
Thread: indirect __stdcall function

  1. #1 BanMe

    indirect __stdcall function

    Code:
                 POP ECX ;pop the return address
                 POP EDX ;pop the function pointer
                 PUSH ECX ;put the return address back on the stack
                 CALL EDX ;call the function through EDX
                 XOR ECX,ECX ;zero ecx
                 ADD ECX,18 ;ecx = 0x18, the offset of NtTib.Self (hex, OllyDbg notation)
                 MOV EBX,DWORD PTR FS:[ECX] ;NtCurrentTeb() to ebx
                 ;stash the call's return value (EAX) in a generally
                 ;read/writable area: Teb.NtTib.ArbitraryUserPointer (offset 0x14)
                 MOV DWORD PTR DS:[EBX+14],EAX
                 PUSH 0 ;PreviousSuspendCount = NULL
                 PUSH -2 ;ThreadHandle = NtCurrentThread pseudo-handle
                 CALL ntdll.ZwSuspendThread ;suspend this thread until the creator resumes it
    OK, so this is not all that special, but maybe combined with the C++ definition you will see something of my scheme.

    Code:
    __declspec(naked) void InvokeFunc(__in void* FunctionPtr, __in_opt ULONG NumberOfParameter, __in_opt ...);
    I'll try to explain where I'm going with this as best as I can...
    An indirect in- or out-of-image call mechanism placed in all loaded images. Hooks without recognizable hook routines, anyone?

    P.S. Something of interest to me in this area was cod's post and others' regarding the subject "Where to find space in a dll", located at http://www.woodmann.com/forum/showthread.php?t=12748. If there is any further information on this subject, I would greatly appreciate it.

    regards BanMe
    Last edited by BanMe; June 29th, 2009 at 01:25.

  2. #2 BanMe
    OK, well, I guess this didn't really interest anybody but me... lol, as usual. So maybe I can better explain the circumstances in which this functionality could be used. A DYNAMIC THREAD POOL is one. I've noticed that if I don't set the PUSER_THREAD_START_ROUTINE in a call to RtlCreateUserThread, then resetting it by changing the Context's EIP is impossible; it absolutely doesn't work. So I got to thinking: how can I redirect threads that are suspended? One way is to call RtlCreateUserThread and pass in this routine as the PUSER_THREAD_START_ROUTINE and then just manipulate the context a little, which seems to me to be a decent solution for now. Your thoughts or suggestions? Any way to implement an indirect __fastcall would also be helpful, but I'll probably get to it before you.

    regards BanMe
    Last edited by BanMe; July 8th, 2009 at 15:06.
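The two posts above sketch a stub (post #1) and a use for it (post #2) but never show the two halves working together. The following is an added example, not BanMe's code and not from the thread: a complete 32-bit Windows MASM program in which a worker thread is created with the stub as its PUSER_THREAD_START_ROUTINE, runs a __stdcall job through a register-indirect call, parks the result in Teb.NtTib.ArbitraryUserPointer, suspends itself, and is then re-aimed at a second job by rewriting its CONTEXT. Everything beyond the posted stub is my assumption: the procedure names (InvokeFunc, Dispatch, WaitParked, Square, AddSeven) and sample inputs are made up; NtSuspendThread stands in for ZwSuspendThread (the same user-mode export); the build assumes an ntdll.lib (WDK/SDK) that exports RtlCreateUserThread, NtSuspendThread and NtQueryInformationThread; the CONTEXT offsets (Eip at 0B8h, Esp at 0C4h) and THREAD_BASIC_INFORMATION layout are the documented x86 ones and do not apply to x64. Two design choices differ from the listing in post #1: the return address is kept in ESI (callee-saved) rather than pushed back, so the target sees its own arguments at [esp+4..], and NumberOfParameter is dropped because a __stdcall target pops its own arguments with RET n. The creator re-aims the thread with SetThreadContext for every job, including the first, and reads the result out of the worker's TEB located through NtQueryInformationThread(ThreadBasicInformation).

```masm
; invoke_pool.asm: 32-bit Windows, MASM.  ml /c /coff invoke_pool.asm && link /subsystem:console invoke_pool.obj
.386
.model flat, stdcall
option casemap:none
RtlCreateUserThread      PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NtSuspendThread          PROTO :DWORD,:DWORD          ; same user-mode export as ZwSuspendThread
NtQueryInformationThread PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
GetThreadContext         PROTO :DWORD,:DWORD
SetThreadContext         PROTO :DWORD,:DWORD
SuspendThread            PROTO :DWORD
ResumeThread             PROTO :DWORD
Sleep                    PROTO :DWORD
GetStdHandle             PROTO :DWORD
WriteConsoleA            PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ExitProcess              PROTO :DWORD
wsprintfA                PROTO C :DWORD,:DWORD,:VARARG
includelib ntdll.lib
includelib kernel32.lib
includelib user32.lib
CONTEXT_FULL EQU 10007h               ; x86 CONTEXT: ContextFlags at 0, Eip at 0B8h, Esp at 0C4h, size 2CCh
.data
hWorker DWORD 0
cid     DWORD 0, 0                    ; CLIENT_ID
tbi     DWORD 7 DUP (0)               ; THREAD_BASIC_INFORMATION, 28 bytes on x86; tbi[4] = TebBaseAddress
r1      DWORD 0
n       DWORD 0
fmt     BYTE  "Square(12)=%u  AddSeven(35)=%u",13,10,0   ; constructed sample output line
buf     BYTE  64 DUP (0)
.code
; The post's stub. On entry: [esp]=return address, [esp+4]=FunctionPtr, [esp+8..]=the target's arguments.
InvokeFunc PROC
    pop  esi                          ; return address, kept in a callee-saved register (never used)
    pop  edx                          ; FunctionPtr
    call edx                          ; __stdcall target finds its arguments at [esp+4..] and pops them
    xor  ecx, ecx
    add  ecx, 18h                     ; NtTib.Self
    mov  ebx, fs:[ecx]                ; EBX = TEB
    mov  [ebx+14h], eax               ; Teb.NtTib.ArbitraryUserPointer = return value
    push 0                            ; PreviousSuspendCount = NULL
    push -2                           ; NtCurrentThread
    call NtSuspendThread              ; park until the creator re-aims us with SetThreadContext
InvokeFunc ENDP
Square PROC x:DWORD                   ; sample __stdcall jobs (assumed); MASM emits RET 4
    mov  eax, x
    imul eax, eax
    ret
Square ENDP
AddSeven PROC x:DWORD
    mov  eax, x
    add  eax, 7
    ret
AddSeven ENDP
; Write [dummy ret][FunctionPtr][arg] just under the worker's StackBase, aim Eip at InvokeFunc, resume.
Dispatch PROC uses ebx hT:DWORD, fp:DWORD, arg:DWORD
    LOCAL ctx[2CCh]:BYTE
    mov  dword ptr ctx[0], CONTEXT_FULL
    invoke GetThreadContext, hT, addr ctx
    mov  ebx, tbi[4]                  ; worker's TEB
    mov  ebx, [ebx+4]                 ; NtTib.StackBase: a fresh frame per job, no downward creep
    sub  ebx, 40h
    mov  dword ptr [ebx], 0           ; bogus return address: the stub parks instead of returning
    mov  eax, fp
    mov  [ebx+4], eax
    mov  eax, arg
    mov  [ebx+8], eax
    mov  dword ptr ctx[0C4h], ebx     ; Esp
    mov  dword ptr ctx[0B8h], offset InvokeFunc   ; Eip
    invoke SetThreadContext, hT, addr ctx
@@: invoke ResumeThread, hT           ; count is 2 after a self-suspend plus WaitParked's SuspendThread
    cmp  eax, 2
    je   @B
    ret
Dispatch ENDP
WaitParked PROC hT:DWORD              ; spin until the worker has suspended itself (previous count 1)
@@: invoke SuspendThread, hT
    test eax, eax
    jnz  @F
    invoke ResumeThread, hT           ; not parked yet: let it run on
    invoke Sleep, 1
    jmp  @B
@@: ret
WaitParked ENDP
start:
    invoke RtlCreateUserThread, -1, 0, 1, 0, 0, 0, offset InvokeFunc, offset Square, addr hWorker, addr cid
    invoke NtQueryInformationThread, hWorker, 0, addr tbi, 28, 0   ; ThreadBasicInformation
    invoke Dispatch, hWorker, offset Square, 12
    invoke WaitParked, hWorker
    mov  eax, tbi[4]
    mov  eax, [eax+14h]               ; ArbitraryUserPointer, written by the worker
    mov  r1, eax
    invoke Dispatch, hWorker, offset AddSeven, 35     ; second job on the same, re-aimed thread
    invoke WaitParked, hWorker
    mov  eax, tbi[4]
    invoke wsprintfA, addr buf, addr fmt, r1, dword ptr [eax+14h]
    mov  ebx, eax
    invoke GetStdHandle, -11
    invoke WriteConsoleA, eax, addr buf, ebx, addr n, 0
    invoke ExitProcess, 0
end start
```

Expected console line: `Square(12)=144  AddSeven(35)=42`. Two things a practitioner should check before reusing the pattern: the worker parks inside NtSuspendThread, so SetThreadContext is only safe after WaitParked has confirmed the self-suspend (SuspendThread reporting a previous count of 1), and each Dispatch must then resume twice; and because the stub never returns, the frame it is given only needs FunctionPtr and the target's arguments, so the return slot can be any value.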
