Created: Thursday, June 29 2006 14:52.13 CDT Modified: Thursday, June 29 2006 14:52.51 CDT
Native Apps: Writing, Building, Testing. Part II: Building
Author: AlexIonescu

Today's entry is all about building your first native application. If you haven't done so already, make sure you read Part I (Writing) first.

You'll need one of two things to create your native application:
1) Visual C++ 2005 Express (or higher)
2) Windows Driver Kit

I'm mentioning these two because they are:
1) FREE for DOWNLOAD
2) What I use

We'll start with the basics. First you'll create a header for your application, let's call it precomp.h, in which you'll include the NDK. The NDK is a special header kit that I've developed (and that will be on OpenRCE soon) which gives access to all the types required to build a native application. After that you can start defining any private types or prototypes you'd like. To include the NDK, just add:

#include "ntndk.h"

Now that that's done, create your main initialization file, which we will call init.c. In this file, add precomp.h like this:
#include "precomp.h"

And define your entry point:

NTSTATUS
__cdecl
main(INT argc,
     PCHAR argv[],
     PCHAR envp[],
     ULONG DebugFlag OPTIONAL)
{
    // Entry code here
    return STATUS_SUCCESS;
}

Hopefully you are familiar with this entry point; it's the typical one used by C programs, with one addition: the "DebugFlag" parameter. Right now we don't need to care about it. We'll keep this entry simple and turn it into a "Hello World":

NTSTATUS
__cdecl
main(INT argc,
     PCHAR argv[],
     PCHAR envp[],
     ULONG DebugFlag OPTIONAL)
{
    UNICODE_STRING HelloMsg = RTL_CONSTANT_STRING(L"Hello World!\n");

    //
    // Say hello
    //
    NtDisplayString(&HelloMsg);

    return STATUS_SUCCESS;
}

Now, if you're wondering what NTSTATUS is, what NtDisplayString is, or what RTL_CONSTANT_STRING and UNICODE_STRINGs are, then you'll need to read all the DDK documentation you can swallow, as well as Nebbett's Undocumented Native API book. Although it's outdated, the information about the APIs is still pretty valid. I may also give a fully-fledged lesson on this if enough people are interested.
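Since the post leaves UNICODE_STRING and RTL_CONSTANT_STRING to the DDK docs, here is an added C illustration of the counted-string layout they describe, written for this page rather than taken from the post or the NDK. It mirrors the DDK macro on portable stand-in types (assumptions: a 2-byte WCHAR via char16_t, and the hypothetical helpers InitUnicodeString and IsValidUnicodeString) and shows why Length is a byte count that excludes the NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <uchar.h>

/* Portable stand-ins for the NT types (assumption: WCHAR is 2 bytes, as on Windows). */
typedef char16_t WCHAR;
typedef uint16_t USHORT;
typedef WCHAR   *PWSTR;

/* Same layout as the DDK/NDK UNICODE_STRING: a counted string with lengths in
 * BYTES. Length excludes any NUL; MaximumLength is the storage behind Buffer.
 * Nt* consumers read Length bytes and never look for a terminating NUL. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* The DDK macro as defined in ntdef.h/wdm.h: only usable on an array or
 * literal, because sizeof() supplies both byte counts at compile time. */
#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }

/* The post's initializer on a char16_t literal (constructed sample):
 * 13 characters -> Length 26, plus the NUL -> MaximumLength 28. */
UNICODE_STRING HelloMsg = RTL_CONSTANT_STRING(u"Hello World!\n");

/* Hypothetical runtime counterpart (what RtlInitUnicodeString does): walk to
 * the NUL, then Length = chars * sizeof(WCHAR) and MaximumLength adds the NUL. */
void InitUnicodeString(PUNICODE_STRING Dest, PWSTR Source)
{
    size_t chars = 0;
    while (Source != NULL && Source[chars] != 0) chars++;
    Dest->Buffer        = Source;
    Dest->Length        = (USHORT)(chars * sizeof(WCHAR));
    Dest->MaximumLength = Source ? (USHORT)((chars + 1) * sizeof(WCHAR)) : 0;
}

/* Hypothetical check a careful consumer applies before reading Length bytes:
 * a NULL buffer with nonzero Length, Length > MaximumLength, or an odd byte
 * count (half a WCHAR) all mean the string must not be trusted. */
int IsValidUnicodeString(const UNICODE_STRING *U)
{
    if (U->Buffer == NULL && U->Length != 0) return 0;
    if (U->Length > U->MaximumLength)        return 0;
    if (U->Length % sizeof(WCHAR) != 0)      return 0;
    return 1;
}
```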

So now that we have our simple program, we need to build it.
I prefer using the WDK myself, because it's much simpler and doesn't require changing a hundred of MSVC's default settings.
Assuming you've properly installed the WDK and entered the Windows build environment for your OS (from the Start Menu), you'll need to create two files in the directory where init.c and precomp.h are: sources and makefile.

Sources should look something like this:

--
TARGETNAME=native
TARGETTYPE=PROGRAM
UMTYPE=nt

INCLUDES=\
         $(DDK_INC_PATH); \
         $(NDK_INC_PATH);

SOURCES=init.c

PRECOMPILED_INCLUDE=precomp.h
--

Note that you'll have to set NDK_INC_PATH as an environment variable yourself, pointing to where the NDK is installed (DDK_INC_PATH is already set up by the WDK).

Finally, you'll need a makefile:

--
!INCLUDE $(NTMAKEENV)\makefile.def
--

That's all you really need for our purposes.

So now you should have init.c, precomp.h, sources and makefile.

The only thing left is to type "build", and the WDK should do the magic and create your first native application. Unfortunately, you can't really test it for now, unless you do the following:

Open the Registry Editor and browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Edit the "BootExecute" key and write "native" instead of what's currently in it, then copy native.exe to your system32 directory and restart the computer. You should see the message on the screen for a little while. Make sure that you do NOT boot with /NOGUIBOOT, or you will never see it.

In the next entry, I'll show how to do this with MSVC, as well as how to actually run and test your application inside Windows/MSVC.

If you'd like to see a working sample, check out:
http://svn.tinykrnl.org/svn/tinykrnl/base/urtl
