Monday, March 12, 2007

Update: Data and Code in stack

I was testing how to implement code execution or data storage in the stack, and I found that using a forward pointer from esp (e.g. add esp,4) will not help for large code/data sizes because it results in an access violation, so using a backward pointer from esp (e.g. sub esp,100h) is better and I think it is more reliable.
Another thing regarding code execution in the stack: I heard Vista will not let that happen, as a protection against the shellcode used in exploits, correct me if I am wrong.


Saturday, February 03, 2007

Code execution in stack

It's been a while since the last time I submitted a post. Life is getting uglier day by day... Things are changing, so I am somehow busier than ever before, but wait, I always have time to code even if the apocalypse is right now :)

Remember my previous post on using the stack instead of the data section; well, here I use the stack to put my code there and call it as a function, see next:

;-----------------------code
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
text_1 db "hello there!",0

.code
start:
mov edi,esp
add edi,4 ;copy destination = esp+4, just above the current top of stack, so later pushes (which go below esp) cannot touch it.
          ;what sits at [esp+4] and up is the frame of whoever called start; overwriting it is only safe because we exit via ExitProcess.
push edi ;rep movsb advances edi, so keep the start address
lea esi,[espcode]
mov ecx,(endesp-espcode) ;size of the routine in bytes
rep movsb ;copy espcode..endesp onto the stack
pop edi
mov ecx,MessageBoxA ;here we need the actual address of that api (the import thunk MASM links for MessageBoxA); the copied routine receives it in ecx.
call edi ;the return address is pushed below esp, clear of the copy

exit:
invoke ExitProcess,0

espcode:
push eax
mov eax,edx
pop eax
xor eax,eax ;
dec eax ;was some rubbish code!! (deliberate filler, does nothing useful)
push 0 ;uType
push 0 ;lpCaption
push offset text_1 ;lpText, an absolute address in .data, so this routine is not position independent
push 0 ;hWnd
call ecx ;MessageBoxA(0,text_1,0,0); stdcall, the callee removes its four arguments
ret
endesp:

end start
;-----------------------end of code

As you may see, the only thing we needed was either to change esp or to place our code beyond the esp value, so that the executed code does not get corrupted while it runs: every later push and call lands below esp, so anything above esp is safe from them. I used "add edi,4" so that my code does not overlap with the stack in use.

I think the code is self-explanatory...

bye for now
------------------------


Monday, November 13, 2006

code snippet-1

call @f ;pushes the address of the string below (the "return address" of the call) and skips over it
db "hello!! marhaba :) ",0
@@:
invoke MessageBox,0,dword ptr [esp+8],0,0 ;+8 because invoke has already pushed uType and lpCaption by the time it pushes this argument
pop eax ;discard the string pointer
ret ;back to whoever called this snippet


Friday, November 10, 2006

SEH the proper way

SEH [Structured Exception Handling] lets your program handle its own errors instead of leaving them to the system. Take Windows, for example: by default it shows an error message whenever your program reads from inaccessible memory, executes int 3, etc. For more information see Wikipedia or Matt Pietrek's Microsoft Systems Journal article on Win32 SEH.
I always did the following in order to set up SEH:

assume fs:nothing
push offset handle_errors ;our procedure for handling errors
push fs:[0] ;previous head of the handler chain
mov fs:[0],esp ;esp now points at {prev, handler}: a new EXCEPTION_REGISTRATION record
int 3 ;in order to raise the exception

handle_errors:
invoke ExitProcess,0 ;never returns to the dispatcher


but what was bothering me is that I didn't know how to get the old register values back, especially esp. Then I found out that the SEH procedure takes parameters [thanks to y0da for this info], like this:

SehHandler PROC pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD

so from that I figured out that once the exception is dispatched and our SEH procedure is launched, the system gives us an important pointer: a pointer to the CONTEXT structure!!
Since I didn't like the PROC method and prefer the label method :) I did this in order to get esp back!!

assume fs:nothing
push offset handle_errors
push fs:[0]
mov fs:[0],esp
int 3

handle_errors:
mov eax,[esp+12] ;3 x 4 bytes: [esp] is the return address into the dispatcher, then pExcept, pFrame and, at +12, pContext
mov eax,dword ptr [eax+184+12] ;184 (0B8h) is the offset of Eip inside CONTEXT, and Esp sits 12 bytes after it, at 196 (0C4h)
mov esp,eax ;esp as it was when int 3 fired: [esp] = previous fs:[0], [esp+4] = offset handle_errors
pop fs:[0] ;unlink our frame, previous handler back in place
pop eax ;now esp is restored :D and execution continues here, on the original stack, not back in the dispatcher

Of course you can use the following, with the CONTEXT struct from windows.inc instead of hard-coded offsets:

assume eax:PTR CONTEXT ;CONTEXT STRUCT is defined in windows.inc in the masm32 package
mov eax,[esp+12] ;pContext
mov esp,[eax].regEsp ;esp at the time of the exception
pop fs:[0] ;previous handler back in place
pop eax ;and we have esp back!

Note what this trick does and does not do: it pulls the thread out of the exception dispatcher by resetting esp and continuing inline, so the dispatcher's own frames below the old esp are simply abandoned and fs:[0] has to be fixed by hand (the pop fs:[0]). The route the system expects is for the handler to fix up the CONTEXT it was given (for a faulting instruction that cannot be re-executed, point regEip past it or at a recovery label) and return ExceptionContinueExecution (eax = 0), after which the dispatcher restores every register from that CONTEXT itself; returning ExceptionContinueSearch (eax = 1) hands the exception to the next frame in the chain.

that's all
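As an added example (my code, not the original post's), here is the handler written the way the dispatcher expects: instead of stealing esp back, it edits the CONTEXT it is handed so that regEip points at a recovery label and returns ExceptionContinueExecution, and the system restores every register and continues there. A deliberate write to address 0 raises the exception. The handler is declared `proc C` because the dispatcher calls it with the C convention; the label name `resume`, the handler name, the message strings and the check that only an access violation (and not an unwind pass) is handled are this example's own choices.

```asm
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
msg_ok  db "handler ran, execution resumed after the fault",0
msg_cap db "seh demo",0

.code

; EXCEPTION_DISPOSITION handler(EXCEPTION_RECORD*, void* frame, CONTEXT*, void* dispatch)
; Called by the dispatcher (cdecl). Returns 0 = ExceptionContinueExecution after pointing the
; faulting thread at `resume`, or 1 = ExceptionContinueSearch for anything it does not handle.
seh_handler proc C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    mov edx, pExcept
    assume edx:PTR EXCEPTION_RECORD
    test [edx].ExceptionFlags, 2            ; EXCEPTION_UNWINDING: being unwound, not asked to handle
    jnz  pass
    cmp  [edx].ExceptionCode, 0C0000005h    ; EXCEPTION_ACCESS_VIOLATION is the only one we expect
    jne  pass
    assume edx:nothing

    mov eax, pContext
    assume eax:PTR CONTEXT
    mov [eax].regEip, offset resume         ; continue at the label, not at the faulting instruction;
    assume eax:nothing                      ; regEsp etc. are left as they were at the fault
    xor eax, eax                            ; ExceptionContinueExecution
    ret
pass:
    mov eax, 1                              ; ExceptionContinueSearch: next frame in the chain
    ret
seh_handler endp

start:
    assume fs:nothing
    push offset seh_handler                 ; EXCEPTION_REGISTRATION.handler
    push fs:[0]                             ; EXCEPTION_REGISTRATION.prev
    mov fs:[0], esp                         ; link our frame in

    xor eax, eax
    mov [eax], eax                          ; deliberate write to address 0 -> access violation

resume:                                     ; dispatcher lands here with esp as it was at the fault
    pop fs:[0]                              ; unlink our frame: previous handler back in place
    add esp, 4                              ; drop the handler pointer
    invoke MessageBox, 0, offset msg_ok, offset msg_cap, MB_OK
    invoke ExitProcess, 0
end start
```

Because the dispatcher does the register restore, nothing in the handler has to know the layout of the stack below the original esp, and a nested dispatch (an exception inside the handler) still has a consistent chain to walk.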


Sunday, November 05, 2006

Twisted way to loop!!

Hey there ,
Today I was messing around with esp (again) and found a funny way to create an infinite loop :)

call @f ;pushes the address of the next instruction
@@:
sub dword ptr [esp],5 ;rewind it by the size of "call @f" (E8 rel32 = five bytes), so it points at the call again
invoke Sleep,1000
ret ;"returns" to the call, which pushes a fresh address: one push per one pop, so the stack never grows

Of course an infinite loop could also be written like this:

@@:
invoke Sleep,1000
jmp @b

I put the Sleep() in so as not to consume 100% of the CPU, so you can simply omit it. Any other thoughts and code snippets I would be glad to see placed in the comments.

*The above code snippets were tested with masm32.

-------------------------------------------------------------------
[Note: The @f will point to the next @@ ,and @b will point to the previous @@]


Sunday, October 08, 2006

away from data section!

Greetings miserable people
*[if you are not miserable you are not welcome here :) ]

A couple of days ago I figured out a very distinctive way to use stack memory as your own data storage. The downsides: it will be a brainfuck for you when building large programs, and each 'push' puts only 4 bytes on the stack, so for longer strings you need more than one push!

;code sample provided by bug-code 2006
;demonstrates how you can use stack memory to store some data in

;--------------------------------------------------------------------

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib


.data
db "sample",0 ;unused: the text MessageBox shows lives only on the stack

.code

start:
push 0 ;zero terminator for the string MessageBoxA() will read
push "teel" ;MASM stores the first character in the top byte, so in memory the dword reads "leet" :)
push 0 ;doubles as uType (the 4th argument of MessageBox) and as the gap that puts the string at esp+4
mov eax,esp
add eax,4 ;eax -> "leet",0
push eax ;lpCaption
push eax ;lpText
push 0 ;hWnd
call MessageBox ;MessageBox(0,"leet","leet",0); stdcall, the callee removes exactly four dwords and leaves the string behind

invoke ExitProcess,0
end start

;---------------------------------------------------------------

The above example is to be assembled with masm32.

---------------------------------------------------------------
Edited -9 Oct.
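The four posts above (data by push, the call/pop string of snippet-1, the copied routine of "Code execution in stack", and the update's advice to reserve the area below esp) fit together in one program. The following is an added example written for this page, not the author's code: the routine is copied into a scratch area taken with sub esp, so everything pushed later lands below it; it carries its own text with the call/pop trick and builds its caption with two pushes, so it needs no .data and no absolute address except the API pointer it receives in ecx. The forward copy in the February post fails for large sizes because above esp there is only the thread's start-up frame up to the top of the stack region, and a big copy runs off it; below esp there is the rest of the committed stack. The update's Vista question is DEP: when NX is enforced for the process (hardware DEP plus an /NXCOMPAT image or the AlwaysOn policy) a call into the stack raises an access violation, so the example asks VirtualProtect for execute permission on the page first; on a default XP SP2 or Vista install DEP is only opt-in for ordinary 32-bit programs, which is why the original code usually runs there. The 100h scratch size, the label names, STUB_SIZE and the strings are this example's own choices.

```asm
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.code

; ---- the routine that will live on the stack: never executed here, only copied ----
; Contract: ecx = address of MessageBoxA. Position independent: the only addresses it
; uses arrive in ecx or are computed at run time with call/pop.
stub_begin:
    call @F                     ; pushes the address of the bytes that follow (snippet-1 trick)
    db "hello from the stack", 0
@@:
    pop edx                     ; edx = address of the text, valid wherever the stub was copied

    push 'k'                    ; 6Bh,0,0,0 ; together the two pushes leave "stack",0 in memory
    push "cats"                 ; 's','t','a','c' (MASM puts the first character in the top byte)
    mov eax, esp                ; eax = address of the caption

    push MB_OK                  ; uType
    push eax                    ; lpCaption
    push edx                    ; lpText
    push 0                      ; hWnd
    call ecx                    ; MessageBoxA; stdcall, the callee removes its four arguments
    add esp, 8                  ; remove the two caption dwords
    ret                         ; back to the instruction after the call into the copy
stub_end:

STUB_SIZE = stub_end - stub_begin

start:
    mov ebp, esp                ; original stack pointer, restored before exiting

    ; Scratch area *below* esp (sub esp, as in the update): every later push and call lands
    ; below esp, so none of them can overwrite the copy. 100h bytes stays inside the page that
    ; is already committed at process start; a much larger area could reach the guard page.
    sub esp, 100h
    mov edi, esp                ; destination of the copy

    ; DEP: make the page(s) holding the stub executable. When DEP is off for the process this
    ; only records the old protection, which we keep in a dword on the stack as well.
    push 0
    mov ebx, esp                ; ebx = lpflOldProtect (ebx survives the call: stdcall preserves it)
    invoke VirtualProtect, edi, STUB_SIZE, PAGE_EXECUTE_READWRITE, ebx
    test eax, eax
    jz fail

    mov edx, edi                ; remember where the copy starts (rep movsb advances edi)
    lea esi, stub_begin
    mov ecx, STUB_SIZE
    rep movsb                   ; copy stub_begin..stub_end into the scratch area

    mov ecx, MessageBoxA        ; the stub expects the API address in ecx
    call edx                    ; return address is pushed below esp, clear of the copy

    mov esp, ebp                ; give the scratch area back
    invoke ExitProcess, 0
fail:
    mov esp, ebp
    invoke ExitProcess, 1

end start
```

If VirtualProtect is removed, the program still runs wherever DEP does not apply to it and dies with an access violation at `call edx` wherever it does, which is the quickest way to check what the process policy is on a given machine.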
