Native Application Development Blog

  1. The dream is 'really higher up'... :P

    by , March 12th, 2011 at 21:40 (BanMe.From.Native_Development)
OK, so this is a 'blog' entry.. what defines a blog? Usually it's written by one person with some lore about something.. sometimes it contains insight into the person writing it, and sometimes it's just nothing.. well, that isn't how I roll.. The dark scowl, calculating eyes, and the 'fuck it, I'll help' attitude. Sometimes it shortens, but I am not perfect..

    So I don't really like paying for things when I can find them for free just by trying..

So I went out and got the Intel manuals; indy repeats that everyone needs to read them over and over... (I got ear muffs and blinders as well)... Then, while reading that, I needed to have fun or I would go crazy.. So I wanted to learn more about shellcoding, which I really didn't know, before coding that beast in it.. I thought it to be an excellent tool to add to my asm knowledge..

Then I thought, how could I share it and not only teach myself interesting concepts but try to do it in a non-destructive way? So I looked around and found The Shellcoder's Handbook(s), along with the accompanying code.

Much of that code is non-malicious, should provide a good learning base, and is compilable..

My concept of 'shell code', to explain the dream..:
    1. It should be PIC (position-independent code), i.e. it should work no matter where it is 'placed' in memory, so no absolute addresses baked into the bytes...
    2. It should demonstrate kernels of knowledge gathered from many different perspectives and 'schools of thought'.

But how could I also entangle you, the reader, to contribute code, and what rules could we all follow to guide us in our explorations?

    I answer my own question: 'contributor rules'

    1. code must not be malicious or infectious (though it can have viral tendencies)
    2. code must not contain null bytes (a 0x00 ends the copy when a payload is delivered through a C string), and the fastcall/syscall convention should be espoused..
    3. code may display omnimorphic qualities and must not have a 'data section' if compiled.
    4. code must not use the Ldr portion of the PEB (PEB_LDR_DATA, the usual way shellcode walks loaded modules) or the API.
    5. other than the above you are free to do as you wish..

to tickle your mind..
    	xor ecx,ecx		; \  these two instructions (4 bytes) are not really meant to run as code:
    	mov ecx,ebx		; /  they are the 1-dword 'stack' that the push below writes into
    	db 064h			; \  fs: segment prefix, useless on the mov that follows
    	db 08bh			;  > 8B C3 = mov eax,ebx when executed from the top...
    	db 0c3h			; /  ...but C3 on its own is ret, and the call below lands exactly on it
    	db 0e8h			; \  call rel32 with rel32 = -6: target = (call+5) - 6 = call-1,
    	dd 0fffffffah		; /  i.e. the C3 byte, which returns straight back to call+5
    	mov ecx,dword ptr [esp-4h]	; the return address (call+5) is still sitting just below esp
    	add ecx,-08h		; (call+5) - 8 = the address of the 064h byte, right after the 1-dword 'stack'
    	mov esp,ecx		; make the stack internal: esp now points into the code itself
    	push ecx		; \  write the address of '64 8B C3' over the xor/mov bytes...
    	ret			; /  ...and pop it straight back to jump there (mov eax,ebx, then call to ret again)

Chapter 1 code..

    This looks simple.. and remember, it is in the trying that we all learn.

    int triangle (int width, int height){
        int array[5] = {0,1,2,3,4};   /* unused, kept as in the handbook */
        int area;
        area = width * height/2;
        return (area);
    }
    So, conceptually compiling this to fastcall... (i.e. I haven't really done this 'yet').. This function would take width in ecx and height in edx, then multiply them and divide by 2, and then return the result in eax..
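To make the fastcall idea concrete under the contributor rules above, here is an added example (not the post's own code, and not from the handbook): triangle() hand-assembled as eight bytes of null-free, position-independent x86 that takes width in ecx and height in edx and returns in eax, plus a harness that checks for 0x00 bytes and then executes the bytes from a fresh RX mapping. Every name in it (triangle_code, has_null, call_fastcall, run_triangle) is this example's own; it assumes a POSIX system with mmap/mprotect on an x86 or x86-64 CPU, and falls back to the C reference elsewhere.

```c
/* Added example, not the blog's code: triangle() as null-free fastcall shellcode. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* width in ecx, height in edx, result in eax (MS fastcall register usage):
 *   89 C8      mov  eax, ecx
 *   0F AF C2   imul eax, edx
 *   D1 F8      sar  eax, 1      ; /2 (rounds toward -inf for a negative odd product; C's / truncates)
 *   C3         ret
 * Each encoding is identical in 32- and 64-bit mode, there are no absolute
 * addresses (rule 1, PIC), no data section (rule 3) and no 0x00 bytes (rule 2). */
static const unsigned char triangle_code[] = {
    0x89, 0xC8, 0x0F, 0xAF, 0xC2, 0xD1, 0xF8, 0xC3
};

/* Contributor rule 2: a payload copied as a C string dies at the first 0x00. */
int has_null(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            return 1;
    return 0;
}

/* C reference from the handbook, with the unused array dropped. */
int triangle_c(int width, int height)
{
    return width * height / 2;
}

/* Call code that expects its arguments in ecx/edx regardless of the host ABI.
 * On x86-64 we first step below the 128-byte red zone so the callee's pushed
 * return address cannot land on top of this function's own locals. */
static int call_fastcall(const void *code, int width, int height)
{
    int result;
#if defined(__x86_64__)
    __asm__ volatile(
        "sub $128, %%rsp\n\t"
        "call *%[fn]\n\t"
        "add $128, %%rsp\n\t"
        : "=a"(result)
        : "c"(width), "d"(height), [fn] "r"(code)
        : "memory", "cc");
#elif defined(__i386__)
    __asm__ volatile(
        "call *%[fn]\n\t"
        : "=a"(result)
        : "c"(width), "d"(height), [fn] "r"(code)
        : "memory", "cc");
#else
    (void)code;                          /* not x86: cannot run the bytes, use the C reference */
    result = triangle_c(width, height);
#endif
    return result;
}

/* Copy the bytes into a fresh page, flip it to RX (W^X friendly), run, unmap.
 * Intended for non-negative inputs; -1 signals a mapping failure. */
int run_triangle(int width, int height)
{
    const size_t page_len = 4096;
    void *page = mmap(NULL, page_len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, triangle_code, sizeof triangle_code);
    if (mprotect(page, page_len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, page_len);
        return -1;
    }
    int r = call_fastcall(page, width, height);
    munmap(page, page_len);
    return r;
}

int main(void)
{
    printf("null bytes in shellcode: %s\n",
           has_null(triangle_code, sizeof triangle_code) ? "yes" : "no");
    for (int w = 1; w <= 4; w++)
        printf("triangle(%d,7): shellcode=%d C=%d\n", w, run_triangle(w, 7), triangle_c(w, 7));
    return 0;
}
```

Note the one place the bytes and the C disagree: sar rounds toward negative infinity, so triangle(-3,1) gives -2 from the shellcode and -1 from C; the handbook's function only ever sees positive sizes, and the two agree there.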

    Updated March 13th, 2011 at 12:19 by BanMe

  2. My Search for knowledge and my explorations There and back and most often in a circle

    by , January 27th, 2011 at 21:19 (BanMe.From.Native_Development)
So I got tired of overloading one section, as I didn't feel I helped anything; glad someone said something... I tend to just do things without thinking it all through first, and then I redo it, over and over, slightly modifying or rethinking my steps to understand it to the best of my ability... I know it sounds like hell.. but I love it.. So as long as you are you and I am me, we are all good.. glad to hear any responses.. or criticisms.. and most hopefully corrections..

So from now on all my writings will be in this blog, separated more neatly into the areas that I seek to research and develop, and into defensive coding or offensive coding; neither can do what both can combined..

So if you haven't read my posting on Optimizing a fastcall with POASM/masm: it isn't about optimizing at all, it is about using the minimalistic approach to get the most done with what is already given to you.. if you didn't catch that, sorry to have misled you..

My other posting was about TLS without using the API.. I still have more on why this works.. and more of my own study to do to determine how it all works.. But anyway, I thought of another experiment.. I leave that for later (TLS 'debug awareness' with a DLL loaded into Olly...)

This is the continuation of the posting 'experiment with relocs: finding an API with relocations'... If any others can cite some research other than mine, please, I beg of you to do so..

This is an idea I have NOT finished yet, but it sounds logical to do.. I have identifying factor(s), a brain and some knowledge in coding. So I'm gonna try..

Locating an API with the reloc section. I've somewhat explained this to a few people out there..

So what have I learned about the reloc section in general..

    1. It records the location of every absolute address the image contains, which includes the addresses of data that code references (the disp32 of a mov or cmp, for example), so it points you at code without touching the export table.

I am in the process of making a hello world without touching the EAT, but it won't be pretty.. and this method might be suitable for EAF (Export Address Filtering; a paper written by skypher, reference below) environments.. completely unportable and 'target down to module specific', yea.. unusable everywhere.. ;P

OK, so I've had time to invest in this, so I wanted to have a 'target' for this example. So I chose the simplest thing I could think of: MessageBoxA.. But then I added some caveats to this, just to make it more fun.. I want this to be a DLL that ONLY works in a debugger that debugs DLLs, similar to Olly. I don't want to import any APIs and I don't want any 'data' to be defined within my code..

So OFF I went... looking at user32's relocation section and MessageBoxA.. and then my brain started to confuse itself... luckily I struck gold by picking this API, as there is a cmp against actual data just 7 bytes into this function, and the 32-bit absolute address inside that cmp is exactly the kind of thing the .reloc section has an entry for:

7E45058A >   8BFF                 MOV EDI,EDI
    7E45058C  /. 55                   PUSH EBP
    7E45058D  |. 8BEC                 MOV EBP,ESP
    7E45058F  |. 833D BC04477E 00     CMP DWORD PTR DS:[7E4704BC],0    ; BC04477E (at 7E450591) is the data 'attack surface'
So I know I was wrong in the now-deleted code... I make mistake(s), so I decided to visualize it.

First, collect all the variables. A .reloc block is a DWORD page RVA (the high part, HIOR), a DWORD SizeOfBlock, and then WORD entries (LOOR) whose low 12 bits are an offset between 0 and 0fff into that page and whose high 4 bits are the type (3 = HIGHLOW, a 32-bit absolute address): page RVA + offset = the data vector point, the address of a pointer the loader would patch...

So user32 has a base address of 7E410000 (on MY system) (but note this should in theory work across all Windows versions, as TLS and relocations haven't changed (even though I was tricked by Olly into seeing a Windows 7 ntdll without relocations (I didn't really look closely) and was subsequently told otherwise upon discussion of it)).. and to get to my address: ImageBase + the block's page RVA + the offset 591.. The dump below starts with the bytes 00 00 04 00, which read little-endian give a page RVA of 00040000 (not 00000400), so 7E410000 + 40000 + 591 = 7E450591, the disp32 of that cmp.. (a few tricks of the mind in there for my readers..)

So I then verified this..

7E49ED38  00 00 04 00 64 00 00 00 82 30 9B 30 EA 30 F7 30   ; page RVA 00040000, SizeOfBlock 64, then WORD entries
    7E49ED48  0A 31 42 31 9D 31 BC 31 D3 31 D9 31 F7 31 18 32
    7E49ED58  2C 32 56 32 68 32 75 32 7D 32 8A 32 CB 32 DB 32
    7E49ED68  EA 32 0A 33 17 33 34 33 3E 33 5A 33 6A 33 74 33
    7E49ED78  E7 33 FA 33 1C 34 2C 34 80 34 76 35 81 35 91 35   ; 91 35 = 3591: type 3 (HIGHLOW), offset 591
    7E49ED88  A4 35 AA 35 B4 35 99 38 CD 38 94 39 85 3B 4A 3D
Then I need to modify my code in order to work under these circumstances. But this is a small task, seeing that I documented my code... To be continued..

If you got the TLS idea.. then TLS debug awareness without the debug API is achieved by reading a module section you don't load and 'Olly' does...

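The walk from the reloc dump to 7E450591 described above, written out as an added example (this is not the post's own code): it parses one IMAGE_BASE_RELOCATION block, splits each WORD entry into type and offset, and looks up the entry that patches a given RVA. The block bytes are the 0x60 bytes from the dump above (user32 on the author's system, base 7E410000); the function names, the image base argument and the main are this example's own assumptions, and it does no PE loading of its own.

```c
/* Added example, not the blog's code: walk a .reloc block and find the entry
 * that lands inside MessageBoxA's cmp. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 0x60 bytes of the block dumped at 7E49ED38: DWORD page RVA, DWORD
 * SizeOfBlock, then WORD entries (type:4 | offset:12). SizeOfBlock is 0x64,
 * so two entries lie past what the dump shows; we must not read them. */
static const uint8_t reloc_block[] = {
    0x00,0x00,0x04,0x00, 0x64,0x00,0x00,0x00, 0x82,0x30,0x9B,0x30,0xEA,0x30,0xF7,0x30,
    0x0A,0x31,0x42,0x31,0x9D,0x31,0xBC,0x31,0xD3,0x31,0xD9,0x31,0xF7,0x31,0x18,0x32,
    0x2C,0x32,0x56,0x32,0x68,0x32,0x75,0x32,0x7D,0x32,0x8A,0x32,0xCB,0x32,0xDB,0x32,
    0xEA,0x32,0x0A,0x33,0x17,0x33,0x34,0x33,0x3E,0x33,0x5A,0x33,0x6A,0x33,0x74,0x33,
    0xE7,0x33,0xFA,0x33,0x1C,0x34,0x2C,0x34,0x80,0x34,0x76,0x35,0x81,0x35,0x91,0x35,
    0xA4,0x35,0xAA,0x35,0xB4,0x35,0x99,0x38,0xCD,0x38,0x94,0x39,0x85,0x3B,0x4A,0x3D,
};

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, skip */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address at page+offset */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((uint32_t)p[0] | (uint32_t)p[1] << 8);
}

/* Entries we can actually read: bounded by both SizeOfBlock and the bytes in hand. */
size_t reloc_entry_count(const uint8_t *blk, size_t avail)
{
    if (avail < 8)
        return 0;
    uint32_t size = rd32(blk + 4);
    size_t usable = size < avail ? size : avail;
    return (usable - 8) / 2;
}

/* Returns ImageBase + page + offset for the HIGHLOW entry matching target_rva,
 * or 0 if the block has no such entry. */
uint32_t reloc_lookup(const uint8_t *blk, size_t avail, uint32_t image_base, uint32_t target_rva)
{
    uint32_t page_rva = rd32(blk);
    size_t n = reloc_entry_count(blk, avail);
    for (size_t i = 0; i < n; i++) {
        uint16_t e = rd16(blk + 8 + 2 * i);
        unsigned type = e >> 12, off = e & 0x0FFF;
        if (type != IMAGE_REL_BASED_HIGHLOW)
            continue;
        if (page_rva + off == target_rva)
            return image_base + page_rva + off;
    }
    return 0;
}

int main(void)
{
    const uint32_t base = 0x7E410000u;                 /* user32 on the author's system */
    size_t n = reloc_entry_count(reloc_block, sizeof reloc_block);
    printf("page RVA %08X, %zu entries readable\n", rd32(reloc_block), n);
    for (size_t i = 0; i < n; i++) {
        uint16_t e = rd16(reloc_block + 8 + 2 * i);
        printf("  entry %04X: type %u offset %03X -> VA %08X\n",
               e, e >> 12, e & 0x0FFF, base + rd32(reloc_block) + (e & 0x0FFF));
    }
    uint32_t va = reloc_lookup(reloc_block, sizeof reloc_block, base, 0x40591u);
    if (va)
        printf("disp32 of the cmp at %08X, so MessageBoxA starts at %08X\n", va, va - 7);
    return 0;
}
```

The last line of output is the whole trick: the reloc entry hands you the address of the immediate inside the cmp, and because you know the instruction is 7 bytes into the function, subtracting 7 gives MessageBoxA without ever reading the export table. That offset is what makes it 'target down to module specific', as the post says: a different user32 build moves or removes the cmp.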
  3. Dynamic Binary Code and Data Flow Analysis Instrumentation.

    by , July 30th, 2010 at 15:23 (BanMe.From.Native_Development)
So I've been integrating Boomerang into Sin32, and I am releasing all future code under the BSD and GPL licenses referenced therein.

In doing this I don't want to use the GC stuff or the weird LOG class provided to do the logging of all the important information that is gleaned out of this project, so a reimplementation of that is needed (all 367 or so calls that I commented out), as well as a reimplementation of the GUI.. removing Qt was fun.. but reworking the controller GUI to also view the output is the primary goal. As seen with my post in 'rekindled hope (maybe)', I'm trying to probe for remote console allocation for output as well as input commands.

For the most part I am done with getting it to compile correctly; now I have to make the code examine 'mapped binary portions' instead of 'binary files', which isn't anything 'really different' from what it does anyway, my method is just runtime-based...

But I know 'some' of the benefits from the inclusion of this marvelous little tool, and there is still so much to be done.. But I will give you the source and the first 'complete compiling project'.. This update only runs what has been released in the past for the 'LPC Server portion of this, maybe with minor updates'; expect a BIG update in that regard soon.

here's a download link for sources

    Updated July 30th, 2010 at 15:37 by BanMe

BanMe.From.Native_Development, Lpc Server Development
  4. Binary-Auditing Solutions.

    by , September 3rd, 2009 at 23:39 (BanMe.From.Native_Development)
I am currently working on the C++ Fundamentals, and will be presenting my solutions here, as the downloads have just been released.. I currently don't have any solutions ready, but I'm working on the 'PH of Coffee' and that solution should be ready tomorrow.. this will be updated with further posts and solutions soon; hopefully I will be able to complete 'most' solutions in code that only uses ntdll, but I know that not 'all solutions' will allow me to take this route.

    If you are also working on this line of learning,
    Contact me and maybe we can do it together..