Hi guys!
I have the following problem:
This is part of my code:
mov ebp, esp
sub esp, 08h ;
;mov byte ptr DS:[ebp-09h], 6dh ; 'm'
mov byte ptr DS:[ebp-08h], 73h ; 's'
mov byte ptr DS:[ebp-07h], 67h ; 'g'
mov byte ptr DS:[ebp-06h], 62h ; 'b'
mov byte ptr DS:[ebp-05h], 2eh ; '.'
mov byte ptr DS:[ebp-04h], 65h ; 'e'
mov byte ptr DS:[ebp-03h], 78h ; 'x'
mov byte ptr DS:[ebp-02h], 65h ; 'e'
mov byte ptr DS:[ebp-01h], 00h ; '0x00'
lea ebx, [ebp-08h]
invoke CreateFile,ebx,GENERIC_EXECUTE+GENERIC_WRITE+GENERIC_READ,NULL,NULL,OPEN_EXISTING,NULL,NULL
mov ebx,eax
invoke CreateFileMapping,ebx,NULL,SEC_IMAGE+PAGE_EXECUTE_READWRITE,NULL,NULL,NULL
mov ebx,eax
invoke MapViewOfFile,ebx,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL
I need to see the code of the program sgb.exe. The EAX register gets the value 0x380000 when I call MapViewOfFile, but at 0x381000 I see:
00381000 6A 00 PUSH 0
00381002 68 4B304000 PUSH 40304B
00381007 68 00304000 PUSH 403000
0038100C 6A 00 PUSH 0
0038100E E8 07000000 CALL 0038101A ; JMP to kernel32.MapViewOfFile
00381013 6A 00 PUSH 0
00381015 E8 06000000 CALL 00381020 ; JMP to kernel32.CreateFileMappingA
0038101A -FF25 08204000 JMP DWORD PTR DS:[<&kernel32.MapViewOfFi>; kernel32.MapViewOfFile
00381020 -FF25 00204000 JMP DWORD PTR DS:[<&kernel32.CreateFileM>; kernel32.CreateFileMappingA
How can I get the code of the program sgb.exe? It only calls a msgbox:
push 0
push offset title
push offset message
push 0
call MessageBox
Thanks for your replies,
Regards
s4ng3r 8)
msgb.exe is malware.
Why would you like the source code?
That would be a nope.
Quote from: Tedd on August 28, 2013, 11:26:22 PM
msgb.exe is malware.
Why would you like the source code?
That would be a nope.
clown!..
http://www.amazon.com/How-Win-Friends-Influence-People/dp/0671723650
Quote from: s4ng3r on August 28, 2013, 11:43:17 PM
Quote from: Tedd on August 28, 2013, 11:26:22 PM
msgb.exe is malware.
Why would you like the source code?
That would be a nope.
clown!..
Funny, I'm the one laughing :greenclp:
Well, I assume msgbox.exe is this one
Quote from: s4ng3r on August 28, 2013, 06:14:27 AM
push 0
push offset title
push offset message
push 0
call MessageBox
and he wants to load it unpacked - the question is for what purpose?
The rules of the forum (http://masm32.com/board/index.php?topic=4.0)
Quote from: qWord on August 29, 2013, 01:41:20 AM
Well, I assume msgbox.exe is this one
Quote from: s4ng3r on August 28, 2013, 06:14:27 AM
push 0
push offset title
push offset message
push 0
call MessageBox
and he wants to load it unpacked - the question is for what purpose?
The rules of the forum (http://masm32.com/board/index.php?topic=4.0)
To modify and repackage, like a debugger :P