I have converted what I know, but could use some help in some areas in converting some C code to assembly.
Andy
; Einbrecher.asm Josh_Jackson,
; Is program under the "guidance" of a helper
; Code conversion from C -> assembly
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

; typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, UINT, PVOID, ULONG, PULONG);
NTQUERYINFORMATIONPROCESS typedef proto stdcall :HANDLE,:UINT,:PVOID,:ULONG,:PULONG
PNTQUERYINFORMATIONPROCESS typedef ptr NTQUERYINFORMATIONPROCESS

.data
item db "ntdll.dll",0
ProcName1 db "NtQueryInformationProcess",0
Holder dd 0                          ; module handle of ntdll.dll
NtQIP PNTQUERYINFORMATIONPROCESS 0    ; resolved at run time with GetProcAddress
NoDebugInherit dd 0                  ; DWORD NoDebugInherit = 0;
Wasserzeichen db "SiegeWorks 2013 ♪ "
%Date db " &@Date " ; Compile date
%time db " &@Time"
; %version db " Masm Version &@Version"

.code
; CheckProcessDebugFlags will return true if
; the EPROCESS->NoDebugInherit is == FALSE,
; the reason we check for false is because
; the NtQueryProcessInformation function returns the
; inverse of EPROCESS->NoDebugInherit so (!TRUE == FALSE)
; Much easier in ASM but C/C++ looks so much better
CheckProcessDebugFlags proc
    ; Get NtQueryInformationProcess:
    ; NtQIP = GetProcAddress( GetModuleHandle( TEXT("ntdll.dll") ), "NtQueryInformationProcess" );
    ; Map the executable module into the address space of the calling process
    ; (ntdll.dll is already loaded in every process, so this only returns its handle).
    invoke LoadLibrary, ADDR item
    mov Holder, eax                 ; handle of executable module
    invoke GetProcAddress, eax, ADDR ProcName1
    .if eax == 0                    ; export not found -> return false (eax = 0)
        ret
    .endif
    mov NtQIP, eax
    ; Status = NtQIP(GetCurrentProcess(), 0x1f /* ProcessDebugFlags */, &NoDebugInherit, 4, NULL);
    invoke GetCurrentProcess
    invoke NtQIP, eax, 1Fh, ADDR NoDebugInherit, sizeof NoDebugInherit, NULL
    .if eax != 0                    ; if (Status != 0x00000000) return false;
        xor eax, eax
    .elseif NoDebugInherit == FALSE ; if (NoDebugInherit == FALSE) return true;
        mov eax, TRUE
    .else                           ; else return false;
        xor eax, eax
    .endif
    ret
CheckProcessDebugFlags endp

start:
    invoke CheckProcessDebugFlags   ; eax = TRUE if a debugger is attached
    invoke ExitProcess, 0
end start
include \masm32\include\masm32rt.inc
NTQUERYINFORMATIONPROCESS typedef proto stdcall :HANDLE,:UINT,:PVOID,:ULONG,:PULONG
PNTQUERYINFORMATIONPROCESS typedef ptr NTQUERYINFORMATIONPROCESS
CheckProcessDebugFlags macro
    fn GetProcAddress,rv(GetModuleHandle,"ntdll.dll"),"NtQueryInformationProcess"
    push eax                ; function pointer; this stack slot doubles as the 4-byte output buffer
    invoke GetCurrentProcess
    mov ecx,esp             ; ecx = &slot (ProcessInformation)
    mov edx,[esp]           ; edx = NtQueryInformationProcess, read before the call overwrites the slot
    invoke PNTQUERYINFORMATIONPROCESS ptr edx,eax,1fh,ecx,4,NULL   ; 1fh = ProcessDebugFlags
    pop edx                 ; edx = NoDebugInherit
    .if eax != 0            ; status != 0 -> false
        xor eax,eax
    .elseif !edx            ; NoDebugInherit == FALSE -> true
        mov eax,-1
    .endif
    EXITM <eax>
endm
.code
start:
    .if CheckProcessDebugFlags()
        fn MessageBox,0,0,0,0
    .endif
    invoke ExitProcess,0
end start
Hi Andy,
Quote from: Magnum on January 15, 2013, 06:57:01 AM
I have converted what I know, but could use some help in some areas in converting some C code to assembly.
Andy
you can try QWord's macro or - and that's another way - pick up your C code and write it into a function. Then, let the compiler do the dirty work. The compiler switch -S at the command line will give you the compiler's assembly language source, which is your starting point. Go forward function by function and you'll have success.
Gunther
INCLUDE \masm32\include\masm32rt.inc
.DATA
szNtDll db 'ntdll.dll',0
szNtQIP db 'NtQueryInformationProcess',0
.CODE
NtQip PROC
    xor eax,eax
    push eax                ;ProcessInformation
    mov edx,esp             ;EDX = pProcessInformation
    push eax                ;NtQueryInformationProcess:ReturnLength = 0
    push sizeof DWORD       ;NtQueryInformationProcess:ProcessInformationLength = 4
    push edx                ;NtQueryInformationProcess:pProcessInformation
    push 1Fh                ;NtQueryInformationProcess:ProcessInformationClass = PROCESSINFOCLASS:ProcessDebugFlags
    INVOKE GetCurrentProcess
    push eax                ;NtQueryInformationProcess:ProcessHandle
    INVOKE GetModuleHandle,offset szNtDll
    INVOKE GetProcAddress,eax,offset szNtQIP
    CALL eax                ;CALL NtQueryInformationProcess (stdcall, removes its 5 arguments)
    pop edx                 ;EDX = ProcessInformation
    .if eax                 ;status != 0 -> return 0
        xor eax,eax
    .elseif !edx            ;NoDebugInherit == FALSE -> return 1
        inc eax
    .endif
    ret
NtQip ENDP
_main PROC
    call NtQip
    .if eax                 ;MessageBox if debugging
        dec eax
        INVOKE MessageBox,eax,eax,eax,eax
    .endif
    INVOKE ExitProcess,eax
_main ENDP
END _main
EDIT: fixed a bug
Quote from: Gunther on January 15, 2013, 08:23:16 AM
Hi Andy,
Quote from: Magnum on January 15, 2013, 06:57:01 AM
I have converted what I know, but could use some help in some areas in converting some C code to assembly.
Andy
you can try QWord's macro or - and that's another way - pick up your C code and write it into a function. Then, let the compiler do the dirty work. The compiler switch -S at the command line will give you the compiler's assembly language source, which is your starting point. Go forward function by function and you'll have success.
Gunther
Are you talking about assembling C code with a C compiler and linker and getting an assembly listing ?
I used to write C and C++, before I went to asm and batch file coding.
Andy
Thanks Qword and DednDave.
Both "modules" are equal in size, maybe there is a speed difference ?
Andy
i doubt there is a significant difference in speed
mine is a proc, qWord's is a macro
but the system calls undoubtedly consume most of the time
it's mainly a different programming style to achieve the same thing
by using CALL EAX, i avoided all the text involved in typedef'ing the function :P
Hi Andy,
Quote from: Magnum on January 15, 2013, 11:46:32 AM
Are you talking about assembling C code with a C compiler and linker and getting an assembly listing ?
I used to write C and C++, before I went to asm and batch file coding.
Andy
yes, I'm speaking about the C compiler. You should write a C version of your code and compare your code versus C to learn whether you have done better than the compiler. You can use the - S option of gcc to have it produce an assembly language file. Studying this generated code may give you some ideas about how to write efficient assembly code. With Borland tools it is -S, too. I'm sure there is a similar command line switch for VC.
Gunther
For the Microsoft compilers you can use /FA.
I seem to recall that with GCC -S will prevent it from creating an EXE, but with the Microsoft compilers /FA does not have this effect.
Thanks Michael.
Versions 6.14 and 10.0 don't offer an asm listing, but /Fl gave one large file listing.
I have IDA, but I only use a couple of their bells and whistles.
to create a shorter listing...
.XCREF
.NOLIST
INCLUDE \masm32\include\masm32rt.inc
.LIST
;
;
.XCREF disables the cross-reference part of the listing
.NOLIST/.LIST turns off listing during all the includes, then back on for the rest of it
you can also use /Sa to get more detail in the part of the listing that is turned on
Thanks, learned something new again.
I noticed some of M.S. programs have debug info in them.
Maybe an oversight or they could be a work in progress.
Hi Andy,
Quote from: Magnum on January 17, 2013, 12:43:28 AM
Thanks, learned something new again.
I noticed some of M.S. programs have debug info in them.
yes, go forward and good luck. :t
Gunther
Microsoft Security Essentials 2.0 flips Windows Automatic Update settings
If you have Windows check for updates but not install, latest version of MSE may change your setting without permission.
http://www.infoworld.com/t/anti-virus/microsoft-security-essentials-20-flips-windows-automatic-update-settings-004
http://www.infoworld.com/t/desktop-productivity/botched-patch-messes-outlook-2007-811
The same has some answers about the Java security flaws.
Thank you for the links and the information, Andy. :t
Gunther