-
1. Date: 2017-08-19 15:22:44
Subject: code for flushing imports to .idata in exe
From: fir <p...@g...com>
I think I need some code that would work like this:
AddImportsForModule("KERNEL32.DLL", "ExitProcess", "GetModuleHandleA", "GetProcAddress");
AddImportsForModule("msvcrt.dll", "fopen", "free", "printf", "exit", "fclose", "fread");
well, maybe it would be more like
char* import_names[] = {"fopen", "free", "printf", "exit", "fclose", "fread"};
AddImportsForModule("msvcrt.dll", import_names);
but this is a detail
the code just needs to build a binary block of the .idata section that I can flush to the exe file when flushing the exe to disk in my assembler
I'm however a bit confused about how weirdly this .idata binary is built, so maybe some hints on that?
btw the best info I found on this topic is here
https://github.com/macton/x64-fasm-examples/blob/master/Windows/00_BasicOS/00_pe_return_03.asm
or around there, so if someone would like to focus on this and give me some hints they may use it
tnx
-
2. Date: 2017-08-19 17:40:49
Subject: Re: code for flushing imports to .idata in exe
From: fir <p...@g...com>
On Saturday, 19 August 2017 15:22:46 UTC+2, user fir wrote:
> I think I need some code that would work like this:
>
> AddImportsForModule("KERNEL32.DLL", "ExitProcess", "GetModuleHandleA", "GetProcAddress");
>
> AddImportsForModule("msvcrt.dll", "fopen", "free", "printf", "exit", "fclose", "fread");
>
> well, maybe it would be more like
>
> char* import_names[] = {"fopen", "free", "printf", "exit", "fclose", "fread"};
>
> AddImportsForModule("msvcrt.dll", import_names);
>
> but this is a detail
>
> the code just needs to build a binary block of the .idata section that I can flush to the exe file when flushing the exe to disk in my assembler
>
> I'm however a bit confused about how weirdly this .idata binary is built, so maybe some hints on that?
>
> btw the best info I found on this topic is here
>
> https://github.com/macton/x64-fasm-examples/blob/master/Windows/00_BasicOS/00_pe_return_03.asm
>
> or around there, so if someone would like to focus on this and give me some hints they may use it
>
> tnx
after contemplating that sht for a while
https://github.com/macton/x64-fasm-examples/blob/master/Windows/00_BasicOS/02_pe_messagebox_03.asm
it seems to me that I need to do the following
(say I've got N modules to import from)
- flush N of those 40-byte-long module-describing records and finish with a zero record
- flush the N module names
- flush the so-called ILT and IAT for each module (slightly confused here)
- flush all the function names (intermixed with 'hints')
would that be all? if so it seems less confusing than I previously thought (though that import-adding API should be redefined, as I need to build the whole collection before flushing it in the last step)
something like
AddImport("KERNEL32.DLL", "ExitProcess");
AddImport("KERNEL32.DLL", "GetModuleHandleA");
AddImport("KERNEL32.DLL", "GetProcAddress");
AddImport("msvcrt.dll", "fopen");
AddImport("msvcrt.dll", "free");
AddImport("msvcrt.dll", "printf");
AddImport("msvcrt.dll", "exit");
AddImport("msvcrt.dll", "fclose");
AddImport("msvcrt.dll", "fread");
FlushIDataSection();
-
3. Date: 2017-08-20 20:20:48
Subject: Re: code for flushing imports to .idata in exe
From: wół, wół roboczy, wół dojno roboczo obronny 'POPIS/EU <N...@g...pl>
Professor!
but why in English?
is that some kind of put-down of the suckers?
-
4. Date: 2017-08-20 20:39:07
Subject: Re: code for flushing imports to .idata in exe
From: fir <p...@g...com>
On Sunday, 20 August 2017 20:21:00 UTC+2, user wół, wół roboczy, wół dojno roboczo obronny 'POPIS/EU wrote:
> Professor!
> but why in English?
> is that some kind of put-down of the suckers?
because it was written mainly to post to an English-language group, and if I want to post it to the Polish one too, rewriting it is a waste of time
generally the point is that in an exe file you have an embedded list of imports, something like
"
kernel32.dll: ExitProcess
user32.dll: MessageBoxA
msvcrt.dll: printf fopen fclose fread fwrite
"
apart from that (i.e. apart from those names in text form) there is practically just one slot for a 4-byte pointer next to each of those functions, a pointer that is empty in the exe but Windows fills it in at load time (apart from that there are also some hints, I think one short per function name too, but I think they aren't even used)
the code in the exe refers to those pointers next to the names (it knows where they will be in memory after the exe has been loaded), and in turn the Windows loader knows what to put there
and that's it, it's rather simple; unfortunately, as the contents of the .idata section in the exe, it is as usual f***ed up and encoded somewhat weirdly, and I don't feel like writing and testing code that would turn this data into the contents of the idata section
maybe someone feels like doing it? ;c
.idata is well described on the net in various tutorials, I wrote a dry draft of the code myself (though not the whole thing, because you still need to add the table of those records, each of which describes a module and has pointers to the places in idata where the relevant name tables are
if someone wanted to take a look at the import section documentation and write this code, it's not that hard, but I've burned out a bit for the moment
code draft ->
#include <string.h>

typedef struct { int x, y; } int2;   /* x = module index, y = function index */

char idata[0x200];

/* copies a NUL-terminated string to dst (terminator included) */
void CopyStringZ(const char* src, char* dst) { strcpy(dst, src); }

void FillIdataSection()
{
char* module_names[] = {"kernel32.dll", "user32.dll", "msvcrt.dll"};
char* function_names[] = {"ExitProcess", "MessageBoxA", "printf", "fwrite", "fread",
"fopen", "fclose" };
/* (module index, function index) pairs, grouped by module */
int2 module_function_list[] = {{0,0}, {1,1}, {2,2}, {2,3}, {2,4}, {2,5}, {2,6} };
int module_function_list_max = 7;
int idata_rva = 0x2000;   /* assumed RVA at which .idata gets mapped; every stored pointer is an RVA */

/* OUTPUT - things that need to be done, probably like this:
 - save module names list
 - save hint + function names list
 - save function name pointer lists (ILT)
 - save IAT (name-pointer pointer) list
 - save module 'descriptors' (records) */

///// fill descriptors - not done in this draft yet (the record table mentioned above)

/////////////// fill module names
int module_names_max = 3;
int module_names_offset = 0x180;
int module_names_step = 0x20;
for(int i=0; i<module_names_max; i++)
CopyStringZ(module_names[i], idata + module_names_offset + i * module_names_step);

/////////////// fill hint + function names
int function_names_max = 7;
int function_names_offset = 0x100;
int function_names_step = 0x10;   /* 0x20 would run into the module names at 0x180; 0x10 fits names up to 13 chars */
for(int i=0; i<function_names_max; i++)
{
*(short*)&idata[function_names_offset + i * function_names_step] = 0;   /* hint */
CopyStringZ(function_names[i], idata + 2 + function_names_offset + i * function_names_step);
}

/// fill function name pointer lists (ILT) and the IAT
/// both have the same shape: one RVA per function, one zero record after each module
int function_namepointers_offset = 0x80;
int function_IAT_offset = 0xc0;
int n = 0;
for(int i=0; i<module_function_list_max; i++)
{
int name_rva = idata_rva + function_names_offset + module_function_list[i].y * function_names_step;
*(int*)&idata[function_namepointers_offset + n * 4] = name_rva;
*(int*)&idata[function_IAT_offset + n * 4] = name_rva;   /* the loader overwrites this with the real address */
n++;
/* zero record when the module changes (compare .x, the module index) or after the last entry */
if( (i+1>=module_function_list_max) ||
(module_function_list[i].x!=module_function_list[i+1].x) )
{
*(int*)&idata[function_namepointers_offset + n * 4] = 0;
*(int*)&idata[function_IAT_offset + n * 4] = 0;
n++;
}
}
}
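Putting the steps from fir's list in message 2 and the draft above (descriptors, module names, ILT/IAT, hint/name entries) into one builder; this is an added example, not fir's code or anything from the linked fasm examples. It assumes the imports arrive grouped by module and that the caller knows the RVA the .idata section will be mapped at (0x2000, as in the draft); the descriptor record is laid out at the 20 bytes the PE format defines for IMAGE_IMPORT_DESCRIPTOR.

```c
#include <stdint.h>
#include <string.h>
typedef struct { const char *module; const char *func; } Import;

static void put32(uint8_t *p, uint32_t v)   /* store a little-endian DWORD */
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Lays out a PE32 .idata section in buf, front to back:
 *   IMAGE_IMPORT_DESCRIPTOR per module (20 bytes each) + an all-zero terminator record
 *   ILT (OriginalFirstThunk): one RVA per function, then a zero DWORD after each module
 *   IAT (FirstThunk): same shape; the loader overwrites it with real addresses at load time
 *   hint/name entries (WORD hint + name + NUL, 2-byte aligned), then the module names
 * `rva` is where the section will be mapped; every stored pointer is an RVA. Imports must be
 * grouped by module. Returns the number of bytes used, or 0 if buf is too small. */
size_t build_idata(uint8_t *buf, size_t cap, uint32_t rva, const Import *imp, size_t n)
{
    size_t nmod = 0, strsz = 0;
    for (size_t i = 0; i < n; i++) {
        int first = (i == 0) || strcmp(imp[i].module, imp[i - 1].module) != 0;
        nmod += first;
        strsz += 2 + strlen(imp[i].func) + 1 + 1;           /* +1: possible alignment pad */
        if (first) strsz += strlen(imp[i].module) + 1;
    }
    size_t ilt = 20 * (nmod + 1);                           /* descriptors sit at offset 0 */
    size_t iat = ilt + 4 * (n + nmod);                      /* n entries + 1 terminator per module */
    size_t str = iat + 4 * (n + nmod);
    if (str + strsz > cap) return 0;
    memset(buf, 0, str + strsz);                            /* terminators, hints, IAT zeros */
    size_t d = 0, t = 0, s = str;                           /* descriptor offset, thunk slot, string cursor */
    for (size_t i = 0; i < n; i++) {
        if (i == 0 || strcmp(imp[i].module, imp[i - 1].module) != 0) {
            if (i) t++;                                     /* leave the previous module's zero slot */
            put32(buf + d + 0,  (uint32_t)(rva + ilt + 4 * t));   /* OriginalFirstThunk */
            put32(buf + d + 12, (uint32_t)(rva + s));             /* Name; TimeDateStamp/ForwarderChain stay 0 */
            put32(buf + d + 16, (uint32_t)(rva + iat + 4 * t));   /* FirstThunk */
            d += 20;
            strcpy((char *)buf + s, imp[i].module);
            s += strlen(imp[i].module) + 1;
        }
        s += s & 1;                                         /* IMAGE_IMPORT_BY_NAME starts on an even offset */
        put32(buf + ilt + 4 * t, (uint32_t)(rva + s));      /* ILT entry -> hint/name */
        put32(buf + iat + 4 * t, (uint32_t)(rva + s));      /* IAT entry, identical until the loader patches it */
        strcpy((char *)buf + s + 2, imp[i].func);           /* the hint WORD before it is already 0 */
        s += 2 + strlen(imp[i].func) + 1;
        t++;
    }
    return s;
}
```

The returned block is what gets written as the raw .idata section; the import directory entry in the optional header then points at RVA `rva` with size `20 * (nmod + 1)`, and the IAT directory entry at `rva + iat`.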