Calling dll from asm by address

#1 jakash3 (Newbie, Members, 21 posts)

For many days I have been trying to figure out how to call an export from a DLL in asm by specifying its address. None of the solutions I found worked: the code assembles correctly, but when I run it, nothing happens.

Take the below code for example:

xor eax,eax
mov ebx, 77E61BEAh ;Address of Sleep from kernel32.dll
mov ax, 5000d      ;Sleep for 5000 ms
push eax
call ebx
mov ax,4C00h
int 21h

It was supposed to sleep for 5 seconds, then terminate. But upon execution it immediately terminated.

I arrived at that address for the Sleep function with this tool:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */

/***************************************
arwin - win32 address resolution program
by steve hanna v.01
   vividmachines.com
   shanna@uiuc.edu
you are free to modify this code
but please attribute me if you
change the code. bugfixes & additions
are welcome please email me!
to compile:
you will need a win32 compiler with
the win32 SDK

this program finds the absolute address
of a function in a specified DLL.
happy shellcoding!
***************************************/

int main(int argc, char** argv)
{
	HMODULE hmod_libname;
	FARPROC fprc_func;

	printf("arwin - win32 address resolution program - by steve hanna - v.01\n");
	if(argc < 3)
	{
		printf("%s <Library Name> <Function Name>\n",argv[0]);
		exit(-1);
	}

	/* map the DLL into this process (or get its existing base if already loaded) */
	hmod_libname = LoadLibrary(argv[1]);
	if(hmod_libname == NULL)
	{
		printf("Error: could not load library!\n");
		exit(-1);
	}

	/* look up the export by name in that module */
	fprc_func = GetProcAddress(hmod_libname,argv[2]);
	if(fprc_func == NULL)
	{
		printf("Error: could not find the function in the library!\n");
		exit(-1);
	}

	/* the address is only valid for where this process loaded the DLL */
	printf("%s is located at 0x%08x in %s\n",argv[2],(unsigned int)fprc_func,argv[1]);
	return 0;
}


So please bear with me, I am fairly new to assembly. I would like to know how to call DLL functions by their address, or even how to get the proper address in the first place.

#2 innerLOL (Newbie, Members, 29 posts)

xor eax,eax
mov ebx, 77E61BEAh ;Address of Sleep from kernel32.dll
mov ax, 5000d      ;Sleep for 5000 ms
push eax
call ebx
mov ax,4C00h
int 21h

wtf :confused::confused:

Windows uses stdcall, at least the x86 version.

push 5000
call 0x77E61BEA

will work.

#3 dargueta (Writes binary right handed and hex left handed; Moderators, 4,705 posts; Programming Language: C, Java, C++, PHP, Python, Perl, Assembly, Bash, Others; Learning: JavaScript)

Quote

The __stdcall calling convention is used to call Win32 API functions. The callee cleans the stack, so the compiler makes vararg functions __cdecl. Functions that use this calling convention require a function prototype.

The reason why the callee (the function being called) cleans up the stack is that it reduces code size. cdecl forces the caller to clean up the stack, so it's only used for functions with a variable number of arguments, since the function can't (in x86) clean up a variably-sized stack frame.
sudo rm -rf /

#4 Firebird_38 (Programmer, Members, 126 posts)

Don't call functions in DLLs by a fixed address. This will crash something at some point for certain. DLLs get loaded at different addys at different times. Make an external declaration in your asm. How, I don't know, but you have to. It's been a while since I've done any asm, but you can declare external functions. Please also be mindful of calling conventions.

The two functions (LoadLibrary and GetProcAddress) used in your program you can use to load DLLs dynamically. But you'll need to statically link to at least the DLL with GetProcAddy and LoadLib.

#5 dargueta (Writes binary right handed and hex left handed; Moderators, 4,705 posts; Programming Language: C, Java, C++, PHP, Python, Perl, Assembly, Bash, Others; Learning: JavaScript)


Quote

Connecting an application with API entry points exported by DLLs is something usually handled by the operating system loader, but these types of malware infection don't get the benefit of the loader's services. This hasn't posed a problem for malware on previous versions of Windows because for any given Windows release, system executable images and DLLs always load at the same location, allowing malware to assume that APIs reside at fixed addresses.

The Windows Vista Address Space Load Randomization (ASLR) feature makes it impossible for malware to know where APIs are located by loading system DLLs and executables at a different location every time the system boots.
You can pull it off for some versions of Windows, but not always. I'd suggest not doing so if you want your program to work on all versions.
sudo rm -rf /
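The run-time resolution Firebird_38 recommends in #4, and the reason dargueta gives for it in #5 (ASLR moves kernel32 between boots, so the address arwin printed is only good for that one process), put together as an added example. This is not code from any post in this thread. It asks the loader for kernel32's base with LoadLibraryA, looks up Sleep with GetProcAddress, prints the address the way arwin does, and then calls Sleep through a register with stdcall; the printf call alongside it shows the cdecl contrast from #3, where the caller removes the arguments. Assumptions: NASM syntax, a 32-bit MinGW gcc toolchain for linking (its C runtime supplies the entry point and calls _main, and its import libraries expose stdcall functions as _Name@N), and the file name resolve_sleep.asm.

```nasm
; Added example (not from the thread): call a DLL export without hard-coding its address.
; Build (assumed toolchain: NASM + 32-bit MinGW gcc):
;   nasm -f win32 resolve_sleep.asm -o resolve_sleep.obj
;   gcc -m32 resolve_sleep.obj -o resolve_sleep.exe
global _main
extern _LoadLibraryA@4        ; stdcall, 4 bytes of arguments, callee pops them
extern _GetProcAddress@8      ; stdcall, 8 bytes of arguments, callee pops them
extern _printf                ; cdecl and variadic: the caller removes the arguments

section .data
    kernel32_name db "kernel32.dll", 0
    sleep_name    db "Sleep", 0
    fmt_found     db "Sleep is located at 0x%08x", 10, 0
    fmt_fail      db "could not resolve Sleep", 10, 0

section .text
_main:
    push ebx                    ; ebx is callee-saved; the CRT expects it back intact

    ; LoadLibraryA("kernel32.dll"): returns this process's base for kernel32
    push kernel32_name
    call _LoadLibraryA@4        ; eax = HMODULE; the argument is already gone from the stack
    test eax, eax
    jz   .fail

    ; GetProcAddress(hModule, "Sleep"): stdcall pushes arguments right to left
    push sleep_name
    push eax
    call _GetProcAddress@8      ; eax = address of Sleep in this process, 0 on failure
    test eax, eax
    jz   .fail
    mov  ebx, eax               ; keep the resolved address across the printf call

    ; printf(fmt, addr) is cdecl: push right to left, then remove the 8 bytes ourselves
    push ebx
    push fmt_found
    call _printf
    add  esp, 8

    ; Sleep(5000) is stdcall: nothing to clean up here, Sleep finishes with 'ret 4'
    push 5000
    call ebx

    pop  ebx
    xor  eax, eax               ; return 0 from main
    ret

.fail:
    push fmt_fail
    call _printf
    add  esp, 4
    pop  ebx
    mov  eax, 1                 ; non-zero exit status
    ret
```

The program exits by returning from _main, so the C runtime calls ExitProcess for it; the OP's `int 21h` is a DOS service and has no meaning inside a Win32 process. The same structure (resolve, then `call` a register) is what an import-free program has to do by hand when ASLR is on, because nothing else in the process knows where kernel32 ended up.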



