
Started by Magnum, January 15, 2013, 06:57:01 AM


Magnum

I have converted what I know, but could use some help in some areas in converting some C code to assembly.

Andy


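; Einbrecher.asm  Josh_Jackson,
;                 Is program under the "guidance" of a helper
;                 Code conversion from C -> assembly
;
; CheckProcessDebugFlags returns true if EPROCESS->NoDebugInherit is FALSE.
; We test for FALSE because NtQueryInformationProcess(ProcessDebugFlags)
; hands back the inverse of EPROCESS->NoDebugInherit, so (!TRUE == FALSE)
; means a debugger is attached.  A missing module/export or a failing
; query is reported as "false" instead of calling through a NULL pointer.

.386
.model  flat,stdcall
option  casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

include \masm32\macros\macros.asm 

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\advapi32.lib

PROCESS_DEBUG_FLAGS equ 1Fh                 ; PROCESSINFOCLASS: ProcessDebugFlags (0x1f in the C source)

.data

item           db   "ntdll.dll",0                    ; module that exports the query routine
ProcName1      db   "NtQueryInformationProcess",0    ; export name handed to GetProcAddress
Holder         dd   0                                ; HMODULE of ntdll.dll (from LoadLibrary)
NoDebugInherit dd   0                                ; ProcessInformation buffer (DWORD NoDebugInherit = 0 in the C source)
Wasserzeichen  db   "SiegeWorks 2013 ♪ "
%Date        db     " &@Date " ; Compile date
%time        db     " &@Time"
; %version   db     " Masm Version &@Version"

.code

;-----------------------------------------------------------------------
; bool CheckProcessDebugFlags(void)
; Out:    eax = 1 (true)  when the query succeeds and NoDebugInherit == FALSE
;         eax = 0 (false) on a non-zero NTSTATUS, or when ntdll.dll or the
;                         export cannot be resolved
; Clobb:  ecx, edx, flags (stdcall callees)
; Stack:  five DWORD arguments pushed for NtQueryInformationProcess;
;         balanced on every exit path
;-----------------------------------------------------------------------
CheckProcessDebugFlags proc

    ; Map the executable module into the address space of the calling process.
    ; ntdll.dll is always resident, so this only bumps its reference count.
    invoke  LoadLibrary, ADDR item
    .if !eax
        ret                                 ; module not found -> eax = 0 (false)
    .endif
    mov     Holder, eax                     ; handle of executable module

    ; Push the five stdcall arguments right-to-left *before* resolving the
    ; export, so the function pointer can be called straight out of eax.
    push    NULL                            ; ReturnLength (not needed)
    push    sizeof DWORD                    ; ProcessInformationLength = 4
    push    offset NoDebugInherit           ; ProcessInformation = &NoDebugInherit
    push    PROCESS_DEBUG_FLAGS             ; ProcessInformationClass
    invoke  GetCurrentProcess
    push    eax                             ; ProcessHandle (pseudo-handle, no CloseHandle needed)

    ; Status = NtQIP(GetCurrentProcess(), 0x1f, &NoDebugInherit, 4, NULL);
    invoke  GetProcAddress, Holder, ADDR ProcName1
    .if !eax
        add     esp, 5*4                    ; export missing: drop the pushed args; eax is already 0
        ret
    .endif
    call    eax                             ; NTSTATUS in eax; the stdcall callee pops its arguments

    ; if (Status != 0) return false;
    ; if (NoDebugInherit == FALSE) return true; else return false;
    .if eax != 0
        xor     eax, eax
    .elseif NoDebugInherit == 0
        mov     eax, 1
    .else
        xor     eax, eax
    .endif
    ret

CheckProcessDebugFlags endp

start:

    call    CheckProcessDebugFlags          ; eax = 1 if a debugger is attached, else 0
    invoke  ExitProcess, 0

end     start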


qWord

include \masm32\include\masm32rt.inc

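NTQUERYINFORMATIONPROCESS typedef proto stdcall :HANDLE,:UINT,:PVOID,:ULONG,:PULONG
PNTQUERYINFORMATIONPROCESS typedef ptr NTQUERYINFORMATIONPROCESS

; CheckProcessDebugFlags() - expands to code that queries ProcessDebugFlags
; (class 1Fh) for the current process and leaves the result in eax:
;   -1  NtQueryInformationProcess succeeded and NoDebugInherit == 0 (debugged)
;    0  query failed, export not found, or NoDebugInherit != 0
; The pushed DWORD doubles as the ProcessInformation buffer: the function
; pointer it initially holds is read into edx before the call and is
; overwritten by the kernel on success.
; Clobbers eax, ecx, edx and flags; the stack is balanced when the expansion ends.
CheckProcessDebugFlags macro
fn GetProcAddress,rv(GetModuleHandle,"ntdll.dll"),"NtQueryInformationProcess"
.if eax                                 ; never call through a NULL pointer
    push eax
    invoke GetCurrentProcess
    mov ecx,esp                         ; ecx = &slot (ProcessInformation)
    mov edx,[esp]                       ; edx = NtQueryInformationProcess
    invoke PNTQUERYINFORMATIONPROCESS ptr edx,eax,1fh,ecx,4,NULL
    pop edx                             ; edx = NoDebugInherit as written by the kernel
    .if eax != 0
        xor eax,eax                     ; non-zero NTSTATUS -> false
    .elseif !edx
        mov eax,-1                      ; NoDebugInherit == FALSE -> true
    .endif
.endif
EXITM <eax>
endm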

.code
start:

    ; Show an (empty) message box only when the debug-flag query reports
    ; a debugger; the macro leaves -1 in eax in that case, 0 otherwise.
    .if CheckProcessDebugFlags() != 0
        invoke MessageBox,NULL,NULL,NULL,MB_OK
    .endif

    invoke ExitProcess,0

end start

Gunther

Hi Andy,

Quote from: Magnum on January 15, 2013, 06:57:01 AM
I have converted what I know, but could use some help in some areas in converting some C code to assembly.

Andy

you can try QWord's macro or - and that's another way - pick up your C code and write it into a function. Then, let the compiler do the dirty work. The compiler switch -S at the command line will give you the compiler's assembly language source, which is your starting point. Go forward function by function and you'll have success.

Gunther

dedndave

        INCLUDE \masm32\include\masm32rt.inc

        .DATA

szNtDll db 'ntdll.dll',0                           ;module handle looked up with GetModuleHandle
szNtQIP db 'NtQueryInformationProcess',0           ;export resolved with GetProcAddress

        .CODE

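NtQip   PROC
;-----------------------------------------------------------------------
; int NtQip(void)
; Queries ProcessDebugFlags (class 1Fh) for the current process.
; Out:   EAX = 1 if NtQueryInformationProcess succeeded and NoDebugInherit == 0
;        EAX = 0 if the query failed, the export could not be resolved,
;                or NoDebugInherit != 0
; Clobb: ECX, EDX, flags
; Stack: the 5 stdcall arguments plus one DWORD slot; balanced on every path
;-----------------------------------------------------------------------

    xor     eax,eax
    push    eax                                ;ProcessInformation slot, preset to 0
    mov     edx,esp                            ;EDX = pProcessInformation
    push    eax                                ;NtQueryInformationProcess:ReturnLength = 0
    push    sizeof DWORD                       ;NtQueryInformationProcess:ProcessInformationLength = 4
    push    edx                                ;NtQueryInformationProcess:pProcessInformation
    push    1Fh                                ;NtQueryInformationProcess:ProcessInformationClass = PROCESSINFOCLASS:ProcessDebugFlags
    INVOKE  GetCurrentProcess
    push    eax                                ;NtQueryInformationProcess:ProcessHandle (pseudo-handle)
    INVOKE  GetModuleHandle,offset szNtDll
    INVOKE  GetProcAddress,eax,offset szNtQIP
    .if !eax                                   ;module or export missing: never CALL a NULL pointer
        add     esp,6*4                        ;discard the 5 arguments and the slot; EAX is already 0
        ret
    .endif
    CALL    eax                                ;CALL NtQueryInformationProcess; callee pops the 5 arguments
    pop     edx                                ;EDX = ProcessInformation (NoDebugInherit)
    .if eax                                    ;non-zero NTSTATUS -> report "not debugged"
        xor     eax,eax
    .elseif !edx                               ;NoDebugInherit == FALSE -> debugger attached
        inc     eax
    .endif
    ret

NtQip   ENDP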

_main   PROC

    ; NtQip leaves 1 in EAX when a debugger is attached, 0 otherwise.
    call    NtQip
    .if eax != 0
        INVOKE  MessageBox,NULL,NULL,NULL,MB_OK ;all-zero arguments, same as the bare call
    .endif
    INVOKE  ExitProcess,eax                    ;exit code = MessageBox result if shown, else 0

_main   ENDP

        END     _main


EDIT: fixed a bug

Magnum

Quote from: Gunther on January 15, 2013, 08:23:16 AM
Hi Andy,

Quote from: Magnum on January 15, 2013, 06:57:01 AM
I have converted what I know, but could use some help in some areas in converting some C code to assembly.

Andy

you can try QWord's macro or - and that's another way - pick up your C code and write it into a function. Then, let the compiler do the dirty work. The compiler switch -S at the command line will give you the compiler's assembly language source, which is your starting point. Go forward function by function and you'll have success.

Gunther

Are you talking about compiling C code with a C compiler and linker and getting an assembly listing?

I used to write C and C++, before I went to asm and batch file coding.

Andy

Magnum

Thanks Qword and DednDave.

Both "modules" are equal in size, maybe there is a speed difference ?

Andy

dedndave

i doubt there is a significant difference in speed
mine is a proc, qWord's is a macro
but the system calls undoubtedly consume most of the time
it's mainly a different programming style to achieve the same thing

by using CALL EAX, i avoided all the text involved in typedef'ing the function   :P

Gunther

Hi Andy,

Quote from: Magnum on January 15, 2013, 11:46:32 AM
Are you talking about assembling C code with a C compiler and linker and getting an assembly listing ?

I used to write C and C++, before I went to asm and batch file coding.

Andy

yes, I'm speaking about the C compiler. You should write a C version of your code and compare your code against the compiler's output to learn whether you have done better than the compiler. You can use the -S option of gcc to have it produce an assembly language file. Studying this generated code may give you some ideas about how to write efficient assembly code. With Borland tools it is -S, too. I'm sure there is a similar command line switch for VC.

Gunther

MichaelW

For the Microsoft compilers you can use /FA.

I seem to recall that with GCC -S will prevent it from creating an EXE, but with the Microsoft compilers /FA does not have this effect.

Magnum

Thanks Michael.

Versions 6.14 and 10.0 don't offer an asm listing, but /Fl gave one large listing file.

I have IDA, but I only use a couple of their bells and whistles.


dedndave

to create a shorter listing...
        .XCREF                                 ;drop the cross-reference section from the listing
        .NOLIST                                ;suspend listing while the large include is processed
        INCLUDE \masm32\include\masm32rt.inc
        .LIST                                  ;resume listing for the program's own code
;
;


.XCREF disables the cross-reference part of the listing
.NOLIST/.LIST turns off listing during all the includes, then back on for the rest of it

you can also use /Sa to get more detail in the part of the listing that is turned on

Magnum

Thanks, learned something new again.

I noticed some of M.S. programs have debug info in them.

Maybe an oversight or they could be a work in progress.


Gunther

Hi Andy,

Quote from: Magnum on January 17, 2013, 12:43:28 AM
Thanks, learned something new again.

I noticed some of M.S. programs have debug info in them.

yes, go forward and good luck.  :t

Gunther

Magnum

Microsoft Security Essentials 2.0 flips Windows Automatic Update settings

If you have Windows check for updates but not install, latest version of MSE may change your setting without permission.

http://www.infoworld.com/t/anti-virus/microsoft-security-essentials-20-flips-windows-automatic-update-settings-004

http://www.infoworld.com/t/desktop-productivity/botched-patch-messes-outlook-2007-811

The same has some answers about the Java security flaws.

Gunther

Thank you for the links and the information, Andy.  :t

Gunther