Using Irvine32 DumpRegs causes antivirus to stop my program from running? - windows

I am taking Assembly this semester. I am trying to use DumpRegs to display my registers, however, I get an error when running without debugging. The program builds (successfully it says), hangs and then my cmd prompt displays: "The system cannot execute the specified program."
If I debug, Visual Studio says "Insufficient resources exist to complete the requested service", then my antivirus attempts to quarantine "Generic RX BM-OC!257C1442E357 " at the time of running. I just ran a scan and I have no viruses, only downloads have been the Irvine library off of his site earlier today. Any ideas? I'm on a 64 bit machine, but their site said it was tested for 32 bit and 64 bit machines.
Here is the incredibly simple code:
include Irvine32.inc
.code
main PROC
mov eax,5
add eax,6
call DumpRegs
exit
main ENDP
END main

Related

How to revert changes to a kernel driver?

So i installed a kernel driver on my windows machine but accidentally left a while(1) in there (I know pretty stupid) and now OS just hangs when i start it. Is there a way to revert the driver to an earlier stage or revert to "previous commit" like we do in git? i can see thought WinDbg that it just hangs there. Even though i can break into it I can't seem to make it move on from that infinite loop.
you'd typically have the below assembly controlling the while(1) loop. From inside the debugger change to assembly source mode and then alter rax register from 0 to 1. That should branch out the subsequent je.
xor eax,eax
cmp eax,1
je xyz
Generally, you'd have to change the driver's start type to "disabled" and fix up other registry entries if it is a filter to any other boot critical devices (eg upper/lower filter)

Does the operating system assumes anything about callee-saved registers when control returns to it?

Does the operating system assumes anything about callee-saved registers when control returns to it?
I've wondered whether the OS, say Windows, assumes anything about the callee-saved registers like ebp, esi, edi?
In other words, does the OS require the value in any of these registers preserved, when control transfers back to it (ret in main)?
I cannot find anything specified, but I guess the answer is no (having looked at compiler generated code). Is there any documentation on the topic?
Windows 32 is designed to have process isolation.
Nothing* that a process does can cause another process (including) the operating system itself to fail.
For this reason it does not matter what you do with the registers upon exit.
The only exception is esp. If the stack pointer is messed up your application will terminate with a stack fault or access violation.
This will still not affect the OS however, it will merely terminate your app slightly early.
*Obviously this does not include the effects on the system by legitimate system calls, or the exploitation of bugs.
Note that the ret in main does not return control to the OS. Almost all Win32 c applications have a runtime library included. If so the ret in main returns to some initialization code that look like this:
//pseudo-init
do set up (setup command line params for main to read).
call main;
call Windows.ExitProcess();
Having a 'clean' exit to Windows is important to an application so it can clean up its own resources (close files etc). The OS does not really care. If an application does not clean up after itself, the OS will do the job for it.
Much worse than having a crashing up is a 'hung' one. If an application is stuck in an endless loop, or worse an endless loop that keeps claiming more and more resources then the system can be brought to its knees quite easily.

Setting up an assembler on 64-bit Windows [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I really need some help here. I've been searching online for about 2 days now and can't seem to find an answer to the problems that I got.
I downloaded nasm and installed it it seems to work but I can't seem to find any example code that works on windows 64bit (it would be awesome if you could make a simple hello world example for me or something).
(And how to compile it)
How would I turn the .o file into a .exe?
How would I accesses the screen or gpu memory (I think) to print stuff on the screen (like some sort of console application)?
There a a few things to consider when programming in assembly using NASM under Windows:
NASM is just an assembler
A linker is needed to create an executable.
Windows API are implemented as a user space library.
The library is not entirely in user space, some functions cross the boundary, but the interface to the application is a set of DLL, most notably: kernel32.dll, user32.dll and so on.
Windows' executables can have different subsystems.
Among the others the IMAGE_SUBSYSTEM_WINDOWS_GUI and IMAGE_SUBSYSTEM_WINDOWS_CUI are the most used, the former being used by applications that create windows and the latter by applications that use a console1.
The linker takes to COFF object (.obj) file generated by the assembler, takes a set of library definitions (.lib) and perform these important steps:
It resolves the call to external functions found in the object file.
A function marked as external is meant to be found in one of the library definition, the linker then fixes the call instruction to point to a location where the address of the function will be found at run-time.
It add the dependency libraries to the final executable.
This is done with the help of the PE file format, basically if F if found on the library L then L is added to the dependencies list along with a location where to write the address of F.
The loader will do the rest.
The linking is actually more complex than that.
It is also responsible for setting the various PE flags and settings, including the subsytem and the entrypoint.
To write an executable using NASM with need:
A linker.
The set of library definitions.
These can be found in the Windows SDK2.
The linker we will use in this example is the Microsoft LINK linker.
As #CodyGray pointed out in its comment (quoting because I'm lazy):
The Windows 7 version of the SDK that you linked does include all of the build tools. The Windows 8 SDK changed and no longer ships with the command-line build tools, forcing you to download a Visual Studio package
Once we have the tools, we can start programming.
We will use WriteFile to write a string to the standard output (like we would in Linux assembly).
The handler to the standard output must be retrieved with GetStdHandle though.
In Windows you can exit a process with a ret even with no CRT (C run-time) linked (i.e. in a bare process).
I won't explain the Window 64 ABI nor the trickery of programming in 64-bit.
BITS 64
DEFAULT REL ;RIP relative addressing by default
GLOBAL main ;Main must be visible to the linker
;Function the linker will look for in other modules (libs or objs)
EXTERN WriteFile
EXTERN GetStdHandle
STD_OUTPUT_HANDLE EQU -11
SECTION .data
strHelloWorld db "Hello world!", 13, 10, 0
lenHelloWorld dd $-strHelloWorld
hOut dd 0 ;Will store STDOUT handler
SECTION .text
main:
sub rsp, 30h ;20h (Home space) + 10h (params)
;Get STDOUT handler (Handler are 32-bit values)
mov ecx, STD_OUTPUT_HANDLE
call GetStdHandle
mov DWORD [hOut], eax ;Useless as now, for future reuse
;Write strHelloWorld to STDOUT
mov ecx, eax
lea rdx, [strHelloWorld]
mov r8d, DWORD [lenHelloWorld]
xor r9, r9
mov QWORD [rsp+20h], r9
call WriteFile
add rsp, 30h
ret
To create an executable from this source, we first assemble it into a 64-bit object file:
nasm -fwin64 hello.asm -o hello.obj
then we link it against the kernel32 library (the only one we need):
link /MACHINE:X64 /SUBSYSTEM:CONSOLE /OUT:hello.exe /NODEFAULTLIB /ENTRY:main kernel32.lib hello.obj
the CLI switches are pretty straightforward, NODEFAULTLIB avoid linking with MSVCVRXX.lib, the Microsoft CRT.
Those are the minimal switches necessary to build an executable in this example.
I assume you are smart enough to fix the path issues when issuing the commands above, particularly you can tell link where to find the lib files.
For this example I just copied them from the SDK installation folder.
As proposed in other answers, you can use other assemblers that may came with a linker.
Another possible developing environment is to use gcc (either inside cygwin or as mingw) to perform the linker step.
1 In this case Windows automatically create a console for the application and set the standard handlers appropriately. GUI application can recreate the console too (or more than one), so IMAGE_SUBSYSTEM_WINDOWS_GUI must be intended as "No console by default".
2 The version linked is the first Google result, invest more time in finding a suitable version. Also, I'm not sure if there is a linker in the Windows SDK or you need to download a Visual Studio instead.
Download Flat Assembler.(Download->flat assembler for windows)
http://flatassembler.net/
Extract zip.
Goto 'examples/win64/pe64demo/'
open 'pe64demo.exe'
(source code is in 'pe64demo.asm')

How to bypass isDebuggerPresent with x64dbg

I found a guide how to bypass it in ollydbg:
see here
But how to do that for an x64 application?
I have found following:
How must i manipulate this to don't get it detect the debugger?
You can do it the same way as described in the guide (i.e. by patching the code of IsDebuggerPresent).
Or you can set a breakpoint at the "movzx eax, byte ptr ds:[rax+2]" instruction, and when the program stops at the breakpoint, go to RAX+2 in the Dump pane and then change the byte from 1 to 0.

Why does stepping every instruction crashes while launching the program works? [debugging]

I'm trying to follow the execution instructions of a simple program I compiled with C++ (it calculates some prime numbers then exits) in a debugger (ollydbg) but I have several questions:
Why the first instruction isn't the entry point of the "CODE" section? It is different
As soon as I "step over" a few instructions the debugger crashes and writes "Single step event at ntdll.someaddress, press shift+F7/F8/F9 to pass the exception to the program" and crashes. If I run the program without stepping the instructions it works fine and the program loads without problems
Why does this happen? This doesn't happen only with my program but with several others (almost every other 32 bit exe in my system)
If you're running OllyDbg under a 64-bit OS, that I believe you are out of luck, because OllyDbg doesn't support x86-64 Windows, not even as a debugger used to debug 32-bit apps. See this forum thread, it's from 2006, but I don't thing anything has changed since that. What they suggest is using a different debugger, for example the 64-bit version of WinDbg (which is a great debugger).
Why the first instruction isn't the entry point of the "CODE" section? It is different
You can set this in OllyDbg: Options - Debugging options - Events - "Make first pause at". You can start at the "system breakpoint", which is located in ntdll and is called even before the starting module's entry point is called.

Resources