flat assembler
Message board for the users of flat assembler.

Index > Windows > Launch Executable from Memory ?

Goto page Previous  1, 2, 3, 4, 5  Next
Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 07 Apr 2011, 07:59
First of all, I'm sorry, I've copied other code.. Sad I was really sleepy and tired so.. Also I though OR and '+' was same thing. I've wrote this which worked fine but code was not modified by another application.
Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_READWRITE,somebufferhere    

What's difference between PAGE_READWRITE and PAGE_EXECUTE_READWRITE ?
Regards
Post 07 Apr 2011, 07:59
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 07 Apr 2011, 08:06
@Overflowz
from Win7SDK :
PAGE_READWRITE (0x04) - Enables read-only, read/write, or copy-on-write access to the committed region of pages.

PAGE_EXECUTE_READWRITE (0x40) - Enables execute, read-only, read/write, or copy-on-write access to the committed region of pages.Windows Server 2003 and Windows XP: This attribute is not supported by the CreateFileMapping function until Windows XP with SP2 and Windows Server 2003 with SP1.
Post 07 Apr 2011, 08:06
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 07 Apr 2011, 08:16
dancho
I know that but I need only READ and WRITE access right ? Process is created already with SUSPEND flag and it just needs to call ResumeThread API. Should I need EXECUTE flag too ? Neutral
Post 07 Apr 2011, 08:16
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 07 Apr 2011, 08:25
@Overflowz
it depends what you wanna do,if you have PAGE_READWRITE protection attribute and you try to execute code in that page it will raise an access violation...
Post 07 Apr 2011, 08:25
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 07 Apr 2011, 11:36
still can't get it work.. ERROR_NOACCESS on VirtualProtect with PAGE_EXECUTE_READWRITE flag and same on PAGE_EXECUTE_READ and both. Works only with PAGE_READWRITE flag. I think code rewrite won't work because it will replace current code = ResumeThread won't work then.. I need to modify just PE things and can anyone suggest me what should I replace in memory ? I know that I should replace IAT, EP and buffer addreses I think.. Help ):
Post 07 Apr 2011, 11:36
View user's profile Send private message Reply with quote
LiuGuoHua(Chinese)



Joined: 26 Sep 2003
Posts: 25
LiuGuoHua(Chinese) 08 Apr 2011, 08:12
I think there should be two ways to achieve this:
1. Compile the child exe with reloc section, do relocation before you jump to the entry point.
2. Make the entrypint of the child exe diffrent from its parent. Then load it manually to the address it should be in, and jump to its entrypoint.
Post 08 Apr 2011, 08:12
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 08 Apr 2011, 10:07
LiuGouHua(Chinese)
Thanks for reply! But I got another problem, I don't know so much things )) I'm trying now to translate this one to FASM but I can't get it work uhh !!
MASM Source:
Code:
LoadEXEfromMem PROC pEXE:DWORD,pModule:DWORD

LOCAL exeptr:DWORD,nthdr:IMAGE_NT_HEADERS32,entry:DWORD

    mov esi,pEXE
    add esi, [esi+3ch]
    lea edi,nthdr
    mov ecx, sizeof IMAGE_NT_HEADERS32
    cld 
    rep movsb                 
......                           


FASM Source:
Code:
section '.data' data readable writeable
nthdr IMAGE_NT_HEADERS32
.....
section '.code' code readable executable
............
     mov esi,[alloc]     ;<--- executable file handle
     add esi,[esi+0x3c]
     mov edi,nthdr
     mov ecx,sizeof.IMAGE_NT_HEADERS32
     cld
     rep movsb
     mov ax,[nthdr.OptionalHeader.Magic] ;<--- Checking this for sure but it's not MZ.. Sad
    
Post 08 Apr 2011, 10:07
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 206
Location: Brazil
ctl3d32 08 Apr 2011, 10:46
maybe this:

Code:
mov ax,[edi + OptionalHeader.Magic]
    
Post 08 Apr 2011, 10:46
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 08 Apr 2011, 12:18
ctl3d32
Nope, it says undefined symbol "OptionalHeader.Magic" I've also tried those:
Code:
mov ax,[edi + OptionalHeader.Magic]
mov ax,[esi + OptionalHeader.Magic]
mov ax,[edi + nthdr.OptionalHeader.Magic]
mov ax,[esi + nthdr.OptionalHeader.Magic]    

None of them shows true result..
exe base = OK, starting with 4d 5a when I'm following it in dump.
Post 08 Apr 2011, 12:18
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 08 Apr 2011, 14:37
@Overflowz
something like this maybe :
Code:
invoke CreateFile,fileName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
invoke CreateFileMapping,eax,0,PAGE_READONLY,0,0,0
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
virtual at eax
         .idh IMAGE_DOS_HEADER
end virtual
mov edx,[.idh.e_lfanew]
add eax,edx
virtual at eax
          .inth IMAGE_NT_HEADERS32
end virtual
movzx edx,[.inth.OptionalHeader.Magic]
.if edx<>10bh ; IMAGE_NT_OPTIONAL_HDR32_MAGIC
        ; error msg
.endif
    


just remember to release handles when you are done...
Post 08 Apr 2011, 14:37
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 08 Apr 2011, 14:42
can't it be done without using CreateFileMapping/MapViewOfFile API calls ? and also, I don't know what virtual does ):
Post 08 Apr 2011, 14:42
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 08 Apr 2011, 14:48
sure,
VirtualAlloc or HeapAlloc + ReadFile api will do...

virtual directive :
http://flatassembler.net/docs.php?article=manual#2.2.4
Post 08 Apr 2011, 14:48
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 08 Apr 2011, 19:19
dancho
I don't understand that.. Because of my poor English knowledge Sad
P.S I've done GlobalAlloc + ReadFile and [alloc] = BASE of executable.
Post 08 Apr 2011, 19:19
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 09 Apr 2011, 10:40
First of all, I have problems with PE headers.. It never shows true result....
Here's what I'm trying but all the time, it has same value everytime.. What I'm doing wrong ?..
Code:
     invoke CreateFile,fName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
     mov [hFile],eax
     invoke GetFileSize,eax,0
     mov [nSize],eax
     invoke VirtualAlloc,0,[nSize],MEM_COMMIT,PAGE_EXECUTE_READWRITE
     mov [alloc],eax
     invoke ReadFile,[hFile],[alloc],[nSize],lpBytesRead,0
     invoke CloseHandle,[hFile]
     mov esi,[alloc]
     add esi,[esi+0x3c]
     mov edi,nthdr
     mov ecx,sizeof.IMAGE_NT_HEADERS32
     cld
     rep movsb
     invoke VirtualAlloc,0,nthdr.OptionalHeader.SizeOfImage,MEM_COMMIT, PAGE_EXECUTE_READWRITE
     add eax,nthdr.OptionalHeader.AddressOfEntryPoint
     mov [nEntry],eax
     ret    

nthdr.OptionalHeader.SizeOfImage shows same result on different size files.. What's wrong ? Neutral
I guess, I have problem with headers.. Can someone help me about this ?
Post 09 Apr 2011, 10:40
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 09 Apr 2011, 14:35
@Overflowz
download PEview :
http://www.magma.ca/~wjr/

and check your result with peview result for yours test files...
btw
size of the file and size of the file on the disk are two very different things,
and SizeOfImage.IMAGE_OPTIONAL_HEADER is third one,it represents sum of all headers and sections lenghts aligned to SectionAlignment...
Post 09 Apr 2011, 14:35
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 09 Apr 2011, 14:56
dancho
I think I'm doing wrong and I don't have problems about headers because when I'm checking nthdr.OptionalHeader.Magic it's not MZ and not must be MZ. I have question to you, how can I fill IMAGE_DOS_HEADER ? ))
Post 09 Apr 2011, 14:56
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 09 Apr 2011, 15:45
I found problem. Smile
invoke VirtualAlloc,0,[nthdr.OptionalHeader.SizeOfImage],MEM_COMMIT,PAGE_EXECUTE_READWRITE

I'll follow translation and if I'll have some problems, I'll write it here. Smile
Post 09 Apr 2011, 15:45
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 09 Apr 2011, 16:34
1 little problem here, I don't know how to convert this to fasm.. Can anyone help ? Smile
MASM Syntax:
Code:
mov ebx, nthdr.OptionalHeader.DataDirectory[1*8].VirtualAddress    
Post 09 Apr 2011, 16:34
View user's profile Send private message Reply with quote
dancho



Joined: 06 Mar 2011
Posts: 74
dancho 09 Apr 2011, 17:44
so you need access to the second IMAGE_DATA_DIRECTORY element and its VirtualAddress member of the DataDirectory array :
something like this then :
Code:
; eax is pointer to IMAGE_NT_HEADERS32
; 1. skip signature                4+
; 2. skip FileHeader         0x14+
; 3. skip OptionalHeader  0x60   = 0x78    
add eax,0x78
; you are now at the very start of the array...
; skip 1. element (2*4)
add eax,8
; and now eax is pointing to the 2.element
mov ebx,[eax]   ; ebx have VirtualAddress data
    
Post 09 Apr 2011, 17:44
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 09 Apr 2011, 20:14
dancho
Thank you for help but I can't get it right.. ): I'm stuck here...
FASM Syntax:
Code:
     virtual at ebx
     sehdr IMAGE_SECTION_HEADER
     end virtual
     xor ecx,ecx
     mov cx,[nthdr.FileHeader.NumberOfSections]
@@:
     mov esi,[sehdr.PointerToRawData]
     add esi,[alloc]
     mov edi,[sehdr.VirtualAddress]
     add edi,[nBase]
     push ecx
     cld
     rep movsb
     pop ecx
     add ebx,sizeof.IMAGE_SECTION_HEADER
     loop @b
     add ebx,0x78
     add ebx,8
     mov eax,[ebx]    

MASM Syntax:
Code:
    ASSUME  ebx : ptr IMAGE_SECTION_HEADER                                    
   
    xor ecx, ecx                                    
    mov cx, nthdr.FileHeader.NumberOfSections

@@:
    mov esi, [ebx].PointerToRawData
    add esi,pEXE
    mov edi, [ebx].VirtualAddress
    add edi, exeptr
    push ecx
    mov ecx, [ebx].SizeOfRawData
    cld
    rep movsb
    pop ecx
    add ebx, sizeof IMAGE_SECTION_HEADER
    loop @B

    mov ebx, nthdr.OptionalHeader.DataDirectory[1*8].VirtualAddress    

pExe = alloc
exeptr = nBase

I'm doing something wrong ?
P.S is this same ?
Code:
virtual at ebx
tstring db 5
end virtual    

and this:
Code:
mov [ebx],5    
Post 09 Apr 2011, 20:14
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4, 5  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.