I am trying to use the win32 api in x86 assembly to show graphics in a window. But I can't seem to find any tutorials/examples that does that. I did find a few tutorials that did this however they used other assemblers like MASM but I use NASM.
Does anybody know how to do that?
Related
What is this Common Language Runtime that I've been hearing about?
I've recently started a project to create my own, small, personal windows application. I've used DirectX for drawing in the window and such before, for games and whatnot, however this time, I wanted to make it a more standard style application, with menus, and selectable text, and right clicking.
I've searched, but I found no information on how to actually write code for such things, I've only found things telling me to use the drag-and-drop form interface, for windows.
Anyways, I've found that using the forms, actually lets me see the code behind it, too, so I guess I could learn that way....
...but its forcing me to compile using CLR. Why? What is CLR? Can I not create this style of windows application without it?
-Stefan
CLR (Common Language Runtime) is a Virtual Machine. Whenever you compile your .Net programs they are converted into an intermediate language whereas a regular compiler would compile to native code of the target platform. Now whenever there is a CLR implementation available for an OS your program will run on that OS. This is how your .Net programs are portable! Read more here http://en.wikipedia.org/wiki/Write_once,_run_anywhere
The CLR is the runtime for the .Net framework.
You can only run .Net code on the CLR.
Since WinForms is a .Net library, you can only use WinForms in .Net.
At Microsoft BUILD conference, I saw this figure.
I'm wondering whether the position of Win32 is correct or not. What is the role and position of Win32 API in modern Windows architecture?
My concept of Win32 API is a sort of assembly of all modern Windows architecture. Win32 API (or DDK) bridges "Windows Kernel Services" to the other technologies.
I thought that Internet Explorer/.NET/Silverlight are all build upon Win32 API. Even if a fancy new Metro Apps, I conjecture that Win32 is at the bottom place. However, this figure defies my knowledge.
As you can see, IE/.NET/SL/Metro are sitting horizontally with Win32.
Questions:
Does this figure necessarily mean that Win32 is not the framework of all other modern technologies?
What is "Windows Kernel Services"? How programmers can access them? Isn't it through Win32 API and DDK?
The diagram is wrong.
While there were originally other subsystems (e.g. POSIX) which accessed ntdll.dll (the "Kernel Services" gateway) without going through Win32 (kernel32.dll, user32.dll) these are all now defunct.
All modern application frameworks for Windows are built on Win32. The other subsytems are no longer supported. In some cases (drivers, and boot-time system utilities such as chkdsk) code is written directly against the native API, but these scenarios are very rare.
I'm not very familiar with WinRT, but I think Win32 fits underneath it as well (or it may use a combination of Win32 and direct ntdll.dll services).
According to Sasha Goldshtein,
Next, a C++ Metro application will still load Win32 DLLs such as kernel32 and ntdll. Moreover, the WinRT APIs call into the Win32 DLLs – so they are not a replacement but rather a wrapper, an API flavor, on top of Win32. (Historical note: Windows used to have a feature called “environment subsystems”, which can be roughly described as API flavors. WinRT is not an environment subsystem – it is a library on top of the Win32 environment subsystem.)
The diagram is (presumably) correct, but only for Windows 8. Windows 8 has a significantly different architecture from previous versions.
I believe applications can make requests directly to the kernel, but the interface is mostly undocumented. Device drivers use the kernel directly.
Is it possible to decompile a Mac kernel extension?
In theory it is possible to decompile any binary code.
Kernel extensions are a little bit tricky because
a) they're C++, so virtual methods make the code harder to follow.
b) linking happens differently in kernel extensions, so any decompiler would need be specially designed to handle kernel extensions in order to find dependencies and symbol names.
you can use gdb (as nate c suggested) to inspect the assembly code of a kernel extension. i'm not aware of any decompilers for kernel extensions specifically.
you can use the kextload tool to create a symbols file that you can load into gdb. this will let you see decoded symbol names for functions, &c. there's a crash (haha get it?) tutorial here: http://praveenmatanam.wordpress.com/2008/05/22/kext-debugging-on-mac/
why do you want to do this?
It is no problem to decompile 32bit kext's using the hexrays decompiler.
Decompiling c++ code, means you have to define your structs in the right way: when an object has virtual methods, the first item in the object will be a pointer to the object's vtable.
if you declare the vtable in IDA or hexrays as well, and make sure all the types of the function pointers are correct, hexrays will produce quite readable code.
But chances are that the parts of the kext you are interested in were written in C-like C++, and you don't need to worry about that at all.
For reversing 64-bit kexts, acquire ida pro and x64 Decompiler (any of mac/lin/win).
Also, you can usually debug a kext (without symbols) using lldb remote setup. (gdb is gone.)
If you happen to work for a large security shop, do the song-and-dance: sign an NDA, give rights to first born and just get the OSX source.
Also, here's a large list of decompilers:
https://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers
do you know where I can find Windows Low Level Assembly examples programs?
I have some exemples using macros (NASM, MASM) but I want pure assembly, in order I can build a shellcode later.
Thanks a lot guys!
This tutorial might be usefull for you: winamtut
Also this topic in MASM forum is great too.
If your architeture is x64 so try this link too.
And finally if you're interested in some theory, maybe this link could be nice.
Doing Windows GUI stuff in assembly language is a lot of work. This is why the examples you've found use macros - it takes away some of the pain.
If you really want pure assembly language, a great way is to ask your compiler. Write some C code to call CreateWindow or whatever, and then generate an assembly listing from the compiler (or step through it with a debugger).
If by "pure assembly" you mean "not done as a macro or library" then this is what you have to do:
download the masm32 package
check through the copius amount of samples, there will be many using CreateWindow or CreateWindowEx
start your own program
link in windows.h
use the invoke macro to call CreateWindow or CreateWindowEx
if you don't want to use invoke then just push the parameters onto the stack and call the functions directly - as this is what invoke does for you anyway
You can also get lots of help using the MASM package from the masm forum.
The best way to really (and quickly) learn win32 assembly is to decompile simple win32 programs. You could download lena's reversing tutorials from tutsforyou.com. Alternative you could tryout the reverse me's from osix.net - they have some pretty straight forward programs for you to reverse, and the best part is you get to see the masm32 sourcecode after completing the level.
tools: ollydbg, masm32 etc.
books: win32 assembler coding by Goppit, the arteam's PE compendium, intel developers handbook
hxxp://osix.net
hxxp://tuts4you.com/download.php?list.17
hxxp://www.intel.com/products/processor/manuals/
I'm not very pleased with your "in order I can build a shellcode later." - it's stuff like that which gives assembly a bad name.
I'd suggesty you take a look at FASM instead of MASM, though, since it's "closer to the metal", and directly supports binary output.
For learning to build shellcode I would suggest creating a very simple c program that does what you want the shellcode to do and than disassemble that using IDA or Immunity (or whatever debugger / dissasembler that you are familiar with). Than you can see what the instructions are that are being used.
I would also recommend the following books:
Hacking: The Art of Exploitation (2nd Edition)
The Shellcoder's Handbook
How can I operate on files in masm.
I mean using standard libraries included to microsoft (masm).
Or somethning available in windows without linkink libraries.
Start with the MASM32 site (it will provide you with the basic includes you need).
Use the Win32 API as your RTL (nothing to statically link).
For console IO, see the GetStdHandle call to get you started.
Use INVOKE to handle the Win32 parms call parameters.
Also remember that you can define local variables in a MASM function and MASM will generate all the BP relative addressing for you, as well as the entry and exit sequence. MASM (32-bit) has a number of very handy HLL features (that are broken in 64-bit MASM, btw).
Have fun!