Why does this code enable me to detect a debugger?
The link above told me the way to use prefetch queue to anti-debug, then I tried to use the code below to test, but I failed. Can anyone help me point out if my code is wrong. My cpu is Intel(R) Core(TM) i7-2630QM 2.00GHz. Thanks a lot
ML: D:\Programs\masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"D:\Programs\masm32\Include" "AntiDebug.asm"
Link: D:\Programs\masm32\Bin\LINK.EXE /SECTION:.text,RWE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"D:\Programs\masm32\Lib" /OUT:"AntiDebug.exe" "AntiDebug.obj"
It always executes the debug label no matter I am debugging or not, and it will never execute 'jmp normal'.
.386
.model flat, stdcall ;32 bit memory model
option casemap :none ;case sensitive
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szDebug db 'Hey, you are debugging!!!',0
szError db 'Error',0
szNormal db 'You are running it without debugging',0
szPrompt db 'Prompt',0
.code
start:
call IsDebug
debug:
invoke MessageBox, NULL, addr szDebug, addr szError, MB_OK
invoke ExitProcess, -1
normal:
invoke MessageBox, NULL, addr szNormal, addr szPrompt, MB_OK
invoke ExitProcess, 0
IsDebug:
mov al, 0c3h
mov edi, offset IsDebug
mov cx, 20h
rep stosb
jmp normal
end start
i don't know what does your isdebug proc doing.
here is my code and it work fine in my computer.
.386
.model flat, stdcall ;32 bit memory model
option casemap :none ;case sensitive
include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\user32.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
.data
szDebug db 'Hey, you are debugging!!!',0
szError db 'Error',0
szNormal db 'You are running it without debugging',0
szPrompt db 'Prompt',0
.code
start:
call IsDebug
debug:
invoke MessageBox, NULL, addr szDebug, addr szError, MB_OK
invoke ExitProcess, -1
normal:
invoke MessageBox, NULL, addr szNormal, addr szPrompt, MB_OK
invoke ExitProcess, 0
IsDebug:
invoke IsDebuggerPresent
test eax,eax
je normal
ret
end start
Related
I have to write a TASM program which creates and removes directory, but I found example of creating file only.
model small
.data
handle dw 0
filename db "file2.txt",0
.stack 256
.code
main:
mov ax,#data
mov ds,ax
mov ah,3ch
mov cx,1
lea dx,filename
int 21h
jc exit
mov handle,ax
exit:
mov ax,4c00h
int 21h
end main
How i can modify this code for creating directory instead of file? And how I can remove created firectory?
I had to use masm and winapi. Here is the my sample code
.586
.model flat, stdcall
option casemap:none
includelib kernel32.lib
includelib shell32.lib
include windows.inc
include kernel32.inc
.const
sDir db 'folder', 0
.code
Main PROC
invoke CreateDirectoryA, OFFSET sDir, NULL
invoke Sleep, 2000d
invoke RemoveDirectoryA, OFFSET sDir
invoke Sleep, 2000d
invoke ExitProcess, NULL
Main ENDP
end Main
Using this code (mostly just added the irvine32.inc to the github code here: https://gist.github.com/michaellindahl/7782978
TITLE MASM PlaySound (PlaySoundExample.asm)
includelib winmm.lib
INCLUDE Irvine32.inc
INCLUDE macros.inc
PlaySound PROTO,
pszSound:PTR BYTE,
hmod:DWORD,
fdwSound:DWORD
.data
deviceConnect BYTE "DeviceConnect",0
SND_ALIAS DWORD 00010000h
SND_RESOURCE DWORD 00040005h
SND_FILENAME DWORD 00020000h
file BYTE "t.wav",0
.code
main PROC
INVOKE PlaySound, OFFSET deviceConnect, NULL, SND_ALIAS
INVOKE PlaySound, OFFSET file, NULL, SND_FILENAME
exit
main ENDP
END main
You need to add SND_ASYNC flag additionally.
The sound is played asynchronously and PlaySound returns immediately
after beginning the sound. To terminate an asynchronously played
waveform sound, call PlaySound with pszSound set to NULL.
In MASM32, you need to OR their binary bits, so your function arg has both bits set like SND_ASYNC | SND_FILENAME in C.
#define SND_ASYNC 0x0001
#define SND_FILENAME 0x00020000L
Code Sample:
.model flat, stdcall
option casemap: none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
includelib Winmm.lib
PlaySoundA PROTO,
pszSound:PTR BYTE,
hmod:DWORD,
fdwSound:DWORD
.data
file BYTE "t.wav",0
szCaption db "Hello", 0
szText db "Hello World!", 0
.code
main PROC
INVOKE PlaySoundA, OFFSET file, NULL, 20001H ; SND_ASYNC | SND_FILENAME
INVOKE MessageBox, NULL, addr szText, addr szCaption, MB_OK
INVOKE ExitProcess, 0
main ENDP
END main
I want to write a MASM program similar to the following C++ program :
#include <Windows.h>
#include <iostream>
typedef UINT (_stdcall *FuncPtr)(LPCSTR lpCmdLine, UINT uCmdShow);
int main(void)
{
HMODULE hDll = LoadLibrary(TEXT("Kernel32.dll"));
FuncPtr func_addr = reinterpret_cast<FuncPtr>(GetProcAddress(hDll, "WinExec"));
(*func_addr)("C:\\WINDOWS\\system32\\calc.exe", SW_SHOWDEFAULT);
FreeLibrary(hDll);
return (0);
}
As you can see, this code execute the microsoft calculator. I just want to do the same thing using MASM but the execution fails.
Here's the MASM source code :
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\msvcrt.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\msvcrt.lib
.data
LpFileName db "kernel32.dll", 0
procName db "WinExec", 0
display db "addr_func = 0x%x", 0
.data?
hModule HMODULE ?
procAddr FARPROC ?
.code
start:
invoke LoadLibrary, offset LpFileName
mov hModule, eax
invoke GetProcAddress, hModule, ADDR procName
mov procAddr, eax
INVOKE crt_printf, ADDR display, procAddr
mov esi, procAddr
call esi
db "C:\WINDOWS\system32\calc.exe"
invoke FreeLibrary, hModule
invoke ExitProcess, NULL
end start
The crt_printf output is correct. The same address is printed like withe the C++ program. So the address passed to call is the same one. However the execution fails.
Here's a MASM32 code which works but this time the address of the function WinExec is hardcoded like this :
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
.code
start:
jmp _Debut
_Final:
TCHAR 233
dword 42424242h
_Suite:
mov esi, 779e304eh
call esi
jmp _Final
_Debut:
xor eax, eax
push eax
call _Suite
db "C:\WINDOWS\system32\calc.exe"
end start
See the line mov esi, 779e304eh. But dynamically, there is a problem. If I disassemble the code just above we can see that the order of bytes is reversed.
8EEH047E379
Maybe it's not the case dynamically and maybe I need a keyword in the following line (between the comma and procAddr):
mov esi, procAddr
I cannot find the solution. I'm lost. Can anyone help me?
Thanks a lot in advance for your help.
The execution fails because you are not passing it's parameters.
Here you just call the function without any arguments or rather with invalid arguments (because whatever is currently on the stack will be taken and the stack is corrupted in the process).
mov esi, procAddr
call esi
You should do
push SW_SHOWDEFAULT
push offset YourPathToCalc
mov esi, procAddr
call esi
In your samplecode this is what is done here implicitly
xor eax, eax
push eax ; uCmdShow
call _Suite ; Returnadress is the address of the commandline so this is bascially the "push path"
Another thing you are missing is, that when WinExec returns, it will start executing the path in your case so you need a jmp somewhere after the call.
And as Gunner pointed out, the path must be 0 terminated.
To add to the correct answer Devolus posted, your path to calc is not NULL terminated.
This
"C:\WINDOWS\system32\calc.exe" is not correct!
Instead it should be:
"C:\WINDOWS\system32\calc.exe", 0
Also, if you are going to put strings in the code section to use, you need to give them a label in order to use them and you need to jump over them otherwise the CPU will try to execute the bytes.
INVOKE crt_printf, ADDR display, procAddr
mov esi, procAddr
push SW_SHOWDEFAULT
push offset Calc
call esi
jmp #F
Calc db "C:\WINDOWS\system32\calc.exe", 0
##:
invoke FreeLibrary, hModule
invoke ExitProcess, NULL
* EDIT *
To convert that code to Assembly using MASM, all that is needed is this:
.data
LpFileName db "kernel32", 0
procName db "WinExec", 0
Calc db "calc", 0
.code
start:
invoke LoadLibrary, offset LpFileName
push eax
invoke GetProcAddress, eax, ADDR procName
push SW_SHOWDEFAULT
push offset Calc
call eax
call FreeLibrary
invoke ExitProcess, NULL
end start
I'm trying to write a program in assembly and one of the first things that I need is the handle of the main window of a specific process. I've been trying to get it using FindWindow, but no luck so far; FindWindow apparently keeps returning zero. Can anyone point out what am I missing here? Thanks.
.486
.model flat, stdcall
option casemap :none
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
NtpTitle db "Untitled - Notepad",0
MsgNoNtp db "Notepad not found.",0
MsgNtp db "Found Notepad.",0
NullString db 0
hWndNtp dd 0
.code
start:
invoke FindWindow, offset NullString, offset NtpTitle
mov hWndNtp, eax
jz noNotepad
invoke MessageBox, 0, offset MsgNtp, 0, 40h
invoke ExitProcess, 0
noNotepad:
invoke MessageBox, 0, offset MsgNoNtp, 0, 10h
invoke ExitProcess, 1
end start
You should set lpClassName to NULL, not the address to an empty string.
invoke FindWindow, 0, offset NtpTitle
You are not testing the return value of FindWindow; mov does not modify flags.
test eax,eax
jz noNotepad
I am trying to create a window in x86 assembly with masm32 using the CreateWindowEx API. I have gotten my code to have no compile-time errors or anything of the sort- it compiles just fine. Yet when I run the exe, nothing happens. I don't see any obvious errors, and I have practically copied the code out of Iczelion's Win32 Tutorial (Part 3 - A Simple Window). What is wrong with it?
Here is my code:
.386
.model flat, stdcall
option casemap :none
WinMain proto :DWORD,:DWORD, :DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
.data
ClassName db "Testwin", 0
AppName db "Testing Window", 0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
.code
start:
push NULL
call GetModuleHandle
mov hInstance,eax
call GetCommandLine
mov CommandLine, eax
push SW_SHOWDEFAULT
push CommandLine
push NULL
push hInstance
call WinMain
push eax
call ExitProcess
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE, CmdLine:LPSTR,CmdShow:DWORD
; local vars:
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND
; defining the window:
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style, CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInst
pop wc.hInstance
mov wc.hbrBackground,COLOR_WINDOW+1
mov wc.lpszMenuName,NULL
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
;create the window
invoke CreateWindowEx,NULL,ADDR ClassName,ADDR AppName,\
WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,\
CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,\
hInst,NULL
invoke ShowWindow,hwnd,SW_SHOWNORMAL
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
cmp uMsg, WM_DESTROY
jne _next
invoke PostQuitMessage, NULL
_next:
WndProc endp
end start
Where have I gone wrong? I suspect it has something to do with CreateWindowEx, considering it takes 12 parameters, most of which I don't understand.
Thanks in advance.
I believe you have not assigned the window handle returned by CreateWindowEx to the hwnd variable.
So add the following line after invoke CreateWindowEx and before invoke ShowWindow -
mov hwnd, eax
We do not compile anything when using Assebmly! We Assemble and Link.
This is not C or any other high level language, you do not need WinMain.
The biggie, where is your message loop
After your CreateWindowEx and ShowWindow, you need something like this right after that:
.while TRUE
invoke GetMessage,addr msg,NULL,0,0
.break .if !eax
;invoke IsDialogMessage,hModelessDialog,addr msg
;.if !eax
;invoke TranslateAccelerator,hWnd,hAccel,addr msg
;.if !eax
invoke TranslateMessage,addr msg
invoke DispatchMessage,addr msg
;.endif
;.endif
.endw
You are also missing ret at the end of your procs