Mensajes

el masm para arquitectura de 64 bits existe?

yo tengo uno que es el masm32.per es no es el de 64 bits verdad?

lo digo porque mi Windows es 7 professional de 64 bits.

muchas gracias. ya está solucionado!!

hola

La verdad es que me da mucha vergüenza entrar en una pagina de expertos y decir esto pero he de hacerlo porque quiera o no quiera me pica el gusanillo.

el problema está en este programa que ejecuto con el fasmw

y me da el siguiente error : file not found

y sale marcado : include 'win32a.inc'

porque es as? el programa es el siguiente

;
; Basic Windows(R) 32bit hooking example in FASM, (C) 2006 Bryan "RedGhost" Power
;
; Tested on:
;     Windows XP   SP2
;     Windows 2000 SP4
;
;     If it is not working on other versions of Windows you must disassemble for the correct opcode length (at least $5 bytes).
;
; Explaination:
;     Sometimes in a project you need to hook an API function for whatever reason, the easiest way is via a basic detour.
;     
;     A detour is inserting a jump to your hook at the start of the API, and if you choose to, emulating the instructions
;     you are overwriting and then calling the original API.
;
;     Here is a small example of hooking the "MessageBoxA" procedure from "user32.dl".
;
;
; here is the disassembly of "MessageBoxA" from "user32.dll" taken from OllyDbg
;
; Windows XP SP2
;
; 77D804EA > 8BFF             MOV EDI,EDI                    ; standard windows API padding
; 77D804EC   55               PUSH EBP                       ; start of stack frame
; 77D804ED   8BEC             MOV EBP,ESP                    ; right here we have exactly $5 bytes in opcodes, perfect, the length is $5
; 77D804EF   833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 > 55               PUSH EBP
; 77E38099   8BEC             MOV EBP,ESP
; 77E3809B   51               PUSH ECX
; 77E3809C   833D 3892E677 00 CMP DWORD PTR DS:[77E69238],0  ; here it's a bit more complex, we don't have exactly $5 bytes, the length is $B
;
; here we have the disassembly while our hook is inserted
;
; Windows XP SP2
;
; 77D804EA >-E9 AA0B6888      JMP detour_e.00401099          ; the jump to our hook
; 77D804EF   833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 >-E9 FC8F5C88      JMP detour_e.00401099
; 77E3809D   90               NOP
; 77E3809E   90               NOP
; 77E3809F   90               NOP
; 77E380A0   90               NOP
; 77E380A1   90               NOP
; 77E380A2   90               NOP                            ; all these nops to keep the instructions balanced
; 77E380A3   0F85 940E0100    JNZ user32.77E48F3D
;

format PE GUI

section '.flat' readable writeable executable

entry $                           ; entry point at current address
    mov   ecx, $5                 ; number of bytes for newer service packs, a length disassembly engine skips this work
    mov   eax, [MessageBoxA]
    cmp   word [eax], $FF8B       ; test if the first opcode is not "mov edi, edi" to identify an older service pack
    jz    @f
    add   ecx, $6                 ; we have an older MessageBoxA version, $B bytes in total (Windows 2000 SP4)

@@:
    mov   esi, [MessageBoxA]      ; the procedure we wish to detour
    mov   edi, MessageBoxA_gate   ; the hook we want called when MessageBoxA is called
    call  insert_detour
    mov   [oMessageBoxA], eax     ; address of the jump/call stub

    ; now we call MessageBoxA
    ; but magically we don't see the text we are passing =]
    push  $0
    push  _hello                  ; 'Hello World!'
    push  _hook_test              ; 'This is a hooking example with detours in FASM!'
    push  $0
    call  [MessageBoxA]

    ; here we make the same call again but with oMessageBoxA
    push  $0
    push  _hello
    push  _hook_test
    push  $0
    call  [oMessageBoxA]

    push  $0
    call  [ExitProcess]
;---

oMessageBoxA dd ?

_hello       db 'Hello World!', $0
_hook_test   db 'This is a hooking example with detours in FASM!', $0

; our hook which gets called when MessageBoxA is called in this process
MessageBoxA_gate:
    ; modify the parameters on the stack to our own
    mov   dword [esp+$C], .hello_hacked
    mov   dword [esp+$8], .hook_test_hacked

    jmp   [oMessageBoxA]          ; now we let MessageBoxA continue

.hello_hacked:
    db 'Hacked Hello World ', $0
.hook_test_hacked:
    db 'Hmm? Is this what we are supposed to see?!?', $0
;---

; Allocate some memory.
;
; ecx = length
;
; returns allocated memory address in eax
; returns $0 on failure
halloc:
    cmp   dword [.heapaddr], $0
    jz    .hinit

@@:
    push  ecx
    push  $0
    push  dword [.heapaddr]
    call  [HeapAlloc]

    ret

.hinit:
    ; get the process heap
    call  [GetProcessHeap]        ; .ProcessHeap is located at +$18 in the Process Environment Block
    test  eax, eax
    jz    .err

    mov   dword [.heapaddr], eax
    jmp   @b

.err:
    ret

.heapaddr:
    dd $0
;---

; Write a detour.
;
; esi = address of procedure (API) to detour
; edi = address of gateway (hook)
; ecx = length of opcode(s), must be atleast $5 (jmp + address = $5)
;
; returns jump/call stub in eax
; returns $0 on failure
insert_detour:
    push  ebx edi ebp
    pushfd

    cld

    mov   ebx, ecx                ; save the length for later, a length disassembly engine is a good idea here

    ; allocate jump stub
    mov   ecx, ebx
    add   ecx, $5                 ; +$5 for jmp + address back to original API
    call  halloc
    test  eax, eax
    jz    .done

    ; copy the instructions we are going to overwrite to our jump stub
    push  edi
   
    mov   ecx, ebx
    mov   edi, eax
    rep   movsb
   
    sub   esi, ebx                ; movsb incremented it
    pop   edi

    ; write a jump back to the original API, skip our inserted jump
    mov   byte [eax+ebx], $E9     ; jmp opcode
    mov   edx, esi
    sub   edx, eax                ; relative offset
    sub   edx, $5
    mov   dword [eax+ebx+1], edx

    push  eax                     ; save stub address

    ; get page base
    mov   ebp, esi
    and   ebp, $FFFFF000

    ; change protection state of the page to allow write access
    push  .protection
    push  PAGE_EXECUTE_READWRITE  ; EXECUTE in case of multi-threaded or VirtualProtectEx detour
    push  $00001000
    push  ebp
    push  $FFFFFFFF
    call  [VirtualProtectEx]      ; VirtualProtect calls VirtualProtectEx

    ; here we write the actual detour
    mov   byte [esi], $E9
    mov   edx, edi
    sub   edx, esi
    sub   edx, $5
    mov   dword [esi+1], edx

    ; pad with nops if instruction length > 5 so we don't corrupt the proceeding instructions
    cmp   ebx, $5
    jle   .cleanup

    ; ecx = number of nop instructions
    mov   ecx, ebx
    sub   ecx, $5

    mov   edi, esi
    add   edi, $5
    mov   al,  $90                ; nop opcode
    rep   stosb

.cleanup:
    ; restore original protection
    push  .protection
    push  dword [.protection]
    push  $00001000
    push  ebp
    push  $FFFFFFFF
    call  [VirtualProtectEx]

    pop   eax                     ; return stub address

.done:
    popfd
    pop   ebp edi ebx
    ret

.protection:
    dd ?
;---

include 'win32a.inc'

data import
    dd $0, $0, $0, rva kernel32_name, rva kernel32_table
    dd $0, $0, $0, rva user32_name,   rva user32_table
    dd $0, $0, $0, $0, $0

kernel32_table:
    VirtualProtectEx           dd rva _VirtualProtectEx
    GetProcessHeap             dd rva _GetProcessHeap
    HeapAlloc                  dd rva _HeapAlloc
    ExitProcess                dd rva _ExitProcess
    dd $0

user32_table:
    MessageBoxA                dd rva _MessageBoxA
    dd $0

;kernel32
    _VirtualProtectEx          dw $0
                               db 'VirtualProtectEx', $0
    _GetProcessHeap            dw $0
                               db 'GetProcessHeap', $0
    _HeapAlloc                 dw $0
                               db 'HeapAlloc', $0
    _ExitProcess               dw $0
                               db 'ExitProcess', $0

;user32
    _MessageBoxA               dw $0
                               db 'MessageBoxA', $0

    kernel32_name db 'kernel32.dll', $0
    user32_name   db 'user32.dll', $0
end data
;---

;bye




                                                                                                              ;
; Basic Windows(R) 32bit hooking example in FASM, (C) 2006 Bryan "RedGhost" Power
;
; Tested on:
;     Windows XP   SP2
;     Windows 2000 SP4
;
;     If it is not working on other versions of Windows you must disassemble for the correct opcode length (at least $5 bytes).
;
; Explaination:
;     Sometimes in a project you need to hook an API function for whatever reason, the easiest way is via a basic detour.
;     
;     A detour is inserting a jump to your hook at the start of the API, and if you choose to, emulating the instructions
;     you are overwriting and then calling the original API.
;
;     Here is a small example of hooking the "MessageBoxA" procedure from "user32.dl".
;
;
; here is the disassembly of "MessageBoxA" from "user32.dll" taken from OllyDbg
;
; Windows XP SP2
;
; 77D804EA > 8BFF             MOV EDI,EDI                    ; standard windows API padding
; 77D804EC   55               PUSH EBP                       ; start of stack frame
; 77D804ED   8BEC             MOV EBP,ESP                    ; right here we have exactly $5 bytes in opcodes, perfect, the length is $5
; 77D804EF   833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 > 55               PUSH EBP
; 77E38099   8BEC             MOV EBP,ESP
; 77E3809B   51               PUSH ECX
; 77E3809C   833D 3892E677 00 CMP DWORD PTR DS:[77E69238],0  ; here it's a bit more complex, we don't have exactly $5 bytes, the length is $B
;
; here we have the disassembly while our hook is inserted
;
; Windows XP SP2
;
; 77D804EA >-E9 AA0B6888      JMP detour_e.00401099          ; the jump to our hook
; 77D804EF   833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 >-E9 FC8F5C88      JMP detour_e.00401099
; 77E3809D   90               NOP
; 77E3809E   90               NOP
; 77E3809F   90               NOP
; 77E380A0   90               NOP
; 77E380A1   90               NOP
; 77E380A2   90               NOP                            ; all these nops to keep the instructions balanced
; 77E380A3   0F85 940E0100    JNZ user32.77E48F3D
;

format PE GUI

section '.flat' readable writeable executable

entry $                           ; entry point at current address
    mov   ecx, $5                 ; number of bytes for newer service packs, a length disassembly engine skips this work
    mov   eax, [MessageBoxA]
    cmp   word [eax], $FF8B       ; test if the first opcode is not "mov edi, edi" to identify an older service pack
    jz    @f
    add   ecx, $6                 ; we have an older MessageBoxA version, $B bytes in total (Windows 2000 SP4)

@@:
    mov   esi, [MessageBoxA]      ; the procedure we wish to detour
    mov   edi, MessageBoxA_gate   ; the hook we want called when MessageBoxA is called
    call  insert_detour
    mov   [oMessageBoxA], eax     ; address of the jump/call stub

    ; now we call MessageBoxA
    ; but magically we don't see the text we are passing =]
    push  $0
    push  _hello                  ; 'Hello World!'
    push  _hook_test              ; 'This is a hooking example with detours in FASM!'
    push  $0
    call  [MessageBoxA]

    ; here we make the same call again but with oMessageBoxA
    push  $0
    push  _hello
    push  _hook_test
    push  $0
    call  [oMessageBoxA]

    push  $0
    call  [ExitProcess]
;---

oMessageBoxA dd ?

_hello       db 'Hello World!', $0
_hook_test   db 'This is a hooking example with detours in FASM!', $0

; our hook which gets called when MessageBoxA is called in this process
MessageBoxA_gate:
    ; modify the parameters on the stack to our own
    mov   dword [esp+$C], .hello_hacked
    mov   dword [esp+$8], .hook_test_hacked

    jmp   [oMessageBoxA]          ; now we let MessageBoxA continue

.hello_hacked:
    db 'Hacked Hello World ', $0
.hook_test_hacked:
    db 'Hmm? Is this what we are supposed to see?!?', $0
;---

; Allocate some memory.
;
; ecx = length
;
; returns allocated memory address in eax
; returns $0 on failure
halloc:
    cmp   dword [.heapaddr], $0
    jz    .hinit

@@:
    push  ecx
    push  $0
    push  dword [.heapaddr]
    call  [HeapAlloc]

    ret

.hinit:
    ; get the process heap
    call  [GetProcessHeap]        ; .ProcessHeap is located at +$18 in the Process Environment Block
    test  eax, eax
    jz    .err

    mov   dword [.heapaddr], eax
    jmp   @b

.err:
    ret

.heapaddr:
    dd $0
;---

; Write a detour.
;
; esi = address of procedure (API) to detour
; edi = address of gateway (hook)
; ecx = length of opcode(s), must be atleast $5 (jmp + address = $5)
;
; returns jump/call stub in eax
; returns $0 on failure
insert_detour:
    push  ebx edi ebp
    pushfd

    cld

    mov   ebx, ecx                ; save the length for later, a length disassembly engine is a good idea here

    ; allocate jump stub
    mov   ecx, ebx
    add   ecx, $5                 ; +$5 for jmp + address back to original API
    call  halloc
    test  eax, eax
    jz    .done

    ; copy the instructions we are going to overwrite to our jump stub
    push  edi
   
    mov   ecx, ebx
    mov   edi, eax
    rep   movsb
   
    sub   esi, ebx                ; movsb incremented it
    pop   edi

    ; write a jump back to the original API, skip our inserted jump
    mov   byte [eax+ebx], $E9     ; jmp opcode
    mov   edx, esi
    sub   edx, eax                ; relative offset
    sub   edx, $5
    mov   dword [eax+ebx+1], edx

    push  eax                     ; save stub address

    ; get page base
    mov   ebp, esi
    and   ebp, $FFFFF000

    ; change protection state of the page to allow write access
    push  .protection
    push  PAGE_EXECUTE_READWRITE  ; EXECUTE in case of multi-threaded or VirtualProtectEx detour
    push  $00001000
    push  ebp
    push  $FFFFFFFF
    call  [VirtualProtectEx]      ; VirtualProtect calls VirtualProtectEx

    ; here we write the actual detour
    mov   byte [esi], $E9
    mov   edx, edi
    sub   edx, esi
    sub   edx, $5
    mov   dword [esi+1], edx

    ; pad with nops if instruction length > 5 so we don't corrupt the proceeding instructions
    cmp   ebx, $5
    jle   .cleanup

    ; ecx = number of nop instructions
    mov   ecx, ebx
    sub   ecx, $5

    mov   edi, esi
    add   edi, $5
    mov   al,  $90                ; nop opcode
    rep   stosb

.cleanup:
    ; restore original protection
    push  .protection
    push  dword [.protection]
    push  $00001000
    push  ebp
    push  $FFFFFFFF
    call  [VirtualProtectEx]

    pop   eax                     ; return stub address

.done:
    popfd
    pop   ebp edi ebx
    ret

.protection:
    dd ?
;---

include 'win32a.inc'

data import
    dd $0, $0, $0, rva kernel32_name, rva kernel32_table
    dd $0, $0, $0, rva user32_name,   rva user32_table
    dd $0, $0, $0, $0, $0

kernel32_table:
    VirtualProtectEx           dd rva _VirtualProtectEx
    GetProcessHeap             dd rva _GetProcessHeap
    HeapAlloc                  dd rva _HeapAlloc
    ExitProcess                dd rva _ExitProcess
    dd $0

user32_table:
    MessageBoxA                dd rva _MessageBoxA
    dd $0

;kernel32
    _VirtualProtectEx          dw $0
                               db 'VirtualProtectEx', $0
    _GetProcessHeap            dw $0
                               db 'GetProcessHeap', $0
    _HeapAlloc                 dw $0
                               db 'HeapAlloc', $0
    _ExitProcess               dw $0
                               db 'ExitProcess', $0

;user32
    _MessageBoxA               dw $0
                               db 'MessageBoxA', $0

    kernel32_name db 'kernel32.dll', $0
    user32_name   db 'user32.dll', $0
end data
;---

;bye