Results 1 to 4 of 4

Thread: Vista Problem

  1. #1
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5

    Vista Problem

    Here is some classic import loading code that I am using. Locates the ASCII of the API in question in kernel32.dll with a z0mbie hash, then grabs its offset uses it as an index into AddressOfNameOrdinals, whose index is then used with AddressOfFunctions to grab the RVA of the procedure.

    Now, the code below works fine on WinXP and Win2k, but on Win Vista it only returns the address of LoadLibrary correctly, but returns a wrong address to GetProcAddress. However, if I grab the next RVA in the AddressOfFunctions table, that turns out to be the correct RVA of GetProcAddress.

    So, umm, what is going on here? Why is the RVA of GetProcAddress not where it's supposed to be? =/. Here is the code and the famous z0mbie hash. You can hash GetProcAddress, and then input that into the code I provided below and see what happens.

    Code:
    ; param is EAX (meaning EAX contains the actual hash)
    ; uses hashing algo by z0mbie
    ; returns loc of API in EAX
    
    
    _customGetProcAddress:
    
    	push edx					; saves edx
    	push ecx					; saves ecx
    	push ebx					; saves ebx
    	mov ecx, eax					; puts hash in ecx
    
    
    	mov edx, dword ptr[esi+010h]			; takes address of name ordinals
    	
    _Find_Hash_Loop:
    
    	inc edx
    	mov eax, edx					; put in eax the current location. its the param
    	mov ebx, edx					; put in ebx current loc also. We might need it later	
    	call _ComputeHash
    	cmp eax, ecx					; did we find the correct hash?
    	jne _Find_Hash_Loop
    
    	mov eax, ebx					; put in eax the location of the API name
    	sub eax, dword ptr[esi]				; take away the base of kernel32
    
    	mov edx, dword ptr[esi+0Ch]			; get AddressOfNames
    
    _Find_Name_Thingy_Loop:
    
    	cmp dword ptr[edx], eax
    	je _Found_Name_Thingy
    	add edx, 4
    	jmp _Find_Name_Thingy_Loop
    
    _Found_Name_Thingy:
    
    	mov eax, dword ptr[esi+0Ch]			; take address of names
    	sub edx, eax					; sub it from edx to get index
    
    	mov eax, dword ptr[esi+8]			; get address of functions
    	add eax, edx					; add index to it
    	mov eax, dword ptr[eax]				; get the value there
    	add eax, dword ptr[esi]				; add to it kernel base
    							; thats it, that should be the function
    
    	pop ebx						; pop values
    	pop ecx
    	pop edx
    
    ret							; and return. Address of func is in EAX.
    
    	
    
    
    ; takes eax as input
    ; returns hash in eax
    
    _ComputeHash:
    
    						
    	mov edx, eax
    	xor eax, eax
    
    _Hash_Loop:
    
    	rol eax, 7
    	xor al, byte ptr[edx]
    	inc edx
    	cmp byte ptr[edx], 0
    	jne _Hash_Loop
    	
    	ret
    
    	
    ret

  2. #2
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    Oh man, I wrote this code 2 years ago, and ever since then I've been c/ping it into my projects with little thought. Only now do I look back at it and realize how fucking stupid, high, and generally fucked up I must have been to write something like this. If this isn't the most fucked up way ever to grab exports from kernel32.dll, then you can fuck my sideways and call me sparky. I'm gonna go and rewrite the above piece of shit.

    However, the problem I mentioned in my above post still stands. If I get a valid address to the GetProcAddress ascii, it still gives me the wrong RVA when I use it to index into other tables, despite the fact that it returns the correct LoadLibrary RVA when I ask it for LoadLibraryA, and on WinXP is returns both GetProcAddress and LoadLibrary without problems.

  3. #3
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    Code:
    ; param is EAX (meaning EAX contains the actual hash)
    ; uses hashing algo by z0mbie
    ; returns loc of API in EAX
    
    
    _customGetProcAddress:
    
    	push edx					; saves edx
    	push ecx					; saves ecx
    	push ebx					; saves ebx
    	mov ecx, eax					; puts hash in ecx
    
    
    	mov edx, dword ptr[esi+0Ch]			; takes address of names
    	jmp _Find_Hash_Loop_Begin
    	
    _Find_Hash_Loop:
    
    	add edx, 4
    
    _Find_Hash_Loop_Begin:
    
    	mov eax, edx					; put in eax the current location. its the param to the hasher func.
    	mov eax, dword ptr[eax]
    	add eax, dword ptr[esi]				; add Kernel base to get pointer to ascii
    	mov ebx, edx
    	call _ComputeHash				; z0mbie hash it. 
    	mov edx, ebx
    	cmp eax, ecx					; did we find the correct hash?
    	jne _Find_Hash_Loop
    
    	sub edx, dword ptr[esi+0Ch]			; sub it from AddressOfNames base to get index
    	mov eax, edx
    	mov ecx, 2
    	mov edx, 0
    	idiv ecx					; transform it to deal with words, not dwords
    	mov edx, eax
    	add edx, dword ptr[esi+010h]			; use the index with AddressOfOrdinals
    	mov eax, edx
    	xor edx, edx
    	mov dx, word ptr[eax]				; get ordinal
    	mov eax, 4
    	imul edx
    	mov edx, eax
    	add edx, dword ptr[esi+8]			; use it as index into AddressOfFunctions
    	mov eax, dword ptr[edx]				; get RVA of function
    	add eax, dword ptr[esi]				; and add kernel base to it to get Address of Function :)
    							; thats it, that should be the function
    
    	pop ebx						; pop values
    	pop ecx
    	pop edx
    
    ret							; and return. Address of func is in EAX.
    
    	
    
    
    ; takes eax as input
    ; returns hash in eax
    
    _ComputeHash:
    
    						
    	mov edx, eax
    	xor eax, eax
    
    _Hash_Loop:
    
    	rol eax, 7
    	xor al, byte ptr[edx]
    	inc edx
    	cmp byte ptr[edx], 0
    	jne _Hash_Loop
    	
    	ret
    
    	
    ret
    There, that's the new code. Works fine on Vista, so problem solved I'll keep the crappy code in the original post so people can laugh at how stupid I was. Cheers

  4. #4
    Hey,
    Crappy code happens

    It's the learning process that counts .

    Woodmann

Similar Threads

  1. Ollydbg / Vista x64 Issues
    By uber.core in forum OllyDbg Support Forums
    Replies: 6
    Last Post: October 15th, 2008, 15:45
  2. 32-bit window(Vista) problems with 4GB RAM
    By Hero in forum Off Topic
    Replies: 3
    Last Post: June 29th, 2008, 10:35
  3. SEH in Vista with ASLR?
    By Dj_Oggy in forum Advanced Reversing and Programming
    Replies: 5
    Last Post: March 17th, 2008, 02:28
  4. Windows Vista x64 & kb932596
    By JMI in forum Tools of Our Trade (TOT) Messageboard
    Replies: 6
    Last Post: August 22nd, 2007, 07:12
  5. Vista - drivers signing
    By begemott in forum Off Topic
    Replies: 22
    Last Post: February 23rd, 2006, 04:42

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •