Exetools

EXE files and apis (https://forum.exetools.com/showthread.php?t=8029)

Warren 08-28-2005 14:49

EXE files and apis
 
I want to insert some code at the beginning of a code segment of a .exe file so the application will close when this code executes. I could write an illegal operation like 00 00 00 and the application will close because it tried to execute an illegal instruction. But I want to use Windows APIs to close the application. I want to use the ExitProcess API function but I don't know how to call it.
Can I find out the address of the ExitProcess function by looking in the PE header, or how?

Hero 08-28-2005 15:26

Hi
ExitProcess is a function that is normally available in any file.
But I suggest that you make your own IT for this function too.
The best way is adding a small section, making a small IT that contains ExitProcess
for you. Then in your program directly call the address that is located in FirstThunk.
This way, you can add any function and code to your application without any
problem and run it (that includes API functions too).

sincerely yours

polygon_seven 09-01-2005 00:17

If you popped all your stuff from the stack, and before your code nothing was pushed, then you could use the "ret" instruction to return to Windows, but this may not work in all cases.

XWING 09-01-2005 02:58

I didn't understand what you want to do exactly, Warren. You want your code to execute before the original application code? If yes, you can just add your assembly code to the end of the PE and do a jump to it and back. Also I didn't understand what you mean by illegal operation; if you are just trying to intercept errors in a debug application then you could just use dbghelp to dump stack details and save a crash dump report for later analysis and replication of the process. Please explain and I will give you more details.

Cya

FoOLFoXs 09-01-2005 10:39

Find out ExitProcess's RVA in FirstThunk, and call it in your code.

nskSem 09-01-2005 12:35

If your application has one thread and its stack is right (num push = num pop), you can try writing "ret". It's so because after the thread proc an "ExitThread" call follows.

Nacho_dj 09-01-2005 16:17

Hello:

If you disassemble the code of your a.exe, you could see imports (with wdasm32, for instance) and there all the apis used by the application. Then, select in the import window "ExitProcess" and display it, then you are getting a "call [<address of ExitProcess>]".

You could write down in your new code a call like the one you have got, or a jmp to the RVA of that call.

Cheers :cool:

Nacho_dj
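As an added example, not code from this thread or from any of the posters, the Python script below does mechanically what Hero, FoOLFoXs and Nacho_dj describe: it walks the PE import directory to find the FirstThunk (IAT) slot that the loader fills with the address of KERNEL32.dll!ExitProcess, and it shows the "call [slot]" form Nacho_dj mentions. The sample image it builds is constructed inline for demonstration; the function names are my own, and the PE field offsets follow the published IMAGE_NT_HEADERS / IMAGE_IMPORT_DESCRIPTOR layouts.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table; None if no section covers it."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def find_import_thunk(data, dll_name, func_name):
    """Return the IAT slot (FirstThunk entry) the loader fills with dll_name!func_name:
    its RVA, its VA at the preferred ImageBase and its file offset; None if not imported by name."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:  # PE32: 32-bit ImageBase at +28, data directory at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dir_off, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, data directory at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dir_off, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva = struct.unpack_from("<I", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if import_rva == 0:
        return None  # image has no import table at all
    sections = []
    sec_off = opt + opt_size  # section table starts right after the optional header
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    thunk_size = struct.calcsize(thunk_fmt)
    desc_off = _rva_to_offset(sections, import_rva)
    while desc_off is not None:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the list
        name_off = _rva_to_offset(sections, name_rva)
        if name_off is not None and _cstr(data, name_off).lower() == dll_name.lower():
            # Walk the name table (INT) when present; a bound image may only have the IAT.
            lookup_off = _rva_to_offset(sections, oft or ft)
            idx = 0
            while lookup_off is not None:
                entry = struct.unpack_from(thunk_fmt, data, lookup_off + idx * thunk_size)[0]
                if entry == 0:
                    break
                if not entry & ordinal_flag:  # imports by ordinal carry no name to compare
                    ibn_off = _rva_to_offset(sections, entry & 0x7FFFFFFF)
                    # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated function name
                    if ibn_off is not None and _cstr(data, ibn_off + 2) == func_name:
                        slot_rva = ft + idx * thunk_size
                        return {"iat_rva": slot_rva, "iat_va": image_base + slot_rva,
                                "file_offset": _rva_to_offset(sections, slot_rva)}
                idx += 1
        desc_off += 20
    return None


def encode_call_indirect32(slot_va):
    """x86-32 'call dword ptr [slot_va]': opcode FF /2 with an absolute disp32 (PE32 only)."""
    return b"\xff\x15" + struct.pack("<I", slot_va)


def build_sample_image():
    """Constructed minimal PE32 (not a real binary): one .idata section importing KERNEL32.dll!ExitProcess."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # file header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # section / file alignment
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x2000, 40)  # import directory RVA / size
    struct.pack_into("<8sIIII", img, opt + 224, b".idata\0\0", 0x200, 0x2000, 0x200, 0x200)
    base = 0x200  # file offset of .idata == RVA 0x2000
    struct.pack_into("<IIIII", img, base, 0x2030, 0, 0, 0x2050, 0x2040)  # descriptor
    struct.pack_into("<II", img, base + 0x30, 0x2060, 0)    # OriginalFirstThunk (INT)
    struct.pack_into("<II", img, base + 0x40, 0x2060, 0)    # FirstThunk (IAT)
    img[base + 0x50:base + 0x5D] = b"KERNEL32.dll\0"
    img[base + 0x62:base + 0x6E] = b"ExitProcess\0"         # hint at +0x60 stays 0
    return bytes(img)


if __name__ == "__main__":
    hit = find_import_thunk(build_sample_image(), "kernel32.dll", "ExitProcess")
    print("IAT slot RVA 0x%x, VA 0x%x, file offset 0x%x" % (hit["iat_rva"], hit["iat_va"], hit["file_offset"]))
    print("call [IAT]: " + encode_call_indirect32(hit["iat_va"]).hex())
```

Two caveats a practitioner should keep in mind: the absolute "call [VA]" is only valid when the image loads at its preferred ImageBase (a relocated image needs a base relocation entry for that displacement), and a None result means the function is not imported by name, which is exactly the case Hero's advice about adding your own IT covers. The same walk over the import directory is what a scanner performs to notice an image whose IAT has gained a section or descriptor that the original linker never emitted.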

MaRKuS-DJM 09-01-2005 20:26

you don't need an API.
MOV EAX,101
PUSH 0 (exit code)
PUSH -1
MOV EDX,ESP
INT 2E

code directly converted in short form from Debug Me 0.2 / Teerayoot ;)

SnipER.UA 09-02-2005 16:53

Quote:

Originally Posted by MaRKuS-DJM
you don't need an API.
MOV EAX,101
PUSH 0 (exit code)
PUSH -1
MOV EDX,ESP
INT 2E

Very interesting, but does this code work on Windows 9x? I think no. Maybe INT 20 (VxDCall) is usable for this...
Interrupts are platform dependent and using a call to ExitProcess is much more versatile. Interrupts are good for avoiding fast detection 'cause I look first for some API call or SEH usage but not for INTs.

MaRKuS-DJM 09-02-2005 16:59

Yeah, I forgot to mention this only works on NT-based systems. Windows ME for example will show you the blue screen of death ;) also a way to get the application to shut down, but not very nice ;)
