
Thread: Microsoft's Rich Signature (undocumented)

  1. #31
    dELTA (Administrator, Ring -1)
    Join Date: Oct 2000
    Hehe, been busy with some RL stuff yesterday. Nice work indeed Daniel, very interesting as always.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  2. #32
    Quote Originally Posted by Daniel Pistelli:
    The compiler of the Visual Studio needs certain environment variables set, that's why the direct cl bla.c approach won't work. Your procedure could be used when compiling through the VS prompt, but it takes certainly longer than just setting a system wide breakpoint or the very clean solution suggested by Admiral (which is certainly better than my one, as long as one remembers how to use windbg). Anyway, any method is imho valid as long as the job gets done.

    I'm a bit surprised that dELTA hasn't posted yet. He surely is interested in the latest findings which close the rich signature topic once and for all.
    Have you tried debugging the linker with the Visual Studio ring-3 debugger? It works. You just need to patch the exe where you want to break, set VS as the just-in-time debugger, and when you rebuild some project, it breaks. Press F10 and you are in the code just after the "breakpoint". And it's perfectly traceable. The only problem is that the SEH messes with registers, so you need to deal with this problem. It's also possible to break in Olly (using this method), but you can't trace, only check memory and registers.

    EDIT: OK, it's not so easy and more buggy than I first thought, but still possible. But I found a better way - Olly. Put a breakpoint manually, rebuild the project in VS, Olly breaks. Now open Process Explorer and kill both parent processes of the linker and Olly. And now Olly can trace :-). I've run "run trace" and the program exited without error after 6000000 commands, so it definitely works and is a solution. Also, Olly 2 beta can trace without killing those two processes, but the program exits incorrectly after some time.
    Last edited by hnedka; January 12th, 2009 at 09:22.

  3. #33
    Super Moderator
    Join Date: Dec 2004
    I am sorry to awaken a sleeping giant.

    But recently I was wanting to run through the linker again to see who sets the PE header at PE+0x3c (there is a difference of 0x18 bytes in vc2008): the PE header started at 0xb0, now it is at 0xc8.
    So I fired up OllyDbg again, and this topic of not being able to step through CbBuildProdid in OllyDbg was awakened, so I thought let me check.

    It seems OllyDbg can easily step through the code in the linker.

    All you need is this:

    Daniel_Pistelli:\>dir /b /a
    Daniel_Pistelli:\>type compile.bat
    del frizz.exe & del frizz.obj
    "c:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"  & cl  /c /O1
    Daniel_Pistelli:\>type linking.bat
    f:\odbg110\ollydbg cmd /c "link /ENTRY:WinMain C:\Docume~1\Admin\Desktop\vc2008~
    1\frizz\frizz.obj  C:\Progra~1\MI2578~1\Windows\v7.1\Lib\user32.lib  C:\Progra~1
    Daniel_Pistelli:\>type frizz.c
    #include <windows.h>
    __declspec(align(1)) char Msg[]                 = "Iczelion's tutorial no.2";
    __declspec(align(1)) char Title[]               = "Win32 Assembly is Great!";
    /* naked: no prologue/epilogue is generated, the body is pure inline asm */
    __declspec(naked) int WINAPI WinMain(   HINSTANCE hInstance,
                                            HINSTANCE hPrevInstance,
                                            LPSTR lpCmdLine,
                                            int nShowCmd )
    {
        __asm {
                    push MB_OK
                    push OFFSET Msg
                    push OFFSET Title
                    push 0
                    call MsgBox
                    push 0
                    call ExitProc
            /* thunks through the import table; the two labels were cut off in
               the listing above and are restored here */
            MsgBox:
                    jmp dword ptr [MessageBox]
            ExitProc:
                    jmp dword ptr [ExitProcess]
        }
    }

    and the plugin modified commandline plugin By anonymouse with Childdbg functionality

    just hit alt +f1
    type childdbg 1
    and hit f9 to land in

    004A2249|. E8 D2B3FDFF CALL link.wmain

    you can trace through the whole procedure

    0046CA74| E8 079EFFFF CALL link.IMAGE::CbBuildProdidBlock; \IMAGE::CbBuildProdidBlock

    Call stack of main thread
    Address    Stack      Procedure / arguments                                                                                Called from                                                         Frame
    0013EEF4   0046CA79   link.IMAGE::CbBuildProdidBlock                                                                       link.IMAGE::BuildImage+1154                                         0013F380
    0013EEF8   011F5D00     Arg1 = 011F5D00
    0013EEFC   0013EF7C     Arg2 = 0013EF7C
    0013F384   004731E8   link.IMAGE::BuildImage                                                                               link.004731E3                                                       0013F380
    0013F7E0   0047DAEB   Maybe link.00472822                                                                                  link.0047DAE9                                                       0013F7DC
    0013F7E4   00000005     Arg1 = 00000005
    0013F7E8   003C4E58     Arg2 = 003C4E58 ASCII "pN<"
    0013FF80   004A224E   link.wmain                                                                                           link.__tmainCRTStartup+10A                                          0013FF7C
    0114CD98          21 74 82 CF 65 15 EC 9C 65 15 EC 9C 65 15 EC 9C  !t..e...e...e...
    0114CDA8          6C 6D 7F 9C 60 15 EC 9C 65 15 ED 9C 67 15 EC 9C  lm..`...e...g...
    0114CDB8          6C 6D 6F 9C 64 15 EC 9C 6C 6D 7D 9C 64 15 EC 9C  lmo.d...lm}.d...
    0114CDC8          52 69 63 68 65 15 EC 9C 00 00 00 00 00 00 00 00  Riche...........
    0013EEF4   0046CA79  RETURN to link.IMAGE::BuildImage+1159 from link.IMAGE::CbBuildProdidBlock
    004668B5                     |.  C740 04 09789100         MOV     DWORD PTR DS:[EAX+4], 917809 changed 
    00466A96                     |.  C706 52696368            MOV     DWORD PTR DS:[ESI], 68636952
    00466A96          C7 06 52 69 63 68                                �Rich
    Well, let this giant sleep again.
    I am yet to find why the PE header is starting at 0xc8 instead of 0xb0, and
    I also still have to find who decides on the case of the import library and the hints on imports.
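    An added example (not code from the thread or from Microsoft's linker) that decodes the Rich block dumped at 0114CD98 in the post above: it reads the key stored after "Rich", locates the XOR-encrypted "DanS" start marker, and lists every (prodid, build, count) triple; the last triple, prodid 0x91 / build 0x7809, is the 917809 constant written by the MOV in the disassembly above. The checksum that the real header carries over the DOS stub is not verified here, because the stub bytes are not in the post.

```python
# Added example, not code from the thread: decode the Rich block that post #33
# dumped at 0114CD98. RICH_DUMP is transcribed from that hex dump; the XOR key
# and the prodid/build/count layout are the thread's findings, not assumptions.
import struct

RICH_DUMP = bytes.fromhex(
    "217482CF6515EC9C6515EC9C6515EC9C"   # "DanS" ^ key, then the key x3 (0 ^ key)
    "6C6D7F9C6015EC9C6515ED9C6715EC9C"   # two (prodid<<16 | build, count) pairs
    "6C6D6F9C6415EC9C6C6D7D9C6415EC9C"   # two more pairs
    "526963686515EC9C0000000000000000"   # plaintext "Rich", key, zero fill
)


def decode_rich(data):
    """Return (key, [(prodid, build, count), ...]) decoded from a Rich block.

    Every DWORD before "Rich" is XORed with the key that follows "Rich";
    the block opens with "DanS" ^ key and three padding DWORDs (0 ^ key).
    """
    rich = data.find(b"Rich")
    if rich < 0 or rich + 8 > len(data):
        raise ValueError("no 'Rich' terminator followed by a key")
    key = struct.unpack_from("<I", data, rich + 4)[0]
    key_bytes = struct.pack("<I", key)
    dans_enc = bytes(a ^ b for a, b in zip(b"DanS", key_bytes))
    start = data.rfind(dans_enc, 0, rich)
    if start < 0 or (rich - start - 16) % 8 != 0:
        raise ValueError("no encrypted 'DanS' marker or misaligned block")
    entries = []
    for off in range(start + 16, rich, 8):          # skip DanS + 3 padding DWORDs
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return key, entries


if __name__ == "__main__":
    key, entries = decode_rich(RICH_DUMP)
    print(f"key = 0x{key:08X}")       # 0x9CEC1565: the 65 15 EC 9C bytes in the dump
    for prodid, build, count in entries:
        # build 0x7809 = 30729 is the VS 9.0 SP1 toolset seen in the vcvars32 path
        print(f"prodid=0x{prodid:02X} build={build} count={count}")
```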
