; ---[ STYLE.ASM ]--------------------------------[ http://www.harmonysecurity.com ]---
;
; This x86 asm snippet provides a standard routine for retrieving the addresses of
; Windows API functions. When the function 'gomad' retrieves the address of a function
; it simply saves that address over the first four bytes of that function's name, so
; if you need to call that function you just call through the 4 bytes held at the
; function's string: the actual address will be patched in at run time. To call
; 'gomad' we need to pass the address of the library name where these functions are
; held; we also need to pass the address of an array of offsets, and also pass the
; number of functions for that library. The array of offsets is just the offset of
; each string from the address of the library name. Take a look at the source to get
; a better idea. If you are testing this code it would be best to attach a debugger,
; as no output will be displayed to the console.
;
; NOTE(review): because the resolved addresses are written over the name strings,
; which live in the same blob as the code, the memory this runs from must be both
; writable and executable at run time.
;
; THE STACK:
; [ebp-0x04] = dword DATA_ADDRESS      ; address of the first string ("user32.dll"),
;                                      ; i.e. the return address of 'call start'
; [ebp-0x08] = dword SAVED_LIB_HANDLE  ; HMODULE returned by LoadLibraryA
; [ebp-0x0c] = dword LIB_ADDR          ; address of the library name string
; [ebp-0x10] = dword ARRAY_ADDR        ; address of the byte array of name offsets
; [ebp-0x14] = dword NUM_FUNCS         ; number of entries in that array
;
; to compile use the (FREE) nasm assembler:
; nasmw -s -fbin -o style.s style.asm
; and to test use my eggtest application (get it at my site):
; eggtest style.s kernel32.dll
;
; ---[ Author :: Steve Fewer ]-------------------------[ info@harmonysecurity.com ]---

; Absolute addresses of the three kernel32 exports this code needs. They are baked
; in at assemble time, so make sure these three addresses are correct for your
; (target) machine: they are only valid where kernel32 is loaded at exactly the
; address they were taken from. NOTE(review): no run-time check exists; a wrong
; value here crashes at the first 'call edx'.
LOADLIBRARYA   EQU 0xBFF776D4
GETPROCADDRESS EQU 0xBFF76DAC
EXITPROCESS    EQU 0xBFF8D4CA

BITS 32                                 ; 32bit addressing
ORG 0x0                                 ; all label arithmetic is relative to 0
jmp data ; jump down to our data section start: ; "another junkie player pushing dope for the man" - curtis mayfiled pop edi ; save data address push ebp ; save old base pointer mov ebp, esp ; create new stack frame sub esp, 0x14 ; grow stack mov [ebp-0x04], edi ; save data address mov [ebp-0x14], dword 0x02 ; store num of funcs to do mov eax, [ebp-0x04] ; eax = addr of lib name mov [ebp-0x0c], eax ; store it add eax, 0x23 ; align to addr of string lenght array mov [ebp-0x10], eax ; store it call gomad ; call func gomad mov [ebp-0x14], dword 0x03 ; store num of funcs mov eax, [ebp-0x04] ; eax = base data address add eax, 0x25 ; eax = address of lib name mov [ebp-0x0c], eax ; store it add eax, 0x35 ; align to address of string length array mov [ebp-0x10], eax ; store it call gomad ; call func gomad jmp exit ; finished gomad: ; "sipping on gin an juice, laid back" - dre & snoop mov eax, [ebp-0x0c] ; eax = addr of lib string push eax ; push it for func call mov edx, LOADLIBRARYA ; edx = addr of LoadLibraryA call edx ; call LoadLibraryA ### MUST DO: test and handle error ### test eax, eax ; test for fail jz exit ; quit if failed mov [ebp-0x08], eax ; save lib base addr mov esi, [ebp-0x10] ; for lodsb, esi points to byte array of string lenght mov ecx, [ebp-0x14] ; cx = num times to loop || num funcs to find sloop: ; "only for the fact that its not" - me :) mov ebx, [ebp-0x0c] ; ebx = addr of lib string xor eax, eax ; clear eax lodsb ; eax = length of next func string add ebx, eax ; ebx aligned to next func string mov eax, [ebp-0x08] ; eax = lib base addr pushad ; save our regs push ebx ; ebx = addr of func string push eax ; eax = handle of loaded lib mov edx, GETPROCADDRESS ; edx = address of GetProcAddress call edx ; call GetProcAddress, ### MUST DO: test and handle error ### mov [ebx], eax ; save func address over first 4 bytes of func name popad ; restore our regs loop sloop ; loop and go again ret ; finished the loop exit: ; "a total lack of respect for the law" - 
the prodigy xor eax, eax ; clear eax push eax ; push it mov eax, EXITPROCESS ; addr of ExitProcess call eax ; call ExitProcess data: ; "ive decided to take my work back underground" - the prodigy call start ; call the start of code and pop off data address db "user32.dll",0 ; [ebp-0x04] + 0x00 db "MessageBoxA",0 ; [ebp-0x04] + 0x0B db "MessageBoxW",0 ; [ebp-0x04] + 0x17 db 0x0B, 0x17 ; [ebp-0x04] + 0x23 db "kernel32.dll",0 ; [ebp-0x04] + 0x25 db "GetProcAddress",0 ; [ebp-0x04] + 0x32 db "LoadLibraryA",0 ; [ebp-0x04] + 0x41 db "ExitProcess",0 ; [ebp-0x04] + 0x4e db 0x0D, 0x1c, 0x29 ; [ebp-0x04] + 0x5a db 0x90, 0x90 ; dummy bytes