flat assembler
Message board for the users of flat assembler.
Windows > Launch Executable from Memory ?
dancho 07 Apr 2011, 08:06
@Overflowz
From the Win7 SDK:
PAGE_READWRITE (0x04) - Enables read-only, read/write, or copy-on-write access to the committed region of pages.
PAGE_EXECUTE_READWRITE (0x40) - Enables execute, read-only, read/write, or copy-on-write access to the committed region of pages. Windows Server 2003 and Windows XP: This attribute is not supported by the CreateFileMapping function until Windows XP with SP2 and Windows Server 2003 with SP1.

Overflowz 07 Apr 2011, 08:16
dancho
I know that, but I need only READ and WRITE access, right? The process is already created with the SUSPEND flag and it just needs to call the ResumeThread API. Do I need the EXECUTE flag too?

dancho 07 Apr 2011, 08:25
@Overflowz
It depends on what you wanna do: if the page has the PAGE_READWRITE protection attribute and you try to execute code in it, it will raise an access violation...

Overflowz 07 Apr 2011, 11:36
Still can't get it to work.. ERROR_NOACCESS on VirtualProtect with the PAGE_EXECUTE_READWRITE flag, and the same with PAGE_EXECUTE_READ and with both. It works only with the PAGE_READWRITE flag. I think a code rewrite won't work because it will replace the current code, so ResumeThread won't work then.. I need to modify just the PE things; can anyone suggest what I should replace in memory? I know that I should replace the IAT, EP and buffer addresses, I think.. Help ):

LiuGuoHua(Chinese) 08 Apr 2011, 08:12
I think there should be two ways to achieve this:
1. Compile the child exe with a reloc section, and do the relocation before you jump to the entry point.
2. Make the entry point of the child exe different from its parent's. Then load it manually to the address it should be at, and jump to its entry point.

Overflowz 08 Apr 2011, 10:07
LiuGouHua(Chinese)
Thanks for the reply! But I got another problem, I don't know so many things )) I'm now trying to translate this one to FASM but I can't get it to work uhh !!
MASM Source:
Code:
    LoadEXEfromMem PROC pEXE:DWORD,pModule:DWORD
        LOCAL exeptr:DWORD,nthdr:IMAGE_NT_HEADERS32,entry:DWORD
        mov esi,pEXE
        add esi, [esi+3ch]
        lea edi,nthdr
        mov ecx, sizeof IMAGE_NT_HEADERS32
        cld
        rep movsb
        ......
FASM Source:
Code:
    section '.data' data readable writeable
        nthdr IMAGE_NT_HEADERS32
        .....
    section '.code' code readable executable
        ............
        mov esi,[alloc]                       ;<--- executable file handle
        add esi,[esi+0x3c]
        mov edi,nthdr
        mov ecx,sizeof.IMAGE_NT_HEADERS32
        cld
        rep movsb
        mov ax,[nthdr.OptionalHeader.Magic]   ;<--- Checking this for sure but it's not MZ..

ctl3d32 08 Apr 2011, 10:46
maybe this:
Code:
    mov ax,[edi + OptionalHeader.Magic]

Overflowz 08 Apr 2011, 12:18
ctl3d32
Nope, it says undefined symbol "OptionalHeader.Magic". I've also tried these:
Code:
    mov ax,[edi + OptionalHeader.Magic]
    mov ax,[esi + OptionalHeader.Magic]
    mov ax,[edi + nthdr.OptionalHeader.Magic]
    mov ax,[esi + nthdr.OptionalHeader.Magic]
None of them shows the true result.. exe base = OK, starting with 4d 5a when I'm following it in the dump.

dancho 08 Apr 2011, 14:37
@Overflowz
something like this maybe :
Code:
    invoke CreateFile,fileName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    invoke CreateFileMapping,eax,0,PAGE_READONLY,0,0,0
    invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
    virtual at eax
        .idh IMAGE_DOS_HEADER
    end virtual
    mov edx,[.idh.e_lfanew]
    add eax,edx
    virtual at eax
        .inth IMAGE_NT_HEADERS32
    end virtual
    movzx edx,[.inth.OptionalHeader.Magic]
    .if edx<>10bh       ; IMAGE_NT_OPTIONAL_HDR32_MAGIC
        ; error msg
    .endif
just remember to release the handles when you are done...

Overflowz 08 Apr 2011, 14:42
Can't it be done without using the CreateFileMapping/MapViewOfFile API calls? And also, I don't know what virtual does ):

dancho 08 Apr 2011, 14:48
sure,
VirtualAlloc or HeapAlloc + ReadFile API will do... virtual directive: http://flatassembler.net/docs.php?article=manual#2.2.4

Overflowz 08 Apr 2011, 19:19
dancho
I don't understand that.. because of my poor English knowledge. P.S. I've done GlobalAlloc + ReadFile and [alloc] = BASE of the executable.

Overflowz 09 Apr 2011, 10:40
First of all, I have problems with the PE headers.. It never shows the true result....
Here's what I'm trying, but it has the same value every time.. What am I doing wrong?..
Code:
    invoke CreateFile,fName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    mov [hFile],eax
    invoke GetFileSize,eax,0
    mov [nSize],eax
    invoke VirtualAlloc,0,[nSize],MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov [alloc],eax
    invoke ReadFile,[hFile],[alloc],[nSize],lpBytesRead,0
    invoke CloseHandle,[hFile]
    mov esi,[alloc]
    add esi,[esi+0x3c]
    mov edi,nthdr
    mov ecx,sizeof.IMAGE_NT_HEADERS32
    cld
    rep movsb
    invoke VirtualAlloc,0,nthdr.OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    add eax,nthdr.OptionalHeader.AddressOfEntryPoint
    mov [nEntry],eax
    ret
nthdr.OptionalHeader.SizeOfImage shows the same result on files of different sizes.. What's wrong? I guess I have a problem with the headers.. Can someone help me with this?

dancho 09 Apr 2011, 14:35
@Overflowz
download PEview : http://www.magma.ca/~wjr/ and check your result against the PEview result for your test files... btw the size of the file and the size of the file on disk are two very different things, and SizeOfImage.IMAGE_OPTIONAL_HEADER is a third one: it represents the sum of all header and section lengths aligned to SectionAlignment...

Overflowz 09 Apr 2011, 14:56
dancho
I think I'm doing something wrong and I don't have problems with the headers, because when I'm checking nthdr.OptionalHeader.Magic it's not MZ, and it must not be MZ. I have a question for you: how can I fill IMAGE_DOS_HEADER? ))

Overflowz 09 Apr 2011, 15:45
I found the problem.
Code:
    invoke VirtualAlloc,0,[nthdr.OptionalHeader.SizeOfImage],MEM_COMMIT,PAGE_EXECUTE_READWRITE
I'll follow the translation and if I have some problems, I'll write them here.

Overflowz 09 Apr 2011, 16:34
One little problem here, I don't know how to convert this to fasm.. Can anyone help?
MASM Syntax:
Code:
    mov ebx, nthdr.OptionalHeader.DataDirectory[1*8].VirtualAddress

dancho 09 Apr 2011, 17:44
so you need access to the second IMAGE_DATA_DIRECTORY element and its VirtualAddress member of the DataDirectory array :
something like this then :
Code:
    ; eax is pointer to IMAGE_NT_HEADERS32
    ; 1. skip signature       4+
    ; 2. skip FileHeader      0x14+
    ; 3. skip OptionalHeader  0x60  = 0x78
    add eax,0x78
    ; you are now at the very start of the array...
    ; skip 1. element (2*4)
    add eax,8
    ; and now eax is pointing to the 2. element
    mov ebx,[eax]       ; ebx has the VirtualAddress data

Overflowz 09 Apr 2011, 20:14
dancho
Thank you for the help but I can't get it right.. ): I'm stuck here...
FASM Syntax:
Code:
    virtual at ebx
        sehdr IMAGE_SECTION_HEADER
    end virtual
    xor ecx,ecx
    mov cx,[nthdr.FileHeader.NumberOfSections]
  @@:
    mov esi,[sehdr.PointerToRawData]
    add esi,[alloc]
    mov edi,[sehdr.VirtualAddress]
    add edi,[nBase]
    push ecx
    cld
    rep movsb
    pop ecx
    add ebx,sizeof.IMAGE_SECTION_HEADER
    loop @b
    add ebx,0x78
    add ebx,8
    mov eax,[ebx]
MASM Syntax:
Code:
    ASSUME ebx : ptr IMAGE_SECTION_HEADER
    xor ecx, ecx
    mov cx, nthdr.FileHeader.NumberOfSections
  @@:
    mov esi, [ebx].PointerToRawData
    add esi, pEXE
    mov edi, [ebx].VirtualAddress
    add edi, exeptr
    push ecx
    mov ecx, [ebx].SizeOfRawData
    cld
    rep movsb
    pop ecx
    add ebx, sizeof IMAGE_SECTION_HEADER
    loop @B
    mov ebx, nthdr.OptionalHeader.DataDirectory[1*8].VirtualAddress
pEXE = alloc, exeptr = nBase. Am I doing something wrong? P.S. Is this the same:
Code:
    virtual at ebx
        tstring db 5
    end virtual
and this:
Code:
    mov [ebx],5

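The offsets dancho works out above (DataDirectory at IMAGE_NT_HEADERS32 + 0x78, element [1] eight bytes further) and the section-header fields the loop in the last post reads (VirtualAddress, SizeOfRawData, PointerToRawData) can be checked from the analyst side with a small parser, which is also the quickest way to compare a program's result against PEview. This is an added example in Python, not code from the thread or from fasm: it builds a constructed, headers-only PE32 image, reads e_lfanew, the optional-header Magic, AddressOfEntryPoint, SizeOfImage, DataDirectory[1] and the section table, and shows why SizeOfImage is not the file size on disk.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # what OptionalHeader.Magic holds for PE32; it is never "MZ"

def parse_pe32(buf):
    """Read the PE32 header fields discussed in the thread from a raw file image in memory."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", buf, 0x3C)[0]             # IMAGE_DOS_HEADER.e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) starts at nt+4: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", buf, nt + 6)[0]
    size_opt = struct.unpack_from("<H", buf, nt + 20)[0]
    opt = nt + 0x18                                          # IMAGE_OPTIONAL_HEADER32
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header: magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", buf, opt + 0x10)[0]       # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", buf, opt + 0x38)[0]   # SizeOfImage, SectionAlignment-aligned
    # DataDirectory starts at opt+0x60 == nt+0x78; element [1] (import table) is 8 bytes further
    import_rva, import_size = struct.unpack_from("<II", buf, nt + 0x78 + 8)
    sections = []
    for i in range(num_sections):                            # IMAGE_SECTION_HEADER entries are 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, raw_size, raw_ptr))
    return {"e_lfanew": nt, "entry_rva": entry_rva, "size_of_image": size_of_image,
            "import_rva": import_rva, "import_size": import_size, "sections": sections}

def build_sample_pe32():
    """Constructed minimal PE32 file image for this example (headers only, no real code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x38, 0x3000)                           # SizeOfImage: headers + 2 pages
    struct.pack_into("<I", opt, 0x3C, 0x200)                            # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8, 0x2000, 0x28)                # DataDirectory[1] = imports
    sec = "<8sIIIIIIHHI"                                                # 40-byte IMAGE_SECTION_HEADER
    secs = (struct.pack(sec, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack(sec, b".rdata", 0x28, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + secs
    return headers.ljust(0x200, b"\0") + b"\0" * 0x400                  # 0x600 bytes on disk
```

The sample file is 0x600 bytes on disk while SizeOfImage is 0x3000, which is the distinction dancho draws; note also that the 0x78 offset is relative to the start of IMAGE_NT_HEADERS32, not to whatever a register happens to point at after walking the section table.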
Copyright © 1999-2025, Tomasz Grysztar.