DWORD
INVOKE _security_check_cookie,addr dwCookie
xor eax,eax
.if dwCookie==0E64EBB40h
inc eax
.endif
ret
CheckSecCookie ENDP
END Start
I am not sure how valid this is without the compiler's start-up code (nothing here initialises the cookie).
At any rate, the function is prototyped in ntstrsafe.inc and imported through ntstrsafe.lib.
Use only one leading underscore: "_security_check_cookie".
/GS is a C/C++ compiler option: it makes the compiler insert a stack-buffer check into each function. It has no meaning for MASM sources, and it is not the same switch as /Gs (lower-case s), which controls stack probes.
You only meet it in code that comes out of a C++ compiler.
Quote
EXTRN ___security_cookie:DWORD
The function begins with:
mov ebp, esp
sub esp, 24 ; 00000018H
mov eax, DWORD PTR ___security_cookie
xor eax, ebp
mov DWORD PTR __$ArrayPad$[ebp], eax
mov eax, DWORD PTR _hdc$[ebp]
and ends with:
mov ecx, DWORD PTR __$ArrayPad$[ebp]
xor ecx, ebp
call @__security_check_cookie@4
mov esp, ebp
pop ebp
ret 0
There is no need to reproduce this by hand in assembly; the C++ compiler emits it around every function it protects (note that the cookie is XORed with EBP on the way into the frame and XORed back before the check).
may be you may show working code?
With c++ express just generate the more simple prog you can.
Then open the property of the project.
Then add /Fa in the command line of c++ .
Generate the project and you have now asm files with those proc.
i found a couple items you might want to read...
http://windowsmobilepro.blogspot.com/2005/08/manually-migrate-embedded-visual-c.html (http://windowsmobilepro.blogspot.com/2005/08/manually-migrate-embedded-visual-c.html)
http://support.microsoft.com/?id=894573 (http://support.microsoft.com/?id=894573)
the first one seems to be by the same guy that wrote your lib
may be somebody may say what IOCTL send to WimFltr.sys
Basically it is not clear what you need: this is the Microsoft compiler's run-time check that the stack frame (saved EBP and return address) has not been overwritten before the function returns. All you have to supply is the check routine; replace the int 3 with abort, an exception, or some other way of stopping the program -- it must never just carry on after a mismatch.
you mean determine __security_check_cookie in my code?
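; Minimal stand-in for MSVC's @__security_check_cookie@4.
; In:  ECX = cookie recovered from the caller's frame (__fastcall, hence the
;      @4 decoration). Nothing is on the stack, so no parameter is declared
;      and the routine returns with ret 0.
; Out: returns only when ECX equals __security_cookie; on a mismatch it
;      raises a breakpoint trap and never resumes the caller.
; NOTE(review): the original body trapped unconditionally and then returned.
; __security_cookie must be visible to this PROC (the full listings define it
; with EQU), and the symbol must end up spelled @__security_check_cookie@4
; for the compiled caller to resolve it.
__security_check_cookie proc syscall
    cmp ecx, __security_cookie
    je cookie_ok
    int 3                       ; cookie overwritten: stop here
cookie_ok:
    ret 0
__security_check_cookie endp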
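.386
.model flat, stdcall
option casemap :none
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
include \masm32\macros\Strings.mac
includelib laotouwim.lib
; MSVC-built (/GS) library routine; prototype as posted in the thread.
LaotouMountImage PROTO :DWORD,:DWORD,:DWORD,:DWORD
; Cookie value the /GS epilogues in laotouwim.lib hand back for checking.
; NOTE(review): a fixed, build-time cookie is predictable -- an overflow
; that writes this value over the slot passes the check. bufferoverflow.lib's
; ___security_init_cookie (dumped further down) replaces the default with a
; per-process value; this program has no equivalent.
__security_cookie equ 0E64EBB40h
; Compiled code calls @__security_check_cookie@4 (__fastcall: cookie in ECX).
; The EQU below makes the PROC at the end of this file define that symbol.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>
.data
mestitle db "Bomz",0
; All 32 bits of EAX as hex. The original "%010hx" carried the h (16-bit)
; modifier and dropped the high half of an NTSTATUS such as 0C0000034h.
form db "EAX: %08lX", 0
TW0 "C:\\DDD",path
TW0 "C:\\winpe.wim",iname
.data?
buffer db 512 dup(?)
.code
start:
    ; The WimFltr service must already be running (see the thread); EAX
    ; receives the status code.
    invoke LaotouMountImage, addr path, addr iname, 1, 0
    invoke wsprintf,ADDR buffer,ADDR form,eax
    invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
    invoke ExitProcess,0

; @__security_check_cookie@4 -- called from every /GS-protected epilogue in
; laotouwim.lib (the MSVC epilogue quoted in the thread XORs the saved cookie
; back with EBP and then calls here).
; In:  ECX = cookie read from the caller's frame. Nothing is on the stack,
;      hence no parameter and ret 0. NOTE(review): the original declared a
;      stack parameter the caller never pushes, so it compared garbage.
; Out: returns only when ECX equals __security_cookie. On a mismatch the
;      process is terminated. The original trapped on a MATCH and returned
;      quietly on a mismatch -- the reverse of a cookie check.
__security_check_cookie proc syscall
    cmp ecx, __security_cookie
    jne gs_failure
    ret 0
gs_failure:
    ; STATUS_STACK_BUFFER_OVERRUN, the code bufferoverflow.lib passes to
    ; NtTerminateProcess. The frame is corrupt: never return into it.
    invoke ExitProcess, 0C0000409h
__security_check_cookie endp
end start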
Something still needs to be activated:
Quote0xC0000034
STATUS_OBJECT_NAME_NOT_FOUND
The object name is not found.
http://bbs.wuyou.com/viewthread.php?tid=188616&page=14
It needs StartService first; then all is OK.
The @4 suffix is the __fastcall name decoration. If you cannot produce that name in MASM you can define the function in a .cpp file, compile it, and link the object module together with the assembly program.
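.386
.model flat, stdcall
option casemap :none
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\ntdll.inc
include \masm32\macros\Strings.mac
includelib laotouwim.lib
; MSVC-built (/GS) library routine; prototype as posted in the thread.
LaotouMountImage PROTO :DWORD,:DWORD,:DWORD,:DWORD
; Cookie value the /GS epilogues in laotouwim.lib hand back for checking.
; NOTE(review): a fixed, build-time cookie is predictable -- an overflow
; that writes this value over the slot passes the check. bufferoverflow.lib's
; ___security_init_cookie (dumped further down) replaces the default with a
; per-process value; this program has no equivalent.
__security_cookie equ 0E64EBB40h
; Compiled code calls @__security_check_cookie@4 (__fastcall: cookie in ECX).
; The EQU below makes the PROC at the end of this file define that symbol.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>
.data
mestitle db "Bomz",0
; All 32 bits of EAX as hex. The original "%010hx" carried the h (16-bit)
; modifier and dropped the high half of an NTSTATUS such as 0C0000034h.
form db "EAX: %08lX", 0
TW0 "C:\\DDD",path
TW0 "C:\\winpe.wim",iname
.data?
buffer db 512 dup(?)
.code
start:
    ; The WimFltr service must already be running (see the thread); EAX
    ; receives the status code.
    invoke LaotouMountImage, addr path, addr iname, 1, 0
    invoke wsprintf,ADDR buffer,ADDR form,eax
    invoke MessageBox,0,ADDR buffer,ADDR mestitle,MB_ICONASTERISK
    invoke ExitProcess,0

; @__security_check_cookie@4 -- called from every /GS-protected epilogue in
; laotouwim.lib (the MSVC epilogue quoted in the thread XORs the saved cookie
; back with EBP and then calls here).
; In:  ECX = cookie read from the caller's frame. Nothing is on the stack,
;      hence no parameter and ret 0. NOTE(review): the original declared a
;      stack parameter the caller never pushes, so it compared garbage.
; Out: returns only when ECX equals __security_cookie. On a mismatch the
;      process is terminated. The original trapped on a MATCH and returned
;      quietly on a mismatch -- the reverse of a cookie check.
__security_check_cookie proc syscall
    cmp ecx, __security_cookie
    jne gs_failure
    ret 0
gs_failure:
    ; STATUS_STACK_BUFFER_OVERRUN, the code bufferoverflow.lib passes to
    ; NtTerminateProcess. The frame is corrupt: never return into it.
    invoke ExitProcess, 0C0000409h
__security_check_cookie endp
end start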
This works, but the WimFltr service must be started first. I have just finished adding a mount command to my native command interpreter.
http://support.microsoft.com/kb/894573/en-us
Get BufferOverflow.lib from DDK
QuoteThis library implements functionality for security cookie verification that can be used in the user mode. However, bufferoverflow.lib is different from bufferoverflowU.lib because bufferoverflow.lib can be used in services and in applications that do not use the Win32 API.
then add only:
Quote
; bufferoverflow.lib (DDK) supplies @__security_check_cookie@4 together with
; ___security_cookie / ___security_init_cookie (see the dumpbin listing
; below), so the hand-written check PROC is no longer needed.
includelib BufferOverflow.lib
; NOTE(review): nothing here calls ___security_init_cookie. In the dump it is
; only invoked from the DllMainCRTStartupForGS entries, and it is what swaps
; the default cookie for a per-process one -- in an EXE with no CRT start-up
; code the cookie presumably stays at its default; confirm before relying on it.
EXTERNDEF SYSCALL @__security_check_cookie@4:PROC
__security_check_cookie equ <@__security_check_cookie@4>
and everything works.
Not much of a check, really.
They put a DWORD on the stack above the local buffers and verify it has not changed by the time the function returns.
That is no help if the buffer is global or was allocated by one of the APIs, and with a fixed cookie like the one used here an overflow that writes the expected value over the slot passes it.
In assembly language you can do more to ensure buffers are not overrun, since you control every write yourself.
It is only when you call a CRT function that it really seems to go nuts.
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file BufferOverflow.lib
File Type: LIBRARY
__DllMainCRTStartupForGS@12:
00000000: 8B FF mov edi,edi
00000002: 55 push ebp
00000003: 8B EC mov ebp,esp
00000005: 83 7D 0C 01 cmp dword ptr [ebp+0Ch],1
00000009: 75 0E jne 00000019
0000000B: E8 00 00 00 00 call ___security_init_cookie
00000010: FF 75 08 push dword ptr [ebp+8]
00000013: FF 15 00 00 00 00 call dword ptr [__imp__LdrDisableThreadCalloutsForDll@4]
00000019: 33 C0 xor eax,eax
0000001B: 40 inc eax
0000001C: 5D pop ebp
0000001D: C2 0C 00 ret 0Ch
__DllMainCRTStartupForGS2@12:
00000000: 8B FF mov edi,edi
00000002: 55 push ebp
00000003: 8B EC mov ebp,esp
00000005: 83 7D 0C 01 cmp dword ptr [ebp+0Ch],1
00000009: 75 05 jne 00000010
0000000B: E8 00 00 00 00 call ___security_init_cookie
00000010: 33 C0 xor eax,eax
00000012: 40 inc eax
00000013: 5D pop ebp
00000014: C2 0C 00 ret 0Ch
_NtGetTickCount@0:
00000000: EB 02 jmp 00000004
00000002: F3 90 pause
00000004: 8B 0D 24 03 FE 7F mov ecx,dword ptr ds:[7FFE0324h]
0000000A: 8B 15 20 03 FE 7F mov edx,dword ptr ds:[7FFE0320h]
00000010: A1 28 03 FE 7F mov eax,dword ptr ds:[7FFE0328h]
00000015: 3B C8 cmp ecx,eax
00000017: 75 E9 jne 00000002
00000019: A1 04 00 FE 7F mov eax,dword ptr ds:[7FFE0004h]
0000001E: F7 E2 mul eax,edx
00000020: C1 E1 08 shl ecx,8
00000023: 0F AF 0D 04 00 FE imul ecx,dword ptr ds:[7FFE0004h]
7F
0000002A: 0F AC D0 18 shrd eax,edx,18h
0000002E: C1 EA 18 shr edx,18h
00000031: 03 C1 add eax,ecx
00000033: C3 ret
___report_gsfailure:
00000000: 8B FF mov edi,edi
00000002: 55 push ebp
00000003: 8B EC mov ebp,esp
00000005: 51 push ecx
00000006: 51 push ecx
00000007: A3 B0 00 00 00 mov dword ptr [_GS_ContextRecord+0B0h],eax
0000000C: 89 0D AC 00 00 00 mov dword ptr [_GS_ContextRecord+0ACh],ecx
00000012: 89 15 A8 00 00 00 mov dword ptr [_GS_ContextRecord+0A8h],edx
00000018: 89 1D A4 00 00 00 mov dword ptr [_GS_ContextRecord+0A4h],ebx
0000001E: 89 35 A0 00 00 00 mov dword ptr [_GS_ContextRecord+0A0h],esi
00000024: 89 3D 9C 00 00 00 mov dword ptr [_GS_ContextRecord+9Ch],edi
0000002A: 66 8C 15 C8 00 00 mov word ptr [_GS_ContextRecord+0C8h],ss
00
00000031: 66 8C 0D BC 00 00 mov word ptr [_GS_ContextRecord+0BCh],cs
00
00000038: 66 8C 1D 98 00 00 mov word ptr [_GS_ContextRecord+98h],ds
00
0000003F: 66 8C 05 94 00 00 mov word ptr [_GS_ContextRecord+94h],es
00
00000046: 66 8C 25 90 00 00 mov word ptr [_GS_ContextRecord+90h],fs
00
0000004D: 66 8C 2D 8C 00 00 mov word ptr [_GS_ContextRecord+8Ch],gs
00
00000054: 9C pushfd
00000055: 8F 05 C0 00 00 00 pop dword ptr [_GS_ContextRecord+0C0h]
0000005B: 8B 45 00 mov eax,dword ptr [ebp]
0000005E: A3 B4 00 00 00 mov dword ptr [_GS_ContextRecord+0B4h],eax
00000063: 8B 45 04 mov eax,dword ptr [ebp+4]
00000066: A3 B8 00 00 00 mov dword ptr [_GS_ContextRecord+0B8h],eax
0000006B: 8D 45 08 lea eax,[ebp+8]
0000006E: A3 C4 00 00 00 mov dword ptr [_GS_ContextRecord+0C4h],eax
00000073: A1 B8 00 00 00 mov eax,dword ptr [_GS_ContextRecord+0B8h]
00000078: A3 0C 00 00 00 mov dword ptr [_GS_ExceptionRecord+0Ch],eax
0000007D: A1 00 00 00 00 mov eax,dword ptr [___security_cookie]
00000082: C7 05 00 00 00 00 mov dword ptr [_GS_ContextRecord],10001h
01 00 01 00
0000008C: C7 05 00 00 00 00 mov dword ptr [_GS_ExceptionRecord],0C0000409h
09 04 00 C0
00000096: C7 05 04 00 00 00 mov dword ptr [_GS_ExceptionRecord+4],1
01 00 00 00
000000A0: 89 45 F8 mov dword ptr [ebp-8],eax
000000A3: A1 00 00 00 00 mov eax,dword ptr [___security_cookie_complement]
000000A8: 68 00 00 00 00 push offset _GS_ExceptionPointers
000000AD: 89 45 FC mov dword ptr [ebp-4],eax
000000B0: E8 00 00 00 00 call _RtlUnhandledExceptionFilter@4
000000B5: 68 09 04 00 C0 push 0C0000409h
000000BA: 6A FF push 0FFFFFFFFh
000000BC: E8 00 00 00 00 call _NtTerminateProcess@8
000000C1: C9 leave
000000C2: C3 ret
___security_init_cookie_ex:
00000000: 8B FF mov edi,edi
00000002: 55 push ebp
00000003: 8B EC mov ebp,esp
00000005: EB 02 jmp 00000009
00000007: F3 90 pause
00000009: 8B 0D 24 03 FE 7F mov ecx,dword ptr ds:[7FFE0324h]
0000000F: 8B 15 20 03 FE 7F mov edx,dword ptr ds:[7FFE0320h]
00000015: A1 28 03 FE 7F mov eax,dword ptr ds:[7FFE0328h]
0000001A: 3B C8 cmp ecx,eax
0000001C: 75 E9 jne 00000007
0000001E: A1 04 00 FE 7F mov eax,dword ptr ds:[7FFE0004h]
00000023: F7 E2 mul eax,edx
00000025: C1 E1 08 shl ecx,8
00000028: 0F AF 0D 04 00 FE imul ecx,dword ptr ds:[7FFE0004h]
7F
0000002F: 0F AC D0 18 shrd eax,edx,18h
00000033: 03 C1 add eax,ecx
00000035: 8B 4D 08 mov ecx,dword ptr [ebp+8]
00000038: C1 EA 18 shr edx,18h
0000003B: 33 C1 xor eax,ecx
0000003D: 89 01 mov dword ptr [ecx],eax
0000003F: 74 07 je 00000048
00000041: 3D 4E E6 40 BB cmp eax,0BB40E64Eh
00000046: 75 06 jne 0000004E
00000048: C7 01 4F E6 40 BB mov dword ptr [ecx],0BB40E64Fh
0000004E: 5D pop ebp
0000004F: C3 ret
___security_init_cookie:
00000000: A1 00 00 00 00 mov eax,dword ptr [___security_cookie]
00000005: 85 C0 test eax,eax
00000007: 74 07 je 00000010
00000009: 3D 4E E6 40 BB cmp eax,0BB40E64Eh
0000000E: 75 10 jne 00000020
00000010: 68 00 00 00 00 push offset ___security_cookie
00000015: E8 00 00 00 00 call ___security_init_cookie_ex
0000001A: A1 00 00 00 00 mov eax,dword ptr [___security_cookie]
0000001F: 59 pop ecx
00000020: F7 D0 not eax
00000022: A3 00 00 00 00 mov dword ptr [___security_cookie_complement],eax
00000027: C3 ret
@__security_check_cookie@4:
00000000: 3B 0D 00 00 00 00 cmp ecx,dword ptr [___security_cookie]
00000006: 75 03 jne $failure$29928
00000008: C2 00 00 ret 0
$failure$29928:
0000000B: E9 00 00 00 00 jmp ___report_gsfailure
Summary
31C .bss
8 .data
6B8C .debug$S
5B1C .debug$T
9 .drectve
54 .rdata
1B6 .text
I am not sure that the CRT routine works in native mode. The KB text quoted above says bufferoverflow.lib is the variant intended for services and programs that do not use the Win32 API, so that is the one to link; otherwise compile a native C project with /GS-.