Tag Archive : windows

/ windows

If previous article provide video tutorial for assembly programming in Linux, in this occasion we will cover about assembly in Windows.

Programming in Assembly is not as easy as higher level language. The main factor is because you can’t find syntax such as if, while, etc.

However one of our kind heart friend from SecurityTube has made us a very interesting video for learning Assembly. Here the list of video. Please bear in mind that I don’t made these and I have no claim over it. As stated in other page, this site and NEST is originally serve a purpose as personal documentation.

These videos are actually good starter for anyone who want to dive deeper in computer field, especially who have interest in cracking, exploitation, etc.

The tutorials consists of nine modules. For some modules, there are source code accompanying. You can either download each file individually or download it as a pack. Note that this series is continuation of previous series, therefore please read and at least know assembly before go to this page.

Module 1 – Processor Mode

we will look at the different processor modes – Real, Protected, Virtual 8086, SMM etc., then we will understand the different memory models – Flat and Segmented, and how they apply to Real and Protected mode. We will then look at the key differences between the AT&T and Intel syntax for assembly. Once we have understood all these basics, we will code a “Hello World” program which will run in real mode, using 16 bit assembly and assemble it using the Debug program which ships by default with Windows.

Download: EmbedUpload | MirrorCreator

Module 2 – Protected Mode Assembly

In this video, we will understand the basics of Protected mode operation and then look at Windows assembly basics. It is important to note that Windows runs in Protected mode. We then look at how to compile and link assembly language programs using MASM and LINK. We go on to create a HelloWorld program in 32-bit assembly.

Download: EmbedUpload | MirrorCreator

Module 3 – Win32 Assembly Using Masm32

In this video, you will be introduced to MASM32 and why it’s runtime library is a good choice. We will install and use MASM32 to program 3 examples in this video – Console mode HelloWorld, Windows HelloWorld and a simple program to print user input. These will teach you how to use the MASM32 library effectively.

Download: EmbedUpload | MirrorCreator

Files for this module: HelloMasm32.asm | HelloWindows.asm | Reflect.asm

Module 4 – Masm Data Types

In this video, we will look at different data types which can be defined in MASM – byte, word, dword, qword, fword, sbyte, sword etc. and also how to declare and initialize variables with them. Then we will learn about more complicated data types – arrays and strings. Finally, we will code a simple calculator program for addition and subtraction in assembly. The inputs will be read from the user.

Download: EmbedUpload | MirrorCreator

File for this Module: Numbers.asm

Module 5 – Procedures

In this video, we will understand how to write procedures in Assembly language. The whole idea is to first create a prototype definiation for the procedure, then the define it and finally call in in code.

Download: EmbedUpload | MirrorCreator

File for this Module: Concat.asm | InputProc.asm

Module 6 – Macros

In this video, we will understand how to write Macros in Assembly language. Most of you may have already used Macros in high level languages like C, and the assembly macro writing is almost similar.

Download: EmbedUpload | MirrorCreator

File for this Module: MacroDemo.asm

Module 7 – Program Control Using Jmp

In this video, we will learn how to change the program flow using JMP family of instructions – both conditional and unconditional.

Download: EmbedUpload | MirrorCreator

File for this Module: StringReverse.asm | MultiPrint.asm

Module 8 – Decision Directives

In this video, we will learn how to use conditional statements such as If, Else and Elseif to write code in assembly.

Download: EmbedUpload | MirrorCreator

File for this Module: IfDemo.asm

Module 9 – Loops

In this video, we will learn how to use loops in assembly. We will touch upon the basic LOOP mnemonic, its variations such as LOOPE, LOOPZ etc. based on processor flags, along with WHILE and REPEAT loops. An interesting fact is the use of the IF statement with the BREAK and CONTINUE ones, to change how a loop executes.

Download: EmbedUpload | MirrorCreator

File for this Module: LoopDemo.asm and WhileDemo.asm

Testing and debugging an operating system require an environment. Many people prefer to use emulator and virtualization software like QEMU, VMware, or VirtualBox for this job. However, testing a software build for that OS which run on top of virtualization require a method to copy files between host and the guest system. Software such as VirtualBox and VMware have a feature which enable user to activate shared directory. However not every operating system can do this because this feature act as device driver or kernel module. Moreover, QEMU doesn’t have this. The best and practical way to copy file on QEMU is copy all files into .iso images which is accessible by internet. Another way is mount the virtual hard disk or the disk image, which we will do in this article.

As the title suggested, we will discuss the way in various host operating system. Therefore, materials I use are:

  1. Slackware64 14.0 (Linux)
  2. Windows 7 32 bit (Windows)
  3. QEMU 1.4.0

Linux

Most linux distribution allow virtual disk mounting using mount command. The disk image should be mounted into a specific directory, let’s say /media/MyOS. Most of the operation need root privilege, so acquire root privilege before we do.

mkdir /media/MyOS

Make sure your virtual image file is in RAW format. If you think your disk image is in another format, use following command:

qemu-img convert <image-file> -O raw <image-file.raw>

Mounting the disk image is simple thing, as simple as mounting another storage device. Note that the actual partition start from offset 32256, after some structure on the disk such as MBR, partition table, etc. The following example assume you are using FAT as file system.

mount -o loop,offset=32256 <image-file> /media/MyOS -t vfat

The 32256 comes from the start of the very first partition * the size of a block. This is because before the first partition there are some data such as MBR. So if your first partition start from block 2048, multiplying it will result in 1048576. Of course the partition should have been formatted with the preferred format.

If the disk has several partition, and you want to mount specific partition (not the first) then you should change the offset to the start of the partition.

To unmount is even easier.

umount /media/MyOS

Windows

Basically, Windows doesn’t provide such powerful tools like Linux does. However, we can always use third party’s software. Like in Linux section, in this section our goal is to mount raw images.

OSFMount

OSFMount allow local disk image mounting in Windows with a drive letter (E:/, F:/, G:/, etc). You can download OSFMount here.

P2 eXplorer

Another tool which can be downloaded here. Note that it is not free product, but you can always use the demo version.

Building a Dynamic-Link Library using C++ MinGW

December 9, 2015 | Article | No Comments

Dynamic-Link Library or DLL, is implementation of shared library concept in Microsoft Windows and OS/2 operating system. Usually it has file extension DLL. The file formats for DLL are the same as for executable file – that is Portable Executable (PE) for 32-bit and 64-bit Windows, and New Executable (NE) for 16-bit Windows.

In this article, we will discuss about how we can create a .dll file using C++ and compiler MinGW.

The Files

We will use three files: my_dll.h, my_dll.cpp, and client.cpp

The my_dll.h is a header file where we place declarations:

// my_dll.h
#ifndef _MY_OWN_DLL_H__
#define _MY_OWN_DLL_H__
#ifdef __cplusplus
extern "C" {
#endif

#ifdef BUILD_MY_DLL
#define MY_DLL __declspec(dllexport)
#else
#define MY_DLL __declspec(dllimport)
#endif

void __stdcall MY_DLL hello(const char*s);

int MY_DLL Double(int x);

#ifdef __cplusplus
}
#endif

// This function is not declared extern "C"
void MY_DLL CppFunc(void);

// NOTE: This class must not be declared extern "C"
class MY_DLL MyClass {
public:
   MyClass() {}
   virtual ~MyClass() {}
   void func(void);
};
#endif

This one for my_dll.cpp will hold the implementation detail:

// my_dll.cpp
#include <stdio.h>
#include "my_dll.h"

__stdcall void hello(const char *s) {
   printf("Hello %s\n", s);
}
int Double(int x) {
   return (2*x);
}
void CppFunc(void) {
   puts("We are calling CppFunc");
}

void MyClass :: func(void) {
   puts("We are calling func() from class MyClass");
}

Those two files will be compiled as a single .dll file. Another source file, client.cpp, will be used as a “client”. This file will be compiled as a single executable file which will depend on the .dll file.

// client.cpp
#include <stdio.h>
#include "my_dll.h"

int main() {
   hello("World");
   printf("%d\n", Double(135));
   CppFunc();

   MyClass a;
   a.func();

   return 0;
}

Building DLL

To build the DLL, use following commands:

g++ -c -DBUILD_MY_DLL my_dll.cpp
g++ -shared -o my_dll.dll my_dll.o -Wl,--out-implib,libmy_dll.a

The -DBUILD_MY_DLL will be passed to compiler (see the .h file). This is because DLL’s functions need to be declared as “dllexport”, meaning that they will be “exported” from the DLL and available to client applications.

The “-shared” options tells the linker to create a DLL instead of an .exe, and the “–out-implib” linker option causes an import library to be created which is used later on.

Note:

The import library created by the “–out-implib” linker option is required if and only if the DLL shall be interfaced from some C/C++ compiler other than the MinGW toolchain. The MinGW toolchain is perfectly happy to directly link against the created DLL.

Building a Client Executable

To build the client, use following commands:

g++ -c client.cpp
g++ -o client.cpp client.o -L. -lmy_dll

The option “-L.” will add . (current directory) to where library will be searched. As we use current directory to store all the example, we will use this option. Then the “-lmy_dll” will tell the linker to link this code with library “libmy_dll.a”. The linker will search directory in current directory (remember the -L.) first.

We may built the same executable without an import library using following command:

g++ -o client.cpp client.o my_dll.dll

If this method work for your application, then there is usually no need for an import library. In my case, the application which doesn’t use import library result in smaller size.

Buildign and Using a DLL without the dllexport / dllimport Attributes

If you pass the “-no-undefined” and “–enable-runtime-pseudo-reloc” options to the linker, then you don’t have to add dllimport or dllexport attributes to the source code that the DLL is made with. All functions are imported /exported automatically by default, just like in unix;

There is an important thing to note with the above example functions:
Both hello(const char *) and Double(int) are surrounded by

#ifdef __cplusplus
extern "C" {
#endif
and

#ifdef __cplusplus
}
#endif

In the header file. This has the rather important consequence that their exported names use C-style name mangling (i.e. their names are “as is”).

The function CppFunc( void ) is not inside an extern “C” {…} block and thus uses C++-style name mangling. This has the consequence that the exported name depends on the compiler used to generate the DLL. It is by design that such generated names are different from compiler to compiler.

The important and often overlooked consequence of this is that from the above DLL only the functions hello(const char *) and Double(int) are seamlessly callable from e.g. MS VC++ while CppFunc(void) is not (assuming the DLL is created by MinGW).

A similar statement goes for C++ classes exported in a DLL, i.e. for the class MyClass. For further reading search the Web for the keyword “ABI” and possible in conjunction with “C++”. See also MixObjects.

A way to circumvent this problem is either using COM or create C-style wrapper functions to encapsulate the C++ ABI.

Emulation with QEMU

December 5, 2015 | Article | 1 Comment

On previous article, we have discuss about how to install QEMU-KVM on Slackware64 and Windows. In this article we will discuss about Virtualization and Emulation using QEMU.

QEMU – Overview

QEMU is an emulator and vitualization tool like VMware, KVM, VirtualBox, and Xen did. It emulates hardware, but with more options available. QEMU is available to emulates some hardware architectures, including embedded system. Processor architecture supported by QEMU are: x86, ARM, MIPS, etc.

QEMU is cross platform, available for many Operating System such including Linux, Microsoft Windows, and any Unix-like as its host operating system.

How it work

QEMU is like any virtualization tools, dividing resource for native OS (the host) and virtual machine (guest). It support virtualization with Xen Hypervisor or Linux KVM modules. With KVM, QEMU can emulate x86, server and embedded PowerPC, and also S390.

As result of resource division, there will be a decreasing in performance both on host and guest system. However, QEMU use dynamic translation to translate machine code of guest to host which makes the performance good enough.

Operating Mode

QEMU has two operating mode, which are:

  1. User Mode Emulation – QEMU can emulate own Linux process which is compiled to a CPU on different CPU.
  2. Full System Emulation – QEMU emulate whole system, including every resource (suh as processor and peripheral). This mode is useful to do some debugging and code testing on virtual machine. Using QEMU we can run some virtual machines simultaneously on a host (of course we should measure the resource needed).

Installation

The installation can be done easily. You can install QEMU by following this article for Linux and this article for Windows.

Running Kernel Image

You can read this article to run a simple Debian for ARM distribution.

Playing with Arguments

Following are arguments that can be used for running a system.

Function Command Notes
 Specifying amount of RAM  -m x  X is the amount of RAM in MB
 Use initial ramdisk  -initrd PATHANDFILENAME
 Add additional disks  -hdb DISK2 -hdc DISK3 -hdd DISK4
 Add cdrom drive  -cdrom FILE  FILE can be ISO or /dev/cdrom on UNIX
 Disable graphic  -nographic  Useful for emulate a headless raspi or to route the output directly to terminal
 Make QEMU exits when the system reboot  -no-reboot
 Pass argument to kernel  -append “KERNEL OPTIONS”  the kernel OPTIONS will be discussed on next section.

Kernel Options

Following are arguments that can be passed to kernel (the one QEMU boot).

Function Command Notes
 Specify what partition of disk will be the root partition  root=DEVICE
 Specify what file to run after kernel is loaded  init=FILE
 Prevent QEMU from simply freeze when the kernel is panic  panic=x  x is the number of seconds before rebooting. Usefule with the -no-reboot option
 Specify default console device for the output.  console=DEVICE

Disk Operation

In this section we will discuss about creating a disk image for QEMU. It is recommended to use Linux. The general syntax for creating a disk is:

qemu-img create <FILENAME> <SIZE>

Where <FILENAME> is filename and path if you don’t want to create the image on current directory. The size is written in numerical value followed by size unit in:

  • k or K for Kilobyte (1024 byte)
  • m or M for Megabyte (1025 kb)
  • g or G for Gygabyte (1024m mb)

The created file contain 0 (zero) and mean nothing to system.

To format a disk, we can use UNIX & Linux utility:

  • EXT2 => mkfs.ext2 <FILENAME>
  • EXT3 => mkfs.ext3 <FILENAME>
  • etc

We can also mounting <FILENAME> to modify it.

Repair Windows 8 EFI Bootloader

December 5, 2015 | Article | 2 Comments

Suppose you have installed Windows 8 on your machine. After an unexpected incidents you can not boot your Windows anymore, what will you do? Reinstall? No, let’s fix it!
This article will discuss about how to repair / fix Windows 8 Bootloader. For simplification, we have following assumption:

  1. Our machine is EFI-based with GPT disk (thus have EFI partition on first partition)
  2. You have Windows 8 installer (yes, we use installer DVD to do)

Now boot into your machine wit Windows 8 installer. Do normal method until you are prompted with list of volumes / partitions. Now press [Shift] + F10. This will bring you alovely black-themed cmd 😀

Now invoke following commands:

diskpart

Then you will be brought to a diskpart program. First we must now what your disk (the one windows 8 installed). To do so we will issue this command:

list disk

Now you will see a list of disk you have numbered by a value from 0. In this article I assume we have 1 disk and the installed windows on disk 0. If not, change 0 with appropriate number. Now execute this:

sel disk 0

Now list the volumes by invoking:

list vol

At minimal you have 1 EFI partition, 1 MSR partition, and 1 primary partition. Look at the output and write down the letter the partition use. In this article I assume the windows partition has letter C:  as shown below. The red square means the volume / partition of my EFI partition and blue one means the partition where my Windows installed.

diskpart

To change a volume letter (i.e: from b: to c:, etc) follow this commands:

sel vol #
assign letter n:

Where # is the volume you want to assign with and n is a drive letter (b,c,d, etc).

Now assign EFI partition to B: (in this article I have vol 1):

sel vol 1
assign letter b:

On successful attempt you will be prompted that the volume has been assign to letter b.Then exit diskpart with exit command. Now go to the EFI partition and fix the boot:

cd /d b:\EFI\Microsoft\Boot\
bootrec /fixboot

Now delete (or rename) the BCD file:

ren BCD BCD.bak

Then use bcdboot.exe to recreate BCD store.

bcdboot C:\Windows /l en-us /s B: /f ALL

Where C:\Windows is our installed windows on drive C: and B: is drive of our EFI partition. The /f ALL parameter updates the BIOS settings including UEFI firmware/NVRAM, while /l en-us is to localise for US locale, it will default to US English.

To re-enable Hyper-V, we should run the following commands:

bcdedit /set {default} hypervisorlaunchtype Auto
bcdedit /set {default} nx OptIn

Now reboot and wish you luck 😀

Social media & sharing icons powered by UltimatelySocial