Using native system calls

author | 21 December 2008
Categories: Articles


Level : intermediate

OS : windows
Language : ASM

How to use interrupts directly instead of going through the Windows API.

Well, the first thing we need to do is find out how the API works.
In this tutorial we will take SetCursorPos () as an example.
First, write a program that calls SetCursorPos ():

---snippet---
; standard MASM32 prologue (.386, .model flat,stdcall, windows.inc,
; user32/kernel32 includes and libs) omitted for brevity
.code
start:
invoke SetCursorPos, 100, 100 ; voila!
invoke ExitProcess, 0
end start
---snippet---

Now, let us debug our program. Run OllyDbg and start debugging the newly created program. It should look something like this, more or less:

---snippet---
00401000 >/$ 6A 64          PUSH 64                                  ; /Y = 64 (100.)
00401002  |. 6A 64          PUSH 64                                  ; |X = 64 (100.)
00401004  |. E8 07000000    CALL           ; SetCursorPos
00401009  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
0040100B  . E8 06000000    CALL          ; ExitProcess
00401010   $-FF25 08204000  JMP DWORD PTR DS:[>;  user32.SetCursorPos
00401016   .-FF25 00204000  JMP DWORD PTR DS:[;  KERNEL32.ExitProcess
---snippet---

OK, trace until you reach the call to SetCursorPos, then trace into it:

---snippet---
77E3577A > 6A 5F            PUSH 5F
77E3577C   FF7424 0C        PUSH DWORD PTR SS:[ESP+C]
77E35780   FF7424 0C        PUSH DWORD PTR SS:[ESP+C]
77E35784   E8 A3EBFDFF      CALL user32.77E1432C
---snippet---

We see that 2 dwords are pushed. But what is that PUSH 5F? I can only thank _death for reminding me of this one 🙂


(Hey minos! 😉


5F is our ID for SetCursorPos. I don't think you can find a list of valid IDs anywhere on the net, though.


We enter the call to see what's going on 🙂

---snippet---
77E1432C   B8 3A110000      MOV EAX,113A
77E14331   8D5424 04        LEA EDX,DWORD PTR SS:[ESP+4]
77E14335   CD 2E            INT 2E
77E14337   C2 0C00          RETN 0C
---snippet---

That's it? In your dump window, follow ESP+4 (press Ctrl+G, then type ESP+4). This is how it looks on my machine:

---snippet---
0012FFAC  64 00 00 00 64 00 00 00  d...d...
0012FFB4  5F 00 00 00              _...
---snippet---

That means 3 dwords: one dword for the x value, another one for the y value, and a third one holding the ID 5F (the bytes 5F 00 00 00 in the dump).


An example of calling a native system call (SetCursorPos ()):

---snippet---
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

; the argument block EDX will point at: the three dwords seen in the dump
thePos STRUCT
x dd 0
y dd 0
z dd 5Fh              ; ID of SetCursorPos inside service 113Ah
thePos ENDS

.data
myApp db "BoR0's Native Syscaller",0
succ db "Successfully set cursor!", 0
erro db "Error while setting cursor!", 0

mystr thePos <>

.code
start:
mov mystr.y, 300
mov mystr.x, 300

mov eax, 113Ah         ; system service number (Windows 2000)
mov edx, offset mystr  ; EDX = pointer to the argument block
int 2Eh                ; enter the kernel

.IF eax == 1           ; the service returns TRUE (1) on success
invoke MessageBox, 0, ADDR succ, ADDR myApp, MB_OK+MB_ICONINFORMATION
.ELSE
invoke MessageBox, 0, ADDR erro, ADDR myApp, MB_OK+MB_ICONERROR
.ENDIF

invoke ExitProcess,0

end start
---snippet---

From here we see how SetCursorPos works: EAX holds the service number 113Ah, EDX points to the argument block (x, y and the ID 5Fh), and INT 2Eh transfers control to the kernel.

The thing I've noticed about this is that you must have at least one pointer to a function in user32.dll for the interrupt to work (it doesn't matter which function).


Q: Why is that?


A: I don't really know; there is some connection between the interrupts and the OS, perhaps. Anyway, for our code it will work because MessageBox () is found in user32.dll.


Q: But why user32.dll?


A: Because SetCursorPos () is found there 🙂


Q: What are the advantages/disadvantages of using this instead of simply calling SetCursorPos ()?


A: A debugger won't break if you set a breakpoint on SetCursorPos ().


And there are disadvantages as well. The interrupt ID might change in upcoming Windows versions. This one is tested on 2K only, and I've also heard rumours that the ID is not the same on XP.
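Since the service number is only discoverable by reading the stub, an analyst who needs the right number for the exact user32.dll build in front of them can scan the file for the stub shape traced above (MOV EAX,n / LEA EDX,[ESP+4] / INT 2E / RETN n) instead of trusting a hardcoded 113Ah. The following Python is an added example, not part of the original tutorial; the sample bytes are constructed from the listing above plus one hypothetical second stub (service 10FFh), and the helper names are my own.

```python
import re
import struct

# Byte pattern of the Windows 2000 user32 syscall stub traced in the tutorial:
#   B8 imm32        MOV EAX, <service number>
#   8D 54 24 04     LEA EDX, [ESP+4]
#   CD 2E           INT 2Eh
#   C2 imm16        RETN <bytes of stack arguments>
STUB = re.compile(rb"\xB8(.{4})\x8D\x54\x24\x04\xCD\x2E\xC2(.{2})", re.DOTALL)


def find_int2e_stubs(image):
    """Return [(offset, service_number, argc)] for every stub found in image.

    argc is the number of dword arguments, derived from the RETN operand:
    the stub cleans its own stack, so RETN n means n/4 dwords.
    """
    found = []
    for m in STUB.finditer(image):
        service = struct.unpack("<I", m.group(1))[0]
        retn = struct.unpack("<H", m.group(2))[0]
        found.append((m.start(), service, retn // 4))
    return found


def build_arg_block(*dwords):
    """Pack the argument block EDX points at: consecutive little-endian
    dwords, exactly as the dump window showed them (x, y, ID)."""
    return struct.pack("<%dI" % len(dwords), *dwords)


# Constructed sample: some filler, the exact stub bytes from 77E1432C in the
# tutorial, then a hypothetical 2-argument stub for service 10FFh.
SAMPLE = (
    b"\x90" * 3
    + bytes.fromhex("B83A1100008D542404CD2EC20C00")
    + bytes.fromhex("B8FF1000008D542404CD2EC20800")
)

if __name__ == "__main__":
    for off, svc, argc in find_int2e_stubs(SAMPLE):
        print("stub at +%d: service %04X, %d dword args" % (off, svc, argc))
    print(build_arg_block(100, 100, 0x5F).hex())
```

The regex matches only the stub shape quoted from Windows 2000; a build whose stubs look different needs its own pattern, which is exactly the version dependence the paragraph above warns about.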


Good luck playing with your functions and native calls! 😉


My thanks goes to: _death, Detten, Zephyrous, cektop, CopyMasta (been a while mate!)


(no) copyright © BoR0


April, 2005


Using native system calls
Authored by: stingduk on Monday, April 04 2005 @ 06:36 PM CEST

nice tut boro


but there are certain problems with using the above methods


you have to keep in mind that this may not be compatible between OSes, as they are not documented and MS reserves the right to change the routines at their will

for example, the 113a routine is called NtUserCallTwoParam () in w2k, while it is NtUserBuildPropList in xp 🙂

113A BF92D784 4 NtUserBuildPropList A0065714 03 NtUserCallTwoParam

take a look at this site for all the other system services


also, if you have WinDbg you can set the symbol path and grab all those symbols from the MS servers

look into the OllyDbg forum for configuring and patching OllyDbg to accept those .pdbs 🙂 and you can find the names of all calls in OllyDbg itself 🙂

look below:

77E385EA USER32.SetCursorPos      PUSH    5F
77E385EC                          PUSH    DWORD PTR SS:[ESP+C]
77E385F0                          PUSH    DWORD PTR SS:[ESP+C]
77E385F4                          CALL    USER32.NtUserCallTwoParam
77E385F9                          RETN    8
77E385FC USER32.GetMenuItemInfoA  PUSH    EBP

also, if you grab ntuser.h from the DDK you can see that 5f etc. are defined :) or look at the Wine header documentation like below for definitions

DWORD
NtUserCallOneParam(
  DWORD Param,
  DWORD Routine);

#define TWOPARAM_ROUTINE_ENABLEWINDOW       0x53
#define TWOPARAM_ROUTINE_UNKNOWN            0x54
#define TWOPARAM_ROUTINE_VALIDATERGN        0x57
#define TWOPARAM_ROUTINE_SETCARETPOS        0x60
DWORD
NtUserCallTwoParam(
  DWORD Param1,
  DWORD Param2,
  DWORD Routine);

