admin管理员组

文章数量:1352005

I decided to study SMC (self-modifying code). I thought it would be easier to make it in assembly language. But I encountered a problem that Windows does not allow me to pass control to the stack and throws exception_access_violation.
How can I do it?
Example I tried:

.386
.model flat, stdcall
option casemap:none

include smc.Inc; include win32api and define MsgCaption and MsgBox

.code
magic:
    mov eax, esp
    sub esp, 28
    mov dword ptr[espx], 1778421864; push MBOK; nop; push
    mov dword ptr[esp+4], offset MsgCaption
    mov dword ptr[esp+8], 2425393256; nop nop nop push
    mov dword ptr[esp+12], offset MsgBoxText
    mov dword ptr[esp+16], 1778421992; push NULL; nop; call
    mov dword ptr[esp+20], MessageBox
    mov dword ptr[esp+24], 3281031312; ret nop nop nop
    
    call dword ptr[esp]
    ret
start:
    ;invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
    call magic
    invoke ExitProcess,NULL
end start

I decided to study SMC (self-modifying code). I thought it would be easier to make it in assembly language. But I encountered a problem that Windows does not allow me to pass control to the stack and throws exception_access_violation.
How can I do it?
Example I tried:

.386
.model flat, stdcall
option casemap:none

include smc.Inc; include win32api and define MsgCaption and MsgBox

.code
magic:
    mov eax, esp
    sub esp, 28
    mov dword ptr[espx], 1778421864; push MBOK; nop; push
    mov dword ptr[esp+4], offset MsgCaption
    mov dword ptr[esp+8], 2425393256; nop nop nop push
    mov dword ptr[esp+12], offset MsgBoxText
    mov dword ptr[esp+16], 1778421992; push NULL; nop; call
    mov dword ptr[esp+20], MessageBox
    mov dword ptr[esp+24], 3281031312; ret nop nop nop
    
    call dword ptr[esp]
    ret
start:
    ;invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
    call magic
    invoke ExitProcess,NULL
end start
  • windows
  • assembly
  • winapi
  • x86
Share Improve this question edited Apr 1 at 20:27 Peter Cordes 367k49 gold badges717 silver badges979 bronze badges asked Apr 1 at 6:16 AsfhtgkDavidAsfhtgkDavid 499 bronze badges 6
  • A great deal of work has gone into Windows to segregate code, data and stack with the express purpose of preventing what you're trying to do. I'm not an expert on Windows security, but don't expect this to be straightforward. – Tangentially Perpendicular Commented Apr 1 at 6:22
  • 1 At first code was a wrong. Are [esp] containing some address ? So what sense in call [esp] ? May be call esp? And main - if want write such code - mandatory use a debugger and have ability go by instructions. But you don't do this – RbMm Commented Apr 1 at 6:27
  • @TangentiallyPerpendicular I know, I've been trying to figure out how to do it for a day. I found such a function, but it's not about the stack. I am developing in the field of program protection and I think it is easier to do it in the stack and it will be more difficult for a cracker. – AsfhtgkDavid Commented Apr 1 at 6:30
  • @RbMm , thank you for that observation, that was the problem. – AsfhtgkDavid Commented Apr 1 at 7:18
  • 1 That's not really self-modifying code; it just JITs some machine code into a buffer on the stack and jumps to it. At least you're basically filling in a template (with static addresses), not just copying a fixed blob of shellcode or something. You don't need those NOPs. Your first dword store could contain 3 useful bytes and one that you overwrite with mov dword ptr [esp+3], offset MsgCaption. And after that you could just use a byte store before the dword store of the next address. Padding to 4-byte chunks would make more sense if using push to get these immediates onto the stack. – Peter Cordes Commented Apr 1 at 20:23
 |  Show 1 more comment

3 Answers 3

Reset to default 2

Those several lines that are using a big decimal constant couldn't possibly have created the correct code.

eg. 1778421864 is 6A009068h in hexadecimal and the assembler, acknowledgeing that x86 is little endian, would have stored to memory the bytes 68h, 90h, 00h, and 6Ah. That's the opposite of what you need:

push MB_OK   ; 64h 00h
nop          ; 90h
push         ; 68h

The indirect call [mem] does not find an address.

The call dword ptr[esp] instruction wants to jump to the address that is stored at the location where the stackpointer is pointing. Sadly it's instructions that reside there, so not an address at all. You want call esp to set EIP = ESP, rather than loading a new EIP from a pointer in memory.

The ret won't find the return address.

The ret instruction is currently popping the first 4 bytes of your code snippet. There's no way this could go back to just below call magic and invoke ExitProcess. The block of machine code you're JITing is cdecl not stdcall, since it ends with plain C3 (ret) not C2 1C 00 (ret 28).

magic:
    sub  esp, 28
    mov  eax, esp
    mov  dword ptr [eax],    6890006Ah            ; push MB_OK : nop : push
    mov  dword ptr [eax+4],  offset MsgCaption
    mov  dword ptr [eax+8],  68909090h            ; nop : nop : nop : push
    mov  dword ptr [eax+12], offset MsgBoxText
    mov  dword ptr [eax+16], 0E890006Ah           ; push NULL : nop : call
    mov  dword ptr [eax+20], MessageBox
    mov  dword ptr [eax+24], 909090C3h            ; ret : nop : nop : nop
    
    call eax
    add  esp, 28
    ret
start:
    ;invoke MessageBox, NULL, addr MsgBoxText, addr MsgCaption, MB_OK
    call magic
    invoke ExitProcess, NULL
end start
  • [esp+...] requires the additional SIB-byte; using [eax+...] is one byte shorter. So copying ESP to EAX with 2-byte mov eax, esp more than pays for itself over the next 7 instructions. Not necessary for correctness. And if you were optimizing for code-size you'd be using 5-byte push imm32 instead of 7-byte mov [eax+disp8], imm32. Or using narrower stores to avoid NOPs, like just mov byte ptr [eax+24], 0C3h
  • add esp, 28 removes the 28-byte snippet so the return address is again at the top of the stack.
mov dword ptr[espx]

I hope this espx is a mere typo and that your assembler didn't approve this.

As @RbMm noticed, I used call [esp], i.e. I tell the processor to execute instructions at the address at the top of the stack, but it is not the address of the beginning of the code, but the code itself. That was the problem, I just have to do call esp instead and Windows doesn't swear.

I don't think Windows will allow you to execute code from memory regions because of DEP (Data Execution Prevention), try using VirtualAlloc or VirtualProtect or disable DEP (I don't recommend doing it on your PC), check https://learn.microsoft/en-us/windows/win32/memory/data-execution-prevention#programming-considerations

本文标签: windowsWriting and running selfmodifying code (or a simple JIT template) on modern systemsStack Overflow

版权声明:本文标题:windows - Writing and running self-modifying code (or a simple JIT template) on modern systems - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1743905599a2559466.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。