Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.
[code language=”C”]
#include <stdio.h>

int main() {
char *string[][2] = {
{"Osanda","Malith"},
{"ABC","JKL"},
{"DEF","MNO"},
};

printf("%s %s\n", string[0][0], string[0][1]);
}
[/code]

The assembly code on the right is this.
[code language=”C”]
#include <stdio.h>

int main() {
char *string[][2] = {
{"Osanda","Malith"},
{"ABC","JKL"},
{"DEF","MNO"},
};

printf("%s %s\n", **string, *(*string + 1));
}
[/code]
(more…)

A Simple API Monitor

This is a simple Windbg script to monitor common Win32 API calls and display the strings, IPs, Ports, Registry keys passed to the APIs. The Win32 API is huge and I have used common APIs used by programs and malware. I coded this for fun 🙂

[code]
Usage: ApiMon.wds run; g;
[/code]

You can remove APIs as you wish to minimize the output or you can add any API you desire. For example
[code]
bp DLLName!APIName @"$$>a<${$arg0} APIName FileNamePtr

bp kernelbase!CreateFileA @"$$>a<${$arg0} CreateFileA 1";
[/code]

This is a sample output that uses CreateProcess API.

This is from running netcat.

Download: https://github.com/OsandaMalith/ApiMon
(more…)