Assembly Language for Beginners

(nextflipdebug2) #1

6.5 Windows NT


Let’s runuptimewhile loading our library before the others:

LD_PRELOAD=`pwd`/fool_uptime.so uptime

And we see:

01:23:02 up 24855 days, 3:14, 3 users, load average: 0.00, 0.01, 0.05

If theLD_PRELOAD

environmentvariablealwayspointstothefilenameandpathofourlibrary, itistobeloadedforallstarting
programs.

More examples:


  • Very simple interception of the strcmp() (Yong Huang)http://go.yurichev.com/17143

  • Kevin Pulo—Fun with LD_PRELOAD. A lot of examples and ideas.yurichev.com

  • File functions interception for compression/decompression files on fly (zlibc).http://go.yurichev.
    com/17146


6.5 Windows NT


6.5.1 CRT (win32).


Does the program execution start right at themain()function? No, it does not.

If we would open any executable file inIDAor HIEW, we can seeOEPpointing to some another code block.

This code is doing some maintenance and preparations before passing control flow to our code. It is called
startup-code or CRT code (C RunTime).

Themain()function takes an array of the arguments passed on the command line, and also one with
environment variables. But in fact a generic string is passed to the program, the CRT code finds the
spaces in it and cuts it in parts. The CRT code also prepares the environment variables arrayenvp.

As forGUI^13 win32 applications,WinMainis used instead ofmain(), having its own arguments:

int CALLBACK WinMain(
_In_ HINSTANCE hInstance,
_In_ HINSTANCE hPrevInstance,
_In_ LPSTR lpCmdLine,
_In_ int nCmdShow
);

The CRT code prepares them as well.

Also, the number returned by themain()function is the exit code.

It may be passed in CRT to theExitProcess()function, which takes the exit code as an argument.

Usually, each compiler has its own CRT code.

Here is a typical CRT code for MSVC 2008.

1 _tmainCRTStartup proc near
2
3 var_24 = dword ptr -24h
4 var_20 = dword ptr -20h
5 var_1C = dword ptr -1Ch
6 ms_exc = CPPEH_RECORD ptr -18h
7
8 push 14h
9 push offset stru_4092D0
10 call
SEH_prolog4
11 mov eax, 5A4Dh


(^13) Graphical User Interface

Free download pdf