flat assembler
Message board for the users of flat assembler.

Easy way of adding new section to a pe file ??????
comrade 16 Oct 2005, 17:15
Reverend, thanks.

'patch' was simply an adapted version of a project that I had written earlier. That project was a generic code-attachment utility. If you look in attach.inc from patch.rar, you will see the actual code that gets attached. A new section is required because the program makes relocations, so the code in attach.inc would run normally under another imagebase. Only with a new section is it possible to "fake" an arbitrary imagebase.

However, if the attached code is something as simple as a call to LoadLibrary, then a cavity can be used instead. The program would be very specialized then, as opposed to patch being a generic code attachment utility.

I hope I made myself clear.
Reverend 17 Oct 2005, 13:48
comrade wrote:
A new section is required because the program makes relocations, so the code in attach.inc would run normally under another imagebase. Only with a new section is it possible to "fake" an arbitrary imagebase.
But the 'attach' code could be written imagebase-independently, just as viruses are. The file I am attaching is a handler for my API Monitor. In fact it is the code that is injected into the given process, and so it is imagebase-independent.

EDIT: Code is MASM-specific.

Attachment: ApiHandler.inc (Part of ApiMon project, 5.31 KB)

comrade 17 Oct 2005, 23:49
Yes, but it is a pain to write imagebase-independent code. With my solution of performing relocations during attachment, it is possible to inject almost any code with few changes (just the import table and a bit more during start-up).
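To make concrete what comrade means by performing relocations during attachment, here is an added Python sketch (example code for this page, not the thread's or the patch utility's own) that walks a 32-bit PE base-relocation directory and adds the base delta to every HIGHLOW fixup inside an attached code blob. The code bytes, relocation block and addresses below are constructed for the example; only IMAGE_REL_BASED_HIGHLOW is handled.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to fix up
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta

def parse_base_relocations(reloc):
    """Yield (rva, type) for each entry of an IMAGE_BASE_RELOCATION directory."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):
            raise ValueError("corrupt SizeOfBlock in relocation directory")
        for pos in range(off + 8, off + size, 2):
            (entry,) = struct.unpack_from("<H", reloc, pos)
            yield page_rva + (entry & 0x0FFF), entry >> 12   # low 12 bits: page offset
        off += size

def apply_relocations(code, code_rva, reloc, linked_base, actual_base):
    """Rebase `code` (first byte at RVA code_rva in the linked image) from the
    image base it was linked for to the base it will really run under."""
    out = bytearray(code)
    delta = (actual_base - linked_base) & 0xFFFFFFFF
    for rva, typ in parse_base_relocations(reloc):
        if typ == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if typ != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError(f"unsupported relocation type {typ}")
        i = rva - code_rva
        if not 0 <= i <= len(out) - 4:
            raise ValueError(f"fixup at RVA {rva:#x} falls outside the attached code")
        (value,) = struct.unpack_from("<I", out, i)
        struct.pack_into("<I", out, i, (value + delta) & 0xFFFFFFFF)
    return bytes(out)

# Constructed sample: two instructions linked at image base 0x400000, code at RVA 0x1000:
#   mov eax,[0x00403000]    -> A1 00 30 40 00    (absolute operand at RVA 0x1001)
#   inc dword [0x00403004]  -> FF 05 04 30 40 00 (absolute operand at RVA 0x1007)
SAMPLE_CODE = bytes.fromhex("a100304000ff0504304000")
# One relocation block for page 0x1000 with two HIGHLOW entries (type 3 in the top nibble)
SAMPLE_RELOC = struct.pack("<IIHH", 0x1000, 12, 0x3001, 0x3007)

def rebase_sample():
    """Relocate the sample as if it were mapped at base 0xA00000 instead of 0x400000."""
    return apply_relocations(SAMPLE_CODE, 0x1000, SAMPLE_RELOC, 0x400000, 0xA00000)

if __name__ == "__main__":
    print(rebase_sample().hex())  # a10030a000ff050430a000
```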
Reverend 18 Oct 2005, 12:16
comrade: It's not so hard. Just do at the beginning:
Code:
call @F                 ; pushes the run-time address of @@
@@: pop ebp             ; ebp = run-time address of @@
sub ebp, @B             ; ebp = run-time address - link-time address (the delta)
And after this, instead of writing to [memory], write to [ebp+memory]:
Code:
; mov eax, [memory_location1]
mov eax, [ebp+memory_location1]
; inc dword [memory_location2]
inc dword [ebp+memory_location2]
Such code would be place-independent, and wherever you put it, it will work well.
comrade 18 Oct 2005, 16:48
I know. I consider that painful. Do not kid yourself. This is not a style you want to program normally in, when you have to reference everything in memory relative to some location.
comrade 18 Oct 2005, 16:51
Would you rather write this:
Code:
code:
        mov     eax,[ebp-data+var1]
        add     eax,[ebp-data+var2]
        movzx   ecx,byte [ebp-data+var3]
        xor     eax,ecx
data:
        var1    dd      ?
        var2    dd      ?
        var3    db      ?

or this:
Code:
code:
        mov     eax,[var1]
        add     eax,[var2]
        movzx   ecx,byte [var3]
        xor     eax,ecx
data:
        var1    dd      ?
        var2    dd      ?
        var3    db      ?

In fact, I don't know if you could even write "-data" with FASM.
Reverend 18 Oct 2005, 17:38
There wasn't so much code that needed to be place-independent, only the 'attach' file. But ok, it's your decision. Peace :)
comrade 19 Oct 2005, 00:15
The attach.inc file could be enormous. In one project, I had a full-blown GUI as an attachment. The relocation technique worked quite well, and I did not have to bother myself with writing address-independent code.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.