Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", string[0][0], string[0][1]);
}

The assembly code on the right is this.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", **string, *(*string + 1));
}

(more…)

Advertisements

A Simple API Monitor

This is a simple Windbg script to monitor common Win32 API calls and display the strings, IPs, Ports, Registry keys passed to the APIs. The Win32 API is huge and I have used common APIs used by programs and malware. I coded this for fun ๐Ÿ™‚

Usage: ApiMon.wds run; g;

You can remove APIs as you wish to minimize the output or you can add any API you desire. For example

bp DLLName!APIName @"$$>a<${$arg0} APIName FileNamePtr

bp kernelbase!CreateFileA @"$$>a<${$arg0} CreateFileA 1";

This is a sample output that uses CreateProcess API.

This is from running netcat.

Download: https://github.com/OsandaMalith/ApiMon
(more…)

String Length Function in NASM

In certain situations when I want to print some string to stdout we need the length for the write syscall in linux. So we can’t always depend on the $-string macro, which is valid for a defined string.

We use the REPNE (REPeat while Not Equal) instruction which will loop as long as CX != 0. Along with REPNE we use SCASB (scan byte string). It compares the content of the accumulator (AL, AX, or EAX) against the current value pointed at by ES:[EDI]. In the end we calculate the difference between offsets of the scanned string (EDI) and the original string (EBX) to find the length.

_strlen:
push ebx
push ecx
mov ebx, edi
xor al, al
mov ecx, 0xffffffff
repne scasb ; REPeat while Not Equal [edi] != al
sub edi, ebx ; length = offset of (edi - ebx)
mov eax, edi
pop ebx
pop ecx
ret

(more…)