News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Environment issue? Simple or not so simple?

Started by Nate523, September 13, 2024, 07:03:43 AM

Previous topic - Next topic

NoCforMe

Quote from: sinsi on September 18, 2024, 04:00:23 PMAlso why would ExitProcess write to memory?

Freeing handles? memory? GDI objects? other housekeeping?
Assembly language programming should be fun. That's why I do it.

sinsi

Quote from: NoCforMe on September 18, 2024, 11:27:58 AMOne thing, and pardon my ignorance of things 64-bit, but is this right in a 64-bit program?
INCLUDELIB kernel32.lib
Yes, the linker (in VS at least) looks in the correct folder.
The "32" is probably Microsoft's attempt in the early days to make it easier to port 32 to 64.
The DLL is called kernel32.dll, even the 64-bit version.
As usual with Microsoft, the 64-bit DLL is in System32 and the 32-bit version is on SysWOW64  :rolleyes:

Quote from: NoCforMe on September 18, 2024, 04:23:30 PMFreeing handles? memory? GDI objects? other housekeeping?
Or a typical Windows error code that doesn't actually tell you the error.
😁

Nate523

Nope didn't change the code, just ran the same program from my home computer to test the setup on my work computer. The only difference is one is the community version of .net and the other is the professional version. I wonder if it is just something about my work computer that is configured differently or has some secuirty feature that is causing issue, and I have no idea why ExitProcess would be writing anything.

Tried the two lines of code you added, but it still gives me a thrown exception when debugging, but runs. I attached a snippet image just for giggles. Just one of those things I guess...


Nate523

And here is an attached image with the extra two lines of code, still doing the same thing. Weird...

sinsi

Can you post the Output window text? Maybe something else is getting loaded.
'TestASM.exe' (Win32): Loaded 'E:\Desktop\TestASM\x64\Debug\TestASM.exe'. Symbols loaded.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\ntdll.dll'. Symbols loaded without source information.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\kernel32.dll'. Symbols loaded without source information.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\KernelBase.dll'. Symbols loaded without source information.
The thread 23284 has exited with code 0 (0x0).
😁

Nate523

I have to push the stop debugging button to get the window here it is:

'TestASM.exe' (Win32): Loaded 'C:\C++\TestASM\x64\Debug\TestASM.exe'. Symbols loaded.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\ntdll.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\kernel32.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\KernelBase.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\ctiuser.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\advapi32.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\msvcrt.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\sechost.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\rpcrt4.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\bcrypt.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\fltLib.dll'.
'TestASM.exe' (Win32): Loaded 'C:\Windows\System32\ucrtbase.dll'.
The thread 28492 has exited with code 0 (0x0).
'TestASM.exe' (Win32): Loaded 'C:\Program Files\Avecto\Privilege Guard Client\PGHook.dll'.
The thread 26332 has exited with code 0 (0x0).
Exception thrown at 0x00007FF75D3D1039 in TestASM.exe: 0xC0000005: Access violation writing location 0x00000000B51CFCA7.

The program '[1100] TestASM.exe' has exited with code 0 (0x0).


sinsi

QuotePrivilege Guard Client
That's probably the culprit.

Are you running VS as administrator?
Does the exception occur if you build a release version?
😁

TimoVJL

Sometimes this helps:
Dependency Walker 2.2


ExitProcess function won't return, so no need for additional code after it.
May the source be with you

fearless

Probably dont need these:

/PGD:"C:\C++\TestASM\x64\Debug\TestASM.pgd"
/LTCGOUT:"TestASM\x64\Debug\TestASM.iobj"
/ILK:"TestASM\x64\Debug\TestASM.ilk"

Nate523

Unfortunately I don't think I can edit the Privilege Guard as it is a security application for my computer. I did run debugging in release mode and it didn't throw the exception and the program seemed to work? So maybe I can look in the release configuration for a difference in settings and might find something.

Really appreciate the help, I don't know if I can dig anymore on my work computer to solve the issue because I don't have full rights to edit stuff as administrator and might have to ask IT for some help digging things up, maybe an exception to some firewall or to the Privilege guard needs to be made.

Nate523

Okay so I don't know what this does:

Project Properties->Configuration Properties->Advanced "Whole Program Optimization"

I changed the setting from "No whole program optimization." to "Use Link Time Code Generation" because that was a setting that differed from debug to release. If I run the debugger without any breakpoints it runs and doesn't throw the exception, if I step through the program as soon as it hits the "call ExitProcess" It starts saying things about
kernel32.pdb and ntdll.dll not loaded, but as soon as I step out it finishes without the exception.

"kernel32.pdb contains the debug information required to find the source for the module kernel32.dll"

"ntdll.pdb contains the debug information required to find the source for the module ntdll.dll"

Dunno if that is exactly a full success or not, but it keeps the exception from being thrown. Might find some other settings that are different that might help change things.

tenkey

The problem is stack alignment in ExitProcess.

Add NOSTACKFRAME after include \masm64\include64\masm64rt.inc to prevent the creation of stack frame code by PROC. The stack frame code aligns the stack to 16-byte, so SUB RSP, 28H misaligns the stack.

include \masm64\include64\masm64rt.inc
NOSTACKFRAME                             ; <-- Add this line

.data

var QWORD 100                            ; initialize variable mem

.code
main PROC

SUB RSP, 28H                            ; Byte align the top of the stack to 16 bytes (keep this line)

TimoVJL

Example code with SUB RSP, 28H and without masm64rt.inc
Testing with Depends.exe
Started "TESTASM.EXE" (process 0x11EB8) at address 0x000000013FF80000.  Successfully hooked module.
Loaded "NTDLL.DLL" at address 0x0000000077960000.  Successfully hooked module.
Loaded "KERNEL32.DLL" at address 0x0000000077740000.  Successfully hooked module.
Loaded "KERNELBASE.DLL" at address 0x000007FEFD4D0000.  Successfully hooked module.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" returned 1073217537 (0x3FF80001).
Injected "DEPENDS.DLL" at address 0x0000000074F30000.
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000001AF8A0) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000001AF8A0) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNEL32.DLL" returned 1 (0x1).
DllMain(0x000007FEFD4D0000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNELBASE.DLL" returned 4294828033 (0xFFFDE001).
Exited "TESTASM.EXE" (process 0x11EB8) with code 78 (0x4E).
without SUB RSP, 28H
Started "TESTASM.EXE" (process 0x11F30) at address 0x000000013F700000.  Successfully hooked module.
Loaded "NTDLL.DLL" at address 0x0000000077960000.  Successfully hooked module.
Loaded "KERNEL32.DLL" at address 0x0000000077740000.  Successfully hooked module.
Loaded "KERNELBASE.DLL" at address 0x000007FEFD4D0000.  Successfully hooked module.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" returned 1064304641 (0x3F700001).
Injected "DEPENDS.DLL" at address 0x0000000074F30000.
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000002FF8D0) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000002FF8D0) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" called.
Second chance exception 0xC0000005 (Access Violation) occurred in "NTDLL.DLL" at address 0x00000000779CB666.
Test code:INCLUDELIB kernel32.lib
ExitProcess PROTO
.data

var QWORD 100                            ; initialize variable mem

.code
mainCRTStartup PROC

SUB RSP, 28H                            ; Byte align the top of the stack to 16 bytes

XOR RCX, RCX                            ; Clear registry
XOR RDX, RDX                            ; Clear registry
MOV RCX, 33                             ; Assign reg/imm
MOV RDX, RCX                            ; Assign reg/reg
MOV RCX, var                            ; Assign reg/mem
MOV var, RDX                            ; assign mem/reg

MOV RCX, 78                             ; Did it exit afterwards?

call ExitProcess
mainCRTStartup ENDP
END
build command:ml64.exe TestASM.asm -link -subsystem:console
May the source be with you

Nate523

Quote from: TimoVJL on September 19, 2024, 01:43:56 PMExample code with SUB RSP, 28H and without masm64rt.inc
Testing with Depends.exe
Started "TESTASM.EXE" (process 0x11EB8) at address 0x000000013FF80000.  Successfully hooked module.
Loaded "NTDLL.DLL" at address 0x0000000077960000.  Successfully hooked module.
Loaded "KERNEL32.DLL" at address 0x0000000077740000.  Successfully hooked module.
Loaded "KERNELBASE.DLL" at address 0x000007FEFD4D0000.  Successfully hooked module.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" returned 1073217537 (0x3FF80001).
Injected "DEPENDS.DLL" at address 0x0000000074F30000.
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000001AF8A0) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000001AF8A0) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNEL32.DLL" returned 1 (0x1).
DllMain(0x000007FEFD4D0000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_DETACH, 0x0000000000000001) in "KERNELBASE.DLL" returned 4294828033 (0xFFFDE001).
Exited "TESTASM.EXE" (process 0x11EB8) with code 78 (0x4E).
without SUB RSP, 28H
Started "TESTASM.EXE" (process 0x11F30) at address 0x000000013F700000.  Successfully hooked module.
Loaded "NTDLL.DLL" at address 0x0000000077960000.  Successfully hooked module.
Loaded "KERNEL32.DLL" at address 0x0000000077740000.  Successfully hooked module.
Loaded "KERNELBASE.DLL" at address 0x000007FEFD4D0000.  Successfully hooked module.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" called.
DllMain(0x000007FEFD4D0000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNELBASE.DLL" returned 1 (0x1).
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" called.
DllMain(0x0000000077740000, DLL_PROCESS_ATTACH, 0x0000000000000000) in "KERNEL32.DLL" returned 1064304641 (0x3F700001).
Injected "DEPENDS.DLL" at address 0x0000000074F30000.
Entrypoint reached. All implicit modules have been loaded.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000002FF8D0) in "DEPENDS.DLL" called.
DllMain(0x0000000074F30000, DLL_PROCESS_ATTACH, 0x00000000002FF8D0) in "DEPENDS.DLL" returned 1 (0x1).
DllMain(0x0000000074F30000, DLL_PROCESS_DETACH, 0x0000000000000001) in "DEPENDS.DLL" called.
Second chance exception 0xC0000005 (Access Violation) occurred in "NTDLL.DLL" at address 0x00000000779CB666.
Test code:
INCLUDELIB kernel32.lib
ExitProcess PROTO
.data

var QWORD 100                            ; initialize variable mem

.code
mainCRTStartup PROC

SUB RSP, 28H                            ; Byte align the top of the stack to 16 bytes

XOR RCX, RCX                            ; Clear registry
XOR RDX, RDX                            ; Clear registry
MOV RCX, 33                             ; Assign reg/imm
MOV RDX, RCX                            ; Assign reg/reg
MOV RCX, var                            ; Assign reg/mem
MOV var, RDX                            ; assign mem/reg

MOV RCX, 78                             ; Did it exit afterwards?

call ExitProcess
mainCRTStartup ENDP
END
build command:
ml64.exe TestASM.asm -link -subsystem:console

So I tried this today, and it works both with and without the "sub rsp, 28h". Thank you for the solution. The biggest difference is this addtion:

mainCRTStartup PROC
and :

mainCRTStartup ENDP
I am not familiar enough to understand what the "mainCRTStartup" is, in the previous code I simply used "main" and in the linker advanced properties of the project I put in "main" as the entry point of the program. Why does mainCRTStartup work even without putting it as an entry point in the linker -> advanced properties, and also not have an exception thrown like before?

jj2007

Quote from: Nate523 on September 20, 2024, 03:43:25 AMit works both with and without the "sub rsp, 28h"

Not aligning the stack correctly is a recipe for disaster. Many Windows APIs work just fine, but every now and then you will get mysterious crashes...