0x2B|~0x2B – Page 10 – My broken wings still strong enough to cross the ocean with.

Pre/Post-main Function Call Implementation in C

February 13, 2014 by gonwan·0 Comments

In C++, pre/post-main function call can be implemented using a global class instance. Its constructor and destructor are invoked automatically before and after the main function. But in C, no such mechanism. Actually, there’s a glib implementation that can help. You may want to read my previous post about CRT sections of MSVC. I just copy the code and do some renaming:

#include <stdlib.h>
#if defined (_MSC_VER)
#if (_MSC_VER >= 1500)
/* Visual Studio 2008 and later have __pragma */
#define HAS_CONSTRUCTORS
#define DEFINE_CONSTRUCTOR(_func) \
    static void _func(void); \
    static int _func ## _wrapper(void) { _func(); return 0; } \
    __pragma(section(".CRT$XCU",read)) \
    __declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _wrapper;
#define DEFINE_DESTRUCTOR(_func) \
    static void _func(void); \
    static int _func ## _constructor(void) { atexit (_func); return 0; } \
    __pragma(section(".CRT$XCU",read)) \
    __declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _constructor;
#elif (_MSC_VER >= 1400)
/* Visual Studio 2005 */
#define HAS_CONSTRUCTORS
#pragma section(".CRT$XCU",read)
#define DEFINE_CONSTRUCTOR(_func) \
    static void _func(void); \
    static int _func ## _wrapper(void) { _func(); return 0; } \
    __declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _wrapper;
#define DEFINE_DESTRUCTOR(_func) \
    static void _func(void); \
    static int _func ## _constructor(void) { atexit (_func); return 0; } \
    __declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _constructor;
#else
/* Visual Studio 2003 and early versions should use #pragma code_seg() to define pre/post-main functions. */
#error Pre/Post-main function not supported on your version of Visual Studio.
#endif
#elif (__GNUC__ > 2) || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
#define HAS_CONSTRUCTORS
#define DEFINE_CONSTRUCTOR(_func) static void __attribute__((constructor)) _func (void);
#define DEFINE_DESTRUCTOR(_func) static void __attribute__((destructor)) _func (void);
#else
/* not supported */
#endif

#include <stdlib.h>

#if defined (_MSC_VER)

#if (_MSC_VER >= 1500)

/* Visual Studio 2008 and later have __pragma */

#define HAS_CONSTRUCTORS

#define DEFINE_CONSTRUCTOR(_func) \

static void _func(void); \

static int _func ## _wrapper(void) { _func(); return 0; } \

__pragma(section(".CRT$XCU",read)) \

__declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _wrapper;

#define DEFINE_DESTRUCTOR(_func) \

static void _func(void); \

static int _func ## _constructor(void) { atexit (_func); return 0; } \

__pragma(section(".CRT$XCU",read)) \

__declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _constructor;

#elif (_MSC_VER >= 1400)

/* Visual Studio 2005 */

#define HAS_CONSTRUCTORS

#pragma section(".CRT$XCU",read)

#define DEFINE_CONSTRUCTOR(_func) \

static void _func(void); \

static int _func ## _wrapper(void) { _func(); return 0; } \

__declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _wrapper;

#define DEFINE_DESTRUCTOR(_func) \

static void _func(void); \

static int _func ## _constructor(void) { atexit (_func); return 0; } \

__declspec(allocate(".CRT$XCU")) static int (* _array ## _func)(void) = _func ## _constructor;

#else

/* Visual Studio 2003 and early versions should use #pragma code_seg() to define pre/post-main functions. */

#error Pre/Post-main function not supported on your version of Visual Studio.

#endif

#elif (__GNUC__ > 2) || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)

#define HAS_CONSTRUCTORS

#define DEFINE_CONSTRUCTOR(_func) static void __attribute__((constructor)) _func (void);

#define DEFINE_DESTRUCTOR(_func) static void __attribute__((destructor)) _func (void);

#else

/* not supported */

#endif

One limitation in glib code is the lack of support for VS2003 and early versions. #pragma code_seg() is used to implement the same function:

/*
 * cl ctor.c
 * gcc ctor.c -o ctor
 */
#include "ctor.h"
#include <stdio.h>

#ifdef HAS_CONSTRUCTORS
DEFINE_CONSTRUCTOR(before)
DEFINE_DESTRUCTOR(after)
#else
#ifdef _MSC_VER
static void before(void);
static void after(void);
#pragma data_seg(".CRT$XCU")
static void (*msc_ctor)(void) = before;
#pragma data_seg(".CRT$XPU")
static void (*msc_dtor)(void) = after;
#pragma data_seg()
#endif
#endif

void before()
{
    printf("before main\n");
}

void after()
{
    printf("after main\n");
}

int main()
{
    printf("in main\n");
    return 0;
}

* cl ctor.c

* gcc ctor.c -o ctor

#include "ctor.h"

#include <stdio.h>

#ifdef HAS_CONSTRUCTORS

DEFINE_CONSTRUCTOR(before)

DEFINE_DESTRUCTOR(after)

#else

#ifdef _MSC_VER

static void before(void);

static void after(void);

#pragma data_seg(".CRT$XCU")

static void (*msc_ctor)(void) = before;

#pragma data_seg(".CRT$XPU")

static void (*msc_dtor)(void) = after;

#pragma data_seg()

#endif

void before()

{

printf("before main\n");

}

void after()

{

printf("after main\n");

}

int main()

{

printf("in main\n");

return 0;

}

Output from msvc/gcc:

before main
in main
after main

before main

in main

after main

MSVC CRT Initialization

February 13, 2014 by gonwan·0 Comments

This post provides a detailed view of the MSDN article CRT Initialization. Just paste some content here:

The CRT obtains the list of function pointers from the Visual C++ compiler. When the compiler sees a global initializer, it generates a dynamic initializer in the .CRT$XCU section (where CRT is the section name and XCU is the group name). To obtain a list of those dynamic initializers run the command dumpbin /all main.obj, and then search the .CRT$XCU section (when main.cpp is compiled as a C++ file, not a C file).

The CRT defines two pointers:
– __xc_a in .CRT$XCA
– __xc_z in .CRT$XCZ

Both groups do not have any other symbols defined except __xc_a and __xc_z. Now, when the linker reads various .CRT groups, it combines them in one section and orders them alphabetically. This means that the user-defined global initializers (which the Visual C++ compiler puts in .CRT$XCU) will always come after .CRT$XCA and before .CRT$XCZ.

So, the CRT library uses both __xc_a and __xc_z to determine the start and end of the global initializers list because of the way in which they are laid out in memory after the image is loaded.

Let’s run our VS debugger to further investigate the CRT implementation. I’m using VS2010, and a global instance of class A is declared and initialized:

class A
{
public:
    A();
    ~A();
};

A::A()
{
    std::cout << "in A::A()" << std::endl;
}

A::~A()
{
    std::cout << "in A::~A()" << std::endl;
}

A a;

class A

{

public:

A();

~A();

};

A::A()

{

std::cout << "in A::A()" << std::endl;

}

A::~A()

{

std::cout << "in A::~A()" << std::endl;

}

A a;

Now set the breakpoints in the constructor and destructor, and start debugging. I’ve tried exe/dll and dynamic/static CRT combinations to view the call stacks:

1) exe with crt dynamic linked:
  crtexe.c: (w)mainCRTStartup()
    +--> crtexe.c: __tmainCRTStartup()
           +--> crt0dat.c: _initterm()
2) exe with crt static linked:
  crt0.c: _tmainCRTStartup()
    +--> crt0.c: __tmainCRTStartup()
           +--> crt0dat.c: _cinit()
                  +--> crt0dat.c: _initterm()
3) dll with crt dynamic linked:
  crtdll.c: _DllMainCRTStartup()
    +--> crtdll.c: __DllMainCRTStartup()
           +--> crtdll.c: _CRT_INIT()
                  +--> crt0dat.c: _initterm()
4) dll with crt static linked:
  dllcrt0.c: _DllMainCRTStartup()
    +--> dllcrt0.c: __DllMainCRTStartup()
           +--> dllcrt0.c: _CRT_INIT()
                  +--> crt0dat.c: _cinit()
                         +--> crt0dat.c: _initterm()

1) exe with crt dynamic linked:

crtexe.c: (w)mainCRTStartup()

+--> crtexe.c: __tmainCRTStartup()

+--> crt0dat.c: _initterm()

2) exe with crt static linked:

crt0.c: _tmainCRTStartup()

+--> crt0.c: __tmainCRTStartup()

+--> crt0dat.c: _cinit()

+--> crt0dat.c: _initterm()

3) dll with crt dynamic linked:

crtdll.c: _DllMainCRTStartup()

+--> crtdll.c: __DllMainCRTStartup()

+--> crtdll.c: _CRT_INIT()

+--> crt0dat.c: _initterm()

4) dll with crt static linked:

dllcrt0.c: _DllMainCRTStartup()

+--> dllcrt0.c: __DllMainCRTStartup()

+--> dllcrt0.c: _CRT_INIT()

+--> crt0dat.c: _cinit()

+--> crt0dat.c: _initterm()

_initterm is defined as follow. It is used to walk through __xc_a and __xc_z mentioned above:

// crt0dat.c
void __cdecl _initterm (
        _PVFV * pfbegin,
        _PVFV * pfend
        )
{
        /*
         * walk the table of function pointers from the bottom up, until
         * the end is encountered.  Do not skip the first entry.  The initial
         * value of pfbegin points to the first valid entry.  Do not try to
         * execute what pfend points to.  Only entries before pfend are valid.
         */
        while ( pfbegin < pfend )
        {
            /*
             * if current table entry is non-NULL, call thru it.
             */
            if ( *pfbegin != NULL )
                (**pfbegin)();
            ++pfbegin;
        }
}

// crt0dat.c

void __cdecl _initterm (

_PVFV * pfbegin,

_PVFV * pfend

)

{

* walk the table of function pointers from the bottom up, until

* the end is encountered. Do not skip the first entry. The initial

* value of pfbegin points to the first valid entry. Do not try to

* execute what pfend points to. Only entries before pfend are valid.

while ( pfbegin < pfend )

{

* if current table entry is non-NULL, call thru it.

if ( *pfbegin != NULL )

(**pfbegin)();

++pfbegin;

}

__xc_a, __xc_z and other section groups are defined as:

// crt0dat.c
/*
 * pointers to initialization sections
 */
extern _CRTALLOC(".CRT$XIA") _PIFV __xi_a[];
extern _CRTALLOC(".CRT$XIZ") _PIFV __xi_z[];    /* C initializers */
extern _CRTALLOC(".CRT$XCA") _PVFV __xc_a[];
extern _CRTALLOC(".CRT$XCZ") _PVFV __xc_z[];    /* C++ initializers */
extern _CRTALLOC(".CRT$XPA") _PVFV __xp_a[];
extern _CRTALLOC(".CRT$XPZ") _PVFV __xp_z[];    /* C pre-terminators */
extern _CRTALLOC(".CRT$XTA") _PVFV __xt_a[];
extern _CRTALLOC(".CRT$XTZ") _PVFV __xt_z[];    /* C terminators */
// sect_attribs.h
#define _CRTALLOC(x) __declspec(allocate(x))

// crt0dat.c

* pointers to initialization sections

extern _CRTALLOC(".CRT$XIA") _PIFV __xi_a[];

extern _CRTALLOC(".CRT$XIZ") _PIFV __xi_z[]; /* C initializers */

extern _CRTALLOC(".CRT$XCA") _PVFV __xc_a[];

extern _CRTALLOC(".CRT$XCZ") _PVFV __xc_z[]; /* C++ initializers */

extern _CRTALLOC(".CRT$XPA") _PVFV __xp_a[];

extern _CRTALLOC(".CRT$XPZ") _PVFV __xp_z[]; /* C pre-terminators */

extern _CRTALLOC(".CRT$XTA") _PVFV __xt_a[];

extern _CRTALLOC(".CRT$XTZ") _PVFV __xt_z[]; /* C terminators */

// sect_attribs.h

#define _CRTALLOC(x) __declspec(allocate(x))

gcc uses similar technology to deal with pre/post-main stuff. The section names are .init and .fini .

Exception Safety with shared_ptr

February 10, 2014 by gonwan·0 Comments

Code snippet:

#include <iostream>
#include <boost/shared_ptr.hpp>

class A {
public:
    A() { std::cout << "in A::A()." << std::endl; }
    ~A() { std::cout << "in A::~A()." << std::endl; }
};

class B {
public:
    B() { std::cout << "in B::B()." << std::endl; throw 1024; }
    ~B() { std::cout << "in B::~B()." << std::endl; }
};

class C {
public:
    C() : m_a(new A), m_b(new B) { }
#ifndef _USE_SHARED_PTR
    ~C() { delete m_b; delete m_a; }
#endif
private:
#ifndef _USE_SHARED_PTR
    A *m_a;
    B *m_b;
#else
    boost::shared_ptr<A> m_a;
    boost::shared_ptr<B> m_b;
#endif
};

int main() {
    try { C c; } catch (...) { }
    return 0;
}

#include <iostream>

#include <boost/shared_ptr.hpp>

class A {

public:

A() { std::cout << "in A::A()." << std::endl; }

~A() { std::cout << "in A::~A()." << std::endl; }

};

class B {

public:

B() { std::cout << "in B::B()." << std::endl; throw 1024; }

~B() { std::cout << "in B::~B()." << std::endl; }

};

class C {

public:

C() : m_a(new A), m_b(new B) { }

#ifndef _USE_SHARED_PTR

~C() { delete m_b; delete m_a; }

#endif

private:

#ifndef _USE_SHARED_PTR

A *m_a;

B *m_b;

#else

boost::shared_ptr<A> m_a;

boost::shared_ptr<B> m_b;

#endif

};

int main() {

try { C c; } catch (...) { }

return 0;

}

Output:

binson@binson-precise:~$ g++ ptr.cpp -o ptr
binson@binson-precise:~$ ./ptr
in A::A().
in B::B().
binson@binson-precise:~$ g++ -D_USE_SHARED_PTR ptr.cpp -o ptr
binson@binson-precise:~$ ./ptr
in A::A().
in B::B().
in A::~A().

binson@binson-precise:~$ g++ ptr.cpp -o ptr

binson@binson-precise:~$ ./ptr

in A::A().

in B::B().

binson@binson-precise:~$ g++ -D_USE_SHARED_PTR ptr.cpp -o ptr

binson@binson-precise:~$ ./ptr

in A::A().

in B::B().

in A::~A().

Exception safety is ensured, when using shared_ptr. Memory allocated by m_a is freed even when an exception is thrown. The trick is: the destructor of class shared_ptr is invoked after the destructor of class C.

Linux System Call

November 8, 2013 by gonwan·0 Comments

The HelloWorld application is much simpler than the Windows one. Just put parameters into registers from %eax to %edx, and trigger a 0x80 interrupt.

# gcc -nostdlib syscall_linux.s -o syscall_linux
.global _start

.text

_start:
    # write(1, message, 13)
    mov     $4, %eax            # system call 4 is write
    mov     $1, %ebx            # file handle 1 is stdout
    mov     $message, %ecx      # address of string to output
    mov     $13, %edx           # number of bytes to write
    int     $0x80               # invoke system call  
    # exit(0)
    mov     $1, %eax            # system call 1 is exit
    xor     %ebx, %ebx          # return 0
    int     $0x80               # invoke system call
message:
    .ascii  "Hello World!\n"

# gcc -nostdlib syscall_linux.s -o syscall_linux

.global _start

.text

_start:

# write(1, message, 13)

mov $4, %eax # system call 4 is write

mov $1, %ebx # file handle 1 is stdout

mov $message, %ecx # address of string to output

mov $13, %edx # number of bytes to write

int $0x80 # invoke system call

# exit(0)

mov $1, %eax # system call 1 is exit

xor %ebx, %ebx # return 0

int $0x80 # invoke system call

message:

.ascii "Hello World!\n"

Windows System Call Sequence and Simulation

November 7, 2013 by gonwan·0 Comments

There are hundreds of documents telling how Windows implements its system call, using int 2e or sysenter. But I can find no code to run to learn how exactly it works. And I managed to write it for my own.

The C code requires only SDK to compile, for I have copied all DDK definitions inline. It opens a C:\test.txt file and write Hello World! to it. Quite simple. I’ve tried a HelloWorld console application. But its call sequence is far more complex than I have expected, after I have made some reverse engineering and read some code from ReactOS project(Wine does not help, since it does not implement a Win32 compatible call sequence in the console case). The code is the basis of our further investigation. It invokes NtCreateFile(), NtWriteFile() and NtClose() in ntdll.dll with dynamic loading:

#include <windows.h>
#include <stdio.h>

#define FILE_OVERWRITE_IF               0x00000005
#define FILE_SYNCHRONOUS_IO_NONALERT    0x00000020
#define OBJ_KERNEL_HANDLE               0x00000200L
#define NT_SUCCESS(Status)      ((NTSTATUS)(Status) >= 0)

typedef LONG NTSTATUS;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef VOID (NTAPI *PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

typedef NTSTATUS (WINAPI *FnNtCreateFile)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

typedef NTSTATUS (WINAPI *FnNtWriteFile)(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
);

typedef NTSTATUS (WINAPI *FnNtClose)(
    HANDLE Handle
);

int main()
{
    HMODULE hModule;
    FnNtCreateFile pfnNtCreateFile;
    FnNtWriteFile pfnNtWriteFile;
    FnNtClose pfnNtClose;
    hModule = LoadLibraryA("ntdll.dll");  /* always 0x7c900000 on XP */
    if (hModule == NULL) {
        return -1;
    }
    pfnNtCreateFile = (FnNtCreateFile)GetProcAddress(hModule, "NtCreateFile");  /* 0x7c90d090 */
    pfnNtWriteFile = (FnNtWriteFile)GetProcAddress(hModule, "NtWriteFile");  /* 0x7c90df60 */
    pfnNtClose = (FnNtClose)GetProcAddress(hModule, "NtClose");  /* 0x7c90cfd0 */
    if (pfnNtCreateFile == NULL || pfnNtWriteFile == NULL || pfnNtClose == NULL) {
        FreeLibrary(hModule);
        return -1;
    } else {
        NTSTATUS ntStatus;
        UNICODE_STRING us;
        OBJECT_ATTRIBUTES oa;
        IO_STATUS_BLOCK ioStatusBlock;
        HANDLE hFile;
        char szHello[] = "Hello World!";
        us.Buffer = L"\\??\\C:\\test.txt";
        us.Length = (USHORT)wcslen(us.Buffer) * sizeof(WCHAR);
        us.MaximumLength = us.Length + sizeof(WCHAR);
        oa.Length = sizeof(oa);
        oa.RootDirectory = NULL;
        oa.ObjectName = &us;
        oa.Attributes = OBJ_KERNEL_HANDLE;
        oa.SecurityDescriptor = NULL;
        oa.SecurityQualityOfService = NULL;
        ntStatus = pfnNtCreateFile(&hFile,
            GENERIC_ALL | SYNCHRONIZE,
            &oa,
            &ioStatusBlock,
            NULL,
            FILE_ATTRIBUTE_NORMAL,
            0,
            FILE_OVERWRITE_IF,
            FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);
        if (!NT_SUCCESS(ntStatus)) {
            fprintf(stderr, "Failed to create file, error = 0x%x\n", ntStatus);
            FreeLibrary(hModule);
            return -1;
        }
        ntStatus = pfnNtWriteFile(hFile,
            NULL,
            NULL,
            NULL,
            &ioStatusBlock,
            szHello,
            (ULONG)strlen(szHello),
            NULL,
            NULL);
        if (!NT_SUCCESS(ntStatus)) {
            fprintf(stderr, "Failed to write file, error = 0x%x\n", ntStatus);
            FreeLibrary(hModule);
            return -1;
        }
        pfnNtClose(hFile);
    }
    FreeLibrary(hModule);
    return 0;
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

#include <windows.h>

#include <stdio.h>

#define FILE_OVERWRITE_IF 0x00000005

#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020

#define OBJ_KERNEL_HANDLE 0x00000200L

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef LONG NTSTATUS;

typedef struct _UNICODE_STRING {

USHORT Length;

USHORT MaximumLength;

PWSTR Buffer;

} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {

ULONG Length;

HANDLE RootDirectory;

PUNICODE_STRING ObjectName;

ULONG Attributes;

PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR

PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE

} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {

union {

NTSTATUS Status;

PVOID Pointer;

};

ULONG_PTR Information;

} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef VOID (NTAPI *PIO_APC_ROUTINE) (

IN PVOID ApcContext,

IN PIO_STATUS_BLOCK IoStatusBlock,

IN ULONG Reserved

);

typedef NTSTATUS (WINAPI *FnNtCreateFile)(

PHANDLE FileHandle,

ACCESS_MASK DesiredAccess,

POBJECT_ATTRIBUTES ObjectAttributes,

PIO_STATUS_BLOCK IoStatusBlock,

PLARGE_INTEGER AllocationSize,

ULONG FileAttributes,

ULONG ShareAccess,

ULONG CreateDisposition,

ULONG CreateOptions,

PVOID EaBuffer,

ULONG EaLength

);

typedef NTSTATUS (WINAPI *FnNtWriteFile)(

HANDLE FileHandle,

HANDLE Event,

PIO_APC_ROUTINE ApcRoutine,

PVOID ApcContext,

PIO_STATUS_BLOCK IoStatusBlock,

PVOID Buffer,

ULONG Length,

PLARGE_INTEGER ByteOffset,

PULONG Key

);

typedef NTSTATUS (WINAPI *FnNtClose)(

HANDLE Handle

);

int main()

{

HMODULE hModule;

FnNtCreateFile pfnNtCreateFile;

FnNtWriteFile pfnNtWriteFile;

FnNtClose pfnNtClose;

hModule = LoadLibraryA("ntdll.dll"); /* always 0x7c900000 on XP */

if (hModule == NULL) {

return -1;

}

pfnNtCreateFile = (FnNtCreateFile)GetProcAddress(hModule, "NtCreateFile"); /* 0x7c90d090 */

pfnNtWriteFile = (FnNtWriteFile)GetProcAddress(hModule, "NtWriteFile"); /* 0x7c90df60 */

pfnNtClose = (FnNtClose)GetProcAddress(hModule, "NtClose"); /* 0x7c90cfd0 */

if (pfnNtCreateFile == NULL || pfnNtWriteFile == NULL || pfnNtClose == NULL) {

FreeLibrary(hModule);

return -1;

} else {

NTSTATUS ntStatus;

UNICODE_STRING us;

OBJECT_ATTRIBUTES oa;

IO_STATUS_BLOCK ioStatusBlock;

HANDLE hFile;

char szHello[] = "Hello World!";

us.Buffer = L"\\??\\C:\\test.txt";

us.Length = (USHORT)wcslen(us.Buffer) * sizeof(WCHAR);

us.MaximumLength = us.Length + sizeof(WCHAR);

oa.Length = sizeof(oa);

oa.RootDirectory = NULL;

oa.ObjectName = &us;

oa.Attributes = OBJ_KERNEL_HANDLE;

oa.SecurityDescriptor = NULL;

oa.SecurityQualityOfService = NULL;

ntStatus = pfnNtCreateFile(&hFile,

GENERIC_ALL | SYNCHRONIZE,

&oa,

&ioStatusBlock,

NULL,

FILE_ATTRIBUTE_NORMAL,

FILE_OVERWRITE_IF,

FILE_SYNCHRONOUS_IO_NONALERT,

NULL,

0);

if (!NT_SUCCESS(ntStatus)) {

fprintf(stderr, "Failed to create file, error = 0x%x\n", ntStatus);

FreeLibrary(hModule);

return -1;

}

ntStatus = pfnNtWriteFile(hFile,

NULL,

&ioStatusBlock,

szHello,

(ULONG)strlen(szHello),

NULL,

NULL);

if (!NT_SUCCESS(ntStatus)) {

fprintf(stderr, "Failed to write file, error = 0x%x\n", ntStatus);

FreeLibrary(hModule);

return -1;

}

pfnNtClose(hFile);

}

FreeLibrary(hModule);

return 0;

}

I found the handle value and all three function pointers are fixed, at least on my Windows XP(SP3). It may be caused by the preferred base address of ntdll.dll. The code should work on all Windows platforms, since it has no hardcoded values.

Now, translate the C code into assembly. Error handling is ommitted:

.386
.model flat,stdcall
.data

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;            SDK prototypes            ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
NULL            EQU 0

UNICODE_STRING STRUCT
    Len             WORD ?
    MaximumLength   WORD ?
    Buffer          DWORD ?
UNICODE_STRING ENDS

OBJECT_ATTRIBUTES STRUCT
    Len                         DWORD ?
    RootDirectory               DWORD ?
    ObjectName                  DWORD ?
    Attributes                  DWORD ?
    SecurityDescriptor          DWORD ?
    SecurityQualityOfService    DWORD ?
OBJECT_ATTRIBUTES ENDS

IO_STATUS_BLOCK STRUCT
    Status  DWORD ?
    Pointer DWORD ?
IO_STATUS_BLOCK ENDS

ExitProcess PROTO :DWORD

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;         Program declarations         ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; IMPORTANT: The paddding is required!!
STR_HELLO           DB      "Hello World!",0,0,0,0
STR_FILE            WORD    "\","?","?","\","C",":","\","t","e","s","t",".","t","x","t",0

.code

NtCreateFile PROC
    ; 25h(XP) or 42h(Win7)
    mov eax, 25h
    mov edx, 7ffe0300h
    call DWORD PTR [edx]
    retn 2ch
NtCreateFile ENDP

NtWriteFile PROC
    ; 112h(XP) or 18ch(Win7)
    mov eax, 112h
    mov edx, 7ffe0300h
    call DWORD PTR [edx]
    retn 24h
NtWriteFile ENDP

NtClose PROC
    ; 19h(XP) or 32h(Win7)
    mov eax, 19h
    mov edx, 7ffe0300h
    call DWORD PTR [edx]
    retn 4h
NtClose ENDP

main PROC
    ;LOCAL ntStatus:DWORD
    LOCAL us:UNICODE_STRING
    LOCAL oa:OBJECT_ATTRIBUTES
    LOCAL ioStatusBlock:IO_STATUS_BLOCK
    LOCAL hFile:DWORD
    ; 1. initialization
    mov us.Buffer, OFFSET STR_FILE
    mov us.Len, 30
    mov us.MaximumLength, 32
    mov oa.Len, TYPE OBJECT_ATTRIBUTES
    mov oa.RootDirectory, NULL
    lea eax, [us]
    mov oa.ObjectName, eax
    ; OBJ_KERNEL_HANDLE
    mov oa.Attributes, 200h
    mov oa.SecurityDescriptor, NULL
    mov oa.SecurityQualityOfService, NULL
    ; 2. parameters of NtCreateFile
    push 0
    push NULL
    ; FILE_SYNCHRONOUS_IO_NONALERT
    push 20h
    ; FILE_OVERWRITE_IF
    push 5h
    push 0
    ; FILE_ATTRIBUTE_NORMAL
    push 80h      
    push NULL
    lea eax, [ioStatusBlock]
    push eax
    lea eax, [oa]
    push eax
    ; GENERIC_ALL | SYNCHRONIZE
    push 10100000h
    lea eax, [hFile]
    push eax
    ; 3. call NtCreateFile
    call NtCreateFile
    ; 4. parameters of NtWriteFile
    push NULL
    push NULL
    push 12
    push OFFSET STR_HELLO
    lea eax, [ioStatusBlock]
    push eax
    push NULL
    push NULL
    push NULL
    push hFile
    ; 5. call NtWriteFile
    call NtWriteFile
    ; 6. parameters of NtClose
    push hFile
    ; 7. call NtClose
    call NtClose
    ; 8. Exit
    ;INVOKE ExitProcess, 0
    ret
main ENDP

END main

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

.386

.model flat,stdcall

.data

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; SDK prototypes ;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

NULL EQU 0

UNICODE_STRING STRUCT

Len WORD ?

MaximumLength WORD ?

Buffer DWORD ?

UNICODE_STRING ENDS

OBJECT_ATTRIBUTES STRUCT

Len DWORD ?

RootDirectory DWORD ?

ObjectName DWORD ?

Attributes DWORD ?

SecurityDescriptor DWORD ?

SecurityQualityOfService DWORD ?

OBJECT_ATTRIBUTES ENDS

IO_STATUS_BLOCK STRUCT

Status DWORD ?

Pointer DWORD ?

IO_STATUS_BLOCK ENDS

ExitProcess PROTO :DWORD

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Program declarations ;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; IMPORTANT: The paddding is required!!

STR_HELLO DB "Hello World!",0,0,0,0

STR_FILE WORD "\","?","?","\","C",":","\","t","e","s","t",".","t","x","t",0

.code

NtCreateFile PROC

; 25h(XP) or 42h(Win7)

mov eax, 25h

mov edx, 7ffe0300h

call DWORD PTR [edx]

retn 2ch

NtCreateFile ENDP

NtWriteFile PROC

; 112h(XP) or 18ch(Win7)

mov eax, 112h

mov edx, 7ffe0300h

call DWORD PTR [edx]

retn 24h

NtWriteFile ENDP

NtClose PROC

; 19h(XP) or 32h(Win7)

mov eax, 19h

mov edx, 7ffe0300h

call DWORD PTR [edx]

retn 4h

NtClose ENDP

main PROC

;LOCAL ntStatus:DWORD

LOCAL us:UNICODE_STRING

LOCAL oa:OBJECT_ATTRIBUTES

LOCAL ioStatusBlock:IO_STATUS_BLOCK

LOCAL hFile:DWORD

; 1. initialization

mov us.Buffer, OFFSET STR_FILE

mov us.Len, 30

mov us.MaximumLength, 32

mov oa.Len, TYPE OBJECT_ATTRIBUTES

mov oa.RootDirectory, NULL

lea eax, [us]

mov oa.ObjectName, eax

; OBJ_KERNEL_HANDLE

mov oa.Attributes, 200h

mov oa.SecurityDescriptor, NULL

mov oa.SecurityQualityOfService, NULL

; 2. parameters of NtCreateFile

push 0

push NULL

; FILE_SYNCHRONOUS_IO_NONALERT

push 20h

; FILE_OVERWRITE_IF

push 5h

push 0

; FILE_ATTRIBUTE_NORMAL

push 80h

push NULL

lea eax, [ioStatusBlock]

push eax

lea eax, [oa]

push eax

; GENERIC_ALL | SYNCHRONIZE

push 10100000h

lea eax, [hFile]

push eax

; 3. call NtCreateFile

call NtCreateFile

; 4. parameters of NtWriteFile

push NULL

push 12

push OFFSET STR_HELLO

lea eax, [ioStatusBlock]

push eax

push NULL

push hFile

; 5. call NtWriteFile

call NtWriteFile

; 6. parameters of NtClose

push hFile

; 7. call NtClose

call NtClose

; 8. Exit

;INVOKE ExitProcess, 0

ret

main ENDP

END main

Compile the code with:

# ml /c testnt.asm
# link /subsystem:console testnt.obj

1 2	# ml /c testnt.asm # link /subsystem:console testnt.obj

The assembly code of NtCreateFile(), NtWriteFile() and NtClose() are copied directly from ntdll.dll. For NtCreate(), 25h is the system service number that will be used to index into the KiServiceTable(SSDT, System Service Dispatch Table) to locate the kernel function that handles the call.

System service numbers vary between Windows versions. This is why they are not recommend to be used directly to invoke system calls. I only demonstrate the approach here. For Windows XP, the values of the three numbers are 25h, 112h and 19h. While for Windows 7, they are 42h, 18ch and 32h. Change them yourself if you’re running Windows 7. For a complete list of system service numbers, refer here or dissemble your ntdll.dll manually :). The output executable is a tiny one, only 3KB in size, since it eliminates the usage of CRT. Moreover, it has an empty list of import functions!

At 7ffe0300h is a pointer to the following code:

mov edx, esp
sysenter

1 2	mov edx, esp sysenter

NOTE: The assembly code may work only when compiled to a 32-bit application. 64-bit mode is not tested and need modification to work.

One last point, it seems the STR_HELLO string is required to be aligned to 8 byte border. Otherwise, you will get 0x80000002 error code(STATUS_DATATYPE_MISALIGNMENT).