My Search for knowledge and my explorations There and back and most often in a circle

So I got tired of overloading one section. As I didn't feel I was helping anything, I'm glad someone said something... I tend to just do things without thinking it all through first, and then I redo it, over and over, slightly modifying or rethinking my steps to understand it to the best of my ability... I know it sounds like hell, but I love it. So as long as you are you and I am me, we are all good. Glad to hear any responses, criticisms, and most hopefully corrections.

So from now on all my writings will be in this blog, separated more neatly into the areas I seek to research and develop, and neither defensive coding nor offensive coding alone can do what both can combined.

So if you haven't read my posting on optimizing a fastcall with POASM/MASM: it isn't about optimizing at all, it is about using the minimalistic approach to get the most done with what is already given to you. If you didn't catch that, sorry to have misled you.

My other posting was about TLS without using the API. I still have more on why this works, and more of my own study to determine how it all works. But anyway, I thought of another experiment; I'll leave that for later (TLS 'debug awareness' with a DLL loaded into Olly...).

This is the continuation of the posting 'experiment with relocs: finding an API with relocations'. If anyone can cite research other than mine, please, I beg of you to do so.

This is an idea I have NOT finished yet, but it sounds logical to do. I have identifying factor(s), a brain and some knowledge of coding, so I'm going to try.

Locating an API with the reloc section. I've somewhat explained this to a few people out there.

So what have I learned about the reloc section in general?

1. It might contain the locations of data that is used by code.

I am in the process of making a hello world without touching the EAT, but it won't be pretty. This method might be suitable for EAF environments (a paper written by skypher, reference below); completely unportable and 'target down to module specific', yes, unusable everywhere.. ;P

OK, so I've had time to invest in this, and I wanted to have a 'target' for this example. I chose the simplest thing I could think of, MessageBoxA. But then I added some caveats, just to make it more fun: I want this to be a DLL that ONLY works in a debugger that debugs DLLs, similar to Olly. I don't want to import any APIs and I don't want any 'data' defined within my code.

So off I went, looking at the user32 relocation section and MessageBoxA, and then my brain started to confuse itself... Luckily I struck gold by picking this API, as there is a CMP against actual data just 7 bytes into the function:

7E45058A >   8BFF                MOV EDI,EDI
7E45058C  /. 55                  PUSH EBP
7E45058D  |. 8BEC                MOV EBP,ESP
7E45058F  |. 833D BC04477E 00    CMP DWORD PTR DS:[7E4704BC],0        ; the BC04477E operand here is the data 'attack surface'
So I know I was wrong in the now-deleted code... I make mistake(s), so I decided to visualize it.

First, collect all the variables: HIOR (DWORD) + LOOR (WORD) + the variant between 0 and 0fff = data vector point...

So user32 has a base address of 7e410000 (ON MY SYSTEM). Note that this should in theory work across all Windows versions, as TLS and relocations haven't changed (even though I was tricked by Olly into seeing a Windows 7 ntdll without relocations; I didn't really look closely, and was subsequently told otherwise when I discussed it). To get to my address: ImageBase + 00000400 + the offset of 591 (a few tricks of the mind in there for my readers...).

So I then verified this:

7E49ED38  00 00 04 00 64 00 00 00 82 30 9B 30 EA 30 F7 30  ....d....0.0.0.0
7E49ED48  0A 31 42 31 9D 31 BC 31 D3 31 D9 31 F7 31 18 32  .1B1.1.1.1.1.1.2
7E49ED58  2C 32 56 32 68 32 75 32 7D 32 8A 32 CB 32 DB 32  ,2V2h2u2}2.2.2.2
7E49ED68  EA 32 0A 33 17 33 34 33 3E 33 5A 33 6A 33 74 33  .2.3.343>3Z3j3t3
7E49ED78  E7 33 FA 33 1C 34 2C 34 80 34 76 35 81 35 91 35  .3.3.4,4.4v5.5.5
7E49ED88  A4 35 AA 35 B4 35 99 38 CD 38 94 39 85 3B 4A 3D  .5.5.5.8.8.9.;J=
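To make the manual check above repeatable, here is an added Python example (not code from the original post) that parses IMAGE_BASE_RELOCATION blocks the way the dump lays them out, rebuilds the 'data vector point' as page RVA plus the low 12 bits of each WORD entry, and lists the HIGHLOW relocations that land inside a function's first bytes. The entries 0x3082, 0x309B, 0x30EA, 0x3576, 0x3581, 0x3591 and 0x35A4, the user32 base 7E410000, the MessageBoxA RVA and the prologue bytes are taken from the dump and disassembly in the post; the second block, the padding entry and the block-builder helper are constructed for the example and are assumptions, as is the 16-byte search window.

```python
"""Walk PE .reloc blocks and report which relocated pointers sit inside a function.

Added example (not the post's code). It reproduces the manual check from the
post: the block for page RVA 0x40000 holds the WORD entry 0x3591 (type 3 =
HIGHLOW, offset 0x591), so the absolute pointer 7E4704BC that MessageBoxA
compares against lives at ImageBase + 0x40000 + 0x591 = 0x7E450591, seven
bytes into the function.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, carries no relocation
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer patched by the loader

# Values from the post (valid on the author's system; assumptions elsewhere).
USER32_BASE = 0x7E410000
MESSAGEBOXA_RVA = 0x7E45058A - USER32_BASE          # 0x4058A
# Bytes of the MessageBoxA prologue as shown in the post's Olly listing.
MESSAGEBOXA_PROLOGUE = bytes.fromhex("8BFF 558BEC 833DBC04477E00".replace(" ", ""))


def build_reloc_block(page_rva, entries):
    """Construct one IMAGE_BASE_RELOCATION block (constructed test data)."""
    if len(entries) % 2:                     # keep SizeOfBlock DWORD aligned
        entries = entries + [IMAGE_REL_BASED_ABSOLUTE << 12]
    size = 8 + 2 * len(entries)
    return struct.pack("<II", page_rva, size) + struct.pack("<%dH" % len(entries), *entries)


# Constructed .reloc section: the page-0x40000 block uses entries copied from the
# dump in the post; the page-0x41000 block is invented to show block iteration.
RELOC_SAMPLE = (
    build_reloc_block(0x40000, [0x3082, 0x309B, 0x30EA, 0x3576, 0x3581, 0x3591, 0x35A4])
    + build_reloc_block(0x41000, [0x3010, 0x3024])
)


def parse_reloc_section(data):
    """Yield (page_rva, type, offset) for every entry in every block.

    A block whose SizeOfBlock runs past the buffer (a truncated dump like the
    one in the post) is parsed up to the bytes actually present.
    """
    pos = 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, pos)
        if size < 8:
            break                            # terminator or garbage header
        end = min(pos + size, len(data))
        for entry_pos in range(pos + 8, end - 1, 2):
            (entry,) = struct.unpack_from("<H", data, entry_pos)
            yield page_rva, entry >> 12, entry & 0xFFF
        pos += size


def relocs_in_range(data, start_rva, length):
    """RVAs of HIGHLOW relocations falling within [start_rva, start_rva + length)."""
    hits = []
    for page_rva, typ, off in parse_reloc_section(data):
        if typ != IMAGE_REL_BASED_HIGHLOW:
            continue
        rva = page_rva + off                 # HIOR (page) + LOOR low 12 bits
        if start_rva <= rva < start_rva + length:
            hits.append(rva)
    return hits


def locate_data_pointers(data, image_base, func_rva, window=16):
    """Absolute addresses of relocated pointers inside the first `window` bytes."""
    return [image_base + rva for rva in relocs_in_range(data, func_rva, window)]


def read_pointer_at(func_bytes, func_rva, rva):
    """Read the 32-bit operand that a relocation entry points at."""
    return struct.unpack_from("<I", func_bytes, rva - func_rva)[0]


if __name__ == "__main__":
    for addr in locate_data_pointers(RELOC_SAMPLE, USER32_BASE, MESSAGEBOXA_RVA):
        rva = addr - USER32_BASE
        value = read_pointer_at(MESSAGEBOXA_PROLOGUE, MESSAGEBOXA_RVA, rva)
        print("reloc at %08X -> operand %08X" % (addr, value))
```

Only type 3 entries count as pointers: the trailing type 0 entry that pads a block to a DWORD boundary is skipped, and the same filter is where you would add IMAGE_REL_BASED_DIR64 (type 10) if you ever port the idea to a 64-bit module.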
Then I need to modify my code in order to work under these circumstances. But this is a small task, seeing that I documented my code... To be continued...

If you got the TLS idea, then TLS debug awareness without the debug API is achieved by reading a module section that you don't load and 'Olly' does...
