Modernise security with stack randomisation

    #21
    Thank you Stuart

    I have modified the code with a GLOBAL hFONT9_bold

    Code:
      GLOBAL hFONT9_bold AS DWORD
    
    '=============================
    FUNCTION PBMAIN () AS LONG
    
        ' Bold font for the label
          FONT NEW "Arial",9,1 TO hFONT9_bold
    
        ' GitRandNum_Stack1
          GitRandNum_Stack2
          DispTransientMsgBox
    
          FONT END hFONT9_bold
    
    END FUNCTION
    I checked and found no spiraling GDI objects.

    Comment


      #22
      Thank you Steve, Excellent routine

      I believe that we should clear the memory of the before and after modification stack
      pointers after the stack pointer has been modified, so that it won't tip off the
      hacker, and to avoid hogging the global memory immediately after usage.

      We do not need the startup pointers after this?

      Code:
      preesp = 0
      pstesp = 0
      what do you think?

      Comment


        #23
        Hi Anne,

        They are actually for post-checking of any modifications to the stack; that's why they are GLOBAL in scope. If you did not need them, you would not leave them in the startup code. In a reasonably big app with a lot of code in it, it is easy to bury a number of tests in different places. It needs to be remembered that a stack exploit is done by some form of software, so it will not be doing in-depth analysis of the code layout; it will try to arbitrarily modify stack arguments to slip in some extra code.

        One thing that is important: don't put the tests in one function and call it from multiple locations. Embed a number of tests directly into different locations; in PB this can be done with a macro.
        hutch at movsd dot com
        The MASM Forum - SLL Modules and PB Libraries

        http://www.masm32.com/board/index.php?board=69.0

        Comment


          #24
          I forgot the one word "with" in my post 9.

          My Question should be.

          Steve, what is with WINMAIN and SDK-Style?

          Comment


            #25
            Hi Norbert,

            It may be the time of day (1:30am) but I have not connected the drift of your question. Perhaps you could elaborate some.
            hutch at movsd dot com
            The MASM Forum - SLL Modules and PB Libraries

            http://www.masm32.com/board/index.php?board=69.0

            Comment


              #26
              Thanks so much Steve,
              the second method looks very robust as I have deployed it in several of my programs

              Comment


                #27
                Originally posted by Norbert Spoerl:
                I forgot the one word "with" in my post 9.

                My Question should be.

                Steve, what is with WINMAIN and SDK-Style?
                Why post back here after Steve started another thread for you for that question?

                Dale

                Comment


                  #28
                  Hi Anne,

                  Glad it worked for you. If you get around to it, or have not implemented it yet, test the global against ESP to ensure ESP has not changed.
                  Code:
                      ! cmp esp, pstesp
                      ! je ok
                      ' do something here to respond to alteration
                      PostQuitMessage 0
                    ok:
                  You can put this anywhere you like to make it hard to find if the code is in a used path, file save, screen update ....
                  hutch at movsd dot com
                  The MASM Forum - SLL Modules and PB Libraries

                  http://www.masm32.com/board/index.php?board=69.0

                  Comment
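                  The two ideas in posts #23 and #28 (shift the stack at the entry point, then embed the "has the stack position changed?" test at several sites via a macro rather than one shared function), as an added example in C. This is not the PowerBASIC/MASM code from the thread or from hutch: it uses GCC/Clang's __builtin_frame_address(0) and alloca in place of reading and adjusting ESP in inline asm, so it builds as 32- or 64-bit; g_stack_mark (standing in for pstesp), STACK_MARK_RECORD/STACK_MARK_OK, pick_shift and the other names are this example's own.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Recorded stack position after the entry-point shift; plays the role of the
 * thread's pstesp global. (Example's own name.) */
static uintptr_t g_stack_mark;

/* The check is a macro so it expands in place at every use site: several
 * independent compare sites in the binary instead of one shared function
 * (post #23). __builtin_frame_address(0) is the GCC/Clang stand-in for
 * reading ESP in inline asm; RECORD and OK must be expanded in the same
 * function, at the same stack depth, for the comparison to mean anything. */
#define STACK_MARK_RECORD() \
    ((void)(g_stack_mark = (uintptr_t)__builtin_frame_address(0)))
#define STACK_MARK_OK() \
    ((uintptr_t)__builtin_frame_address(0) == g_stack_mark)

/* Choose the entry shift from a random value r: a multiple of 16 bytes in
 * [min_shift, max_shift] (both multiples of 16), so alignment is preserved. */
size_t pick_shift(size_t min_shift, size_t max_shift, unsigned r)
{
    size_t steps = (max_shift - min_shift) / 16 + 1;
    return min_shift + (size_t)(r % steps) * 16;
}

/* Frame address of a callee; noinline so it really gets its own frame. */
__attribute__((noinline)) static uintptr_t callee_frame(void)
{
    return (uintptr_t)__builtin_frame_address(0);
}

/* Move this function's stack pointer down by 'shift' bytes (alloca is the
 * portable way to do what adjusting ESP does on the page), then report where
 * a callee's frame lands. Everything called from here inherits the shift. */
__attribute__((noinline)) uintptr_t frame_after_shift(size_t shift)
{
    volatile char *pad = alloca(shift);
    pad[0] = 0;                     /* touch it so the allocation is kept */
    return callee_frame();
}

/* Two shifts from the same caller: the larger one must push the callee's
 * frame further down by (about) the difference. Returns 1 when it does. */
int shift_moves_callee_frame(size_t small_shift, size_t large_shift)
{
    uintptr_t a = frame_after_shift(small_shift);
    uintptr_t b = frame_after_shift(large_shift);
    return a > b && (a - b) + 32 >= (large_shift - small_shift);
}

/* Record, do nothing that changes the frame, check: expected to pass (1). */
int stack_mark_selfcheck(void)
{
    STACK_MARK_RECORD();
    return STACK_MARK_OK();
}

/* Constructed failure: the recorded value no longer matches the live frame,
 * which is the case the check branch in post #28 exists to catch. Returns 0. */
int stack_mark_detects_change(void)
{
    STACK_MARK_RECORD();
    g_stack_mark -= 16;             /* simulate a disturbed record */
    return STACK_MARK_OK();
}

int main(void)
{
    /* Entry point: shift the stack by a random amount in [256, 4096]. */
    size_t shift = pick_shift(256, 4096, (unsigned)time(NULL));
    volatile char *pad = alloca(shift);
    pad[0] = 0;
    STACK_MARK_RECORD();
    printf("entry shift %zu bytes, first callee frame at %#lx\n",
           shift, (unsigned long)callee_frame());

    /* ... application work at this depth (message loop, file save, ...) ... */

    /* Embedded check, the C counterpart of 'cmp esp, pstesp / je ok'. */
    if (!STACK_MARK_OK()) {
        fputs("stack mark mismatch\n", stderr);
        return 1;                   /* respond here, like PostQuitMessage 0 */
    }
    return 0;
}
```

                  Build with gcc or clang and run a few times: the callee frame address printed at startup moves with the shift (and with ASLR), while the macro check at the end of main still passes because it is expanded at the same depth where the mark was recorded. Dropping STACK_MARK_OK() into other functions at their own depth is wrong; each site needs its own record at that depth, or the check has to live where the record was taken.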


                    #29
                    Hello Steve, your code (post #1) is with FUNCTION PBmain(). PBmain is DDT style. I use WINMAIN and SDK. My question is, are there differences in your technique regarding DDT/PBmain and SDK/WINMAIN (applicability, usefulness)?
                    And sorry for the misunderstanding.

                    Comment


                      #30
                      PBmain is DDT style.
                      Not really. Windows programs need a MAIN function. PBMAIN is a version that does not present the four parameters. It can be used with either DDT or SDK. The parameters may be gotten with API functions.

                      WINMAIN does present the four parameters. It also can be used with either DDT or SDK. The parameters are available at startup without additional API functions.

                      (Note: the contents of Command$ vary slightly depending on how it is obtained (PB's COMMAND$, by pointer from WINMAIN, ENVIRON$, etc.).)

                      Cheers,
                      Dale

                      Comment


                        #31
                        Hi Norbert,

                        Using the PBMAIN is not restricted to the DDT wrapper interface, it works for anything you write after it as it is the application's "entry point". You certainly can use a WINMAIN but the arguments you get from a WINMAIN can be done other ways like the command line and the instance handle. SDK was long ago an expensive package from Microsoft but these days, the term is used for the wide range of Windows API functions and you can use them after either a PBMAIN or a WINMAIN.
                        hutch at movsd dot com
                        The MASM Forum - SLL Modules and PB Libraries

                        http://www.masm32.com/board/index.php?board=69.0

                        Comment


                          #32
                          Steve, you wrote in your post #1 this
                          >>>
                          This technique performs the task in a different manner, it adjusts the stack pointer dynamically at the application's entry point across a random range so that the stack pointer is different every time the app starts.
                          <<<
                          Regarding this sentence, do I understand it right that your ASM code is applicable and useful whether the application has its entry point in PBmain or WINMAIN?

                          Comment
