flat assembler
Message board for the users of flat assembler.

PE/COFF - IAT in .code section blows Import table

Joined: 24 Oct 2006
Posts: 42
TheLord 11 May 2009, 16:39
Hi,

I'm trying to xor (as told in a previous topic) the whole .code section of an exe file (still CALC.EXE).

Here is the code:

Code:
;test encrypt
;assumes esi -> IMAGE_SECTION_HEADER of .code, [mapLocation] -> base of the file mapping
pushad
xor ecx, ecx
add esi, 10h
mov ebx, dword[esi]     ;section .CODE RAWSIZE (SizeOfRawData)
test ebx, ebx
jz done                 ;empty section: nothing to encrypt

add esi, 4h
mov edx, dword[esi]     ;section .CODE RAWOFFSET (PointerToRawData)
add edx, [mapLocation]  ;file offset -> address inside the mapping

crypt:
xor byte[edx], 36h      ;encrypt the current byte first...
inc edx                 ;...then advance, so byte 0 is covered and we stop at RAWSIZE
inc ecx
cmp ecx, ebx
jne crypt

done:
popad
;;;;;;;;;;;;;


My problem is the following: it encrypts the IAT, which is at the beginning of the .code section.
So the import table is screwed up, and so the end file is corrupted.
I can hardly find anything to help myself on the internet, no doc, no source, no explanation, nothing.

Does anyone have a clue for me to investigate?

Thanks
TheLord 11 May 2009, 18:30
I'm actually "playing" with the PE headers of the incriminated file (CALC.EXE).

It seems that just resetting the IAT directory structure to
VA = 00000000
VS = 00000000

and resetting the bound import directory structure to
VA = 00000000
VS = 00000000

does NOT corrupt the execution of the file.

Is the IAT optional? Is this just a "helper" to resolve APIs faster (instead of directly looking into the import table)?

I checked the MSDN documentation about the PE headers but it does not seem to be very clear to me!

Thanks for the help.
Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 11 May 2009, 20:18
IAT is necessary for the executable to function correctly.

You have to be careful to only encrypt what is needed.
Joined: 26 Aug 2008
Posts: 227
pal 11 May 2009, 21:28
Can you actually encrypt the IAT? I don't think you can, as the Windows process loader loads the IAT into memory before the execution of your program, so it won't work like that. I may be wrong, so please correct me if I am.

You could always use GetProcAddress and decrypt data upon loading. It would be a much better method. You could replace all calls to an API with injected code (IAT patching).
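Both comrade's point (only touch what is needed) and pal's (the loader fills the IAT before the entry point runs) come down to knowing where the IAT sits inside the section. The parser below is an added example, not code from this thread: it reads the IAT data directory (entry 12 of the optional header, PE32 or PE32+), finds the section that owns it, and reports the section's raw file range next to the IAT's raw file range, so a tool that rewrites the section can leave the loader-owned bytes alone. The PE it runs on is a constructed header skeleton, not CALC.EXE.

```python
import struct

IAT_DIRECTORY = 12  # index of IMAGE_DIRECTORY_ENTRY_IAT in the optional header


def locate_iat(pe: bytes):
    """Return the section holding the IAT and its raw file ranges, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    # NumberOfRvaAndSizes sits at +92 for PE32 and +108 for PE32+; the
    # 8-byte (VirtualAddress, Size) directory entries follow it directly.
    ndirs_off = 92 if magic == 0x10B else 108
    ndirs = struct.unpack_from("<I", pe, opt + ndirs_off)[0]
    if ndirs <= IAT_DIRECTORY:
        return None
    iat_rva, iat_size = struct.unpack_from(
        "<II", pe, opt + ndirs_off + 4 + 8 * IAT_DIRECTORY)
    if iat_size == 0:
        return None                          # no IAT directory: nothing to protect
    sections = coff + 20 + opt_size          # IMAGE_SECTION_HEADER array
    for i in range(nsec):
        name, vsize, va, rawsize, rawoff = struct.unpack_from(
            "<8sIIII", pe, sections + 40 * i)
        if va <= iat_rva < va + max(vsize, rawsize):
            delta = iat_rva - va             # RVA -> offset inside the section
            return {"section": name.rstrip(b"\0").decode(),
                    "section_raw": (rawoff, rawoff + rawsize),
                    "iat_raw": (rawoff + delta, rawoff + delta + iat_size)}
    return None


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton: one .code section whose first 0x40 bytes are the IAT."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IAT_DIRECTORY, 0x1000, 0x40)
    sec = struct.pack("<8sIIIIIIHHI", b".code", 0x200, 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(0x400, b"\0") + bytes(0x200)           # raw data at 0x400
```

On the sample the IAT occupies file offsets 0x400-0x440 at the very start of the 0x400-0x600 .code range, which is exactly the layout the first post's loop tramples.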
TheLord 13 May 2009, 08:37
Hi,

Thank you for your answer.
I spent some time on all the import stuff and found out it's better to "fake" an import table importing LoadLibrary and GetProcAddress, and then restore the APIs during the file runtime, just as pal said.

This way I don't have to take care of what code portion I encrypt! This sounds good to me; if there is anything that would make it impossible, illuminate me :p

Thank you again
Copyright © 1999-2025, Tomasz Grysztar.