; NtYieldExecution.asm
; "Make them work a little."
; Ollydbg, Windbg, and IDA Pro aren't aware of it, yet...:-)
;
; SiegeWorks 2013 - Present A.P.K.
include \masm32\include\masm32rt.inc
;-----------------------------------------------------------------------
; Win32 (x86, MASM32) demo: a few anti-disassembly/anti-debugging tricks
; ending in a direct NtYieldExecution system call via int 2Eh.
;
; Control flow (see per-line notes):
;   start -> register SEH frame -> MessageBox "Hi!"
;         -> call/pop delta trick, skip over 8 "garbage" bytes
;         -> MessageBox "Bye!" (normally) -> CreateProcess with an empty name
;         -> int 2Eh (EAX=116h) -> "BUSTED" if EAX != 0 -> ExitProcess
;
; Clobbers: eax, edx, ebx, flags, esp (the SEH handler rewrites esp).
; Assumes: 32-bit process, MASM32 runtime (masm32rt.inc) for invoke/fn/str$.
;-----------------------------------------------------------------------
.CONST
.data
WaterMark db "SiegeWorks 2013 - Present ð__ð" ; Alt 240 char, author tag embedded in the binary
%Date db " &@Date " ; Compile date  (% forces text expansion of the @Date predefined symbol)
%time db " &@Time" ; and time      (same for @Time)
startInfo STARTUPINFO <>             ; zero-initialised; note startInfo.cb is never set anywhere below
processInfo PROCESS_INFORMATION <>   ; receives handles from CreateProcess; never closed
caption db "Fine",0
text db "Hi!",0
text1 db "Bye!",0
Invalid dw 0                         ; a zero word: as a pointer it reads as an empty string (used as lpApplicationName)
.code
start:
; --- SEH registration: [esp] = _seh, [esp+4] = previous fs:[0], fs:[0] = esp
assume fs:nothing ;set up an SEH just in case
push _seh
push fs:[0]
mov fs:[0],esp   ; NOTE(review): this frame is never unlinked on the normal path before ExitProcess
invoke MessageBox,NULL,addr text,addr caption,MB_OK
; --- call/pop "delta offset" trick: eax = address of @call
call @call
@call:
pop eax ; delta offset
; eax += 0Eh: pop eax (1) + add eax,0Eh (3, imm8 form) + jmp eax (2) + two dd (8) = 14 bytes,
; so eax lands on 'cmp eax,1'. Changing any of these instructions (e.g. forcing the imm32
; form of the add) silently breaks this offset.
add eax,0Eh ; add eax with the no. of bytes (14 decimal) that will land at the actual code.
jmp eax ; jump to the actual code to be executed.
; Opaque bytes placed in the instruction stream; never executed. Presumably chosen so a
; linear-sweep disassembler decodes them as instructions and loses sync with 'cmp eax,1'.
dd 00E95564h ;garbage bytes
dd 0E9830048h ;
; eax still holds the code address from the pop above, so it is never 1 here:
; 'jne next' is effectively always taken and 'jmp goon' is a decoy path.
cmp eax,1 ;actual code
jne next
jmp goon
next:
invoke MessageBox,NULL,addr text1,addr caption,MB_OK
goon:
;Begin a new process with an invalid name for the process name
; lpApplicationName = "" (Invalid), no command line, bInheritHandles = TRUE,
; dwCreationFlags = 00000008h (presumably DETACHED_PROCESS). The return value is not
; checked; if the call ever succeeds, processInfo.hProcess/hThread are leaked.
INVOKE CreateProcess,addr Invalid,NULL,NULL,NULL,TRUE,00000008h,NULL,NULL,addr startInfo,addr processInfo
; Undocumented function NtYieldExecution
; Neither Ollydbg nor IDA know what this is
; Direct system call, bypassing ntdll's stub. The service number 116h is specific to one
; Windows version/service pack (syscall numbers are not stable across releases), so this
; check is not portable. Hard-coded service numbers with int 2Eh outside ntdll are also an
; easily recognisable indicator for defenders.
xor edx,edx ;          edx is the user-stack pointer argument expected by the int 2Eh dispatcher on 32-bit Windows -- TODO confirm for the target build
MOV EAX,116h ; Move "NtYieldExecution" Syscall number into EAX
int 2eh ; Yield Execution to running process using Interrupt  -> EAX = NTSTATUS
; Author's heuristic: STATUS_SUCCESS (0) is read as "no debugger attached"; any other
; status (e.g. STATUS_NO_YIELD_PERFORMED when no other thread was ready) triggers "BUSTED".
; NOTE(review): the mapping between yield outcome and debugger presence is an assumption
; of the author, not a documented contract -- confirm before relying on it.
.IF EAX == 0 ; not under debugger
.else
fn MessageBox,0,str$(eax),"BUSTED",MB_OK   ; str$ renders the status in EAX as a decimal string
.endif
invoke ExitProcess,0
;-----------------------------------------------------------------------
; _seh: hand-rolled SEH handler. At entry [esp] = return address, [esp+4] = pExceptionRecord,
; [esp+8] = pEstablisherFrame (the record pushed at start), [esp+0Ch] = pContext.
;-----------------------------------------------------------------------
_seh:
pop fs:[0]       ; NOTE(review): this pops the RETURN ADDRESS into fs:[0], not the saved previous handler -- the handler chain now points at code, confirm this is intended
mov ebx,[esp+4]  ; after the pop this is pEstablisherFrame = esp value saved at 'mov fs:[0],esp'
mov esp,ebx      ; unwind the stack back to the registration record
jmp next         ; resume at 'next' (shows "Bye!" then continues to goon)
End_Mark db "Last byte in program."   ; data placed in the code section after the handler; never executed
end start
What is so funny about NtYieldExecution, aka SwitchToThread()?
Thanks Qword, 2 ways to do the same thing.
Do you know of other functions with multiple ways?
Andy
Hi Magnum,
Sorry if I could not understand, but what's the reason for preferring an undocumented native API function?
I wasn't aware until Qword brought to my attention.
I prefer the documented functions.
Andy
I can't get SwitchToThread to work as an anti-RE measure the way the undocumented method does.
A calculator program overwrote my win.ini and sys.ini.
It should have appended it instead.
Are those used anymore ?
Hi Magnum,
win.ini and system.ini are used for 16-bit support.
They are loaded at boot time.
you can bring up MsConfig.exe and selectively alter them
If everything still works in cmd.exe, I won't worry about restoring them.
I am running XP MCE2005, SP3.
Mine look like this - pretty standard stuff, I think.
win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
MAPIX=1
OLEMessaging=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=MAPI32.DLL
MAPIXVER=1.0.0.1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[SciCalc]
layout=0
system.ini
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON