flat assembler
Message board for the users of flat assembler.
b1528932 14 Mar 2011, 20:07
Quote: And another thing, I'm interested how to get the base address from the EP.

EP is just the entry point. I believe you really mean IB (image base). IB is the address at which the headers are loaded. Sections are loaded at addresses from their headers. Those addresses are RVAs, relative to the image base.
Overflowz 14 Mar 2011, 20:17
b1528932
Okay, I got it. And is there any way to do it like this? And how do I compute the image base from the EP? (PE header + 38, 39 or 40, I don't remember = EP in the debugger)
Dex4u 14 Mar 2011, 23:52
This may not be what you want, but you will find it useful: http://comrade.ownz.com/projects/petools.html
Overflowz 15 Mar 2011, 10:52
Dex4u
Nothing from them is useful for what I'm trying to do. I'll explain better now.
1) I have an executable (1.exe) which has another executable (2.exe) in its resources.
2) After starting 1.exe, it extracts 2.exe from the resources and executes it.
2.exe starts normally after extraction. But can I do this without extracting it and just run the code from memory? I mean, can I execute the executable (2.exe) from the resources without extracting it to the HD?
b1528932 15 Mar 2011, 18:05
Forget the EP. I can set it to any value I like. It only tells where to start executing code. It can be anywhere: at the end, beginning, middle or even outside. You can create a process using data from another exe, but it's undocumented, you will run into problems, and if you don't get that EP, it's also pointless. Allocating memory, parsing exe headers and creating process/thread objects is not hard, but you also have to notify csrss about the new process and do other stuff I can't remember right now. Creating a process this way is pointless; I can't help you with that because I haven't done it myself.

Quote: I mean, can I execute the executable (2.exe) from the resources without extracting it to the HD?

What do you define as execute? Start executing code? Yes, just jump to it. Or perhaps start executing code in a new process? I told you before it's hard. Creating a process manually will probably not work on some Windows versions, which you don't want to happen. Also remember that if you extract a file from resources, most AVs will detect it as a trojan/dropper, so if you write malware consider if you really want to do it this way. It's better to include the second file, and just execute the second one from the first one.
Overflowz 15 Mar 2011, 19:20
b1528932
No mate, I'm not trying to write malware. I'm just trying to protect my files from being debugged/edited. But this is a nice idea for me, and I'm always trying to find some way to do that. I think RunPE does what I'm asking for, but it's in VB and I don't understand it much. I've tried so much but without luck. Look here for example: trying to read a file from the HD, then parse it in memory and try to execute it. But the IAT and buffer and other things are destroyed because of the first exe.

removed source for security reasons.

Last edited by Overflowz on 18 Mar 2011, 21:02; edited 1 time in total
b1528932 15 Mar 2011, 19:46
EP is a relative address from the image base.
Note that you do not know in which section it might be. You have to loop through the section table and test if the EP is between the virtual address of a section and its size. Also, it is terrible code; I guess you use it only to test something. Don't mix API calls and function body like that: split it into many functions, create an abstraction layer, and check for errors, every single time, that's why they are there.
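The two points made above (the EP is an RVA, and the section table has to be walked to find where it lives) as an added Python example; this is not code from the thread. It also answers the earlier "PE header + 40" question: AddressOfEntryPoint sits at offset 0x10 of the optional header, i.e. 0x28 (40 decimal) past the PE signature, and ImageBase at optional header offset 0x1C for PE32 or 0x18 for PE32+. The PE image the parser runs on is constructed in memory here for the sake of an offline test; it is not a real program, and the section names, sizes and addresses in it are made up.

```python
"""Resolve a PE entry point by walking the headers and the section table.

Added example; the PE image is constructed in memory below (not a real program
and not code from the thread), so everything here runs offline.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return ImageBase, AddressOfEntryPoint, image sizes and the section table.

    Every address in the headers is an RVA (relative to ImageBase); only
    PointerToRawData is a file offset.
    """
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # IMAGE_FILE_HEADER
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 0x10)        # = PE signature + 0x28
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, opt + 0x1C)
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt + 0x18)   # PE32+ has no BaseOfData
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 0x38)
    sections, sec = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
        sec += 40                                                  # sizeof(IMAGE_SECTION_HEADER)
    return {"image_base": image_base, "entry_rva": entry_rva, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """The section whose virtual range covers rva, or None (header area or outside the image)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def locate_entry(data: bytes) -> dict:
    """Where the EP is: the VA a debugger shows, the owning section and the file offset of its bytes."""
    pe = parse_pe(data)
    sec = section_for_rva(pe["sections"], pe["entry_rva"])
    if sec is None:
        raise ValueError("entry point is not inside any section")
    offset = pe["entry_rva"] - sec["va"] + sec["rawptr"]
    return {"entry_va": pe["image_base"] + pe["entry_rva"], "section": sec["name"],
            "file_offset": offset, "first_bytes": data[offset:offset + 2]}


def map_image(data: bytes) -> bytearray:
    """Lay the file out as the loader does: headers at RVA 0, each section's raw data at its RVA."""
    pe = parse_pe(data)
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for s in pe["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        image[s["va"]:s["va"] + len(raw)] = raw
    return image


def build_sample_pe() -> bytes:
    """Constructed PE32 test image (made-up values): two sections, EP in the middle of .text."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # PE\0\0 + IMAGE_FILE_HEADER: i386, 2 sections, 0xE0-byte optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x2010)            # AddressOfEntryPoint, not at start of .text
    struct.pack_into("<I", opt, 0x1C, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x4000, 0x200)    # SizeOfImage, SizeOfHeaders
    # .data is listed before .text on purpose: table order says nothing about address order
    sec = "<8sIIIIIIHHI"
    data_hdr = struct.pack(sec, b".data", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    text_hdr = struct.pack(sec, b".text", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + file_hdr + bytes(opt) + data_hdr + text_hdr).ljust(0x200, b"\0")
    text_raw = bytearray(b"\x90" * 0x200)
    text_raw[0x10:0x12] = b"\xEB\xFE"                    # jmp $ : the bytes expected at the EP
    return headers + b"\xCC" * 0x200 + bytes(text_raw)


if __name__ == "__main__":
    info = locate_entry(build_sample_pe())
    print(f"EP at VA {info['entry_va']:#x} in {info['section']}, "
          f"file offset {info['file_offset']:#x}, bytes {info['first_bytes'].hex()}")
```

Two caveats worth keeping in mind when using this on real files: ImageBase is only the preferred base, so on an image relocated by the loader (ASLR, or a DLL that could not get its address) the debugger shows a different base while the RVAs and the mapped layout stay the same, which is why a manual loader has to process the relocation directory rather than trust the header; and the section lookup uses the larger of VirtualSize and SizeOfRawData, since either field may legitimately be zero or smaller than the other.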
Overflowz 15 Mar 2011, 19:58
b1528932
Yes, I wrote it just for testing, using OllyDbg and watching everything there. Anyway, I don't understand how to do that.

P.S. I found a Delphi source on the net; can someone translate it to FASM? Thank you.

removed source for security reasons.

Last edited by Overflowz on 18 Mar 2011, 21:02; edited 2 times in total
Feryno 16 Mar 2011, 08:48
Quote: Overflowz wrote:

Another approach, easier to implement (both 1.exe as well as 2.exe are the same file, so you won't extract anything): 1.exe runs itself again (GetCommandLine ... CreateProcess with the DEBUG_PROCESS flag); the parent becomes the debugger of the child. Both parent and child start to run from the same OEP, but some code splits execution into the parent procedure and the child procedure. The skeleton of such code looks like:

Code:
start:
        call    [IsDebuggerPresent]     ; nonzero in the child, which runs under the parent
        test    al,1
        jnz     child
parent:
        call    [GetCommandLine]
        invoke  CreateProcess, rax, ... , DEBUG_PROCESS, ...
L0:
        call    [WaitForDebugEvent]
        ; more code here, e.g. jump to exit when intercepting the Exit Process Debug Event
        call    [ContinueDebugEvent]
        jmp     L0
child:
        ; your_protected_code

You have some samples in the fdbg package (projects section of the FASM forum); look there for the self_dbg directory in the package for Windows. It is only for x64 (you must port it to i386 if your project is not x64).

Your code will be compatible among all versions of Windows; you won't need to manually create memory for the second exe nor parse the exe header / sections. You have to add some protection into the child proc (some instructions to generate exceptions) which will be handled in the parent debug loop (else the attacker may ignore the parent and start to debug the child process immediately; your child proc must essentially depend on the parent debugger, else such protection will be broken immediately; your child proc mustn't run correctly without its parent debugger).
Overflowz 16 Mar 2011, 10:14
Feryno
Thanks for the reply! There is 1 more problem. Here's the structure of what I'm trying to do:
[1] 1.exe MUST start first because it modifies some data in 2.exe
[2] after the data is modified, it should run 2.exe without extracting it.
That's what I'm asking for. 1 more thing: I'm opening the executable as a binary file, not as code to execute.
pearlz 16 Mar 2011, 19:33
Quote: There is no API support for running an EXE from memory. Manually loading an exe and preparing it for execution is no trivial task (code is not for Windows), although I'm sure there are utilities and code out there that do it. The typical solution is to dump the image to a temporary file and run it from there.

Source: http://cboard.cprogramming.com/windows-programming/63419-loading-process-memory.html#5
Overflowz 16 Mar 2011, 20:10
pearlz
I know that already. I need a "trick" for how to do that, because I saw people are already doing that thing! Watch the Delphi source I've posted.
Feryno 17 Mar 2011, 13:17
You can do the same using debugger methods: the parent (debugger) modifies the child (debuggee) on the fly; there is only 1 executable on the disk.

The most ugly way (for a reverser) is when the parent decrypts on the fly only the one instruction of the child which is executing, and after it is executed by the child the parent encrypts it back. Some protectors under 16-bit DOS used this method; it requires additional work under protected mode, but it can be done successfully also.

Just try to debug these executables (I found my backports from x64 to i386). I'll delete this attachment soon, as I reached the edge of the quota limit of the forum (5 MB); let me know that you got it so I can delete it then.

The first sample a0C.exe uses the REPZ LODSD instruction to modify the child; MazeGen likes such instructions very much: http://board.flatassembler.net/topic.php?p=63103#63103

The second sample a0D.exe contains about 10 instructions to be decrypted/encrypted as they execute (who says that there can't be 10000 such instructions if you extend it in the future?).

Last edited by Feryno on 18 Mar 2011, 06:03; edited 1 time in total
Feryno 17 Mar 2011, 13:26
Sorry, the sample decrypting only the one instruction of the child which is executing exists on my side only in an x64 version.

edit 2011-03-18: deleted attachment

Last edited by Feryno on 18 Mar 2011, 06:03; edited 1 time in total
Overflowz 17 Mar 2011, 13:36
Feryno
Well, downloaded, and thank you for helping!
typedef 18 Mar 2011, 00:23
Did you mean this?

Code:
proc SomeProc
        PUSH    EBP
        MOV     EBP,ESP
        ; use EBP and ESP here
        MOV     EAX,[SomeVarWithAMemoryValue]
        ; If passed on the stack:
        ;   ESP     = EIP
        ; If the system pushed a flag (some error happened):
        ;   ESP     = error code
        ;   ESP + 4 = EIP
        ;   ESP + 8 = parameters
        ;   ESP + A = EFLAGS
        MOV     EBP,EAX
        ; POP EBP
        ret             ; you know where this will jump to
endp

; In memory, assuming everything is set up fine
proc SomeMemoryAddressToBeJumpedTo
        PUSH    MB_OK
        PUSH    someVar         ; My title
        PUSH    someVar2        ; I come in peace!
        PUSH    0
        call    [MessageBox]
        MOV     EBP,ESP
        ret
endp

I think that is what you need, maybe. You can test it with OllyDbg; I use the Pelles C debugger, it works well too.
Overflowz 18 Mar 2011, 09:31
typedef
Wish I had commands, hehe.
Overflowz 18 Mar 2011, 12:21
removed source for security reasons.
Last edited by Overflowz on 18 Mar 2011, 21:02; edited 3 times in total |
Overflowz 18 Mar 2011, 20:59
Hey! I thought much and much, and I think I got a solution for this! I'll remove the source codes for security reasons. SOLVED!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.