Kernel32.dll Beep Function 04-05-2013, 04:32 AM
#2
Alright, so in a mental debate on which area of the forum I should post this in, it was decided that this is "enough" of a suitable place for it. What I am trying to do is to compile a shellcode string (representing a set of instructions), that is to call the Beep function from kernel32.dll in Windows.
I was able to get a message box to show, as well as the beep in XP SP3... But I can't get this to work with Win8 x64.
This is what I am trying to simulate if you will:
So I used from NASM suite, the NDISASM.exe utility to disassemble a test compiled binary in C++ with Visual Studio and got this result:
As you can see in this portion of the disassembly, there is the arguments for the function being pushed onto the stack starting with the duration, and then the frequency (with consideration to LIFO).
I created wrote and debugged a tidbit of C++ code to retrieve the address of the Beep function from the kernel32.dll:
Which gave me this address ~ 0x764531AF, which I suspect would be the equivalent of 0xAF 0x31 0x45 0x76 in shellcode, in that byte order.
![[Image: k0DCxfA.png]](http://i.imgur.com/k0DCxfA.png)
After pointing to this address with my shellcode string, I still couldn't get a beep, so I went back to the start and verified that my address was correct. I even wrote inline asm block in C++ to verify that this address was pointing to the Beep function in the dll...
Worked like a charm. But my byte code did not:
Initially I wrote some inline asm, without the hard coded address, which gave values that I couldn't really use.
I managed to get a beep in XP SP3, but this would not work in Win8 x64 obviously as shellcode is usually very OS dependent.
Any ideas on where my shellcode is wrong?
I was able to get a message box to show, as well as the beep in XP SP3... But I can't get this to work with Win8 x64.
This is what I am trying to simulate if you will:
Code:
Beep(700, 1000);So I used from NASM suite, the NDISASM.exe utility to disassemble a test compiled binary in C++ with Visual Studio and got this result:
Code:
push word 0x3e8
add [bx+si],al
push word 0x2bc
add [bx+si],al
call word [di]As you can see in this portion of the disassembly, there is the arguments for the function being pushed onto the stack starting with the duration, and then the frequency (with consideration to LIFO).
I created wrote and debugged a tidbit of C++ code to retrieve the address of the Beep function from the kernel32.dll:
Code:
GetProcAddress(
GetModuleHandle(L"kernel32.dll"),
"Beep"
);Which gave me this address ~ 0x764531AF, which I suspect would be the equivalent of 0xAF 0x31 0x45 0x76 in shellcode, in that byte order.
After pointing to this address with my shellcode string, I still couldn't get a beep, so I went back to the start and verified that my address was correct. I even wrote inline asm block in C++ to verify that this address was pointing to the Beep function in the dll...
Code:
__asm
{
mov eax,dword ptr 0x764531AF
push 0x3E8
push 0x2EE
call eax
}Code:
mov eax,764531AFh
push 3E8h
push 2EEh
call eaxWorked like a charm. But my byte code did not:
Code:
0xB8 0xAF 0x31 0x45 0x76 0x68 0xE8 0x03 0x00 0x00 0x68 0xEE 0x02 0x00 0x00 0xFF 0xD0Initially I wrote some inline asm, without the hard coded address, which gave values that I couldn't really use.
I managed to get a beep in XP SP3, but this would not work in Win8 x64 obviously as shellcode is usually very OS dependent.
Any ideas on where my shellcode is wrong?
ArkPhaze
"Object oriented way to get rich? Inheritance"
Getting Started: C/C++ | Common Mistakes
[ Assembly / C++ / .NET / Haskell / J Programmer ]
"Object oriented way to get rich? Inheritance"
Getting Started: C/C++ | Common Mistakes
[ Assembly / C++ / .NET / Haskell / J Programmer ]
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)