Grafting Compiled Code: Unlimited Code Reuse

Add functionality to a project using existing compiled machine code.
;-----------------------------------------------------------------------
; PE image checksum, grafted from a disassembly of imagehlp!_CheckSum
; (the routine whose four arguments CheckSumMemMapFile mirrors) and
; reassembled as standalone MASM.
;
; Syntax: MASM, Intel operand order.   Target: x86-32, flat model.
; ABI:    .MODEL FLAT, C  => cdecl.  Arguments are pushed right-to-left
;         and popped by the caller, which is why every `ret 10h` / `ret 0Ch`
;         of the stdcall original became a plain `ret` and each call site
;         follows the call with `add esp, N`.
;
; Only CheckSumMemMapFile is exported; _ChkSum and _ImageNtHeader stay
; module-private (their PUBLIC lines are commented out below).
;
; NOTE(review): the _SEH_prolog/_SEH_epilog frame of the original was
; dropped during the graft, so nothing in this file catches the access
; violation that a truncated or malformed mapping can raise while the
; DOS/NT headers are read.  Callers must validate the mapping first or
; wrap the call in their own __try/__except.
;-----------------------------------------------------------------------
PUBLIC CheckSumMemMapFile 
;; PUBLIC _ChkSum
;; PUBLIC _ImageNtHeader

.486
.MODEL FLAT, C

.CODE

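;-----------------------------------------------------------------------
; PIMAGE_NT_HEADERS CheckSumMemMapFile(PVOID  BaseAddress,   ; [ebp+08h]
;                                      DWORD  FileLength,    ; [ebp+0Ch]
;                                      PDWORD HeaderSum,     ; [ebp+10h]
;                                      PDWORD CheckSum)      ; [ebp+14h]
; ABI:   x86-32 cdecl (.MODEL FLAT, C).  Caller pops the arguments.
;        ebx/esi/edi/ebp are callee-saved: this version saves and restores
;        esi/edi, which the grafted prolog/epilog had stopped doing after
;        imagehlp's _SEH_prolog/_SEH_epilog (which saved them) were removed.
; Out:   eax        = pointer to IMAGE_NT_HEADERS inside the mapping, or 0
;                     when no PE32/PE32+ header was found.
;        *HeaderSum = CheckSum field of the optional header (0 when there is
;                     no usable header).
;        *CheckSum  = computed PE checksum.  Not written when the optional
;                     header Magic is neither PE32 nor PE32+.
; Clobb: eax, ecx, edx, flags.
; Reads: BaseAddress[0 .. FileLength), plus the DOS header and the NT
;        header fields at +18h (Magic) and +58h (CheckSum).  Nothing bounds
;        those header reads against FileLength, and the original's SEH
;        frame is gone, so a truncated or hostile mapping can fault here or
;        in _ImageNtHeader.  Callers must validate the mapping (or wrap the
;        call in __try/__except).
;-----------------------------------------------------------------------
CheckSumMemMapFile PROC

    push    ebp
    mov     ebp, esp
    push    esi                         ; callee-saved under cdecl, clobbered below
    push    edi

    mov     esi, dword ptr [ebp+10h]    ; esi = HeaderSum
    and     dword ptr [esi], 0          ; *HeaderSum = 0

    ; edi = _ChkSum(0, BaseAddress, FileLength / 2):
    ; 16-bit ones-complement sum of all whole words in the mapping.
    mov     eax, dword ptr [ebp+0Ch]
    shr     eax, 1                      ; word count
    push    eax                         ; arg3: word count
    push    dword ptr [ebp+8]           ; arg2: source
    push    0                           ; arg1: initial partial sum
    call    _ChkSum
    add     esp, 0Ch                    ; cdecl: caller removes the arguments
    mov     edi, eax

    ; eax = _ImageNtHeader(BaseAddress), 0 when MZ/PE signatures are absent.
    ; The PROC is spelled _ImageNtHeader; the earlier `_ImageNTHeader`
    ; spelling only resolved because MASM is case-insensitive by default.
    push    dword ptr [ebp+8]
    call    _ImageNtHeader
    add     esp, 4

    test    eax, eax
    je      CheckSum_NoHeader
    cmp     eax, dword ptr [ebp+8]      ; e_lfanew == 0: NT header would alias the DOS header
    je      CheckSum_NoHeader

    movzx   ecx, word ptr [eax+18h]     ; IMAGE_OPTIONAL_HEADER.Magic
    cmp     ecx, 10Bh                   ; IMAGE_NT_OPTIONAL_HDR32_MAGIC
    je      CheckSum_HaveHeader
    cmp     ecx, 20Bh                   ; IMAGE_NT_OPTIONAL_HDR64_MAGIC
    jne     CheckSum_BadMagic

CheckSum_HaveHeader:
    ; OptionalHeader.CheckSum is at the same offset (NT header + 58h) in
    ; both PE32 and PE32+.  Record it, then remove its two 16-bit halves
    ; from the running sum with ones-complement borrow:
    ;     sum -= (sum < half);  sum -= half;
    lea     ecx, [eax+58h]
    mov     edx, dword ptr [ecx]
    mov     dword ptr [esi], edx        ; *HeaderSum = stored checksum
    movzx   edx, word ptr [ecx]         ; low half
    cmp     di, dx
    sbb     esi, esi                    ; esi = -1 if di < dx, else 0 (HeaderSum pointer no longer needed)
    neg     esi
    add     esi, edx
    sub     edi, esi
    movzx   ecx, word ptr [ecx+2]       ; high half
    cmp     di, cx
    sbb     edx, edx
    neg     edx
    add     edx, ecx
    sub     edi, edx

CheckSum_NoHeader:
    ; Odd FileLength: the word sum skipped the last byte, add it now.
    mov     ecx, dword ptr [ebp+0Ch]    ; ecx = FileLength (kept live for the final add)
    test    cl, 1
    je      CheckSum_Finish
    mov     edx, dword ptr [ebp+8]
    movzx   edx, byte ptr [edx+ecx-1]
    add     edi, edx

CheckSum_Finish:
    ; *CheckSum = LOWORD(sum) + FileLength.  eax still holds the header
    ; pointer (or 0), which is the return value.
    movzx   edx, di
    add     edx, ecx
    mov     ecx, dword ptr [ebp+14h]
    mov     dword ptr [ecx], edx

CheckSum_Return:
    pop     edi
    pop     esi
    pop     ebp
    ret                                 ; cdecl: no immediate

CheckSum_BadMagic:
    ; Optional header is neither PE32 nor PE32+: return 0 and leave
    ; *CheckSum untouched.  In imagehlp the `xor eax,eax` here was followed
    ; (judging from the six bytes between it and the SEH scope table at
    ; 76c96fc8) by a short jump back to the epilog; the grafted listing had
    ; nops in that slot and ran straight on into the scope-table bytes.
    ; The orphaned SEH filter/handler and those data bytes are gone here
    ; since no SEH frame is registered any more.
    xor     eax, eax
    jmp     CheckSum_Return

CheckSumMemMapFile ENDP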

;; ADD_DWORDS n : fold n consecutive dwords at [esi] into eax with
;; end-around carry, then advance esi and consume n*4 bytes from ecx.
;; Expands to the same add/adc chain the unrolled original spelled out,
;; and ends on `sub ecx`, so callers may branch on ZF straight after it.
ADD_DWORDS MACRO n
    add     eax, dword ptr [esi]
    _ofs = 4
    REPT n-1
    adc     eax, dword ptr [esi+_ofs]
    _ofs = _ofs + 4
    ENDM
    adc     eax, 0
    add     esi, n*4
    sub     ecx, n*4
ENDM

;-----------------------------------------------------------------------
; DWORD _ChkSum(DWORD PartialSum, PVOID Source, DWORD WordCount)
;              [ebp+08h]          [ebp+0Ch]     [ebp+10h]
; ABI:   x86-32 cdecl.  Preserves esi/ebp; clobbers eax, ecx, edx, flags.
; Out:   eax = 16-bit ones-complement sum of the WordCount 16-bit words at
;        Source, seeded with PartialSum and folded down to 0..0FFFFh.
; Notes: Reads exactly WordCount*2 bytes.  When Source == 2 (mod 4) the
;        first word is peeled off so the dword chains run aligned; any
;        other misalignment just costs unaligned loads on x86.
;-----------------------------------------------------------------------
_ChkSum PROC

    push    ebp
    mov     ebp, esp
    push    esi

    mov     ecx, dword ptr [ebp+10h]    ; ecx = word count
    mov     esi, dword ptr [ebp+0Ch]    ; esi = read cursor
    mov     eax, dword ptr [ebp+08h]    ; eax = running sum

    shl     ecx, 1                      ; ecx = bytes remaining
    je      ChkSum_Fold                 ; nothing to add

    test    esi, 2                      ; cursor is 2 (mod 4): peel one word
    je      ChkSum_Aligned
    movzx   edx, word ptr [esi]
    add     eax, edx
    adc     eax, 0
    add     esi, 2
    sub     ecx, 2

ChkSum_Aligned:
    mov     edx, ecx
    and     edx, 7                      ; edx = tail bytes (0/2/4/6), summed word by word
    sub     ecx, edx                    ; ecx = bytes for the dword chains (multiple of 8)
    je      ChkSum_Tail

    ; Clear the 8/16/32/64-byte residues so the bulk loop only ever sees
    ; multiples of 128 bytes.
    test    ecx, 8
    je      ChkSum_Residue16
    ADD_DWORDS 2
    je      ChkSum_Tail

ChkSum_Residue16:
    test    ecx, 10h
    je      ChkSum_Residue32
    ADD_DWORDS 4
    je      ChkSum_Tail

ChkSum_Residue32:
    test    ecx, 20h
    je      ChkSum_Residue64
    ADD_DWORDS 8
    je      ChkSum_Tail

ChkSum_Residue64:
    test    ecx, 40h
    je      ChkSum_Bulk
    ADD_DWORDS 16
    je      ChkSum_Tail

ChkSum_Bulk:
    ADD_DWORDS 32                       ; 128 bytes per iteration
    jne     ChkSum_Bulk

ChkSum_Tail:
    test    edx, edx
    je      ChkSum_Fold

ChkSum_TailWord:
    movzx   ecx, word ptr [esi]
    add     eax, ecx
    adc     eax, 0
    add     esi, 2
    sub     edx, 2
    jne     ChkSum_TailWord

ChkSum_Fold:
    ; Fold the 32-bit accumulator to 16 bits twice so the carry of the
    ; first fold cannot escape: eax = lo16 + hi16, then once more.
    mov     edx, eax
    shr     edx, 10h
    and     eax, 0FFFFh
    add     eax, edx
    mov     edx, eax
    shr     edx, 10h
    add     eax, edx
    and     eax, 0FFFFh

    pop     esi
    pop     ebp
    ret                                 ; cdecl: no immediate

_ChkSum ENDP

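;-----------------------------------------------------------------------
; PIMAGE_NT_HEADERS _ImageNtHeader(PVOID BaseAddress)         ; [ebp+08h]
; ABI:   x86-32 cdecl.  Preserves esi/ebp; clobbers eax, flags.
; Out:   eax = BaseAddress + e_lfanew when BaseAddress is non-null, starts
;        with IMAGE_DOS_SIGNATURE ("MZ"), has a non-negative e_lfanew and
;        that offset holds IMAGE_NT_SIGNATURE ("PE\0\0"); otherwise 0.
; Notes: The function is not told the size of the mapping, so it cannot
;        check that the 40h-byte DOS header or the 4-byte NT signature at
;        e_lfanew lie inside it.  A hostile e_lfanew still yields an
;        out-of-bounds read of the signature; callers must bound e_lfanew
;        against the mapped length themselves or wrap the call in
;        __try/__except (the original imagehlp SEH frame is not present).
; Fixes vs. the grafted listing: negative e_lfanew is rejected instead of
;        being added to the pointer, and the full 4-byte PE signature is
;        compared rather than only 'P','E'.
;-----------------------------------------------------------------------
_ImageNtHeader PROC

    push    ebp
    mov     ebp, esp
    push    esi

    mov     esi, dword ptr [ebp+08h]    ; esi = BaseAddress
    test    esi, esi
    je      ImageNtHeader_Null

    ; IMAGE_DOS_HEADER.e_magic == IMAGE_DOS_SIGNATURE ('M','Z' = 5A4Dh little-endian)
    cmp     word ptr [esi], 5A4Dh
    jne     ImageNtHeader_Null

    ; e_lfanew is a LONG at IMAGE_DOS_HEADER+3Ch (decimal 60).  A negative
    ; value would move the pointer backwards out of the mapping; reject it.
    mov     eax, dword ptr [esi+3Ch]
    test    eax, eax
    js      ImageNtHeader_Null
    add     eax, esi                    ; eax = BaseAddress + e_lfanew

    ; IMAGE_NT_HEADERS.Signature == IMAGE_NT_SIGNATURE ('P','E',0,0 = 00004550h)
    cmp     dword ptr [eax], 00004550h
    jne     ImageNtHeader_Null
    jmp     ImageNtHeader_Done

ImageNtHeader_Null:
    xor     eax, eax

ImageNtHeader_Done:
    pop     esi
    pop     ebp
    ret                                 ; cdecl: no immediate

_ImageNtHeader ENDP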

END


License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Systems / Hardware Administrator
United States United States
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions